Using r779302 with jetty6 solves the problem. FYI I also got a 404 on the j_security_check page when using jetty7. I did not investigate this but it might be related.
Thanks again

Trygve

On Mon, Jun 1, 2009 at 4:11 PM, Trygve Hardersen <[email protected]> wrote:

> Great, thanks!
>
> Since I'm unable to build the current trunk I've checked out r779302 and
> it's building as we speak with jetty6 in pom.xml. Will let you know what I
> find.
>
> Trygve
>
> On Mon, Jun 1, 2009 at 4:07 PM, David Jencks <[email protected]> wrote:
>
>> I'll try to look into this today or tomorrow. If you want to switch back
>> to jetty6 it's easy.... in the root pom properties uncomment jetty6 and
>> comment jetty7 (around line 90)
>> I really appreciate the testing on jetty7 with a real app -- a lot has
>> changed and finding bugs now is waaaayy better than after we release!
>>
>> thanks
>> david jencks
>>
>> On Jun 1, 2009, at 9:55 AM, Trygve Hardersen wrote:
>>
>> Hello
>>
>> We have been building a relatively large and complex system using
>> Geronimo-2.2 for some time. We're now getting close to finishing the
>> project, and it's encouraging to see that the release of Geronimo 2.2 is
>> getting closer, and that branching is around the corner.
>>
>> However the latest Geronimo updates, I'm pretty sure it's the switch to
>> Jetty7, broke our security model. I've been trying to make it work again
>> for some time, but with no luck. Hence this mail.
>>
>> First we have a realm and credential store plugin that is used by all
>> other parts of the application:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <dep:module
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"
>>     xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>>   <dep:gbean name="jotta-realm"
>>       class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>     <dep:attribute name="realmName">jotta-realm</dep:attribute>
>>     <dep:attribute name="global">true</dep:attribute>
>>     <dep:xml-reference name="LoginModuleConfiguration">
>>       <log:login-config>
>>         <!-- Allow administrator logins -->
>>         <log:login-module control-flag="SUFFICIENT" wrap-principals="false">
>>           <log:login-domain-name>jotta-admin</log:login-domain-name>
>>           <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>           <log:option name="usersURI">var/security/users.properties</log:option>
>>           <log:option name="groupsURI">var/security/groups.properties</log:option>
>>         </log:login-module>
>>         <!-- Then check the user DBs -->
>>         <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>           <log:login-domain-name>jotta-users</log:login-domain-name>
>>           <log:login-module-class>no.jotta.backup.security.server.JottaLoginModule</log:login-module-class>
>>         </log:login-module>
>>       </log:login-config>
>>     </dep:xml-reference>
>>     <dep:reference name="ServerInfo">
>>       <dep:name>ServerInfo</dep:name>
>>     </dep:reference>
>>   </dep:gbean>
>>   <dep:gbean name="JottaCredentialStore"
>>       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>>     <dep:xml-attribute name="credentialStore">
>>       <cs:credential-store>
>>         <cs:realm name="jotta-realm">
>>           <cs:subject>
>>             <cs:id>anonymous</cs:id>
>>             <cs:credential>
>>               <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>>               <cs:value>anonymous</cs:value>
>>             </cs:credential>
>>             <cs:credential>
>>               <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>>               <cs:value>${geronimoPasswd}</cs:value>
>>             </cs:credential>
>>           </cs:subject>
>>           <cs:subject>
>>             <cs:id>system</cs:id>
>>             <cs:credential>
>>               <cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
>>               <cs:value>system</cs:value>
>>             </cs:credential>
>>             <cs:credential>
>>               <cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
>>               <cs:value>${geronimoPasswd}</cs:value>
>>             </cs:credential>
>>           </cs:subject>
>>         </cs:realm>
>>       </cs:credential-store>
>>     </dep:xml-attribute>
>>     <dep:reference name="Realms">
>>       <dep:name>jotta-realm</dep:name>
>>     </dep:reference>
>>     <dep:dependency>
>>       <dep:name>jotta-realm</dep:name>
>>     </dep:dependency>
>>   </dep:gbean>
>> </dep:module>
>>
>> I can use this security configuration later from other EJB modules, also
>> deployed as plugins:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>>   <module>
>>     <ejb>crm-ejb-${jottaVersion}.jar</ejb>
>>     <openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2">
>>       <dep:environment>
>>         <dep:moduleId>
>>           <dep:groupId>no.jotta.backup.crm</dep:groupId>
>>           <dep:artifactId>crm-ejb</dep:artifactId>
>>           <dep:version>${jottaVersion}</dep:version>
>>           <dep:type>ejb</dep:type>
>>         </dep:moduleId>
>>         <dep:dependencies>
>>           <dep:dependency>
>>             <dep:groupId>no.jotta.backup.security</dep:groupId>
>>             <dep:artifactId>security-ejb</dep:artifactId>
>>             <dep:version>${jottaVersion}</dep:version>
>>             <dep:type>ejb</dep:type>
>>           </dep:dependency>
>>         </dep:dependencies>
>>       </dep:environment>
>>       <security use-context-handler="false">
>>         <sec:credential-store-ref>
>>           <dep:name>JottaCredentialStore</dep:name>
>>         </sec:credential-store-ref>
>>         <sec:role-mappings>
>>           <sec:role role-name="admin">
>>             <sec:principal name="admin"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>           <sec:role role-name="anonymous">
>>             <sec:principal name="anonymous"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>           <sec:role role-name="customer">
>>             <sec:principal name="customer"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>           <sec:role role-name="system">
>>             <sec:run-as-subject>
>>               <sec:description>Allow internal components to run as system</sec:description>
>>               <sec:realm>jotta-realm</sec:realm>
>>               <sec:id>system</sec:id>
>>             </sec:run-as-subject>
>>             <sec:login-domain-principal name="system"
>>                 domain-name="jotta-admin"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>             <sec:principal name="system"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>         </sec:role-mappings>
>>       </security>
>>       <enterprise-beans>
>>         <session>
>>           <ejb-name>jotta.crm.CustomerService</ejb-name>
>>           <ejb-ref>
>>             <!-- Reference to security service -->
>>             <nam:ref-name>no.jotta.backup.crm.ejb.CustomerServiceImpl/userService</nam:ref-name>
>>             <nam:pattern>
>>               <nam:artifactId>security-ejb</nam:artifactId>
>>               <nam:name>jotta.security.UserService</nam:name>
>>             </nam:pattern>
>>           </ejb-ref>
>>         </session>
>>       </enterprise-beans>
>>     </openejb-jar>
>>   </module>
>> </application>
>>
>> When the "jotta.crm.CustomerService" EJB calls the
>> "jotta.security.UserService" it always runs as the "system" role, which is
>> what it is supposed to do. I also have a testsuite using remote EJB, and
>> from it I can log in manually using either the PropertiesFileLoginModule or
>> the JottaLoginModule. In other words the security configuration works as I
>> expect it to.
>>
>> The problem comes when using this security setup from a WAR module. I have
>> a very simple web application that has a single servlet responsible for
>> gathering the email addresses of interested customers. This servlet is supposed
>> to run as "system":
>>
>> # web.xml
>> <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>     xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>>         http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
>>     metadata-complete="false">
>>   <description>
>>     Web application responsible for providing the Web Beta
>>     for customers of Jotta Backup.
>>   </description>
>>   <display-name>Jotta Web Beta</display-name>
>>   <!-- Can be run in a cluster, but does not require session replication -->
>>   <distributable/>
>>   <welcome-file-list>
>>     <welcome-file>welcome</welcome-file>
>>   </welcome-file-list>
>>   .....
>>   <servlet>
>>     <description>Servlet providing interested customer functionality</description>
>>     <display-name>Interested Customer Servlet</display-name>
>>     <servlet-name>InterestedCustomerServlet</servlet-name>
>>     <servlet-class>no.jotta.backup.web.gui.pub.servlets.InterestedCustomerServlet</servlet-class>
>>     <run-as>
>>       <description>Runs as system</description>
>>       <role-name>system</role-name>
>>     </run-as>
>>   </servlet>
>>   <servlet-mapping>
>>     <servlet-name>InterestedCustomerServlet</servlet-name>
>>     <url-pattern>/welcome</url-pattern>
>>   </servlet-mapping>
>>   <servlet-mapping>
>>     <servlet-name>InterestedCustomerServlet</servlet-name>
>>     <url-pattern>/welcome/</url-pattern>
>>   </servlet-mapping>
>>   <servlet-mapping>
>>     <servlet-name>InterestedCustomerServlet</servlet-name>
>>     <url-pattern>/register</url-pattern>
>>   </servlet-mapping>
>>   <servlet-mapping>
>>     <servlet-name>InterestedCustomerServlet</servlet-name>
>>     <url-pattern>/register/</url-pattern>
>>   </servlet-mapping>
>>   <!-- EJB Mappings -->
>>   <ejb-local-ref>
>>     <description>Reference to the Customer Service</description>
>>     <ejb-ref-name>customerService</ejb-ref-name>
>>     <ejb-ref-type>Session</ejb-ref-type>
>>     <local>no.jotta.backup.crm.intf.CustomerServiceLocal</local>
>>   </ejb-local-ref>
>>   <security-role>
>>     <role-name>anonymous</role-name>
>>   </security-role>
>>   <security-role>
>>     <role-name>system</role-name>
>>   </security-role>
>> </web-app>
>>
>> Now I've been trying a lot of different plan.xml configurations to make
>> this work, but the one that we've been using for quite some time looked like
>> this:
>>
>> # plan.xml
>> <?xml version="1.0" encoding="UTF-8"?>
>> <application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
>>     xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>     xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
>>     xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>>   <module>
>>     <web>web-beta.war</web>
>>     <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2">
>>       <context-root>/beta</context-root>
>>       <security-realm-name>jotta-realm</security-realm-name>
>>       <security use-context-handler="false">
>>         <sec:credential-store-ref>
>>           <dep:name>JottaCredentialStore</dep:name>
>>         </sec:credential-store-ref>
>>         <sec:default-subject>
>>           <sec:realm>jotta-realm</sec:realm>
>>           <sec:id>anonymous</sec:id>
>>         </sec:default-subject>
>>         <sec:role-mappings>
>>           <sec:role role-name="anonymous">
>>             <sec:login-domain-principal name="anonymous"
>>                 domain-name="jotta-admin"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>           <sec:role role-name="system">
>>             <sec:run-as-subject>
>>               <sec:description>Allow internal components to run as system</sec:description>
>>               <sec:realm>jotta-realm</sec:realm>
>>               <sec:id>system</sec:id>
>>             </sec:run-as-subject>
>>             <sec:login-domain-principal name="system"
>>                 domain-name="jotta-admin"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>             <sec:principal name="system"
>>                 class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>>           </sec:role>
>>         </sec:role-mappings>
>>       </security>
>>     </web-app>
>>   </module>
>> </application>
>>
>> This used to work but no longer does. The servlet does not run as "system"
>> and access to the EJB is denied:
>>
>> javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
>>     at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:153)
>>     at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
>>     at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
>>     at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:281)
>>
>> The Geronimo source I'm running against is trunk from sometime on Thursday
>> last week (28th). I'm unable to build the current Geronimo trunk because of
>> the following error:
>>
>> [INFO] ------------------------------------------------------------------------
>> [ERROR] BUILD ERROR
>> [INFO] ------------------------------------------------------------------------
>> [INFO] Error assembling WAR: Deployment descriptor:
>> /home/jotta/dailybuild/geronimo/trunk/server_clean/plugins/activemq/activemq-webconsole/target/activemq-webconsole-2.2-SNAPSHOT/WEB-INF/web.xml
>> does not exist.
>>
>> Does anyone have an idea what is going wrong here, or how I can make this
>> work again? I'll try to create a simple application that illustrates the
>> webapp run-as problem. Our application is rather complex and many things can
>> go wrong. It's probably also possible to switch back to Jetty6, any idea if
>> that would help?
>>
>> Your help and work is much appreciated!
>>
>> Trygve Hardersen
>> Jotta AS
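The failure reported in the thread is a servlet whose web.xml `<run-as>` role is no longer honoured when it calls an EJB. Before blaming the container, a practitioner would first confirm that the configuration chain is consistent: the run-as role is declared as a `<security-role>` in web.xml, the Geronimo plan maps that role to a `<sec:run-as-subject>`, and the subject's realm/id actually exists in the credential store. The script below performs that cross-check with the standard library. It is an added example, not code from the thread or from the Geronimo project; the XML documents in it are constructed samples modelled on the plans above, and the function names are my own. It will not detect a container regression such as the one described here, but it rules out a plan that cannot work, which is the first thing to do when a run-as stops taking effect after an upgrade.

```python
"""Cross-check a servlet's <run-as> role against a Geronimo plan and a
credential store.  Added example, not code from the thread or from
Geronimo; every XML document below is a constructed sample."""
import xml.etree.ElementTree as ET

NS = {
    "jee": "http://java.sun.com/xml/ns/javaee",
    "sec": "http://geronimo.apache.org/xml/ns/security-2.0",
    "cs": "http://geronimo.apache.org/xml/ns/credentialstore-1.0",
}

# Constructed web.xml: one servlet that must run as "system".
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>InterestedCustomerServlet</servlet-name>
    <servlet-class>example.InterestedCustomerServlet</servlet-class>
    <run-as><role-name>system</role-name></run-as>
  </servlet>
  <security-role><role-name>anonymous</role-name></security-role>
  <security-role><role-name>system</role-name></security-role>
</web-app>"""

# Constructed Geronimo web plan: role "system" carries a run-as-subject.
PLAN_OK = """<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <security use-context-handler="false">
    <sec:role-mappings>
      <sec:role role-name="anonymous"/>
      <sec:role role-name="system">
        <sec:run-as-subject>
          <sec:realm>jotta-realm</sec:realm>
          <sec:id>system</sec:id>
        </sec:run-as-subject>
      </sec:role>
    </sec:role-mappings>
  </security>
</web-app>"""

# Same plan with the run-as-subject left out: the mistake the check must catch.
PLAN_MISSING_SUBJECT = """<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web/jetty-2.0.2"
    xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <security use-context-handler="false">
    <sec:role-mappings><sec:role role-name="system"/></sec:role-mappings>
  </security>
</web-app>"""

# Constructed credential store (the body of the gbean's xml-attribute).
STORE_XML = """<cs:credential-store xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
  <cs:realm name="jotta-realm">
    <cs:subject><cs:id>anonymous</cs:id></cs:subject>
    <cs:subject><cs:id>system</cs:id></cs:subject>
  </cs:realm>
</cs:credential-store>"""


def run_as_roles(web_xml):
    """Role names that some servlet's <run-as> element requires."""
    root = ET.fromstring(web_xml)
    return {e.text.strip() for e in root.findall("jee:servlet/jee:run-as/jee:role-name", NS)}


def declared_roles(web_xml):
    """Role names declared with <security-role>."""
    root = ET.fromstring(web_xml)
    return {e.text.strip() for e in root.findall("jee:security-role/jee:role-name", NS)}


def run_as_subjects(plan_xml):
    """Map role-name -> (realm, subject id) for every role with a run-as-subject."""
    root = ET.fromstring(plan_xml)
    out = {}
    for role in root.findall(".//sec:role-mappings/sec:role", NS):
        subj = role.find("sec:run-as-subject", NS)
        if subj is not None:  # Element truthiness is not what we want here
            out[role.get("role-name")] = (
                subj.findtext("sec:realm", namespaces=NS).strip(),
                subj.findtext("sec:id", namespaces=NS).strip(),
            )
    return out


def store_subjects(store_xml):
    """Set of (realm, id) pairs the credential store can log in."""
    root = ET.fromstring(store_xml)
    return {
        (realm.get("name"), sid.text.strip())
        for realm in root.findall(".//cs:realm", NS)
        for sid in realm.findall("cs:subject/cs:id", NS)
    }


def check(web_xml, plan_xml, store_xml):
    """Return a list of problems; an empty list means the run-as chain is consistent."""
    problems = []
    subjects = run_as_subjects(plan_xml)
    known = store_subjects(store_xml)
    declared = declared_roles(web_xml)
    for role in sorted(run_as_roles(web_xml)):
        if role not in declared:
            problems.append("run-as role %r is not declared as a <security-role>" % role)
        if role not in subjects:
            problems.append("role %r has no <sec:run-as-subject> in the plan" % role)
            continue
        realm, sid = subjects[role]
        if (realm, sid) not in known:
            problems.append("subject %s/%s for role %r is not in the credential store" % (realm, sid, role))
    return problems


if __name__ == "__main__":
    print("consistent plan:", check(WEB_XML, PLAN_OK, STORE_XML))
    print("broken plan:    ", check(WEB_XML, PLAN_MISSING_SUBJECT, STORE_XML))
```

To use it against a real deployment, read the WAR's web.xml, the web module's plan and the credential store's xml-attribute body into the three arguments of `check()`; the credential store is whatever the `<sec:credential-store-ref>` in the plan points at. The realm names in the store and in `<sec:run-as-subject>` must match exactly, since that pair is how the container selects which subject to log in for the run-as.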
