JACC and JAAS configuration for ClearTrust
Trying to use JACC and JAAS configuration for ClearTrust (Access Manager) 5.5 in Geronimo 1.1 - looks like it should work; but not sure where to start. Is anyone already using ClearTrust (aka RSA Access Manager)? I'm hoping that someone has already accomplished configuring Geronimo to use ClearTrust using just config.xml - or if someone could advise whether there is new code I need to implement, and what the correct way is to deploy it (surely not in my application archive).

Having successfully implemented a web application using a properties realm, the time has come for us to deploy to a secured production environment. In preparation for this, our ClearTrust administrator has provisioned our IDs and we have groups set up that match the roles we need. Since the principals are named as the application uses, no role mapping should be required (I think).

After perusing the general JAAS and JACC documentation, as well as that which is specific to Geronimo on the wiki (and the little bit of JAAS info provided for ClearTrust) - it is not clear how to configure the GeronimoLoginConfiguration GBean for the GeronimoSecurityRealm with JaasLoginService (or JaasLoginCoordinator) to replace what we were doing with the properties realm. From what I understand, there is no login.conf in Geronimo because the configurations are identified in the GBean; but the details of the deployment plan are unclear. For example, where do I tell the configuration which ClearTrust JAAS class is the LoginModule? Do I use LoginModuleGBean (or JaasLoginModuleUse) to do that? Do I configure parameters such as the ClearTrust host name and port in the options attribute? Is this all declarative or do I implement the ConfigurationEntryFactory interface in a jar to be deployed apart from the application? Can or should the login-config be used instead?

Chapter 15 of the Wrox book Professional Apache Geronimo gives rather thorough coverage of JAAS and JACC and discusses the theory of gbean configuration as it applies to JAAS, but it doesn't give specifics that are similar enough to my needs for me to make the mental connection. Having just enough information I'm naively tempted to write some code; but it seems like it's an administration component that someone coulda/shoulda done by now and that could keep us from complicating the deployment by adding custom code where it is not required. Further, it seems to me that I could waste a lot of time if I try to write a JACC adapter for the ClearTrust JAAS implementation without asking the Geronimo community if this is the right thing to do. If someone has already done this - great, I'm sure I'm not the only one who would like to see your responses in the mail archives. If not... cool, I get to write some code!

Although the primary and urgent need is for basic web security of our application, it would be great to extend this to Geronimo's web console admin access too.

If it matters in this context, our deployment stack is Win2003/IBM Java 5/WAS CE 1.1.0.1/web app 2.4

- Lee
RE: geronimo mail 1.1.1
Does anybody know how to create JNDI URL resources for files in Geronimo (like file://dir/file.properties) like in WebSphere? I believe it is a J2EE standard.
Re: geronimo mail 1.1.1
Michael C. wrote:
Sorry about that, honestly I was not sure exactly where to add one up. How do you add a Jira, and how can I track its progress?

New Jiras can be created here: http://issues.apache.org/jira/secure/BrowseProject.jspa?id=10220

I have a suspicion your problem is a duplicate of this already created issue: http://issues.apache.org/jira/secure/IssueNavigator.jspa?pager/start=20
Re: JACC and JAAS configuration for ClearTrust
Thanks, David. The confirmation that this should be configurable is exactly what I was hoping for. The explanation and gbean example are very helpful - as is the advice about JACC and upcoming versions of Geronimo. After I get this working, I will gladly provide the relevant working plan fragments to this thread as you suggest; but I'm ignorant of how to make a useful contribution to the geronimoplugins site.

- Lee

David Jencks [EMAIL PROTECTED] 02/12/2007 11:56 AM
Please respond to user@geronimo.apache.org
To user@geronimo.apache.org
Subject Re: JACC and JAAS configuration for ClearTrust

On Feb 12, 2007, at 4:52 AM, [EMAIL PROTECTED] wrote: [...]
RE: Gbean within a signed jar
Kevan,

How do I turn off proxy generation? What do you mean by breaking admin console? I won't be able to control that app from the admin console? Are there other side effects?

Thanks,
Yoel

From: Kevan Miller [mailto:[EMAIL PROTECTED]]
Sent: Saturday, February 10, 2007 12:56 PM
To: user@geronimo.apache.org
Subject: Re: Gbean within a signed jar

On Feb 6, 2007, at 2:54 PM, Spotts, Joel ((ISS Atlanta)) wrote:
I have a gbean packaged within a signed jar that is placed in my EAR. Trouble is it seems that geronimo uses proxy classes on the gbean class files, which results in the dreaded: java.lang.SecurityException: class ...'s signer information does not match signer information of other classes in the same package when geronimo attempts to start the gbean. Anyone have a solution to this problem other than not signing the jar?

Hi Yoel,
Interesting. First I've heard of this problem, but it makes sense. I don't really have a solution for you.
1) As you suggest, don't sign your jar... :-P
2) Turn off proxy generation in the server. This, however, has the unfortunate side-effect of breaking the admin console. So, this really isn't much of an option.
Perhaps somebody else can chime in...
--kevan
Re: JACC and JAAS configuration for ClearTrust
On Feb 12, 2007, at 4:52 AM, [EMAIL PROTECTED] wrote: [...]

I'm not familiar with ClearTrust, but from your description it sounds like it provides one or more login modules where the result of using them is that you get a Subject populated with principals each of whose name represents a role ClearTrust knows about. If this is the case you should not need to write any code, just configuration. Let's assume you only need one login module, of class com.ct.LoginModule, and the principals are of class com.ct.RolePrincipal. Let's further assume that the possible options for the login module are host and port.

To set up a security realm that uses ClearTrust you'd include something like this in an appropriate geronimo plan, either a web app plan if you use only one web app, or a separate security module if you plan to use this for more than one application (as it appears you do from the comment about the admin console):

  <gbean name="cleartrust-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">cleartrust-realm</attribute>
    <xml-reference name="LoginModuleConfiguration">
      <lc:login-config xmlns:lc="http://geronimo.apache.org/xml/ns/loginconfig-1.1">
        <lc:login-module control-flag="REQUIRED" server-side="true">
          <lc:login-domain-name>cleartrust-domain</lc:login-domain-name>
          <lc:login-module-class>com.ct.LoginModule</lc:login-module-class>
          <lc:option name="host">localhost</lc:option>
          <lc:option name="port"></lc:option>
        </lc:login-module>
      </lc:login-config>
    </xml-reference>
    <reference name="ServerInfo"><name>ServerInfo</name></reference>
    <reference name="LoginService"><name>JaasLoginService</name></reference>
  </gbean>
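As an added illustration of the shape of login module the reply assumes (my own code, not part of David's reply and not ClearTrust's or Geronimo's): a JAAS LoginModule that takes host and port from its options map and, on commit, populates the Subject with one principal per group, driven by a programmatic JAAS Configuration carrying the same control flag and options as the login-config fragment above. The class names RoleLoginDemo, DemoLoginModule and RolePrincipal, the in-memory user table, and the port value 5000 are assumptions; a real module would talk to the ClearTrust server instead of the table.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added demo (not ClearTrust or Geronimo code): a JAAS module shaped the way the reply
 *  assumes (host/port options, Subject populated with one principal per role), driven by
 *  a programmatic Configuration equivalent to the login-config fragment in the reply. */
public class RoleLoginDemo {

    /** Hypothetical stand-in for com.ct.RolePrincipal: the principal name is the role name. */
    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof RolePrincipal && name.equals(((RolePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Hypothetical stand-in for com.ct.LoginModule. A constructed in-memory table replaces
     *  the call to the ClearTrust server at host:port; user "lee" is in groups admin and user. */
    public static class DemoLoginModule implements LoginModule {
        private static final Map<String, char[]> PASSWORDS = Collections.singletonMap("lee", "s3cret".toCharArray());
        private static final Map<String, Set<String>> GROUPS =
                Collections.singletonMap("lee", new HashSet<>(Arrays.asList("admin", "user")));
        private Subject subject;
        private CallbackHandler handler;
        private String host;
        private int port;
        private Set<String> roles;   // filled by login(), turned into principals by commit()

        @Override
        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
            // Each <lc:option name="..."> in the plan reaches the module as a String entry in options.
            this.host = (String) options.get("host");
            this.port = Integer.parseInt((String) options.get("port"));
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] {nc, pc});
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] given = pc.getPassword();
            pc.clearPassword();
            boolean ok = given != null && Arrays.equals(PASSWORDS.get(nc.getName()), given);
            if (given != null) Arrays.fill(given, '\0');
            // Phase one only authenticates; the Subject is not touched until commit().
            if (!ok) throw new FailedLoginException("rejected by " + host + ":" + port);
            roles = GROUPS.getOrDefault(nc.getName(), Collections.emptySet());
            return true;
        }

        @Override
        public boolean commit() {
            if (roles == null) return false;
            // One RolePrincipal per group: these principals are what the container maps onto roles.
            for (String role : roles) subject.getPrincipals().add(new RolePrincipal(role));
            return true;
        }

        @Override public boolean abort() { roles = null; return true; }
        @Override public boolean logout() {
            subject.getPrincipals().removeAll(subject.getPrincipals(RolePrincipal.class));
            return true;
        }
    }

    /** Programmatic equivalent of the reply's login-config: one REQUIRED module with host/port options. */
    static Configuration planEquivalent() {
        Map<String, String> options = new HashMap<>();
        options.put("host", "localhost");
        options.put("port", "5000");   // arbitrary value; the reply leaves the port option empty
        AppConfigurationEntry entry = new AppConfigurationEntry(DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "cleartrust-domain".equals(name) ? new AppConfigurationEntry[] {entry} : null;
            }
        };
    }

    /** Runs the two-phase JAAS login and returns the role names the Subject ended up with. */
    public static Set<String> roleNames(String user, String password) throws LoginException {
        CallbackHandler answers = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("cleartrust-domain", new Subject(), answers, planEquivalent());
        lc.login();
        Set<String> names = new TreeSet<>();
        for (RolePrincipal p : lc.getSubject().getPrincipals(RolePrincipal.class)) names.add(p.getName());
        return names;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("lee/s3cret -> " + roleNames("lee", "s3cret"));
        try { roleNames("lee", "wrong"); } catch (FailedLoginException e) { System.out.println("lee/wrong -> " + e.getMessage()); }
    }
}
```

Compile with javac and run with java RoleLoginDemo. The point to check against a vendor module before wiring it into the plan is the split between login() and commit(): a module that adds principals during login() leaves them on the Subject when a REQUIRED sibling fails, while the pattern above only adds them once the whole stack has succeeded.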
Re: Multiple Repositories and Server Instances
Very Cool Stuff !!! Thanks for contributing to Geronimo's documentation.

PS. friendly reminder for future references, use the HTML version (http://cwiki.apache.org/GMOxDOC20/multiple-repositories-and-server-instances.html)

Cheers!
Hernan

Ted Kirby wrote:
I just crafted a wiki page with this title at http://cwiki.apache.org/confluence/display/GMOxDOC20/Multiple+Repositories+and+Server+Instances to describe how to set up and use multiple repositories and server instances. They can be used together or separately, that is, they are independent of each other. There has been some discussion of this topic, so I wrote up some documentation. I solicit your feedback on it. This work is related to JIRA-2814, which contains some code patches and sample xml files to deploy a second repository.
Re: Gbean within a signed jar
On Feb 12, 2007, at 11:27 AM, Spotts, Joel ((ISS Atlanta)) wrote:
Kevan, How do I turn off proxy generation? What do you mean by breaking admin console? I won't be able to control that app from the admin console? Are there other side effects?

Hi Yoel,

Disable proxy generation like this:

  export JAVA_OPTS=-DXorg.apache.geronimo.gbean.NoProxy=true
  ./geronimo.sh run

Server startup will be a few seconds faster. You should see a log entry like this:

  14:28:05,885 WARN [AbstractGBeanReference] GBean reference proxies has been disabled: This is an experimental and untested operating mode
  Starting Geronimo Application Server v1.1.1

It's my understanding that there are some admin console functions that won't work, with NoProxy. I must confess that I don't know what specific features they are... Generated GBean proxies give the admin console a common management GBean interface to work with. Without proxies some GBean inspection/management functions won't work. I ran a quick test with NoProxy -- starting stopping web apps, etc -- and didn't run into any errors. Perhaps someone better versed in our console implementation can explain what exactly won't work...

--kevan

[...]
Re: Gbean within a signed jar
Alternatively, just change the code that complains about the signature. We could add a flag to the Geronimo class loader to hide all signing data.

-dain

On Feb 6, 2007, at 11:54 AM, Spotts, Joel (ISS Atlanta) wrote: [...]
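The exception in this thread is the JVM's own per-package signer check, not something Geronimo adds: a class loader remembers the signer certificates of the first class it defines in a package and rejects any later class in that package whose certificates differ, which is exactly what happens when an unsigned generated proxy lands in the package of a class from a signed jar. The following added example (my own code, not from the thread or from Geronimo) reproduces the check without a real signed jar, by defining two classes from one loader with different certificate sets; a fake Certificate stands in for a jar signer, and all class names are hypothetical. It needs Java 9 or later (readAllBytes).

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.security.PublicKey;
import java.security.cert.Certificate;

/** Added demo (not Geronimo code): the per-package signer check behind the thread's
 *  SecurityException, reproduced by defining two classes of one package under
 *  different "signers" in the same class loader. */
public class SignerMismatchDemo {

    /** Plays the role of the GBean class shipped in the signed jar. */
    public static class SignedBean {}
    /** Plays the role of the generated proxy class placed in the same package. */
    public static class GeneratedProxy {}

    /** Minimal Certificate so a CodeSource can carry a signer. The loader compares
     *  certificates by encoded bytes, so a constant encoding is enough for the demo. */
    static final class FakeCert extends Certificate {
        FakeCert() { super("Fake"); }
        @Override public byte[] getEncoded() { return new byte[] {0x46, 0x41, 0x4b, 0x45}; }
        @Override public void verify(PublicKey key) {}
        @Override public void verify(PublicKey key, String provider) {}
        @Override public String toString() { return "FakeCert"; }
        @Override public PublicKey getPublicKey() { return null; }
    }

    /** Defines the two demo classes itself (no parent delegation for them), each under
     *  the certificates given, the way a jar loader records a signed entry's signers. */
    static final class DemoLoader extends ClassLoader {
        private final Certificate[] beanCerts;
        private final Certificate[] proxyCerts;

        DemoLoader(Certificate[] beanCerts, Certificate[] proxyCerts) {
            super(SignerMismatchDemo.class.getClassLoader());
            this.beanCerts = beanCerts;
            this.proxyCerts = proxyCerts;
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (name.equals(SignedBean.class.getName())) return define(name, beanCerts);
            if (name.equals(GeneratedProxy.class.getName())) return define(name, proxyCerts);
            return super.loadClass(name, resolve);
        }

        private Class<?> define(String name, Certificate[] certs) throws ClassNotFoundException {
            Class<?> loaded = findLoadedClass(name);
            if (loaded != null) return loaded;
            byte[] bytes = bytecode(name);
            // ClassLoader.defineClass checks these certificates against the package's recorded signers.
            CodeSource cs = new CodeSource(null, certs);
            return defineClass(name, bytes, 0, bytes.length, new ProtectionDomain(cs, null));
        }

        /** Reads the already-compiled class file from the classpath so no bytecode is hand-built. */
        private static byte[] bytecode(String name) throws ClassNotFoundException {
            String resource = name.replace('.', '/') + ".class";
            try (InputStream in = SignerMismatchDemo.class.getClassLoader().getResourceAsStream(resource)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    /** Loads the signed bean first, then the proxy; true if the JVM rejected the proxy. */
    public static boolean proxyRejected(boolean proxySignedBySameKey) throws ClassNotFoundException {
        Certificate[] signer = { new FakeCert() };
        DemoLoader loader = new DemoLoader(signer, proxySignedBySameKey ? signer : new Certificate[0]);
        loader.loadClass(SignedBean.class.getName());
        try {
            loader.loadClass(GeneratedProxy.class.getName());
            return false;
        } catch (SecurityException e) {
            return true;   // "... signer information does not match signer information of other classes in the same package"
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsigned proxy rejected:        " + proxyRejected(false));
        System.out.println("same-signer proxy rejected:     " + proxyRejected(true));
    }
}
```

Compile with javac and run with java SignerMismatchDemo. The second case shows the only two ways out that do not involve patching the loader: either every class in the package carries the same signers, or none does. A loader that deliberately defines all classes with no certificates (the effect of the flag Dain proposes) satisfies the second condition, at the cost of discarding the signature information for every class it loads, not just the proxies.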