Re: webapp run-as problems

2009-06-03 Thread Trygve Hardersen
Nothing much really.

In org.apache.geronimo.jetty6.connector.HTTPSelectChannelConnector we've
added support for an HTTP header that tells Jetty the request is really
secure (we have a proxy doing the encryption):

// Constructor of org.apache.geronimo.jetty6.connector.HTTPSelectChannelConnector
// (Geronimo 2.2 jetty6 module). HTTPS (evidently "https") and JX_SCHEME (the name
// of the header the proxy sets) are String constants defined elsewhere in the
// class and not shown here.
public HTTPSelectChannelConnector(JettyContainer container, ThreadPool threadPool) {
    super(container, new SelectChannelConnector() {

        @Override
        public void customize(EndPoint endpoint, Request request) throws IOException {
            super.customize(endpoint, request);
            // The proxy terminated TLS: take its word for it and mark the request https.
            if (HTTPS.equals(request.getHeader(JX_SCHEME)))
                request.setScheme(HTTPS);
        }

        @Override
        public boolean isConfidential(Request request) {
            // A request rewritten to https above counts as confidential even though
            // it did not arrive on the connector's confidential port.
            if (request.getScheme() != null && request.getScheme().equals(HTTPS))
                return true;
            return super.isConfidential(request);
        }

    }, threadPool, "HTTPSelectChannelConnector");
}

If you would like to add this to the code base that would be great for us
:-)

We also excluded the org.apache.geronimo.configs.welcome-jetty plugin from
the org.apache.geronimo.plugingroups.javaee5-jetty plugingroup, and added
our Maven repository to the main pom.xml to allow deployment locally.

We used to have some stuff to allow the plugins to run on Java6 but that's
no longer needed. And from time to time we need to change minor stuff, like
we just did with using jetty6 instead of jetty7. I expect the need for this
to go away when the Geronimo 2.2 release is made.

Trygve
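
The same override, as an added example that is not code from the thread or from the Geronimo project, written so that the scheme header is only believed when the connection really comes from the TLS-terminating proxy; otherwise any client that can reach the connector directly could send the header itself and have a plain-HTTP request treated as confidential. It subclasses Jetty 6's SelectChannelConnector directly (the Geronimo container wrapper is omitted), and the header name, proxy address and port used in main() are assumed values:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import org.mortbay.io.EndPoint;
import org.mortbay.jetty.Request;
import org.mortbay.jetty.Server;
import org.mortbay.jetty.nio.SelectChannelConnector;
import org.mortbay.log.Log;

/**
 * Jetty 6 connector that honours a proxy-set scheme header only when the TCP peer
 * is one of the configured TLS-terminating proxies. Any other peer keeps the scheme
 * the connector actually observed, so a client reaching the connector directly
 * cannot label its own plain-HTTP request as https.
 */
public class ProxyAwareSelectChannelConnector extends SelectChannelConnector {

    static final String HTTPS = "https";

    private final String schemeHeader;        // e.g. the thread's JX_SCHEME header
    private final Set<String> trustedProxies; // textual IP addresses of the proxies

    public ProxyAwareSelectChannelConnector(String schemeHeader, Set<String> trustedProxies) {
        this.schemeHeader = schemeHeader;
        this.trustedProxies = Collections.unmodifiableSet(new HashSet<String>(trustedProxies));
    }

    /** Trust decision, free of Jetty types so it can be unit-tested on its own. */
    static boolean proxyAssertsHttps(String remoteAddr, String headerValue,
                                     Set<String> trustedProxies) {
        return remoteAddr != null
                && trustedProxies.contains(remoteAddr)
                && HTTPS.equalsIgnoreCase(headerValue);
    }

    @Override
    public void customize(EndPoint endpoint, Request request) throws IOException {
        super.customize(endpoint, request);
        String claimed = request.getHeader(schemeHeader);
        String peer = endpoint.getRemoteAddr();
        if (proxyAssertsHttps(peer, claimed, trustedProxies)) {
            // The proxy terminated TLS: report the request as https so that
            // CONFIDENTIAL transport-guarantee checks and secure cookies behave.
            request.setScheme(HTTPS);
        } else if (claimed != null) {
            // Header present but the peer is not a trusted proxy: ignore it and
            // leave an audit trail, because this is what a spoofed header looks like.
            Log.warn("Ignoring " + schemeHeader + "=" + claimed + " from untrusted peer " + peer);
        }
    }

    @Override
    public boolean isConfidential(Request request) {
        // Either the proxy vouched for TLS above, or the request arrived on the
        // connector's own confidential port.
        return HTTPS.equals(request.getScheme()) || super.isConfidential(request);
    }

    /** Stand-alone wiring; header name, proxy address and port are hypothetical. */
    public static void main(String[] args) throws Exception {
        Server server = new Server();
        ProxyAwareSelectChannelConnector connector = new ProxyAwareSelectChannelConnector(
                "X-Forwarded-Proto", new HashSet<String>(Arrays.asList("10.0.0.5")));
        connector.setPort(8080);
        server.addConnector(connector);
        server.start();
        server.join();
    }
}
```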

On Wed, Jun 3, 2009 at 8:37 AM, Jason Dillon wrote:

> Curious what your minor hacks are?
> --jason

Re: webapp run-as problems

2009-06-02 Thread Jason Dillon

Curious what your minor hacks are?

--jason



Re: webapp run-as problems

2009-06-02 Thread Trygve Hardersen
Thanks for looking into this David.

We're building everything ourselves as we have minor hacks to the Geronimo
code.

I'll try to give it another shot sometime later this week, but right now I
have to focus on other things. The Jetty6 build is working for us. I'll let
you know what I find when I try again. Also see comments to your inline
comments.

Trygve


Re: webapp run-as problems

2009-06-02 Thread David Jencks
I made a couple of comments inline; however, I strongly suspect your problems are caused by a jetty bug I had a hand in creating :-) that could cause the FormAuthenticator to not recognize that the request is the data from the login page.

https://bugs.eclipse.org/bugs/show_bug.cgi?id=278887

I'm not sure how quickly jetty snapshots are getting pushed --- probably daily. Also you may want to wait until g. snapshots are available again, but if you build everything yourself you might find it's started working again!

thanks
david jencks



Re: webapp run-as problems

2009-06-01 Thread Trygve Hardersen
Using r779302 with jetty6 solves the problem.

FYI I also got a 404 on the j_security_check page when using jetty7. I did
not investigate this but it might be related.

Thanks again

Trygve


Re: webapp run-as problems

2009-06-01 Thread Trygve Hardersen
Great, thanks!

Since I'm unable to build the current trunk I've checked our r779302 and
it's building as we speak with jetty6 in pom.xml. Will let you know what I
find.

Trygve


Re: webapp run-as problems

2009-06-01 Thread David Jencks
I'll try to look into this today or tomorrow. If you want to switch back to jetty6 it's easy: in the root pom properties, uncomment jetty6 and comment jetty7 (around line 90).

I really appreciate the testing on jetty7 with a real app -- a lot has changed and finding bugs now is way better than after we release!

thanks
david jencks

On Jun 1, 2009, at 9:55 AM, Trygve Hardersen wrote:


Hello

We have been building a relatively large and complex system using Geronimo-2.2 for some time. We're now getting close to finishing the project, and it's encouraging to see that the release of Geronimo 2.2 is getting closer, and that branching is around the corner.

However the latest Geronimo updates, I'm pretty sure it's the switch to Jetty7, broke our security model. I've been trying to make it work again for some time, but with no luck. Hence this mail.

First we have a realm and credential store plugin that is used by all other parts of the application:


# plan.xml

xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0"
xmlns:cs="http://geronimo.apache.org/xml/ns/credentialstore-1.0">

class="org.apache.geronimo.security.realm.GenericSecurityRealm">
jotta-realm
true

wrap-principals="false">
jotta-admin
<log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
name="usersURI">var/security/users.properties
name="groupsURI">var/security/groups.properties

wrap-principals="false">
jotta-users
<log:login-module-class>no.jotta.backup.security.server.JottaLoginModule</log:login-module-class>

ServerInfo

class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">

anonymous
<cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
anonymous
<cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
${geronimoPasswd}

system
<cs:type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</cs:type>
system
<cs:type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</cs:type>
${geronimoPasswd}

jotta-realm

jotta-realm

I can use this security configuration later from other EJB modules, also deployed as plugins:


# plan.xml

"http://geronimo.apache.org/xml/ns/j2ee/application-2.0"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
xmlns:nam="http://geronimo.apache.org/xml/ns/naming-1.2"
xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

crm-ejb-${jottaVersion}.jar
"http://openejb.apache.org/xml/ns/openejb-jar-2.2">

<dep:groupId>no.jotta.backup.crm</dep:groupId>
crm-ejb
${jottaVersion}
ejb

<dep:groupId>no.jotta.backup.security</dep:groupId>
security-ejb
${jottaVersion}
ejb

JottaCredentialStore

class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

Allow internal components to run as system

jotta-realm
system

class="