Re: Transaction manager

2008-10-16 Thread Jérôme Delattre
Thanks Martin, but I want to be more "generic" in my
applicationContext.xml, and just look up the TM like this:



I finally followed this doc:
http://www.atomikos.com/Documentation/Tomcat55Integration33
I just had to add commons-logging to be able to integrate in Tomcat 6.

Spring is warning because it does not find the Transaction Manager,
only User Transaction:

"[WARN] org.springframework.transaction.jta.JtaTransactionManager - No
JTA TransactionManager found: transaction suspension and
synchronization with existing JTA transactions not available"

But I'm not using REQUIRES_NEW or NOT_SUPPORTED so it should not be a problem.

Jerome

2008/10/16 Martin Gainty <[EMAIL PROTECTED]>:
>
> take a look at this setup for atomikosTransactionManager as a ref for 
> org.springframework.transaction.jta.JtaTransactionManager 'transactionManager'
>
> class="com.atomikos.icatch.jta.UserTransactionManager" init-method="init" 
> destroy-method="close">
> name="startupTransactionService">true
>true
>600
>
>
> class="com.atomikos.icatch.jta.UserTransactionImp" />
>
> class="org.springframework.transaction.jta.JtaTransactionManager">
> bean="atomikosTransactionManager"/>
> bean="atomikosUserTransaction"/>
> value="SYNCHRONIZATION_ON_ACTUAL_TRANSACTION"/>
>
>
> http://forum.springframework.org/showthread.php?t=38266
>
> let me know..
> Martin
>
>
>> Date: Thu, 16 Oct 2008 14:04:37 +0200
>> From: [EMAIL PROTECTED]
>> To: users@tomcat.apache.org
>> Subject: Re: Transaction manager
>>
>> 2008/10/15 Jérôme Delattre <[EMAIL PROTECTED]>:
>> > 2008/10/15 Jérôme Delattre <[EMAIL PROTECTED]>:
>> >> Hi,
>> >>
>> >> I am looking for a standalone transaction manager for Tomcat.
>> >>
>> >> I tried JOTM but there are some blocker bugs in XAPool and the
>> >> datasource implementation, moreover no new release for 3 years is
>> >> scary :-)
>> >> JBossTM works fine but it's under LGPL and unfortunately I can't use
>> >> it, too bad :-(
>> >> Atomikos would be ok but I did not manage to configure it with Spring
>> >> (the lookup for JTATransactionManager fails: No JTA ... found ..., and
>> >> I don't want to tweak my applicationContext.xml with specific things
>> >> as it should work in some other servers).
>> >> I don't know if Geronimo provides a standalone TM that I could use in
>> >> Tomcat, it seems to but I did not find any clear doc / post.
>> >>
>> >> Which TM are you using with Tomcat?
>> >>
>> >> Thanks,
>> >> Jerome
>> >
>> > I've just noticed JOTM is available in version 2.1.2 in maven repository 
>> > ...
>> > http://www.mvnrepository.com/artifact/org.ow2.jotm/jotm-standalone/2.1.2
>> >
>> > On their website it's still 2.0.10 ... strange.
>> >
>>
>> I finally managed to plug Atomikos in Tomcat 6 and it seems to work fine.
>> Forget my question :-)
>>
>> -
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>>
>




Re: Transaction manager

2008-10-16 Thread Jérôme Delattre
2008/10/15 Jérôme Delattre <[EMAIL PROTECTED]>:
> 2008/10/15 Jérôme Delattre <[EMAIL PROTECTED]>:
>> Hi,
>>
>> I am looking for a standalone transaction manager for Tomcat.
>>
>> I tried JOTM but there are some blocker bugs in XAPool and the
>> datasource implementation, moreover no new release for 3 years is
>> scary :-)
>> JBossTM works fine but it's under LGPL and unfortunately I can't use
>> it, too bad :-(
>> Atomikos would be ok but I did not manage to configure it with Spring
>> (the lookup for JTATransactionManager fails: No JTA ... found ..., and
>> I don't want to tweak my applicationContext.xml with specific things
>> as it should work in some other servers).
>> I don't know if Geronimo provides a standalone TM that I could use in
>> Tomcat, it seems to but I did not find any clear doc / post.
>>
>> Which TM are you using with Tomcat?
>>
>> Thanks,
>> Jerome
>
> I've just noticed JOTM is available in version 2.1.2 in maven repository ...
> http://www.mvnrepository.com/artifact/org.ow2.jotm/jotm-standalone/2.1.2
>
> On their website it's still 2.0.10 ... strange.
>

I finally managed to plug Atomikos in Tomcat 6 and it seems to work fine.
Forget my question :-)




Re: Transaction manager

2008-10-15 Thread Jérôme Delattre
2008/10/15 Jérôme Delattre <[EMAIL PROTECTED]>:
> Hi,
>
> I am looking for a standalone transaction manager for Tomcat.
>
> I tried JOTM but there are some blocker bugs in XAPool and the
> datasource implementation, moreover no new release for 3 years is
> scary :-)
> JBossTM works fine but it's under LGPL and unfortunately I can't use
> it, too bad :-(
> Atomikos would be ok but I did not manage to configure it with Spring
> (the lookup for JTATransactionManager fails: No JTA ... found ..., and
> I don't want to tweak my applicationContext.xml with specific things
> as it should work in some other servers).
> I don't know if Geronimo provides a standalone TM that I could use in
> Tomcat, it seems to but I did not find any clear doc / post.
>
> Which TM are you using with Tomcat?
>
> Thanks,
> Jerome

I've just noticed JOTM is available in version 2.1.2 in maven repository ...
http://www.mvnrepository.com/artifact/org.ow2.jotm/jotm-standalone/2.1.2

On their website it's still 2.0.10 ... strange.




Transaction manager

2008-10-15 Thread Jérôme Delattre
Hi,

I am looking for a standalone transaction manager for Tomcat.

I tried JOTM but there are some blocker bugs in XAPool and the
datasource implementation, moreover no new release for 3 years is
scary :-)
JBossTM works fine but it's under LGPL and unfortunately I can't use
it, too bad :-(
Atomikos would be ok but I did not manage to configure it with Spring
(the lookup for JTATransactionManager fails: No JTA ... found ..., and
I don't want to tweak my applicationContext.xml with specific things
as it should work in some other servers).
I don't know if Geronimo provides a standalone TM that I could use in
Tomcat, it seems to but I did not find any clear doc / post.

Which TM are you using with Tomcat?

Thanks,
Jerome




Re: JNDIRealm - mapping LDAP group to security role

2008-10-09 Thread Jérôme Delattre
2008/10/9 Kevin Jackson <[EMAIL PROTECTED]>:
>>> I am trying to configure a JNDIRealm to authenticate against an Active
>>> Directory.
>>> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>>>
>>> The authentication seems to work but I wonder how to map LDAP groups
>>> to security roles.
>>> I do not want to add groups in the LDAP server, but to map existing
>>> ones to the roles defined in my web application instead.
>>>
>>> Is it possible? I did not find any doc / post about this topic.
>
> You could write a custom JNDIRealm that does the
> mapping/authentication.  I've seen this done with postgres, but not
> with an LDAP server (or AD), but it should be a similar process.  Then
> you add it to tomcat/lib and configure your context and web.xml to use
> the custom JNDIRealm instead of the provided realm
>
> Kev

Thanks Kevin, that's exactly what I finally did! ;-)




Re: JNDIRealm - mapping LDAP group to security role

2008-10-08 Thread Jérôme Delattre
2008/10/8 Felix Schumacher <[EMAIL PROTECTED]>:
> Hi Jerome,
>
> have you thought about adding an extra attribute to the groups, so that
> the mapping is done by a normal ldap query?
>
> Consider having an objectClass tomcatRoleMapping which has one attribute
> tomcatRole. Then with your mapping like below
>> securityrole1=group1,group2,group4
>> securityrole2=group3
>> securityrole3=group5,group6
> you would extend all groups with tomcatRoleMapping. The value of the
> attribute tomcatRole could then be "securityrole1" for group1, group2
> and group4 like this
>
> dn: cn=group1,...
> objectClass: tomcatRoleMapping
> objectClass: ...
> tomcatRole: securityrole1
> cn: group1
> ...
>
> Now just change the roleName attribute in your realm definition to
> tomcatRole and you have got a mapping from groups to securityroles.
>
> Bye
>  Felix

Hi Felix,

Thanks for your proposition, but I want to avoid any change on the LDAP server.
The idea is: if you want to install my webapp in your environment,
just map your existing groups to my webapp's roles before starting
Tomcat and you're done.

Jerome




Re: JNDIRealm - mapping LDAP group to security role

2008-10-08 Thread Jérôme Delattre
2008/10/8 Caldarale, Charles R <[EMAIL PROTECTED]>
>
> > From: Felix Schumacher [mailto:[EMAIL PROTECTED]
> > Subject: Re: JNDIRealm - mapping LDAP group to security role
> >
> > have you thought about adding an extra attribute to the
> > groups, so that the mapping is done by a normal ldap query?
>
> Even that's not necessary.  The servlet security model already has a built-in 
> mapping capability () that can be used to convert LDAP or 
> other database values to the roles declared in the web.xml file.
>
>  - Chuck

 is a servlet attribute.
What should I do with it? add the same  for each
LDAP group to all my Servlets? sounds strange...
And what happens if I call request.isUserInRole(myLDAPGroup) anywhere
outside a declared Servlet?

Jerome




Re: JNDIRealm - mapping LDAP group to security role

2008-10-08 Thread Jérôme Delattre
2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]>

> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active
> Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> The authentication seems to work but I wonder how to map LDAP groups
> to security roles.
> I do not want to add groups in the LDAP server, but to map existing
> ones to the roles defined in my web application instead.
>
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome
>


So for the log and if it can help someone, here is how I resolved my issue:

I've extended the JNDIRealm class to override the getRoles(...) method.

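package org.apache.catalina.realm;

import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
...
public class CustomJNDIRealm extends JNDIRealm {
    ...
    // Called by JNDIRealm to collect the roles of the authenticated user.
    @Override
    protected List<String> getRoles(DirContext context, User user)
            throws NamingException {
        // Groups found in the directory by the realm's role search
        List<String> ldapRoles = super.getRoles(context, user);
        // customized part
        return ldapRoles;
    }
    ...
}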

The package needs to be the same as JNDIRealm class otherwise the class User
is not visible.
In the "custom part" of the method I read a properties file that describes
the mapping between ldap roles and security roles.
And I simply add security roles to the ldapRoles list before returning it.

The properties file is in Tomcat's lib directory and looks like:

securityrole1=group1,group2,group4
securityrole2=group3
securityrole3=group5,group6
...

And to be exhaustive, here is the realm configuration for Active Directory
that works in my env:

ldap://myADserver:389";
connectionName="myADreadonlyUser"
connectionPassword="password"
referrals="follow"
userBase="DC=mycompany,DC=com"
userSearch="(sAMAccountName={0})"
userSubtree="true"
roleBase="DC=mycompany,DC=com"
roleName="cn"
roleSearch="(member={0})"
roleSubtree="true"/>

Cheers,
Jerome
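
Added example (not part of the original post and not Tomcat code): one way to write the mapping step the post describes for the "customized part" of getRoles(), using the properties format shown above. The names GroupRoleMapper and withMappedRoles are hypothetical, the sample input is constructed, matching group names case-insensitively is an assumption, and the code needs Java 8 or later.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.*;

/** Hypothetical helper: maps LDAP group names to the web application's security roles. */
public class GroupRoleMapper {
    // LDAP group name (lower-cased) -> security roles granted by membership in that group
    private final Map<String, Set<String>> rolesByGroup = new HashMap<>();

    /** Parses lines such as "securityrole1=group1,group2,group4". */
    public GroupRoleMapper(String propertiesText) throws IOException {
        Properties props = new Properties();
        props.load(new StringReader(propertiesText));
        for (String role : props.stringPropertyNames()) {
            for (String group : props.getProperty(role).split(",")) {
                String key = group.trim().toLowerCase(Locale.ROOT);
                if (key.isEmpty()) continue;   // ignore "a,,b" and trailing commas
                rolesByGroup.computeIfAbsent(key, k -> new TreeSet<>()).add(role.trim());
            }
        }
    }

    /** Returns the LDAP groups plus every security role mapped to them; the input is not modified. */
    public List<String> withMappedRoles(List<String> ldapGroups) {
        Set<String> result = new LinkedHashSet<>();
        if (ldapGroups == null) return new ArrayList<>();   // no groups, no roles
        result.addAll(ldapGroups);
        for (String group : ldapGroups) {
            Set<String> mapped = rolesByGroup.get(group.toLowerCase(Locale.ROOT));
            if (mapped != null) result.addAll(mapped);
        }
        return new ArrayList<>(result);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the mapping file from the post, embedded inline.
        String mapping = "securityrole1=group1,group2,group4\n"
                       + "securityrole2=group3\n"
                       + "securityrole3=group5,group6\n";
        GroupRoleMapper mapper = new GroupRoleMapper(mapping);
        // Constructed sample: groups as super.getRoles() might return them for one user.
        List<String> ldapGroups = Arrays.asList("Group2", "group3", "Domain Users");
        System.out.println(mapper.withMappedRoles(ldapGroups));
    }
}
```

Because the mapped roles are added alongside the raw group names, as in the post, a directory group whose cn equals an application role name grants that role without any entry in the mapping file. Returning only the mapped roles removes that implicit grant.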


Re: JNDIRealm - mapping LDAP group to security role

2008-09-28 Thread Jérôme Delattre
No idea?
I thought it was a common use case ...

Jerome

2008/9/23 Jérôme Delattre <[EMAIL PROTECTED]>

> Hello,
>
> Env: Tomcat 6.0.18 / Java 6 / Windows
>
> I am trying to configure a JNDIRealm to authenticate against an Active
> Directory.
> http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm
>
> The authentication seems to work but I wonder how to map LDAP groups
> to security roles.
> I do not want to add groups in the LDAP server, but to map existing
> ones to the roles defined in my web application instead.
>
> Is it possible? I did not find any doc / post about this topic.
>
> Thanks,
> Jerome
>


Re: JNDIRealm - mapping LDAP group to security role

2008-09-23 Thread Jérôme Delattre
>> If I remember well the  just creates an alias on an
>> existing  for servlets.
>> It's not related to the mapping between my "system" groups and the
>> application roles.
>
> O.k., I'm confused.  Isn't an alias just what you need to do the mapping from 
> any role names used internally in your webapp to the roles (groups) obtained 
> from the LDAP server?
>

Yes an alias is what I need :-)
But  is not done for that (unless I missed something).
Quoting: http://java.sun.com/developer/technicalArticles/Servlets/servletapi2.3/

 

secret

...


mgr 


manager 




...



manager



the servlet secret can call isUserInRole("mgr") or
isUserInRole("manager") -- they will give the same behavior.
Basically, security-role-ref acts to create an alias, but isn't
necessary.

/Quote

What I am looking for is more a security role mapping descriptor or
configuration.
Like one can do in SunAS:


myapprole
myldapgroup





Re: JNDIRealm - mapping LDAP group to security role

2008-09-23 Thread Jérôme Delattre
>> I do not want to add groups in the LDAP server, but to map existing
>> ones to the roles defined in my web application instead.
>
> Perhaps you can use the  declaration; look in section 12 
> of the servlet spec.
>

If I remember well the  just creates an alias on an
existing  for servlets.
It's not related to the mapping between my "system" groups and the
application roles.

Section 12.4 of the servlet spec says:

"A security role is a logical grouping of users defined by the
Application Developer or Assembler. When the application is deployed,
roles are mapped by a Deployer to principals or groups in the runtime
environment."

That's exactly what I am looking for.
Something like:

In the tomcat-users.xml file but for my LDAP realm.

Cheers,
Jerome




JNDIRealm - mapping LDAP group to security role

2008-09-23 Thread Jérôme Delattre
Hello,

Env: Tomcat 6.0.18 / Java 6 / Windows

I am trying to configure a JNDIRealm to authenticate against an Active
Directory.
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JNDIRealm

The authentication seems to work but I wonder how to map LDAP groups
to security roles.
I do not want to add groups in the LDAP server, but to map existing
ones to the roles defined in my web application instead.

Is it possible? I did not find any doc / post about this topic.

Thanks,
Jerome
