On Feb 12, 2008, at 12:35 PM, Brian Gregory wrote:


Ok, this might clear things up a bit:

yup:-)


// This needs to happen when a connection is pulled from the pool
// and before the connection is used.
// The "<username>" could be pulled from the GeronimoUserPrincipal()
//      in the current session (?) if available

java.util.Properties prop = new java.util.Properties();
prop.put(OracleConnection.PROXY_USER_NAME, "<username>");
((OracleConnection) conn).openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);

// This needs to happen when a connection is returned to the pool

((OracleConnection) conn).close(OracleConnection.PROXY_SESSION);

And that's pretty much it. The LoginModule for the security realm is pretty much a standard JDBC Realm (with a little code to calculate Oracle password hashes) that populates the GeronimoUserPrincipal() and GeronimoGroupPrincipal(). The "proxy" part is just a way to let Oracle know who the "real" user is for the audit trail and any user-bound security policies.

So....

every oracle connection will be created using a fixed user/pw combination you configure somewhere, and in addition the actual user's username will be used to set up the proxy session?

I looked into this a bit more and don't think there's a way to write an app-server-independent connector that can deal with this. I think what you can do is:

leave your login module setup alone
specify container-managed-security in your connector plan

modify the tranql oracle wrapper so that in the MCFs:

add a method to set up the oracle proxy session given the Subject (from which you extract the GeronimoUserPrincipal) and the physical connection

you override:

createManagedConnection, by copying the superclass code and calling the openProxySession method after getting the physical connection and creating your own ManagedConnection implementation (see below)

and

matchManagedConnections, by calling super and then calling the openProxySession method.

(the base methods are in AbstractLocalDataSourceMCF and AbstractXADataSourceMCF)

You also need to override the ManagedConnection implementations so that the cleanup() method can end the oracle proxy session.

Hope this is enough of a hint.... feel free to ask for more info.

Maybe we could add a tranql login module that sets up an oracle-specific principal to transfer the user name? Then we could include this work in tranql and it wouldn't really be tied to geronimo.

thanks
david jencks





Note from before: RARs ah. That's a new one for me. Learning curves are a bitch sometimes. And I'm still trying to catch up with learning maven (and the 6 million things it does). As you can probably tell, geronimo is a pretty new beast to me too.

No problem about the help, I've got to work through it anyway.


--
View this message in context: http://www.nabble.com/proxy-session-w--built-in-dbcp-%2B-openjpa-tp15404731s134p15442349.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.


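Pulling the three call sites named in the reply above (createManagedConnection, matchManagedConnections and the ManagedConnection's cleanup()) into a single helper, as an added example that is not code from this thread, from TranQL or from Geronimo. It assumes GeronimoUserPrincipal lives in org.apache.geronimo.security.realm.providers and that the MCF override already holds the physical java.sql.Connection returned by the Oracle driver; the class and method names are the example's own.

```java
// Added example, not code from the thread, TranQL or Geronimo.
// Assumed: GeronimoUserPrincipal is in org.apache.geronimo.security.realm.providers,
// and the caller (the overridden MCF / ManagedConnection) passes the Oracle
// driver's physical java.sql.Connection.
import java.sql.Connection;
import java.sql.SQLException;
import java.util.Properties;
import java.util.Set;

import javax.resource.ResourceException;
import javax.security.auth.Subject;

import oracle.jdbc.OracleConnection;
import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;

public final class OracleProxySessionHelper {

    private OracleProxySessionHelper() {
    }

    /**
     * Resolve the end user whose identity the proxy session must carry.
     * Fails closed: without a Subject or a GeronimoUserPrincipal the connection
     * would otherwise run, and be audited, as the pool's fixed user.
     */
    static String proxyUserName(Subject subject) throws ResourceException {
        if (subject == null) {
            throw new ResourceException("No Subject: refusing to hand out a connection without a proxy user");
        }
        Set<GeronimoUserPrincipal> users = subject.getPrincipals(GeronimoUserPrincipal.class);
        if (users.size() != 1) {
            throw new ResourceException("Expected exactly one GeronimoUserPrincipal, found " + users.size());
        }
        return users.iterator().next().getName();
    }

    /**
     * Call from createManagedConnection (once the physical connection exists)
     * and from matchManagedConnections (after super returns a match).
     */
    public static void openProxySession(Connection physical, Subject subject) throws ResourceException {
        OracleConnection oc = asOracle(physical);
        String user = proxyUserName(subject);
        try {
            // A pooled connection may still carry the previous caller's proxy
            // session if cleanup() never ran. Never stack a new identity on top
            // of an old one; end the stale session first.
            if (oc.isProxySession()) {
                oc.close(OracleConnection.PROXY_SESSION);
            }
            Properties prop = new Properties();
            prop.put(OracleConnection.PROXY_USER_NAME, user);
            oc.openProxySession(OracleConnection.PROXYTYPE_USER_NAME, prop);
        } catch (SQLException e) {
            throw new ResourceException("Could not open Oracle proxy session for " + user, e);
        }
    }

    /** Call from ManagedConnection.cleanup() when the connection goes back to the pool. */
    public static void closeProxySession(Connection physical) throws ResourceException {
        OracleConnection oc = asOracle(physical);
        try {
            if (oc.isProxySession()) {
                oc.close(OracleConnection.PROXY_SESSION);
            }
        } catch (SQLException e) {
            throw new ResourceException("Could not close Oracle proxy session", e);
        }
    }

    private static OracleConnection asOracle(Connection c) throws ResourceException {
        if (!(c instanceof OracleConnection)) {
            throw new ResourceException("Physical connection is not an OracleConnection: " + c.getClass().getName());
        }
        return (OracleConnection) c;
    }
}
```

Two design points follow from the thread's setup. Every pooled connection is authenticated as the same fixed user, so the proxy session is the only thing that ties a connection to the real caller; that is why openProxySession refuses to proceed without a principal instead of quietly falling back to the shared identity. And if closeProxySession throws inside cleanup(), the ManagedConnection should be destroyed rather than returned to the pool, so a connection still bound to one user is never handed to the next.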