Re: Replacing the server-security-config plugin

Fri, 11 Sep 2009 15:49:48 -0700 


On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:


OK. So I found the reference. It's like so:
     <gbean name="PropertiesLoginManager"
class
=
"org
.apache.geronimo.console.core.security.PropertiesLoginModuleManager">
       <reference name="ServerInfo">
         <name>ServerInfo</name>
       </reference>
       <reference name="LoginModule">
         <name>properties-login</name>
       </reference>
     </gbean>

And it's in console-tomcat's plan.
1. How would I make it multivalued and wrap it in SingleElementCollection?
You need to find the java code for PropertiesLoginModuleManager. It should have a reference to a login module.... you need to turn the reference into a Collection<LoginModuleGBean>. Hopefully it's a constructor arg. Instead of dealing with the Collection itself you can immediately wrap it in a SingleElementCollection and use that instead. Then you'll have to look at the code in PropertiesLoginModuleManager and make sure it doesn't do anything unfortunate if there is no login module in the collection. 


2. How would I redeploy it?
you'll need to have checked out geronimo to get this far.... the simplest is to just build all of geronimo. If you've built at least once, you can just build the plugins/console and then assemblies. (I'm assuming that my recollection that this code is in plugins/ console is correct). 

hope this helps
david jencks




Q
On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jde...@21technologies.com> wrote:
I'm going to be busy for the rest of the day, but here's the deployment plan I use in my replacement server-security-config plugin: 

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2";>
 <environment>
   <moduleId>
     <groupId>com.mycode.geronimo</groupId>
     <artifactId>delegating-login-module</artifactId>
     <version>1.0</version>
     <type>car</type>
   </moduleId>
   <dependencies>
     <dependency>
       <groupId>org.apache.geronimo.framework</groupId>
       <artifactId>j2ee-security</artifactId>
       <version>2.1.4</version>
       <type>car</type>
     </dependency>
   </dependencies>
   <hidden-classes/>
   <non-overridable-classes/>
 </environment>
<gbean name="CredentialStore" class = "org .apache .geronimo.security.credentialstore.SimpleCredentialStoreImpl"/> 

 <!-- Default Security Realm Using Delegate Login Module -->
<gbean name="admin-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"> <attribute name = "loginModuleClass ">com.mycode.geronimo.authorization.login.DelegatingLoginModule</ attribute> 
   <attribute name="options">delegateRealm=delegate-realm
       groupName=delegate-admin</attribute>
   <attribute name="loginDomainName">geronimo-admin</attribute>
 </gbean>
<gbean name="geronimo-admin" class="org.apache.geronimo.security.realm.GenericSecurityRealm"> 
   <attribute name="realmName">geronimo-admin</attribute>
   <reference name="LoginModuleConfiguration">
     <name>admin-login</name>
   </reference>
   <reference name="ServerInfo">
     <name>ServerInfo</name>
   </reference>
 </gbean>
<gbean name="admin-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse"> 
   <attribute name="controlFlag">REQUIRED</attribute>
   <reference name="LoginModule">
     <name>admin-login</name>
   </reference>
 </gbean>

 <!--
<gbean name="properties-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"> <attribute name = "loginModuleClass "> org .apache .geronimo.security.realm.providers.PropertiesFileLoginModule</ attribute> 
   <attribute name="options">usersURI=var/security/users.properties
           groupsURI=var/security/groups.properties</attribute>
   <attribute name="loginDomainName">geronimo-admin</attribute>
 </gbean>
 -->
<gbean name="geronimo-default" class="org.apache.geronimo.security.keystore.FileKeystoreInstance"> 
   <attribute name="keystoreName">geronimo-default</attribute>
<attribute name="keystorePath">var/security/keystores/geronimo- default</attribute> 
   <attribute name="keystorePassword">secret</attribute>
   <attribute name="keystoreType">JKS</attribute>
   <attribute name="keyPasswords">geronimo=secret</attribute>
   <reference name="ServerInfo">
     <name>ServerInfo</name>
   </reference>
 </gbean>
</module>
You can see the configuration for my custom login module. The important piece for this problem is the "properties-login" gbean that I have commented out. Without this GBean, Geronimo is unable to startup due to the bug originally discussed in this thread (GERONIMO-4603). If you enable this GBean, then Geronimo can startup correctly (granted everything else is configured appropriately). Because of the hardwired issue discussed in issue 4603, I have to put the dummy "properties-login" gbean in place even though I'm not using a "properties-login" gbean in my configuration. 

Joe

===========================
I also tried creating a realm through the console, then exporting it
as a plugin, undeploying the original, deploying as a plugin and
restarting the server after doing the config.xml changes.

Doesn't work either. Complains about:
org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
SSL socket factory: Keystore 'geronimo-default' is locked; please use
the keystore page in the admin console to unlock it:  vmcid: Apache
minor code: 0x5  completed: No

Q
On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quin...@skywalk.co.za > wrote: 
No. This isn't working right. I don't know what I'm doing wrong.

I take the exported plugin. Extract it to directory "x".

Then I change only the groupId everywhere in the plugin frmo
"org.apache.geronimo.framework" to "test" and version from
"2.2-SNAPSHOT" to "2.2". Then I jar it again.

Then I start geronimo and deploy this with deploy.sh install-plugin.
Successfully installed: test/server-security-config/2.2/car
I stop the server, and then edit artifact_aliases.properties and change: org.apache.geronimo.framework/server-security-config// car=org.apache.geronimo.framework/server-security-config/2.2- SNAPSHOT/car 
test/server-security-config//car=test/server-security-config/2.2/car

TO
org.apache.geronimo.framework/server-security-config//car=test/ server-security-config/2.2/car org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/ car=test/server-security-config/2.2/car 
test/server-security-config//car=test/server-security-config/2.2/car

And config.xml from:
<module name="org.apache.geronimo.framework/server-security- config/2.2-SNAPSHOT/car"/> 
   <module name="test/server-security-config/2.2/car"/>

TO:
<module name="org.apache.geronimo.framework/server-security- config/2.2-SNAPSHOT/car" 
load="false"/>
   <module name="test/server-security-config/2.2/car"/>
Then I try and start the server, and all I get is this, ie. it starts 
and right after loading my plugin stops the server without an error.
2009-09-11 22:14:37,642 INFO  [Log4jService]
----------------------------------------------
2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory =
/opt/testkms/server/geronimo-2.2-20090908
2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
2009-09-11 22:14:37,645 INFO [Log4jService] JVM in use = Sun 
JVM 1.5.0_17
2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
Edition
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[java.runtime.version]  = 1.5.0_17-b04
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[os.name]               = Linux
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[os.version]            = 2.6.24-24-generic
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[sun.os.patch.level]    = unknown
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[os.arch]               = i386
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[java.class.version]    = 49.0
2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
[locale]                = en_ZA
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[unicode.encoding]      = UnicodeLittle
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[file.encoding]         = UTF-8
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.vm.name]          = Java HotSpot(TM) Client VM
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.vm.vendor]        = Sun Microsystems Inc.
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.vm.version]       = 1.5.0_17-b04
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.vm.info]          = mixed mode
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.classpath]        = null
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.library.path]     =
/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/ sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../ lib/i386 
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.endorsed.dirs]    =
/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/ java/sun-jdk1.5.0_17/jre/lib/endorsed 
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[java.ext.dirs]         =
/opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/ sun-jdk1.5.0_17/jre/lib/ext 
2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
[sun.boot.class.path]   =
/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec- corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/ endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/ lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/ java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun- jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/ kms/java/sun-jdk1.5.0_17/jre/classes 
2009-09-11 22:14:37,646 INFO  [Log4jService]
----------------------------------------------
2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=JavaCompContext 
at name java:comp
2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=JavaContext 
at name java:
2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=GeronimoContext 
at name ger:
2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
Property=javax.xml.soap.MetaFactory to
Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
Property=javax.xml.soap.MessageFactory to
Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
Property=java.net.preferIPv4Stack to Value=true
2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
Property=javax.xml.soap.SOAPConnectionFactory to
Value =org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory 
2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
Property=javax.xml.soap.SOAPFactory to
Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
Property=java.security.Provider to Value=SUN
2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=JavaContext 
at name java:
2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=GeronimoContext 
at name ger:
2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car? ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2- SNAPSHOT/car,j2eeType=Context,name=JavaCompContext 
at name java:comp
2009-09-11 22:14:40,265 INFO [Log4jService] Stopping Logging Service 
2009-09-11 22:14:40,265 INFO  [Log4jService]
----------------------------------------------

Q
On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quin...@skywalk.co.za > wrote: 
do i need to delete config.ser?

Q
On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jde...@21technologies.com > wrote:
That's how I got started. I have a project that includes a custom login module as well as a customized geronimo-plugin.xml that originally was an exported version of the server-security- config plugin. My plugin project creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF' folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml being my jar's deployment plan. You can also try and build a car using the maven car plugin, although I haven't played around with this yet. I found this wiki article to be helpful: http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins 

Joe

---------------------
Sorry, I've never created a plugin. To create a new
server-security-config plugin, do you mean I should copy
server-security-config using the console's plugin export and modify 
it?

Q
On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jde...@21technologies.com > wrote:
To reproduce it create your own server-security-config plugin that uses any login module other than the properties-login gbean that is expected. You then need to deploy your new server- security-config plugin and have it completely replace the default server-security-config (see http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration) . I achieved this by telling the server-security-config car to not load in the config.xml, telling my security plugin to load in the config.xml, and then adding artifact aliases for both the 2.1.4 and wildcard-versioned lines referring to the server- security-config plugin in the artifact_aliases.properties file. 

In artifact_alases.properties:
org.apache.geronimo.framework/server-security-config// car=com.my.geronimo/my-security-config/1.0/car org.apache.geronimo.framework/server-security-config/ 2.1.4/car=org com.my.geronimo/my-security-config/1.0/car 

In config.xml:
<module name="org.apache.geronimo.framework/server- security-config/2.1.4/car" load="false"/> <module name="com.my.geronimo/my-security-config/1.0/ car"/>
Now try and startup Geronimo. You will see the error discussing the missing expected gbean. 
Hope this helps,
Joe



-------------
Errr. Ouch. *rubbing the brused area in his brain*.
I'm not that on with everything you said. I think the best thing would 
be to reproduce it. What would I do to reproduce it?

Q
On Fri, Sep 11, 2009 at 6:42 PM, David Jencks <david_jen...@yahoo.com > wrote: 

On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:


I'll be willing to have a look at it.
can you give me a general idea what I'm supposed to look at and how it 
would be done?
IIRC the failure is caused by an unsatisfied single valued gbean reference to the properties login module gbean from something in the admin console. You need to find the gbean reference and change it to a collection valued reference so it's no longer a mandatory reference. You can wrap a collection valued reference with SingleElementCollection to make it act like 
an optional single valued reference.

hope this is clear enough to help..
david jencks



Q
On Fri, Sep 11, 2009 at 12:07 AM, David Jencks <david_jen...@yahoo.com > 
wrote:


Hi Joe!
On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:

Hi,
I've been working on replacing Geronimo 2.1.4's server- security-config plugin's example security with our own security plugin. We need single 
sign
on for our application which also means the same sign on process has to 
work
with the Geronimo admin console. We need to be able to use custom realms 
and
custom login modules in our server-security-config plugin replacement 
that
may change depending on the environment we deploy to. I've run into two limitations so far that I've found documented online. One is that unless 
I
want to re-deploy other plugins that use the 'geronimo- admin' security realm, than our custom security realm must be named 'geronimo-admin' as 
well. The other is that I ran
intohttp://issues.apache.org/jira/browse/GERONIMO-4603, forcing me to creating a dummy properties-login gbean in order for the tomcat 
components
to start up.
In my experience this is incredibly annoying. I don't have time but 
wonder
if anyone else can see about fixing this for 2.2.
I've created alias' for my plugin over the server-security- config plugin 
in
'artifact-aliases.properties' file and I've also disabled the
server-security-config plugin and added my plugin as a loaded module in 
the
'config.xml'. Unfortunately, I still cannot log into the Geronimo console using my custom security realm and login module. Geronimo has no problem starting with the current configuration and I can even login using my 
custom
login module. Everything seems happy as far as the login process is concerned when I step through the code, but instead of seeing the 
Geronimo
console I get a tomcat error page stating 'Access to the specified 
resource
() has been forbidden'. The logs are completely clean as well as the console output. My only idea is that my admin users also need to be 
members
of a specifically named Geronimo admin group (make my admin groups name exactly match the one setup in the default security plugin)? I have not tested this hypothesis out yet, because I have my own admin group that is used by our application that I would like to re-use as the Geronimo 
console's admin group. Any other thoughts?
In 2.1.x you are stuck with the principal-role mapping in the ee application, although in 2.2 you can put it into a different plugin if 
you
want and I think then swap it via an artifact-alias with one in a 
different
plugin.
So, that means that you need to supply the principals the principal-role 
mapping expects:
<security xmlns="http://geronimo.apache.org/xml/ns/security-1.2 "> 
       <role-mappings>
           <role role-name="admin">
               <principal
class = "org .apache .geronimo.security.realm.providers.GeronimoGroupPrincipal" 
name="admin" />
           </role>
       </role-mappings>
   </security>

So, your login module needs to supply a principal of
class GeronimoGroupPrincipal and name "admin".
Let us know if this doesn't work.
thanks
david jencks

Thanks,
Joe





--
Quintin Beukes







--
Quintin Beukes





--
Quintin Beukes





--
Quintin Beukes





--
Quintin Beukes





--
Quintin Beukes





--
Quintin Beukes

Reply via email to