And IIRC, you also need to add your realm as a dependency in the deployment plan of your application.
geronimo-application.xml
...
<dep:dependency>
<dep:groupId>console.realm</dep:groupId>
<dep:artifactId>my_security_realm</dep:artifactId>
<dep:type>car</dep:type>
</dep:dependency>
...
HTH.
Jeff
On Tue, Feb 22, 2011 at 1:59 AM, David Jencks <david_jen...@yahoo.com>wrote:
> Hi Andreas,
>
> I think (but haven't checked) that if you do this kind of programatic use
> of a named security realm you have to mark the realm <attribute
> name="global">true</attribute>. IIRC the built in code does some more
> lookup to find the actual login Configuration object for a non-global realm
> and you probably don't want to mess with that unless you need several realms
> all with the same name for different apps.
>
> thanks
> david jencks
>
> On Feb 21, 2011, at 9:21 AM, Andreas Bohnert wrote:
>
> hello david,
>
> thanks for you quick response!
> the servlet 3.0 implementation seems to be a much nicer approach. but at
> the moment I stuck with geronimo 2.2.
>
> > LoginContext lc =
> org.apache.geronimo.security.ContextManager.login(realm, callbackHandler);
> > ContextManager.registerSubject(lc.getSubject());
> > ContextManager.setCallers(lc.getSubject(), lc,getSubject());
>
> that is what I wanted to know. thanks.
> unfortunately I get an exception when I try this. the exception says that
> there are no LoginModules configured for the given realm.
>
> I created the realm according to this document:
> https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html
> I tested the realm, it's working.
>
> As far as I understand, if I create a realm with the geronimo adminstration
> console, the realm is fully configured and I can reference the realm in my
> war without further configuration:
>
> LoginContext lc =
> org.apache.geronimo.security.ContextManager.login("my_security_realm",
> this);
>
> because this was not working ( ... no LoginModules configured for the given
> realm ...), I also tried to add deployment plan of this realm to my ear
> (geronimo-application.xml). but still I get the exception.
>
> so my deployment plan for my realm look like this:
> <module
> xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2";<http://geronimo.apache.org/xml/ns/deployment-1.2>
> >
> <environment>
> <moduleId>
> <groupId>console.realm</groupId>
> <artifactId>my_security_realm</artifactId>
> <version>1.0</version>
> <type>car</type>
> </moduleId>
> <dependencies>
> <dependency>
> <groupId>org.apache.geronimo.framework</groupId>
> <artifactId>j2ee-security</artifactId>
> <type>car</type>
> </dependency>
> <dependency>
> <groupId>console.dbpool</groupId>
> <artifactId>SecurityDatabasePool</artifactId>
> <version>1.0</version>
> <type>car</type>
> </dependency>
> </dependencies>
> </environment>
> <gbean name="my_security_realm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
> xsi:type="dep:gbeanType" xmlns:dep=
> "http://geronimo.apache.org/xml/ns/deployment-1.2";<http://geronimo.apache.org/xml/ns/deployment-1.2>xmlns:xsi=
> "http://www.w3.org/2001/XMLSchema-instance";<http://www.w3.org/2001/XMLSchema-instance>
> >
> <attribute name="realmName">my_security_realm</attribute>
> <attribute name="global">false</attribute>
> <reference name="ServerInfo">
> <name>ServerInfo</name>
> </reference>
> <xml-reference name="LoginModuleConfiguration">
> <log:login-config xmlns:log=
> "http://geronimo.apache.org/xml/ns/loginconfig-2.0";<http://geronimo.apache.org/xml/ns/loginconfig-2.0>
> >
> <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>
> <log:login-domain-name>eusoda_security_realm</log:login-domain-name>
>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
> <log:option name="groupSelect">select username,
> groupname from groups where username=?</log:option>
> <log:option
> name="dataSourceApplication">null</log:option>
> <log:option name="userSelect">select username, password
> from users where username=?</log:option>
> <log:option
> name="dataSourceName">SecurityDatabasePool</log:option>
> </log:login-module>
> <log:login-module control-flag="OPTIONAL"
> wrap-principals="false">
>
> <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
> <log:option
> name="file">var/log/security_log.log</log:option>
> </log:login-module>
> </log:login-config>
> </xml-reference>
> </gbean>
> </module>
>
> if I put this plan in my ear, the geronimo-application.xml look like this:
>
> <?xml version="1.0" encoding="UTF-8" standalone="no"?>
> <app:application xmlns:app=
> "http://geronimo.apache.org/xml/ns/j2ee/application-2.0";<http://geronimo.apache.org/xml/ns/j2ee/application-2.0>xmlns:client=
> "http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0";<http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0>xmlns:conn=
> "http://geronimo.apache.org/xml/ns/j2ee/connector-1.2";<http://geronimo.apache.org/xml/ns/j2ee/connector-1.2>xmlns:dep=
> "http://geronimo.apache.org/xml/ns/deployment-1.2";<http://geronimo.apache.org/xml/ns/deployment-1.2>xmlns:ejb=
> "http://openejb.apache.org/xml/ns/openejb-jar-2.2";<http://openejb.apache.org/xml/ns/openejb-jar-2.2>xmlns:log=
> "http://geronimo.apache.org/xml/ns/loginconfig-2.0";<http://geronimo.apache.org/xml/ns/loginconfig-2.0>xmlns:name=
> "http://geronimo.apache.org/xml/ns/naming-1.2";<http://geronimo.apache.org/xml/ns/naming-1.2>xmlns:pers=
> "http://java.sun.com/xml/ns/persistence";<http://java.sun.com/xml/ns/persistence>xmlns:pkgen=
> "http://openejb.apache.org/xml/ns/pkgen-2.1";<http://openejb.apache.org/xml/ns/pkgen-2.1>xmlns:sec=
> "http://geronimo.apache.org/xml/ns/security-2.0";<http://geronimo.apache.org/xml/ns/security-2.0>xmlns:web=
> "http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1";<http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1>application-name="test-geronimo">
> <dep:environment>
> <dep:moduleId>
> <dep:groupId>test</dep:groupId>
> <dep:artifactId>test-geronimo</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>ear</dep:type>
> </dep:moduleId>
> <dep:dependencies>
> <dep:dependency>
> <dep:groupId>org.apache.geronimo.framework</dep:groupId>
> <dep:artifactId>j2ee-security</dep:artifactId>
> <dep:type>car</dep:type>
> </dep:dependency>
> <dep:dependency>
> <dep:groupId>console.dbpool</dep:groupId>
> <dep:artifactId>SecurityDatabasePool</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>car</dep:type>
> </dep:dependency>
> </dep:dependencies>
> </dep:environment>
> <dep:gbean name="my_security_realm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
> xsi:type="dep:gbeanType" xmlns:dep=
> "http://geronimo.apache.org/xml/ns/deployment-1.2";<http://geronimo.apache.org/xml/ns/deployment-1.2>xmlns:xsi=
> "http://www.w3.org/2001/XMLSchema-instance";<http://www.w3.org/2001/XMLSchema-instance>
> >
> <dep:attribute name="realmName">my_security_realm</dep:attribute>
> <dep:attribute name="global">false</dep:attribute>
> <dep:reference name="ServerInfo">
> <dep:name>ServerInfo</dep:name>
> </dep:reference>
> <dep:xml-reference name="LoginModuleConfiguration">
> <log:login-config xmlns:log=
> "http://geronimo.apache.org/xml/ns/loginconfig-2.0";<http://geronimo.apache.org/xml/ns/loginconfig-2.0>
> >
> <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
>
> <log:login-domain-name>my_security_realm</log:login-domain-name>
>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
> <log:option name="groupSelect">select username,
> groupname from groups where username=?</log:option>
> <log:option
> name="dataSourceApplication">null</log:option>
> <log:option name="userSelect">select username, password
> from users where username=?</log:option>
> <log:option
> name="dataSourceName">SecurityDatabasePool</log:option>
> </log:login-module>
> <log:login-module control-flag="OPTIONAL"
> wrap-principals="false">
>
> <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>
>
> <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
> <log:option
> name="file">var/log/eusoda_security_log.log</log:option>
> </log:login-module>
> </log:login-config>
> </dep:xml-reference>
> </dep:gbean>
>
> </app:application>
>
> for my war I added this to geronimo-web.xml :
>
> <web:security-realm-name>my_security_realm</web:security-realm-name>
> <sec:security>
> <sec:role-mappings>
> <sec:role role-name="admin">
> <sec:principal name="administrators"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
> <sec:principal name="root"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> />
> </sec:role>
> </sec:role-mappings>
> </sec:security>
>
> What am I'm doing wrong?
>
> regards,
> Andreas
>
>
> David Jencks <david_jen...@yahoo.com>
> 21. Februar 2011 08:10
>
> It's not entirely clear what you want to do.
>
> The documentation you point to is still fairly accurate but not really
> relevant IIUC.
>
> In servlet 3.0 (implemented in geronimo 3.0, not yet released but this part
> is working), there are new methods on HttpServletRequest where you can
> either force a login (e.g. form or basic) that has been otherwise configured
> for the web app or login using username and password you have collected
> yourself somehow. After this login all container managed security will work
> just as if the user had tried to access a protected resource and been logged
> in automatically.
>
> Before servlet 3.0 you can always get some credentials and login but the
> resulting subject won't automatically be known to the container and
> container managed security won't work at all unless you do something to
> register the result.
>
> I think I've given some advice on how to do this on the user list in the
> past. IIRC you want to do something like
>
> LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm,
> callbackHandler);
> ContextManager.registerSubject(lc.getSubject());
> ContextManager.setCallers(lc.getSubject(), lc,getSubject());
> //do work
>
> ContextManager.clearCallers();
> ContextManager.unregisterSubject(lc.getSubject());
> lc.logout();
>
> hope this helps
> david jencks
>
> .
> ------------------------------
>
> Andreas Bohnert <a...@weberhofer.at>
> 21. Februar 2011 07:26
>
> dear list,
>
> there is an example (time report) on how to configure a form based login
> (j_security_check) but how am I'm doing a programmatic login with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this, but I wonder if it is still up to date:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
>
> If the above documentation is obsolet:
> Do I need to write a login-config.xm and how does it look like?
> Are there any callbackhandler implementations that I can pass to a
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------
>
> Andreas Bohnert <a...@online.de>
> 21. Februar 2011 00:28
>
> dear list,
>
> there is an example (time report) on how to configure a form based login
> (j_security_check) but how am I'm doing a programmatic login with geronimo?
> I can not find any references on how to do this with geronimo 2.x
>
> I found this:
> http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html
> Is this still up to date?
>
> If the documentation is obsolet:
> Do I need to write a login-config.xm and how does it look like?
> Are there any callbackhandler implementations that I can pass to a
> LoginContext?
>
> Any help is very much appreciated.
>
> Andreas
>
> ------------------------------
>
>
>
>
>
<<compose-unknown-contact.jpg>>
