Re: Any example on how to implement a programmatic login with geronimo security?

[David Jencks]

I thought that would not be possible since IIUC the security realm is defined in the war or ear plan itself so there is nothing to depend on.  You should put in this dependency if the realm is defined in its' own plan. thanks david jencks On Feb 22, 2011, at 1:18 AM, chi runhua wrote: And IIRC, you also need to add your realm as a dependency in the deployment plan of your application.  geronimo-application.xml ...          <dep:dependency>                 <dep:groupId>console.realm</dep:groupId>                 <dep:artifactId>my_security_realm</dep:artifactId>                 <dep:type>car</dep:type>             </dep:dependency> ... HTH. Jeff On Tue, Feb 22, 2011 at 1:59 AM, David Jencks <david_jen...@yahoo.com> wrote: Hi Andreas, I think (but haven't checked) that if you do this kind of programatic use of a named security realm you have to mark the realm <attribute name="global">true</attribute>.  IIRC the built in code does some more lookup to find the actual login Configuration object for a non-global realm and you probably don't want to mess with that unless you need several realms all with the same name for different apps. thanks david jencks On Feb 21, 2011, at 9:21 AM, Andreas Bohnert wrote: hello david, thanks for you quick response! the servlet 3.0 implementation seems to be a much nicer approach. but at the moment I stuck with geronimo 2.2. > LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler); > ContextManager.registerSubject(lc.getSubject()); > ContextManager.setCallers(lc.getSubject(), lc,getSubject()); that is what I wanted to know. thanks. unfortunately I get an exception when I try this. the exception says that there are no LoginModules configured for the given realm. I created the realm according to this document: https://cwiki.apache.org/GMOxDOC22/database-sql-realm.html I tested the realm, it's working. As far as I understand, if I create a realm with the geronimo adminstration console, the realm is fully configured and I can reference the realm in my war without further configuration: LoginContext lc  = org.apache.geronimo.security.ContextManager.login("my_security_realm", this); because this was not working ( ... no LoginModules configured for the given realm ...), I also tried to add deployment plan of this realm to my ear (geronimo-application.xml). but still I get the exception. so my deployment plan for my realm look like this: <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">     <environment>         <moduleId>             <groupId>console.realm</groupId>             <artifactId>my_security_realm</artifactId>             <version>1.0</version>             <type>car</type>         </moduleId>         <dependencies>             <dependency>                 <groupId>org.apache.geronimo.framework</groupId>                 <artifactId>j2ee-security</artifactId>                 <type>car</type>             </dependency>             <dependency>                 <groupId>console.dbpool</groupId>                 <artifactId>SecurityDatabasePool</artifactId>                 <version>1.0</version>                 <type>car</type>             </dependency>         </dependencies>     </environment>     <gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">         <attribute name="realmName">my_security_realm</attribute>         <attribute name="global">false</attribute>         <reference name="ServerInfo">             <name>ServerInfo</name>         </reference>         <xml-reference name="LoginModuleConfiguration">             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">                 <log:login-module control-flag="REQUIRED" wrap-principals="false">                     <log:login-domain-name>eusoda_security_realm</log:login-domain-name>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>                     <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>                     <log:option name="dataSourceApplication">null</log:option>                     <log:option name="userSelect">select username, password from users where username=?</log:option>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>                 </log:login-module>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>                     <log:option name="file">var/log/security_log.log</log:option>                 </log:login-module>             </log:login-config>         </xml-reference>     </gbean> </module> if I put this plan in my ear, the geronimo-application.xml look like this: <?xml version="1.0" encoding="UTF-8" standalone="no"?> <app:application xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" xmlns:client="http://geronimo.apache.org/xml/ns/j2ee/application-client-2.0" xmlns:conn="http://geronimo.apache.org/xml/ns/j2ee/connector-1.2" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:ejb="http://openejb.apache.org/xml/ns/openejb-jar-2.2" xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0" xmlns:name="http://geronimo.apache.org/xml/ns/naming-1.2" xmlns:pers="http://java.sun.com/xml/ns/persistence" xmlns:pkgen="http://openejb.apache.org/xml/ns/pkgen-2.1" xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0" xmlns:web="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1" application-name="test-geronimo">     <dep:environment>         <dep:moduleId>             <dep:groupId>test</dep:groupId>             <dep:artifactId>test-geronimo</dep:artifactId>             <dep:version>1.0</dep:version>             <dep:type>ear</dep:type>         </dep:moduleId>         <dep:dependencies>             <dep:dependency>                 <dep:groupId>org.apache.geronimo.framework</dep:groupId>                 <dep:artifactId>j2ee-security</dep:artifactId>                 <dep:type>car</dep:type>             </dep:dependency>             <dep:dependency>                 <dep:groupId>console.dbpool</dep:groupId>                 <dep:artifactId>SecurityDatabasePool</dep:artifactId>                 <dep:version>1.0</dep:version>                 <dep:type>car</dep:type>             </dep:dependency>      </dep:dependencies>     </dep:environment>     <dep:gbean name="my_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">         <dep:attribute name="realmName">my_security_realm</dep:attribute>         <dep:attribute name="global">false</dep:attribute>         <dep:reference name="ServerInfo">             <dep:name>ServerInfo</dep:name>         </dep:reference>         <dep:xml-reference name="LoginModuleConfiguration">             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">                 <log:login-module control-flag="REQUIRED" wrap-principals="false">                     <log:login-domain-name>my_security_realm</log:login-domain-name>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>                     <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>                     <log:option name="dataSourceApplication">null</log:option>                     <log:option name="userSelect">select username, password from users where username=?</log:option>                     <log:option name="dataSourceName">SecurityDatabasePool</log:option>                 </log:login-module>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">                     <log:login-domain-name>eusoda_security_realm-Audit</log:login-domain-name>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>                     <log:option name="file">var/log/eusoda_security_log.log</log:option>                 </log:login-module>             </log:login-config>         </dep:xml-reference>     </dep:gbean>     </app:application> for my war I added this to geronimo-web.xml :     <web:security-realm-name>my_security_realm</web:security-realm-name>      <sec:security>         <sec:role-mappings>             <sec:role role-name="admin">                 <sec:principal name="administrators"  class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />                 <sec:principal name="root" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />             </sec:role>         </sec:role-mappings>     </sec:security> What am I'm doing wrong? regards, Andreas David Jencks 21. Februar 2011 08:10 It's not entirely clear what you want to do. The documentation you point to is still fairly accurate but not really relevant IIUC. In servlet 3.0 (implemented in geronimo 3.0, not yet released but this part is working), there are new methods on HttpServletRequest where you can either force a login (e.g. form or basic) that has been otherwise configured for the web app or login using username and password you have collected yourself somehow. After this login all container managed security will work just as if the user had tried to access a protected resource and been logged in automatically. Before servlet 3.0 you can always get some credentials and login but the resulting subject won't automatically be known to the container and container managed security won't work at all unless you do something to register the result. I think I've given some advice on how to do this on the user list in the past. IIRC you want to do something like LoginContext lc = org.apache.geronimo.security.ContextManager.login(realm, callbackHandler); ContextManager.registerSubject(lc.getSubject()); ContextManager.setCallers(lc.getSubject(), lc,getSubject()); //do work ContextManager.clearCallers(); ContextManager.unregisterSubject(lc.getSubject()); lc.logout(); hope this helps david jencks . Andreas Bohnert 21. Februar 2011 07:26 dear list, there is an example (time report) on how to configure a form based login (j_security_check) but how am I'm doing a programmatic login with geronimo? I can not find any references on how to do this with geronimo 2.x I found this, but I wonder if it is still up to date: http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html If the above documentation is obsolet: Do I need to write a login-config.xm and how does it look like? Are there any callbackhandler implementations that I can pass to a LoginContext? Any help is very much appreciated. Andreas Andreas Bohnert 21. Februar 2011 00:28 dear list, there is an example (time report) on how to configure a form based login (j_security_check) but how am I'm doing a programmatic login with geronimo? I can not find any references on how to do this with geronimo 2.x I found this: http://docs.huihoo.com/apache/geronimo/1.0/geronimo-and-jaas.html Is this still up to date? If the documentation is obsolet: Do I need to write a login-config.xm and how does it look like? Are there any callbackhandler implementations that I can pass to a LoginContext? Any help is very much appreciated. Andreas