Versions Compared

Old Version 3

changes.mady.by.user Hernan Cunico

Saved on

compared with

New Version 4

changes.mady.by.user Hernan Cunico

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The following example shows the content of the ldap-sample.ldif file.

No Format
borderStylesolid
titleldap-sample.ldif
# User: system

dn: uid=system,ou=users,ou=system
cn: John Doe
sn: Doe
givenname: John
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: system
mail: system@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: manager

# User: user1

dn: uid=user1,ou=users,ou=system
cn: User
sn: One
givenname: User1
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user1
mail: user1@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p1

# User: user2

dn: uid=user2,ou=users,ou=system
cn: User
sn: Two
givenname: User2
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
ou: Human Resources
ou: People
l: Las Vegas
uid: user2
mail: user2@apachecon.comm
telephonenumber: +1 408 555 5555
facsimiletelephonenumber: +1 408 555 5556
roomnumber: 4613
userPassword: p2

# Group: admin

dn: cn=admin,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=system,ou=users,ou=system
uniqueMember: uid=user2,ou=users,ou=system
cn: admin

# Group: guest

dn: cn=guest,ou=groups,ou=system
objectClass: groupOfUniqueNames
uniqueMember: uid=user1,ou=users,ou=system
cn: guest

...

For further details refer to the LDAP Realm section.

Deployment plans

The deployment plans are located in the <ldap_home>/WEB-INF directory. Clearly, geronimo-web.xml is the Geronimo specific deployment plan. It provides the details on what security realm to use and user role mappings as well as the Geronimo specific namespace used to identify the elements in the security configuration. Common to other types of applications, not just security, the deployment plan also provides the main namespace for the deployment plan, a module identification (optional), a parent module configuration ID (also optional) and a context root. The following example illustrates the Geronimo specific deployment plan.

Code Block
xml
xml
borderStylesolid
titlegeronimo-web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.1">
	<environment>
		<moduleId>
			<groupId>samples</groupId>
			<artifactId>ldap-realm-1-app</artifactId>
			<version>1.1</version>
		</moduleId>		
	</environment>
    <context-root>/ldap-demo-1</context-root>

    <security-realm-name>ldap-realm-1</security-realm-name>
    <security>
        <default-principal realm-name="ldap-realm-1">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </default-principal>
        <role-mappings>
            <role role-name="content-administrator">
                <realm realm-name="ldap-realm-1">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
                </realm>
            </role>
            <role role-name="guest">
                <realm realm-name="ldap-realm-1">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>

Note that these role mappings will be overridden by the actual roles (what users pertaining to what groups) defined in the LDAP server. Ultimately it is the realm defined in the application deployment plan who determines the velidation method. Nevertheless, for this particular example, you still need to define principals and role mappings as determined in the XML schemas.

Back to Top

The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF diretory) adds security constraints based on the location of the files.

Code Block
xml
xml
borderStylesolid
titleweb.xml

<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin Role</web-resource-name>
        <url-pattern>/protect/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>content-administrator</role-name>
      </auth-constraint>
    </security-constraint>
    
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>No Access</web-resource-name>
        <url-pattern>/forbidden/*</url-pattern>
      </web-resource-collection>
      <auth-constraint/>
    </security-constraint>

    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MYREALM</realm-name>
      <form-login-config>
         <form-login-page>/auth/logon.html?param=test</form-login-page>
         <form-error-page>/auth/logonError.html?param=test</form-error-page>
      </form-login-config>
    </login-config>

  <security-role>
      <role-name>content-administrator</role-name>
  </security-role>

</web-app>

Back to Top

Package the sample application

Now that all the elements have been identified, it is necessary to package the sample application in a Web application Archive (.war). Open a command line window, change directory to <ldap_home> and run the following command:

jar -cvf ldap-demo.war *

This command will package all the existing files and directories inside <ldap_home>. Although not needed inside the .war file, the ldap-realm.xml and ldap-sample.ldif files will also be included.

Back to Top

Deploy the application

To deploy the LDAP sample application make sure the Geronimo server is up and running. Open a command line window, change directory to <geronimo_home>/bin and run the following command:

java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-demo.war

Once the Web application is successfully deployed you should see a confirmation message similar as the one shown in the following example:

No Format
bgColor#000000
borderStylesolid

D:\geronimo-1.1.1-Tomcat\bin>java -jar deployer.jar --user system --password manager deploy \ldap-sample-app\ldap-demo.war
    Deployed samples/ldap-realm-1-app/1.1/war @
    http://hc2t60p:8080/ldap-demo-1

To test the LDAP application open a Web browser and access the following URL:

http://localhost:8080/ldap-demo