...
The properties files should be based on the client certificate intended to be used for client authentication. For example, a Certificate Properties File Realm named CertificatePropsRealm, with user and group properties files based on the My_Private_key certificate created in the #Create keystore and certificate section, is as follows:
user_sample.properties:

client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
- The value (password) for client1 is based on the information in the My_Private_key certificate.
group_sample.properties:

admin=client1,client2
The deployment plan of the Certificate Properties File Realm CertificatePropsRealm is as follows:
Excerpt from the deployment plan of CertificatePropsRealm:

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <environment>
    <moduleId>
      <groupId>console.realm</groupId>
      <artifactId>cert-prop-file-realm</artifactId>
      <version>1.0</version>
      <type>car</type>
    </moduleId>
    <dependencies>
      <dependency>
        <groupId>org.apache.geronimo.framework</groupId>
        <artifactId>j2ee-security</artifactId>
        <type>car</type>
      </dependency>
    </dependencies>
  </environment>
  <gbean name="cert-prop-file-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType"
         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <attribute name="realmName">CertificatePropsRealm</attribute>
    <reference name="ServerInfo">
      <name>ServerInfo</name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
        <log:login-module control-flag="REQUIRED" wrap-principals="false">
          <log:login-domain-name>CertificatePropsRealm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/user_sample.properties</log:option>
          <log:option name="groupsURI">var/security/group_sample.properties</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</module>
...
Configure the deployment descriptor and deployment plan of your web application to use the Certificate Properties File Realm for client authentication. The deployment descriptor is configured as follows:
Excerpt from web.xml:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Not Required for CLIENT-CERT</realm-name>
</login-config>
...
Web applications which use the CertificatePropsRealm security realm, for example, must configure their deployment plans as follows:
Excerpt from geronimo-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
         xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <sys:environment>
    <sys:moduleId>
      <sys:groupId>org.apache.geronimo</sys:groupId>
      <sys:artifactId>sampleapplication</sys:artifactId>
      <sys:version>1.0</sys:version>
      <sys:type>car</sys:type>
    </sys:moduleId>
    <sys:dependencies>
      <sys:dependency>
        <sys:groupId>console.realm</sys:groupId>
        <sys:artifactId>cert-prop-file-realm</sys:artifactId>
        <sys:version>1.0</sys:version>
        <sys:type>car</sys:type>
      </sys:dependency>
    </sys:dependencies>
  </sys:environment>
  <context-root>/cert-realm-sample</context-root>
  <security-realm-name>CertificatePropsRealm</security-realm-name>
  <security>
    <default-principal realm-name="CertificatePropsRealm">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
      <!-- name should match the entries from cert-users.properties of the realm -->
    </default-principal>
    <role-mappings>
      <role role-name="content-administrator">
        <realm realm-name="CertificatePropsRealm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
          <!-- name should match the entries from cert-groups.properties of the realm -->
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client2"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>
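The three files above only work together when the names line up: the certificate's subject DN must equal a value in the users file, and every principal named in the role mappings must exist in the users or groups file. The following script, added here as an illustration and not part of Geronimo or this page, checks both on constructed copies of the page's files; it assumes the realm compares the subject DN as an exact, case-sensitive string, and the "auditor" principal is a made-up entry added to show a mapping with no backing user.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the page's user/group properties files.
USERS_PROPS = """client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
"""
GROUPS_PROPS = "admin=client1,client2\n"

# Constructed, trimmed excerpt of the page's geronimo-web.xml role mappings;
# "auditor" is a made-up principal with no entry in either properties file.
PLAN_XML = """<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1">
 <role-mappings>
  <role role-name="content-administrator">
   <realm realm-name="CertificatePropsRealm">
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin"/>
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="auditor"/>
   </realm>
  </role>
 </role-mappings>
</web-app>"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace from an element tag

def parse_props(text):
    """Split each line on the first '=' only, so the '=' signs inside a DN survive."""
    pairs = (l.partition("=") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def user_for_dn(users, subject_dn):
    """Exact, case-sensitive match of the certificate subject DN (assumed); RDN order matters."""
    return next((u for u, dn in users.items() if dn == subject_dn), None)

def principals(plan_xml):
    """Yield (role-name, is_group, principal-name) for every principal in the role mappings."""
    for role in ET.fromstring(plan_xml).iter():
        if local(role.tag) == "role":
            for p in role.iter():
                if local(p.tag) == "principal":
                    yield role.get("role-name"), p.get("class").endswith("GroupPrincipal"), p.get("name")

def unmapped_principals(users, groups, plan_xml):
    """Principal names in the plan that have no entry in the users or groups file."""
    return sorted({n for _, g, n in principals(plan_xml) if n not in (groups if g else users)})

def roles_for_user(user, groups, plan_xml):
    """Roles granted to the user directly or through one of the groups it belongs to."""
    my_groups = {g for g, m in groups.items() if user in m.split(",")}
    return {r for r, g, n in principals(plan_xml) if (g and n in my_groups) or (not g and n == user)}
```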
...