THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
When you export the initial configuration you get an ldif file with a content similar as the one shown in the following example.
| No Format | ||||||
|---|---|---|---|---|---|---|
| ||||||
dn: ou=system ou: system objectClass: organizationalUnit objectClass: top dn: uid=admin, ou=system displayName: Directory Superuser uid: admin userPassword:: c2VjcmV0 objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top sn: administrator cn: system administrator dn: ou=users, ou=system ou: users objectClass: organizationalUnit objectClass: top dn: ou=groups, ou=system ou: groups objectClass: organizationalUnit objectClass: top dn: ou=configuration, ou=system ou: configuration objectClass: organizationalUnit objectClass: top dn: ou=partitions, ou=configuration, ou=system ou: partitions objectClass: organizationalUnit objectClass: top dn: ou=services, ou=configuration, ou=system ou: services objectClass: organizationalUnit objectClass: top dn: ou=interceptors, ou=configuration, ou=system ou: interceptors objectClass: organizationalUnit objectClass: top dn: prefNodeName=sysPrefRoot, ou=system objectClass: extensibleObject prefNodeName: sysPrefRoot |
...
The following example shows the content of the ldap-sample.ldif file.
| No Format | borderStyle | solid|||
|---|---|---|---|---|
| ||||
# User: system dn: uid=system,ou=users,ou=system cn: John Doe sn: Doe givenname: John objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson ou: Human Resources ou: People l: Las Vegas uid: system mail: system@apachecon.comm telephonenumber: +1 408 555 5555 facsimiletelephonenumber: +1 408 555 5556 roomnumber: 4613 userPassword: manager # User: user1 dn: uid=user1,ou=users,ou=system cn: User sn: One givenname: User1 objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson ou: Human Resources ou: People l: Las Vegas uid: user1 mail: user1@apachecon.comm telephonenumber: +1 408 555 5555 facsimiletelephonenumber: +1 408 555 5556 roomnumber: 4613 userPassword: p1 # User: user2 dn: uid=user2,ou=users,ou=system cn: User sn: Two givenname: User2 objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson ou: Human Resources ou: People l: Las Vegas uid: user2 mail: user2@apachecon.comm telephonenumber: +1 408 555 5555 facsimiletelephonenumber: +1 408 555 5556 roomnumber: 4613 userPassword: p2 # Group: admin dn: cn=admin,ou=groups,ou=system objectClass: groupOfUniqueNames uniqueMember: uid=system,ou=users,ou=system uniqueMember: uid=user2,ou=users,ou=system cn: admin # Group: guest dn: cn=guest,ou=groups,ou=system objectClass: groupOfUniqueNames uniqueMember: uid=user1,ou=users,ou=system cn: guest |
...
The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
<environment>
<moduleId>
<groupId>console.realm</groupId>
<artifactId>LDAP_Sample_Realm</artifactId>
<version>1.0</version>
<type>car</type>
</moduleId>
</environment>
<gbean name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<attribute name="realmName">LDAP_Sample_Realm</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
<log:login-module control-flag="REQUIRED" wrap-principals="false">
<log:login-domain-name>LDAP_Sample_Realm</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
<log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
<log:option name="connectionURL">ldap://localhost:10389</log:option>
<log:option name="connectionUsername">uid=admin,ou=system</log:option>
<log:option name="connectionPassword">secret</log:option>
<log:option name="authentication">simple</log:option>
<log:option name="userBase">ou=users,ou=system</log:option>
<log:option name="userSearchMatching">uid={0}</log:option>
<log:option name="userSearchSubtree">false</log:option>
<log:option name="roleBase">ou=groups,ou=system</log:option>
<log:option name="roleName">cn</log:option>
<log:option name="roleSearchMatching">(uniqueMember={0})</log:option>
<log:option name="roleSearchSubtree">false</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL" wrap-principals="false">
<log:login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
<log:option name="file">var/log/login-attempts.log</log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</gbean>
</module>
|
...
There is a common deployment plan that is used for the sample. The unprocessed version of this plan is at ldap-sample-app/ldap-sample-app-jetty/src/main/plan/plan.xml. The processed version shown here with plugin name and all dependencies filled in can be found at ldap-sample-app/ldap-sample-app-jetty/target/resources/META-INF/plan.xml after building the project.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
<dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
<dep:moduleId>
<dep:groupId>org.apache.geronimo.samples</dep:groupId>
<dep:artifactId>ldap-sample-app-jetty</dep:artifactId>
<dep:version>2.1.2</dep:version>
<dep:type>car</dep:type>
</dep:moduleId>
<dep:dependencies>
<dep:dependency>
<dep:groupId>org.apache.geronimo.samples</dep:groupId>
<dep:artifactId>ldap-sample-app-realm</dep:artifactId>
<dep:version>2.1.2</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
<dep:dependency>
<dep:groupId>org.apache.geronimo.configs</dep:groupId>
<dep:artifactId>jasper</dep:artifactId>
<dep:version>2.1.2</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
<dep:dependency>
<dep:groupId>org.apache.geronimo.configs</dep:groupId>
<dep:artifactId>jetty6</dep:artifactId>
<dep:version>2.1.2</dep:version>
<dep:type>car</dep:type>
</dep:dependency>
</dep:dependencies>
<dep:hidden-classes/>
<dep:non-overridable-classes/>
</dep:environment>
<context-root>/LDAP_Sample</context-root>
<security-realm-name>LDAP_Sample_Realm</security-realm-name>
<security>
<default-principal realm-name="LDAP_Sample_Realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
</default-principal>
<role-mappings>
<role role-name="content-administrator">
<realm realm-name="LDAP_Sample_Realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
</realm>
</role>
<role role-name="guest">
<realm realm-name="LDAP_Sample_Realm">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
</realm>
</role>
</role-mappings>
</security>
</web-app>
|
...
The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF diretory) adds security constraints based on the location of the files.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">
<welcome-file-list>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin Role</web-resource-name>
<url-pattern>/protect/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>content-administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>No Access</web-resource-name>
<url-pattern>/forbidden/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>ldap-realm-1</realm-name>
<form-login-config>
<form-login-page>/auth/logon.html?param=test</form-login-page>
<form-error-page>/auth/logonError.html?param=test</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>content-administrator</role-name>
</security-role>
</web-app>
|
...