...

When you edit an existing realm (in this case geronimo-properties-realm) you will be presented with the following screen. Note that you cannot change the realm name or the login domain name.

The following example illustrates the deployment plan generated by this portlet.

geronimo-properties-realm:

<configuration configId="SecurityRealm-geronimo-properties-realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <gbean name="geronimo-properties-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">geronimo-properties-realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>geronimo-properties-realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                    <log:option name="usersURI">var/security/users.properties</log:option>
                    <log:option name="groupsURI">var/security/groups.properties</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>

As mentioned before, this plan is for the default, properties-file-based security realm. When you create a new realm you will have to choose from the following available realm types:

  • Certificate Properties File Realm
  • Database (SQL) Realm
  • LDAP Realm
  • Properties File Realm
  • Other

The last option lets you define a custom realm type when none of the above fits your environment's needs.

Apache Geronimo ships with a properties file realm already configured; this is the default realm used for authentication. Geronimo also comes with a set of sample applications, one of which provides an additional security realm backed by LDAP. For this example we will focus on a different type: we will use a database for verifying and retrieving user names and passwords.

For this example we created a new database called SecurityDatabase using the built-in Derby database. The following steps summarize the procedure for creating the database and tables, loading some sample data and creating the connection pool. Detailed instructions on defining database connection pools are given in the #Configuring database pools section.

Create database

  • In the Console Navigation menu on the left click on Database Manager.
  • Enter SecurityDatabase in the Create DB: field and click Create.
  • Select the SecurityDatabase database from the Use DB: pull-down menu, enter the following SQL commands and click Run SQL.
    CREATE TABLE USERS
    (username VARCHAR(15),
    password VARCHAR(15));
    CREATE TABLE GROUPS
    (username VARCHAR(15),
    groupname VARCHAR(15));
  • With SecurityDatabase still selected in the Use DB: pull-down menu, enter the following SQL commands and click Run SQL.
    INSERT INTO USERS VALUES('USERONE','P1');
    INSERT INTO USERS VALUES('USERTWO','P2');
    INSERT INTO USERS VALUES('USERTHREE','P3');
    INSERT INTO GROUPS VALUES('USERONE','admin');
    INSERT INTO GROUPS VALUES('USERTWO','admin');
    INSERT INTO GROUPS VALUES('USERTHREE','user');

Create connection pool

  • In the Console Navigation menu on the left click on Database Pools.
  • Click on Using the Geronimo database pool wizard.
  • Enter SecurityDatabase as the database pool name. Select Derby embedded from the database pool type pull-down menu and click Next.
  • Verify the JDBC driver class is org.apache.derby.jdbc.EmbeddedDriver.
  • From the Driver Jar pull-down menu select org.apache.derby/derby/10.1.1.0/jar.
  • Enter UserOne and p1 as the connection user name and password.
  • Enter SecurityDatabase as the database name and click Next.
  • Click Test Connection.
  • Click Deploy.

Add a new security realm

To create a new security realm click on Add new security realm from the Security Realms portlet.


Enter new-geronimo-realm in the Name of Security Realm: field, select Database (SQL) Realm from the Realm type: pull-down menu and click Next.

On the next screen the portlet asks for the database pool to use (the SecurityDatabase pool created earlier, which becomes the dataSourceName option in the plan), the SQL used to look up users and groups (the userSelect and groupSelect options), and a description of the realm. The values used for this example are:

  • User query: select username, password from users where username=?
  • Group query: select username, groupname from groups where username=?
  • Description: Security realm for using with database authentication.

The deployment plan generated by the portlet for this realm is shown below.

<configuration configId="SecurityRealm-new-geronimo-realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <import>
        <uri>user/database-pool-SecurityDatabase/1/car</uri>
    </import>
    <gbean name="new-geronimo-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">new-geronimo-realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>new-geronimo-realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
                    <log:option name="userSelect">select username, password from users where username=?</log:option>
                    <log:option name="dataSourceApplication">null</log:option>
                    <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>
                    <log:option name="dataSourceName">SecurityDatabase</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>
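As an added example (not code from this page or from the Geronimo project), the following Python script reads the SQLLoginModule options out of a trimmed copy of the plan above, applies the checks a reviewer would want before deploying it (both queries present, each with a single ? placeholder for the user name, and a data source named), and then replays the login-module logic against an in-memory SQLite stand-in for the Derby SecurityDatabase loaded with the USERS and GROUPS rows from the Create database step. The function names, the SQLite substitution and the trimmed plan are assumptions of this example; the password comparison is a plain string equality because the sample table stores passwords in clear text, as the INSERT statements above show.

```python
# Added example: how Geronimo's SQLLoginModule uses the userSelect/groupSelect
# options from the deployment plan. This is not Geronimo code; an in-memory
# SQLite database stands in for the Derby SecurityDatabase, with the same
# USERS and GROUPS tables and sample rows as the page.
import sqlite3
import xml.etree.ElementTree as ET

DEPLOYMENT_NS = "http://geronimo.apache.org/xml/ns/deployment-1.0"
LOGINCONFIG_NS = "http://geronimo.apache.org/xml/ns/loginconfig-1.0"

# Trimmed copy of the new-geronimo-realm plan (constructed for this example;
# only the login-module element is needed here).
PLAN_XML = f"""<configuration configId="SecurityRealm-new-geronimo-realm" xmlns="{DEPLOYMENT_NS}">
  <gbean name="new-geronimo-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="{LOGINCONFIG_NS}">
        <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
          <log:login-domain-name>new-geronimo-realm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
          <log:option name="userSelect">select username, password from users where username=?</log:option>
          <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>
          <log:option name="dataSourceName">SecurityDatabase</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>"""


def load_login_module_options(plan_xml):
    """Return (login_module_class, {option name: value}) from a realm plan."""
    root = ET.fromstring(plan_xml)
    module = root.find(f".//{{{LOGINCONFIG_NS}}}login-module")
    if module is None:
        raise ValueError("plan has no login-module element")
    cls = module.findtext(f"{{{LOGINCONFIG_NS}}}login-module-class")
    options = {o.get("name"): (o.text or "").strip()
               for o in module.findall(f"{{{LOGINCONFIG_NS}}}option")}
    return cls, options


def check_sql_options(options):
    """Sanity checks to apply to an SQL realm plan before deploying it."""
    problems = []
    for key in ("userSelect", "groupSelect", "dataSourceName"):
        if not options.get(key):
            problems.append(f"missing option {key}")
    for key in ("userSelect", "groupSelect"):
        sql = options.get(key, "")
        # The module binds the user name as a JDBC parameter; a query with no
        # placeholder would match every row or force string building instead.
        if sql and sql.count("?") != 1:
            problems.append(f"{key} must contain exactly one ? placeholder")
    return problems


def build_security_database():
    """In-memory stand-in for SecurityDatabase with the page's sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE USERS (username VARCHAR(15), password VARCHAR(15));
        CREATE TABLE GROUPS (username VARCHAR(15), groupname VARCHAR(15));
        INSERT INTO USERS VALUES('USERONE','P1');
        INSERT INTO USERS VALUES('USERTWO','P2');
        INSERT INTO USERS VALUES('USERTHREE','P3');
        INSERT INTO GROUPS VALUES('USERONE','admin');
        INSERT INTO GROUPS VALUES('USERTWO','admin');
        INSERT INTO GROUPS VALUES('USERTHREE','user');
    """)
    return db


def authenticate(db, options, username, password):
    """Mimic SQLLoginModule: look the user up with userSelect, compare the
    stored password, then collect group names with groupSelect.
    Returns the sorted list of group names, or None when login fails."""
    row = db.execute(options["userSelect"], (username,)).fetchone()
    if row is None or row[1] != password:
        return None
    groups = db.execute(options["groupSelect"], (username,)).fetchall()
    return sorted(g[1] for g in groups)


if __name__ == "__main__":
    cls, opts = load_login_module_options(PLAN_XML)
    print(cls, check_sql_options(opts))
    db = build_security_database()
    print(authenticate(db, opts, "USERONE", "P1"))      # ['admin']
    print(authenticate(db, opts, "USERONE", "wrong"))   # None
```

The user name is always passed as a bound parameter, exactly as the `?` in the plan's queries implies, so a login name containing quote characters is looked up literally rather than altering the query.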


Administering certificates

...