...
This section covers some common security-related tasks such as adding and removing users and groups, dealing with digital certificates, and raising the security level by using different realms and authentication methods. Refer to the Security section for further details on how security is implemented in Apache Geronimo.
Administering users and groups
...
You can equally administer users and groups by editing these files directly:
users.properties
groups.properties
users.properties uses the <user_name>=<password> format; groups.properties uses the <group_name>=<user_name> format. See the following examples for additional details.
Example users.properties:
system=manager
user2=p2
user1=p1
...
Just as with users.properties, in groups.properties you can add and remove groups, and add users to or remove users from those groups.
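As an added illustration of the two file formats described above (this is not code from the Geronimo project), the following Python script reads constructed copies of users.properties and groups.properties, resolves which groups a user belongs to, and reports two things an administrator editing the files by hand usually wants to know: whether any group lists a user that no longer exists in users.properties, and whether a given user name and password match. The comma-separated member list in groups.properties and the sample user names are assumptions for the example; the page only shows the <group_name>=<user_name> form.

```python
import hmac
from typing import Dict, Set

# Constructed sample files mirroring the layout the page describes.
# users.properties: one "<user_name>=<password>" entry per line.
USERS_PROPERTIES = """\
# users.properties (constructed example)
system=manager
user2=p2
user1=p1
"""

# groups.properties: "<group_name>=<user_name>"; a comma-separated member
# list is an assumption of this example. "ghost" is deliberately not a user.
GROUPS_PROPERTIES = """\
# groups.properties (constructed example)
admin=system
users=user1,user2,ghost
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value per line, '#'/'!' comments and blank lines skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # line without '=' carries no usable entry
        entries[key.strip()] = value.strip()
    return entries


def parse_groups(text: str) -> Dict[str, Set[str]]:
    """Map each group name to the set of member user names."""
    return {
        group: {m.strip() for m in members.split(",") if m.strip()}
        for group, members in parse_properties(text).items()
    }


def groups_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """All groups that list the given user as a member."""
    return {g for g, members in groups.items() if user in members}


def dangling_members(users: Dict[str, str], groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Group members with no users.properties entry: stale accounts or typos to clean up."""
    known = set(users)
    return {g: members - known for g, members in groups.items() if members - known}


def authenticate(user: str, password: str, users: Dict[str, str]) -> bool:
    """Compare the supplied password with the stored one in constant time."""
    stored = users.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), password.encode())


if __name__ == "__main__":
    users = parse_properties(USERS_PROPERTIES)
    groups = parse_groups(GROUPS_PROPERTIES)
    for name in users:
        print(f"{name}: groups={sorted(groups_for(name, groups))}")
    print("dangling group members:", dangling_members(users, groups))
    print("system/manager ok:", authenticate("system", "manager", users))
```

Because users.properties holds the passwords as shown on the page, the dangling-member report is also a reminder to restrict read access to both files to the account that runs the server.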
...
The files mentioned in this section, together with the rest of the security configuration beyond user names and passwords, are defined in the geronimo-properties-realm security realm covered in the following section.
Administering security realms
Before we move on, it is recommended that you become familiar with the Geronimo security architecture and concepts. Visit the Security section for details on how security is implemented in Geronimo. The two main concepts on which the Apache Geronimo security architecture is built are the Login Domain and the Security Realm; in this section we will focus on the latter.
To administer security realms via the Geronimo Administration Console the Security Realms portlet is available on the Console Navigation menu on the left hand side. This portlet allows you to add a new security realm or edit an existing one.
Listed in this portlet you will find all the available security realms. By default, the security realm used by Geronimo to authenticate users via properties file is geronimo-properties-realm.
When you edit an existing realm (in this case geronimo-properties-realm) you will be presented with the following screen. Note that you will not be able to change the realm name or the login domain name.
<configuration configId="SecurityRealm-geronimo-properties-realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
  <gbean name="geronimo-properties-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">geronimo-properties-realm</attribute>
    <reference name="ServerInfo">
      <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
    </reference>
    <reference name="LoginService">
      <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
        <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
          <log:login-domain-name>geronimo-properties-realm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/users.properties</log:option>
          <log:option name="groupsURI">var/security/groups.properties</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>
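The realm plan above mixes two XML namespaces (the deployment namespace for the GBean and the loginconfig namespace for the JAAS login-module stack), which is easy to get wrong when scripting an inventory of realms. The following Python script is an added example, not part of the Geronimo project or this page: it parses a trimmed copy of the plan shown above (the ServerInfo and LoginService references are omitted for brevity) and reports, per login module, the realm, login domain, module class, control flag and the option values, plus the set of files the realm authenticates against. The helper names and the output layout are this example's own.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Namespace prefixes used only for the XPath-style queries below.
NS = {
    "dep": "http://geronimo.apache.org/xml/ns/deployment-1.0",
    "log": "http://geronimo.apache.org/xml/ns/loginconfig-1.0",
}

# Trimmed copy of the realm deployment plan shown on the page (references omitted).
REALM_PLAN = """\
<configuration configId="SecurityRealm-geronimo-properties-realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
  <gbean name="geronimo-properties-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">geronimo-properties-realm</attribute>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
        <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
          <log:login-domain-name>geronimo-properties-realm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/users.properties</log:option>
          <log:option name="groupsURI">var/security/groups.properties</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>
"""


def login_modules(plan_xml: str) -> List[Dict]:
    """One record per <log:login-module> found under any <gbean> of the plan."""
    root = ET.fromstring(plan_xml)
    records: List[Dict] = []
    for gbean in root.findall("dep:gbean", NS):
        realm = gbean.findtext("dep:attribute[@name='realmName']", default="", namespaces=NS)
        for lm in gbean.iterfind(".//log:login-module", NS):
            records.append({
                "realm": realm,
                "gbean_class": gbean.get("class", ""),
                "control_flag": lm.get("control-flag", ""),
                "server_side": lm.get("server-side") == "true",
                "domain": lm.findtext("log:login-domain-name", default="", namespaces=NS),
                "module_class": lm.findtext("log:login-module-class", default="", namespaces=NS),
                "options": {
                    o.get("name", ""): (o.text or "").strip()
                    for o in lm.findall("log:option", NS)
                },
            })
    return records


def referenced_files(records: List[Dict]) -> Set[str]:
    """Property files the realm reads; these are the files whose permissions need review."""
    files: Set[str] = set()
    for rec in records:
        for key in ("usersURI", "groupsURI"):
            if key in rec["options"]:
                files.add(rec["options"][key])
    return files


if __name__ == "__main__":
    mods = login_modules(REALM_PLAN)
    for m in mods:
        print(f"realm={m['realm']} domain={m['domain']} flag={m['control_flag']} "
              f"class={m['module_class'].rsplit('.', 1)[-1]} options={m['options']}")
    print("files to protect:", sorted(referenced_files(mods)))
```

Running the script against plans exported for every realm on a server gives a quick list of which login modules are in play and which property files hold credentials, which is the starting point for checking file ownership and for spotting a realm that still points at the default users.properties after a move to another authentication method.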
Administering certificates
...