THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- In the Console Navigation menu on the left click on Database Pools.
- Click on Using the Geronimo database pool wizard.
- Enter SecurityDatabase SecurityDatabasePool as the database pool name.
- Select Derby embedded XA from the database pool type pull-down menu and click Next.
- From the Driver JAR scroll box select org.apache.geronimo.configs/system-database/2.0.1/car.
- Leave blank the DB user name and password.
- Enter SecurityDatabase as the database and click Next.
- Click Test Connection.
- Click Deploy.
...
Enter derby_security_realm in the Name of Security Realm: field and select Database (SQL) Realm from the Realm type: pull-down menu and click Next.
The following screen configures the login module. The first two field you need to fill may vary from one database type to another. In this case we are using the embedded Derby database so the User and Group select SQL should read as follows:
User SELECT SQL: select username, password from users where username=?
Group SELECT SQL: select username, groupname from groups where username=?
Once you entered the SQL statements for retrieving users and groups you need to select from the Database Pool pull-down menu the database connection pool you created in the previous step. Add the required values as shown below and click Next.
Database Pool: SecurityDatabasePool
JDBC Driver Class: org.apache.derby.jdbc.EmbeddedDriver
Driver JAR: org.apache.derby/derby/10.1.1.0/jar
JDBC URL: jdbc:derby:SecurityDatabase
The following step will allow you to enable auditing for monitoring the login attempts via this realm. In this step you can also configure the account lockout based on the number of failed loging attempts withing a specified timeframe. If you enable Store Password, then it will allow the realm to store the user's password in a private credential in the "Subject". If you enable Naming Credential, in addition to the user's password, this option will use private credentials to store user names too.
At this point you have configured this new security realm, the next step i to test it and then deploy it. Click on Test a Login.
Enter a valid user name and password to be retrieved from the database and click Next.
You should receive a confirmation message that the login succeeded, click on Deploy Realm to load this configuration to the server.
Now you have a new, fully configured, security realm that retrieves user names and passwords from the build in Derby database.
| Note |
|---|
If you get an error the first time you try to validate this realm, you will very likely see the |
The following example shows the deployment plan for this security realm. As an alternative to the Geronimo Administration Console, you can save this example to a file (i.e. derby_security_realm.xml) and deploy it with the Deployer tool by running the following command:
<geronimo_home>\bin\deploy --user system --password manager deploy <realm_path>\derby_security_realm.xml
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
<environment>
<moduleId>
<groupId>console.realm</groupId>
<artifactId>derby_security_realm</artifactId>
<version>1.0</version>
<type>car</type>
</moduleId>
<dependencies>
<dependency>
<groupId>org.apache.geronimo.configs</groupId>
<artifactId>j2ee-security</artifactId>
<type>car</type>
</dependency>
<dependency>
<groupId>org.apache.derby</groupId>
<artifactId>derby</artifactId>
<version>10.1.3.1</version>
<type>jar</type>
</dependency>
<dependency>
<groupId>console.dbpool</groupId>
<artifactId>SecurityDatabase</artifactId>
<version>1.0</version>
<type>rar</type>
</dependency>
</dependencies>
</environment>
<service name="derby_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" xsi:type="dep:gbeanType"
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<attribute name="realmName">derby_security_realm</attribute>
<reference name="ServerInfo">
<name>ServerInfo</name>
</reference>
<reference name="LoginService">
<name>JaasLoginService</name>
</reference>
<xml-reference name="LoginModuleConfiguration">
<log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
<log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
<log:login-domain-name>derby_security_realm</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
<log:option name="userSelect">select username, password from APP.users where username=?</log:option>
<log:option name="jdbcDriver">org.apache.derby.jdbc.EmbeddedDriver</log:option>
<log:option name="dataSourceApplication">null</log:option>
<log:option name="groupSelect">select username, groupname from APP.groups where username=?</log:option>
<log:option name="dataSourceName">SecurityDatabase</log:option>
<log:option name="jdbcURL">jdbc:derby:SecurityDatabase</log:option>
</log:login-module>
<log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">
<log:login-domain-name>derby_security_realm-Audit</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
<log:option name="file">var/log/derby_security_realm.log</log:option>
</log:login-module>
<log:login-module control-flag="REQUISITE" server-side="true" wrap-principals="false">
<log:login-domain-name>derby_security_realm-Lockout</log:login-domain-name>
<log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
<log:option name="lockoutDurationSecs">60</log:option>
<log:option name="failurePeriodSecs">10</log:option>
<log:option name="failureCount">3</log:option>
</log:login-module>
</log:login-config>
</xml-reference>
</service>
</module> |
Once the security realm has been created, you can use the usage link to view samples of how to use the new realm in your applications.