Versions Compared

Old Version 103

changes.mady.by.user Unknown User (hcunico@gmail.com)

Saved on

compared with

New Version 104

changes.mady.by.user Unknown User (hcunico@gmail.com)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • In the Console Navigation menu on the left click on Database Manager.
  • Enter SecurityDatabase in the Create DB: field and click Create.
  • Select the SecurityDatabase database from the Use DB: pull-down menu, enter the following SQL command commands and click Run SQL.
    create table users
    (username varchar(15),
    password varchar(15));
    create table groups
    (username varchar(15),
    groupname varchar(15));
    insert into users values('userone','p1');
    insert into users values('usertwo','p2');
    insert into users values('userthree','p3');
    insert into groups values('userone','admin');
    insert into groups values('usertwo','admin');
    insert into groups values('userthree','user');

...

Note that APP is the default schema for the embedded Derby database and need it needs to precede the table in the SQL statement. This These statements are likely to be different from one database to another, for instance this procedure was also tested with DB2, the SQL statements used were:

...

The remaining fields are no necessary to fill since all that information is already provided by the database conneciton pool. If you do not create a connection pool before are not using predefined database connection pools you will need to enter fill-in all the requested informationfields.

The following step will allow you to enable auditing for monitoring the login attempts via this realm. In this step you can also configure the account lockout based on the number of failed loging attempts withing a specified timeframe. The last option in this step, Store Password, when enabled will allow the realm to store the user password in a private credential in the subject.

...

Now you have a new, fully configured, security realm that retrieves user names and passwords from the build in Derby database.Security realm for using with database authentication.

The followig example shows the deployment plan for this security realm. As an alternative to the Geronimo Administration Console, you can save this example to a file (i.e. derby_security_realm.xml) and deploy it with the Deployer tool by running the following command:

<geronimo_home>\bin\deploy --user system --password manager deploy <realm_path>\derby_security_realm.xml

Code Block
xml
xml
borderStylesolid
titlederby_security_realm
<configuration configId="SecurityRealm-derby_security_realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <import>
        <uri>user/database-pool-derby_poolSecurityDatabase/1/car</uri>
    </import>
    <gbean name="derby_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">derby_security_realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,
	                j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,
	                j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>derby_security_realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
                    <log:option name="userSelect">select username, password from APP.users where username=?</log:option>
                    <log:option name="dataSourceApplication">null</log:option>
                    <log:option name="groupSelect">select username, groupname from APP.groups where username=?</log:option>
                    <log:option name="dataSourceName">derby_pool<>SecurityDatabase</log:option>
                </log:login-module>
                <log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">
                    <log:login-domain-name>derby_security_realm-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <log:option name="file">var/log/login-attemptsderby_security_realm.log</log:option>
                </log:login-module>
            </log:login-config>
    <log:login-module control-flag="REQUISITE" server-side="true" wrap-principals="false">
           </xml-reference>
        </gbean>
</configuration>
Code Block
xmlxml
borderStylesolid
titledb2_security_realm

<configuration configId="SecurityRealm-db2_security_realm" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
    <import>
        <uri>user/database-pool-DB2_Test/1/car</uri>
    </import>
    <gbean name="db2_security_realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
        <attribute name="realmName">db2_security_realm</attribute>
        <reference name="ServerInfo">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-system/1.0/car,J2EEServer=geronimo,
	                j2eeType=GBean,name=ServerInfo</gbean-name>
        </reference>
        <reference name="LoginService">
            <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=geronimo/j2ee-security/1.0/car,J2EEServer=geronimo,
	                j2eeType=JaasLoginService,name=JaasLoginService</gbean-name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
                <log:login-module control-flag="REQUIRED" server-side="true" wrap-principals="false">
                    <log:login-domain-name>db2_security_realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
                    <log:option name="userSelect">select username, password from users where username=?</log:option>
                    <log:option name="dataSourceApplication">null</log:option>
                    <log:option name="groupSelect">select username, groupname from groups where username=?</log:option>
                    <log:option name="dataSourceName">SecurityDatabase</log:option>
                </log:login-module>
 <log:login-domain-name>derby_security_realm-Lockout</log:login-domain-name>
                    <log:login-module control-flag="OPTIONAL" server-side="true" wrap-principals="false">-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
                    <log:login-domain-name>db2_security_realm-Audit<option name="lockoutDurationSecs">60</log:login-domain-name>option>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>option name="failurePeriodSecs">10</log:option>
                    <log:option name="file">var/log/login-attempts.log<failureCount">3</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</configuration>

...