Versions Compared

Old Version 7

changes.mady.by.user Joseph Bohn

Saved on

compared with

New Version 8

changes.mady.by.user Joseph Bohn

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Back to Top

Deploy the LDAP realm

The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.

...

One way to install the LDAP realm for the sample is by installing a Geronimo plugin created for this purpose. You can do this by navigating in the Geronimo Administration Console to Applications -> Plugins. Once in the view, updating the repository list (which should add http://geronimo.apache.org/

...

plugins/

...

geronimo-

...

2.1/Image Added if not already included), selecting the referenced repository, and then select Show Plugins in selected repository to display the list of all possible plugins in this directory. Locate the Geronimo Configs :: LDAP Sample Security Realm and then install it. However, this process hides many of the details of creating and installing the realm. For those details refer to the next section.

LDAP realm deployment details

The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.

Code Block
xml
xml
borderStylesolid
titleldap-realm.xml

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>LDAP_Sample_Realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.configs</groupId>
                <artifactId>j2ee-security</artifactId>
        ">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>LDAP_Sample_Realm</artifactId> <type>car</type>
            <version>1.0<</version>dependency>
        </dependencies>
    <type>car<</type>environment>
    <gbean name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
 </moduleId>
        <dependencies>
            <dependency>
                <groupId>orgxsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.geronimo.configs</groupId>org/xml/ns/deployment-1.2" 
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
         </dependencies><attribute name="realmName">LDAP_Sample_Realm</attribute>
    </environment>
    <gbean<reference name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm" 
="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            xsi:type="dep:gbeanType"<log:login-config xmlns:deplog="http://geronimo.apache.org/xml/ns/deploymentloginconfig-1.2" >
                <log:login-module       control-flag="REQUIRED" wrap-principals="false">
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">LDAP <log:login-domain-name>LDAP_Sample_Realm</attribute>log:login-domain-name>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference><log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
                    <log:login-module control-flag="REQUIRED" wrap-principals="false">:option name="connectionURL">ldap://localhost:10389</log:option>
                    <log:login-domain-name>LDAP_Sample_Realm</log:login-domain-name>option name="connectionUsername">uid=admin,ou=system</log:option>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>option name="connectionPassword">secret</log:option>
                    <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory<authentication">simple</log:option>
                    <log:option name="connectionURL">ldap://localhost:10389<userBase">ou=users,ou=system</log:option>
                    <log:option name="connectionUsernameuserSearchMatching">uid=admin,ou=system<{0}</log:option>
                    <log:option name="connectionPassworduserSearchSubtree">secret<>false</log:option>
                    <log:option name="authentication">simple<roleBase">ou=groups,ou=system</log:option>
                    <log:option name="userBase">ou=users,ou=system<roleName">cn</log:option>
                    <log:option name="userSearchMatchingroleSearchMatching">uid>(uniqueMember={0})</log:option>
                    <log:option name="userSearchSubtreeroleSearchSubtree">false</log:option>
                    <log:option name="roleBase">ou=groups,ou=system< </log:option>login-module>
                    <log:option name="roleName">cn</log:option>login-module control-flag="OPTIONAL" wrap-principals="false">
                    <log:option name="roleSearchMatching">(uniqueMember={0})</log:option>login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
                    <log:option name="roleSearchSubtree">false</log:option>
login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    < <log:option name="file">var/log:/login-module>attempts.log</log:option>
                <log</log:login-module control-flag="OPTIONAL" wrap-principals="false">
module>
            </log:login-config>
        </xml-reference>
       <log:login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <log:option name="file">var/log/login-attempts.log</log:option>
                </log:login-module>
            </log:login-config>
 </gbean>
</module>

This deployment plan tell Geronimo all the connection and search paraments against the LDAP database. This plan also specifies to record each login attempt into the login-attempts.log log file.

To deploy the ldap-realm.xml run the following command from the <geronimo_home>/bin directory:

java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-realm.xml

Once deployed you should see a confirmation message similar to the following example:

No Format
bgColor#000000
borderStylesolid

D:\geronimo-tomcat6-jee5-2.0\bin>deploy deploy \samples\2.0\ldap-sample-app\ldap-realm.xml
Using GERONIMO_BASE:   D:\geronimo-tomcat6-jee5-2.0
Using GERONIMO_HOME:   D:\geronimo-tomcat6-jee5-2.0
Using GERONIMO_TMPDIR: D:\geronimo-tomcat6-jee5-2.0\var\temp
Using JRE_HOME:

...

 C:\Java\jdk1.5.0_06\\jre
    Deployed console.realm/LDAP_Sample_Realm/1.0/car

Back to Top

For further details refer to the LDAP Realm section.

Creating and Installing the LDAP Sample Application

One way to install the LDAP sample application is by installing a Geronimo plugin created for this purpose. You can do this by navigating in the Geronimo Administration Console to Applications -> Plugins. Once in the view, updating the repository list (which should add http://geronimo.apache.org/plugins/geronimo-2.1/Image Added if not already included), selecting the referenced repository, and then select Show Plugins in selected repository to display the list of all possible plugins in this directory. Locate the Geronimo Configs :: LDAP Sample for Tomcat or Geronimo Configs :: LDAP Sample for Jetty (depending upon you Geronimo service choice) and then install it. However, this process hides many of the details of creating and installing the sample. For those details refer to the next

This deployment plan tell Geronimo all the connection and search paraments against the LDAP database. This plan also specifies to record each login attempt into the login-attempts.log log file.

To deploy the ldap-realm.xml run the following command from the <geronimo_home>/bin directory:

java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-realm.xml

Once deployed you should see a confirmation message similar to the following example:

No Format
bgColor#000000
borderStylesolid

D:\geronimo-tomcat6-jee5-2.0\bin>deploy deploy \samples\2.0\ldap-sample-app\ldap-realm.xml
Using GERONIMO_BASE:   D:\geronimo-tomcat6-jee5-2.0
Using GERONIMO_HOME:   D:\geronimo-tomcat6-jee5-2.0
Using GERONIMO_TMPDIR: D:\geronimo-tomcat6-jee5-2.0\var\temp
Using JRE_HOME:        C:\Java\jdk1.5.0_06\\jre
    Deployed console.realm/LDAP_Sample_Realm/1.0/car
Back to TopFor further details refer to the LDAP Realm section.

Deployment plans

The deployment plans are located in the <ldap_home>/WEB-INF directory. Clearly, geronimo-web.xml is the Geronimo specific deployment plan. It provides the details on what security realm to use and user role mappings as well as the Geronimo specific namespace used to identify the elements in the security configuration. Common to other types of applications, not just security, the deployment plan also provides the main namespace for the deployment plan, a module identification (optional), a parent module configuration ID (also optional) and a context root. The following example illustrates the Geronimo specific deployment plan.

...

Code Block
xml
xml
borderStylesolid
titleweb.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Role</web-resource-name>
            <url-pattern>/protect/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>content-administrator</role-name>
        </auth-constraint>
    </security-constraint>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>No Access</web-resource-name>
            <url-pattern>/forbidden/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
            <realm-name>ldap-realm-1</realm-name>
            <form-login-config>
                <form-login-page>/auth/logon.html?param=test</form-login-page>
                <form-error-page>/auth/logonError.html?param=test</form-error-page>
            </form-login-config>
    </login-config>

    <security-role>
        <role-name>content-administrator</role-name>
    </security-role>

</web-app>

Back to Top

Package the sample application

Now that all the elements have been identified, it is necessary to package the sample application in a Web application Archive (.war). Open a command line window, change directory to <ldap_home> and run the following command:

...

This command will package all the existing files and directories inside <ldap_home>. Although not needed inside the .war file, the ldap-realm.xml and ldap-sample.ldif files will also be included.

Back to Top

Deploy

...

the sample application

To deploy the LDAP sample application make sure the Geronimo server is up and running. Open a command line window, change directory to <geronimo_home>/bin and run the following command:

java -jar deployer.jar --user system --password manager deploy <ldap_home>/ldap-demo.war

Testing the sample application

Once the Web application is successfully deployed you should see a confirmation message similar as the one shown in the following example:

...