...

  • The <doas-current-caller> optional element may be set to true or false (default). If set to true, any work done by the application will be performed as the calling Subject, instead of "as the application server". This can be used to hook into the Java JVM security sandbox (for example, to only allow trusted users to access the server filesystem). It is not usually necessary, as the application-level security features are typically sufficient. When it is enabled, you may want to adjust the security policy used for the server to control certain permissions by subject.

  • The <use-context-handler> optional element may be set to true or false (default). If set to true, the installed JACC policy contexts will use PolicyContextHandlers.

  • The <default-role> element is used by the Deployer to assign method permissions for all of the unspecified methods, either by assigning them to security roles, or by marking them as unchecked. If the value of default-role is empty, then the unspecified methods are marked unchecked.

  • The <description> element holds the description.

  • The <credential-store-ref> element holds the pattern for matching a module.

  • The <default-subject> element provides a description, realm, and id.

  • The <role-mappings> element holds the information mapping roles declared in the application.xml deployment descriptor to specific principals present in the security realms available to Geronimo.
<sec:security> example

<application xmlns="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" 
             xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2" 
             xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
             application-name="SampleSecurityEAR">

  <dep:environment>

    <dep:moduleId>
      <dep:groupId>sampleear</dep:groupId>
      <dep:artifactId>sample-ear</dep:artifactId>
      <dep:version>1.0</dep:version>
      <dep:type>ear</dep:type>
    </dep:moduleId>

    <dep:dependencies>
      <dep:dependency>
        <dep:groupId>org.apache.geronimo.configs</dep:groupId>
        <dep:artifactId>tomcat6</dep:artifactId>
        <dep:version>2.2-SNAPSHOT</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>

      <dep:dependency>
         <dep:groupId>default</dep:groupId>
         <dep:artifactId>geronim-web-4</dep:artifactId>
         <dep:version>1.0</dep:version>
         <dep:type>car</dep:type>
      </dep:dependency>
    </dep:dependencies>

  </dep:environment>

  <sec:security use-context-handler="false" doas-current-caller="true" default-role="admin1">
    <sec:role-mappings>
      <sec:role role-name="admin-role">
        <sec:description>ability to do everything</sec:description>
      </sec:role>
      <sec:role role-name="user-role">
        <sec:description>limited access</sec:description>
      </sec:role>
    </sec:role-mappings>
  </sec:security>

</application>
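The example above declares the two roles but does not bind them to anything, so it does not show what <role-mappings> actually does. The following fragment is an added illustration, not part of the original page or of the Geronimo documentation it excerpts: it binds each application role to the principals a security realm will put into the caller's Subject at login. The group names, the user name and the principal class names are assumptions made for this example (the classes are those produced by Geronimo's properties-file realm). It also sets default-role to the restricted user-role rather than leaving it empty, so methods with no explicit permission are assigned to that role instead of being marked unchecked, which would make them callable by anyone.

```xml
<!-- Added example; not from the original page. Group/user names and the
     principal class names are assumptions used for illustration only. -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
              use-context-handler="false"
              doas-current-caller="false"
              default-role="user-role">
  <sec:role-mappings>
    <!-- Any caller whose Subject carries the "admin" group principal gets admin-role. -->
    <sec:role role-name="admin-role">
      <sec:description>ability to do everything</sec:description>
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="admin"/>
    </sec:role>
    <!-- The "users" group plus one individually named user get the limited role. -->
    <sec:role role-name="user-role">
      <sec:description>limited access</sec:description>
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="users"/>
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                     name="alice"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>
```

When reviewing a plan like this, check two things: that every role-name referenced by the modules' deployment descriptors appears under <role-mappings> with at least one principal, and that default-role names a role you intend unspecified methods to be open to, since an empty value leaves those methods unchecked.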

<sys:service>

The <sys:service> element uses the Geronimo deployment namespace described here:

...