Where is the security configuration?

In a normal Geronimo server, the basic security configuration is divided into two plugins, j2ee-security and server-security-config. The parts you are not too likely to want to change, such as the JACC provider and the keystore manager, are in j2ee-security. The parts that you are almost certain to want to change are in server-security-config. For instance, the toy properties-file security realm for the admin console is in server-security-config.

...

You want to replace server-security-config with your own Geronimo plugin (see Plugin infrastructure) that contains a security realm customized for your security setup (e.g. LDAP) and includes whatever keystores you need. To make your plugin replace all uses of server-security-config, you need to include an artifact-alias element in your geronimo-plugin.xml file.

Code Block
<artifact-alias key="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">com.myco/myco-security-config/1.0/car</artifact-alias>
<artifact-alias key="org.apache.geronimo.framework/server-security-config//car">com.myco/myco-security-config/1.0/car</artifact-alias>

Another option is to use Maven with the car-maven-plugin. In that case the above artifact-alias elements need to be included in the car-maven-plugin configuration in your pom.xml.

Note that if you want the admin console and MEJB to continue working without redeployment, you have to include a security realm named geronimo-admin. The geronimo-admin realm should supply appropriate users with principals of class org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal and, as appropriate, the names admin (for console and MEJB read access) and mejbadmin (for MEJB write access).

...

You can also include security realm configuration, keystores, and credential stores in the Geronimo plan for your application. Just put the GBean configurations at the end, after the Java EE specific configuration. In this case you may not want to remove the standard server-security-config, as removing it would prevent the admin console or MEJB from starting.

Using a pluggable encryption system

By default you get the old behavior: {Simple} encryption with a hard-coded key. If you want a fixed key generated by Geronimo instead, add this GBean to the rmi-naming module in config.xml:

Code Block

<gbean name="ConfiguredEncryption">
<attribute name="path">var/security/ConfiguredSecretKey.ser</attribute>
<reference name="ServerInfo"><pattern><name>ServerInfo</name></pattern></reference>
</gbean>

This will create a key the first time the server is started; after that it will keep using the saved key at the specified location. If you put a serialized SecretKeySpec at that location beforehand, it will use that key instead of generating one.
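The following utility pre-provisions that key file so the server starts with a key you control rather than one generated on first boot. It is an added example, not code from Geronimo or this page; the AES-128 algorithm choice, the class name ProvisionConfiguredKey and the owner-only file permission are assumptions, since the page does not state which key algorithm ConfiguredEncryption expects.

```java
import java.io.*;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import javax.crypto.spec.SecretKeySpec;

/** Pre-provisions the serialized SecretKeySpec file that the ConfiguredEncryption GBean reads. */
public class ProvisionConfiguredKey {
    // Assumption: AES with a 128-bit key. The page does not state which algorithm
    // ConfiguredEncryption expects, so confirm this against your Geronimo version.
    private static final String ALGORITHM = "AES";
    private static final int KEY_BYTES = 16;

    /** Generates and saves a key unless a key file already exists, in which case it is loaded. */
    public static SecretKeySpec provision(File keyFile) throws IOException, ClassNotFoundException {
        if (keyFile.exists()) {
            // Never overwrite: a silently rotated key leaves previously encrypted
            // configuration values unreadable by the server.
            return load(keyFile);
        }
        byte[] raw = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        SecretKeySpec key = new SecretKeySpec(raw, ALGORITHM);
        Files.createDirectories(keyFile.getAbsoluteFile().getParentFile().toPath());
        try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(keyFile))) {
            out.writeObject(key); // SecretKeySpec implements Serializable
        }
        try {
            // Anyone who can read this file can decrypt the protected config values.
            Files.setPosixFilePermissions(keyFile.toPath(), PosixFilePermissions.fromString("rw-------"));
        } catch (UnsupportedOperationException e) {
            // Non-POSIX filesystem (e.g. Windows): restrict the file with ACLs instead.
        }
        return key;
    }

    /** Reads the saved key back, as the GBean does on every later startup. */
    public static SecretKeySpec load(File keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new FileInputStream(keyFile))) {
            return (SecretKeySpec) in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default matches the "path" attribute of the GBean, relative to the server base directory.
        File keyFile = new File(args.length > 0 ? args[0] : "var/security/ConfiguredSecretKey.ser");
        SecretKeySpec key = provision(keyFile);
        System.out.println(keyFile + ": " + key.getAlgorithm() + " key, " + key.getEncoded().length * 8 + " bits");
    }
}
```

Run it once from the server base directory before the first start, and back up the resulting file with the same care as the keystores, because values encrypted under it cannot be recovered without it.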