
...

A simple example of credential store configuration would look like this:

Credential Store Example:
    <gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
        <xml-attribute name="credentialStore">
            <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
                <realm name="my-properties-realm">
                    <subject>
                        <id>admin-run-as</id>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                            <value>system</value>
                        </credential>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                            <value>manager</value>
                        </credential>
                    </subject>
                    <subject>
                        <id>user-run-as</id>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                            <value>user</value>
                        </credential>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                            <value>user-password</value>
                        </credential>
                    </subject>
                    <subject>
                        <id>default</id>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
                            <value>default</value>
                        </credential>
                        <credential>
                            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
                            <value>default</value>
                        </credential>
                    </subject>
                </realm>
            </credential-store>
        </xml-attribute>
    </gbean>

...

The default subject and each run-as subject specify, with a subject-infoType element, the realm name and subject id needed to look the subject up in the credential store.

Example Security Configuration:
      <security use-context-handler="false" xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
        <default-subject>
          <realm>my-properties-realm</realm>
          <id>default</id>
        </default-subject>
        <role-mappings>
          <role role-name="Administrator">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
          </role>
          <role role-name="User">
            <run-as-subject>
                <realm>my-properties-realm</realm>
                <id>user-run-as</id>
            </run-as-subject>
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
          </role>
        </role-mappings>
      </security>

The sample above shows the simplest principal-role mapping: you specify the principal class and name for each principal that maps to a certain role. Normally this will be entirely sufficient to distinguish principals. However, you might have several login modules or security realms that can produce the same principal but with different meanings. In this case you can include the login domain name or realm name to distinguish the principals.
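The two fragments above only work together if every default-subject and run-as-subject names a realm and id that the credential store actually defines; a dangling reference is not visible until the subject is looked up at run time. The following is an added example (not Geronimo's own code and not part of the original page) that parses a credential-store element and a security element with the namespaces shown on this page and reports every subject reference that does not resolve. The sample XML is constructed from the page's fragments, trimmed to the elements the check reads; the function and variable names are this example's own.

```python
"""Cross-check a Geronimo security element against its credential store.

Added example, not Geronimo's own code. It verifies that every
<default-subject> and <run-as-subject> in a security element refers to a
realm/id pair that the credential store defines, so a deployment plan does
not silently reference a subject that cannot be resolved at run time.
"""
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the page's fragments.
CS_NS = "{http://geronimo.apache.org/xml/ns/credentialstore-1.0}"
SEC_NS = "{http://geronimo.apache.org/xml/ns/security-2.0}"

# Constructed sample input: the credential store from the page, trimmed to
# the realm and subject ids (the check never reads credential values).
CREDENTIAL_STORE_XML = """
<credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
  <realm name="my-properties-realm">
    <subject><id>admin-run-as</id></subject>
    <subject><id>user-run-as</id></subject>
    <subject><id>default</id></subject>
  </realm>
</credential-store>
"""

# Constructed sample input: the security element from the page.
SECURITY_XML = """
<security use-context-handler="false" xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <default-subject>
    <realm>my-properties-realm</realm>
    <id>default</id>
  </default-subject>
  <role-mappings>
    <role role-name="User">
      <run-as-subject>
        <realm>my-properties-realm</realm>
        <id>user-run-as</id>
      </run-as-subject>
    </role>
  </role-mappings>
</security>
"""


def load_credential_store(xml_text):
    """Return {realm_name: {subject_id, ...}} from a <credential-store> document."""
    root = ET.fromstring(xml_text)
    store = {}
    for realm in root.iter(CS_NS + "realm"):
        ids = set()
        for subject in realm.findall(CS_NS + "subject"):
            sid = subject.findtext(CS_NS + "id")
            if sid is not None:
                ids.add(sid.strip())
        store[realm.get("name")] = ids
    return store


def subject_references(xml_text):
    """Yield (context, realm, id) for every default-subject and run-as-subject."""
    root = ET.fromstring(xml_text)
    for ds in root.findall(SEC_NS + "default-subject"):
        yield ("default-subject", ds.findtext(SEC_NS + "realm"), ds.findtext(SEC_NS + "id"))
    for role in root.iter(SEC_NS + "role"):
        for ras in role.findall(SEC_NS + "run-as-subject"):
            yield ("run-as-subject for role %s" % role.get("role-name"),
                   ras.findtext(SEC_NS + "realm"), ras.findtext(SEC_NS + "id"))


def check_subject_references(security_xml, credential_store_xml):
    """Return a list of problem strings; empty when every reference resolves."""
    store = load_credential_store(credential_store_xml)
    problems = []
    for context, realm, sid in subject_references(security_xml):
        if realm is None or sid is None:
            problems.append("%s: missing <realm> or <id>" % context)
        elif realm.strip() not in store:
            problems.append("%s: realm '%s' is not in the credential store"
                            % (context, realm.strip()))
        elif sid.strip() not in store[realm.strip()]:
            problems.append("%s: subject '%s' is not defined in realm '%s'"
                            % (context, sid.strip(), realm.strip()))
    return problems


if __name__ == "__main__":
    for line in check_subject_references(SECURITY_XML, CREDENTIAL_STORE_XML) or ["all subject references resolve"]:
        print(line)
```

The check deliberately reads only realm names and subject ids and never the credential values, so it can be run against a plan like the one above, whose passwords are stored in clear text, without copying those values anywhere else.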

Additional principal specifications:
<!-- normal, no domain or realm info -->
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>

<!-- login domain name specified -->
<login-domain-principal domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>

<!-- realm name and login domain name specified -->
<realm-principal realm-name="my-properties-realm" domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
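To make concrete how the three forms differ in what they match, here is an added example (not Geronimo's own matching code and not part of the original page). It parses principal, login-domain-principal and realm-principal elements from a role-mappings fragment and matches them against authenticated principals tagged with the login domain and realm they came from. The model of matching used here (attributes named in the element must be equal, anything not named is a wildcard) is this example's reading of the text above; the Principal tuple, the role names and the sample principals are constructed for the example.

```python
"""Role-mapping resolution for the three principal element forms on this page.

Added example, not Geronimo's own code. Matching semantics are this
example's model of the text: every attribute named in the mapping element
must equal the principal's, and an attribute the element does not name is
a wildcard. This is what lets a bare <principal> match same-named
principals from different realms while <realm-principal> does not.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

NS = "{http://geronimo.apache.org/xml/ns/security-2.0}"
GROUP_PRINCIPAL = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"

# A principal as produced by a login module, tagged with its origin.
# Field names are this example's, not a Geronimo API.
Principal = namedtuple("Principal", "cls name domain realm")

# Constructed sample: the three forms from the page, each mapped to its own role.
ROLE_MAPPINGS_XML = """
<role-mappings xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
  <role role-name="AnyUser">
    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
  </role>
  <role role-name="DomainUser">
    <login-domain-principal domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
  </role>
  <role role-name="RealmUser">
    <realm-principal realm-name="my-properties-realm" domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
  </role>
</role-mappings>
"""

PRINCIPAL_TAGS = ("principal", "login-domain-principal", "realm-principal")


def parse_role_mappings(xml_text):
    """Return {role_name: [matcher, ...]}; a matcher is a dict of the
    Principal fields the element constrains (missing keys are wildcards)."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for role in root.findall(NS + "role"):
        matchers = []
        for el in role:
            tag = el.tag.replace(NS, "")
            if tag not in PRINCIPAL_TAGS:
                continue  # e.g. run-as-subject, which is not a principal spec
            m = {"cls": el.get("class"), "name": el.get("name")}
            if tag in ("login-domain-principal", "realm-principal"):
                m["domain"] = el.get("domain-name")
            if tag == "realm-principal":
                m["realm"] = el.get("realm-name")
            matchers.append(m)
        mappings[role.get("role-name")] = matchers
    return mappings


def matches(matcher, principal):
    """True when every constrained field of the matcher equals the principal's."""
    return all(getattr(principal, field) == value for field, value in matcher.items())


def roles_for(principal, mappings):
    """Roles whose mapping matches this principal, in document order."""
    return [role for role, ms in mappings.items() if any(matches(m, principal) for m in ms)]


if __name__ == "__main__":
    mappings = parse_role_mappings(ROLE_MAPPINGS_XML)
    # Same group name from two different realms: only the bare <principal>
    # form treats them alike.
    for p in (Principal(GROUP_PRINCIPAL, "user", "mydomain", "my-properties-realm"),
              Principal(GROUP_PRINCIPAL, "user", "otherdomain", "other-realm")):
        print(p.realm, "->", roles_for(p, mappings))
```

Run on the two sample principals, the group named "user" from my-properties-realm receives all three roles while the same-named group from another realm receives only AnyUser, which is the distinction the realm-name and domain-name attributes exist to make.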