...
The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="UTF-8"?> <configuration xmlns="http://geronimo.apache.org/xml/ns/deployment" configId="org/apache/geronimo/ldap-secure"> <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.LoginModuleGBean"> <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.LDAPLoginModule</attribute> <attribute name="serverSide">true</attribute> <attribute name="options"> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory connectionURL=ldap://localhost:1389 connectionUsername=uid=admin,ou=system connectionPassword=secret connectionProtocol= authentication=simple userBase=ou=users,ou=system userSearchMatching=uid={0} userSearchSubtree=false roleBase=ou=groups,ou=system roleName=cn roleSearchMatching=(uniqueMember={0}) roleSearchSubtree=false userRoleName= </attribute> <attribute name="loginDomainName">ldap-realm</attribute> </gbean> <gbean name="ldap-realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"> <attribute name="realmName">ldap-realm</attribute> <reference name="LoginModuleConfiguration"> <name>ldap-login</name> </reference> <reference name="ServerInfo"> <module>org/apache/geronimo/System</module> <name>ServerInfo</name> </reference> <!-- Add --> <reference name="LoginService"> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/Security, J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService </gbean-name> </reference> </gbean> <gbean name="ldap-login" class="org.apache.geronimo.security.jaas.JaasLoginModuleUse"> <attribute name="controlFlag">REQUIRED</attribute> <reference name="LoginModule"> <name>ldap-login</name> </reference> </gbean> <gbean name="ldaptest" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry"> <attribute name="applicationConfigName">ldaptest</attribute> <attribute name="realmName">ldap-realm</attribute> <reference name="LoginService"> <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/Security, J2EEServer=geronimo,j2eeType=JaasLoginService,name=JaasLoginService </gbean-name> </reference> </gbean> </configuration> |
...
The deployment plans are located in the <ldap_home>/WEB-INF directory. Clearly, geronimo-web.xml is the Geronimo specific deployment plan. It provides the details on what security realm to use and user role mappings as well as the Geronimo specific namespace used to identify the elements in the security configuration. Common to other types of applications, not just security, the deployment plan also provides the main namespace for the deployment plan, a module identification (optional), a parent module configuration ID (also optional) and a context root. The following example illustrates the Geronimo specific deployment plan.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns="http://geronimo.apache.org/xml/ns/web" xmlns:sec="http://geronimo.apache.org/xml/ns/security" configId="org/apache/geronimo/ldap-secure-demo" parentId="org/apache/geronimo/ldap-secure"> <context-root>/ldap-demo</context-root> <context-priority-classloader>false</context-priority-classloader> <security-realm-name>ldap-realm</security-realm-name> <security> <default-principal realm-name="ldap-realm"> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/> </default-principal> <role-mappings> <role role-name="content-administrator"> <realm realm-name="ldap-realm"> <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/> </realm> </role> <role role-name="guest"> <realm realm-name="ldap-realm"> <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/> <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user2"/> </realm> </role> </role-mappings> </security> </web-app> |
...
The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF diretory) adds security constraints based on the location of the files.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="ISO-8859-1"?> <web-app xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd" version="2.4"> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list> <security-constraint> <web-resource-collection> <web-resource-name>Admin Role</web-resource-name> <url-pattern>/protect/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>content-administrator</role-name> </auth-constraint> </security-constraint> <security-constraint> <web-resource-collection> <web-resource-name>No Access</web-resource-name> <url-pattern>/forbidden/*</url-pattern> </web-resource-collection> <auth-constraint/> </security-constraint> <login-config> <auth-method>FORM</auth-method> <realm-name>MYREALM</realm-name> <form-login-config> <form-login-page>/auth/logon.html?param=test</form-login-page> <form-error-page>/auth/logonError.html?param=test</form-error-page> </form-login-config> </login-config> <security-role> <role-name>content-administrator</role-name> </security-role> </web-app> |
...