THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
A simple example of credential store configuration would look like this:
| Code Block | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||
<gbean name="CredentialStore" class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
<xml-attribute name="credentialStore">
<credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
<realm name="my-properties-realm">
<subject>
<id>admin-run-as</id>
<credential>
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
<value>system</value>
</credential>
<credential>
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
<value>manager</value>
</credential>
</subject>
<subject>
<id>user-run-as</id>
<credential>
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
<value>user</value>
</credential>
<credential>
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
<value>user-password</value>
</credential>
</subject>
<subject>
<id>default</id>
<credential>
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
<value>default</value>
</credential>
<credential>
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
<value>default</value>
</credential>
</subject>
</realm>
</credential-store>
</xml-attribute>
</gbean>
|
...
A default subject or each run-as role specifies the information needed to get the subject using a subject-infoType element.
| Code Block | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||
<security use-context-handler="false" xmlns="http://geronimo.apache.org/xml/ns/security-2.0">
<default-subject>
<realm>my-properties-realm</realm>
<id>default</id>
</default-subject>
<role-mappings>
<role role-name="Administrator">
<principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
</role>
<role role-name="User">
<run-as-subject>
<realm>my-properties-realm</realm>
<id>user-run-as</id>
</run-as-subject>the loi
<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/>
</role>
</role-mappings>
</security>
|
The sample above shows the simplest principal-role mapping: you specify the principal class and name for each principal that maps to a certain role. Normally this will be entirely sufficient to distinguish principals. However, you might have several login modules or security realms that can produce the same principal but with different meanings. In this case you can include the login domain name or realm name to distinguish the principals.
| Code Block | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||
<!-- normal, no domain or realm info --> <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/> <!-- login domain name specified --> <login-domain-principal domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/> <~-- realm name and login domain name specified> <realm-principal realm-name="my-properties-realm" domain-name="mydomain" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="user"/> |