
...

The properties files are derived from the client certificate that will be used for client authentication: each user entry maps a user name to the distinguished name (DN) of that user's certificate, and the realm recognizes a user by the DN in the certificate the client presents. Which certificates are accepted at all is decided by the HTTPS connector's truststore, so limit it to the CA(s) intended to issue client certificates. For example, a Certificate Properties File Realm named CertificatePropsRealm, with user and group properties files based on the My_Private_key certificate created in the #Create keystore and certificate section, is defined as follows:

Code Block
xml
xml
borderStylesolid
titleuser_sample.propertiesxml
# Users of the Certificate Properties File Realm: <user name>=<distinguished name of that user's client certificate>.
# client1 is the My_Private_key certificate from the "Create keystore and certificate" section; a client is
# recognized as client1 only when the certificate it presents carries this DN.
# NOTE(review): how strictly the DN is compared (RDN order, whitespace, case) depends on the login module —
# copy the subject exactly as keytool prints it rather than retyping it.
client1=CN=localhost,OU=Geronimo,O=Apache,L=My_City,ST=My_State,C=CC
client2=CN=localhost2,OU=Geronimo,O=Apache,L=Your_City,ST=Your_State,C=CC
  • The value for client1 is taken from the My_Private_key certificate: it is that certificate's distinguished name, and the client must present a certificate with the same DN to be recognized as client1.
Code Block
xml
xml
borderStylesolid
titlegroup_sample.propertiesxml
# Groups of the Certificate Properties File Realm: <group name>=<comma-separated user names from user_sample.properties>.
# The geronimo-web.xml plan below maps the "admin" group to the content-administrator role, so anyone who can
# edit this file (or user_sample.properties, by adding their own DN) can grant themselves that role:
# keep both files under var/security writable only by the account that runs the server.
admin=client1,client2

The deployment plan of the Certificate Properties File Realm CertificatePropsRealm is as follows:

Code Block
xml
xml
borderStylesolid
titleExcerpt from the deployment plan of CertificatePropsRealmxml
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2"
        xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Deployment plan that installs the CertificatePropsRealm security realm as a Geronimo configuration (car). -->
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>cert-prop-file-realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <!-- Geronimo security framework: provides GenericSecurityRealm and the login module classes used below. -->
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
        </dependencies>
    </environment>
    <!-- GBean that registers the realm. realmName is the value web application plans reference in
         security-realm-name and in realm-name attributes of their security element. -->
    <gbean name="cert-prop-file-realm"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType">
        <attribute name="realmName">CertificatePropsRealm</attribute>
        <!-- Presumably used to resolve the relative usersURI/groupsURI paths against the server installation — verify. -->
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <!-- Single JAAS login module; control-flag REQUIRED means its failure fails the whole login.
                     NOTE(review): the users file holds certificate DNs, which is the input a certificate-based
                     login module expects; confirm that PropertiesFileLoginModule (rather than a certificate
                     variant of it) is the intended class for CLIENT-CERT authentication. -->
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>CertificatePropsRealm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                    <!-- user name -> certificate DN, and group name -> user list, as shown above.
                         Both files are trust anchors for authorization: restrict write access to them. -->
                    <log:option name="usersURI">var/security/user_sample.properties</log:option>
                    <log:option name="groupsURI">var/security/group_sample.properties</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>

...

Configure the deployment descriptor (web.xml) and the deployment plan (geronimo-web.xml) of your web application to use the Certificate Properties File Realm for client authentication. The deployment descriptor is configured as follows; note that login-config only selects the authentication method — the resources to protect and the roles they require must still be declared with security-constraint elements:

Code Block
xml
xml
borderStylesolid
titleExcerpt from web.xmlxml
 <!-- Select certificate-based container authentication. login-config alone protects nothing: the URLs to
      guard and the roles they require (e.g. content-administrator) come from security-constraint elements,
      which this excerpt omits; a transport-guarantee of CONFIDENTIAL there keeps them on TLS.
      NOTE(review): the HTTPS connector must also be set to request client certificates, with a truststore
      limited to the CA that issues them — that configuration is not shown on this page. -->
 <login-config>
   <auth-method>CLIENT-CERT</auth-method>
   <!-- realm-name is only consulted for BASIC authentication; the text here is informational. -->
   <realm-name>Not Required for CLIENT-CERT</realm-name>
 </login-config>

...

Web applications that use the CertificatePropsRealm security realm must, for example, configure their deployment plan (geronimo-web.xml) as follows:

Code Block
xml
xml
borderStylesolid
titleExcerpt from geronimo-web.xmlxml
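<?xml version="1.0" encoding="UTF-8"?>
<!-- Geronimo deployment plan for a web application that authenticates clients against CertificatePropsRealm. -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:naming="http://geronimo.apache.org/xml/ns/naming-1.2"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
         xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <sys:environment>
        <sys:moduleId>
            <sys:groupId>org.apache.geronimo</sys:groupId>
            <sys:artifactId>sampleapplication</sys:artifactId>
            <sys:version>1.0</sys:version>
            <sys:type>car</sys:type>
        </sys:moduleId>
        <sys:dependencies>
            <!-- The realm configuration deployed from the plan above (same moduleId). -->
            <sys:dependency>
                <sys:groupId>console.realm</sys:groupId>
                <sys:artifactId>cert-prop-file-realm</sys:artifactId>
                <sys:version>1.0</sys:version>
                <sys:type>car</sys:type>
            </sys:dependency>
        </sys:dependencies>
    </sys:environment>
    <context-root>/cert-realm-sample</context-root>
    <!-- Must equal the realmName attribute of the realm's GBean. -->
    <security-realm-name>CertificatePropsRealm</security-realm-name>
    <security>
        <!-- NOTE(review): if default-principal is the identity given to callers that have not authenticated
             (as in Geronimo's security element), then choosing client1 — a user mapped into
             content-administrator below — hands that role to requests that presented no certificate.
             Confirm this, and prefer a dedicated unprivileged principal here. -->
        <default-principal realm-name="CertificatePropsRealm">
            <!-- name must match a user entry in the realm's user_sample.properties (usersURI). -->
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
        </default-principal>
        <role-mappings>
            <!-- Maps the servlet role content-administrator, as used by web.xml security constraints,
                 to principals of CertificatePropsRealm. -->
            <role role-name="content-administrator">
                <realm realm-name="CertificatePropsRealm">
                    <!-- name must match a group entry in the realm's group_sample.properties (groupsURI);
                         designated-run-as presumably selects this principal as the run-as identity for the role — verify. -->
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
                    <!-- Users can also be mapped directly; these names must match user_sample.properties. -->
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client1"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="client2"/>
                </realm>
            </role>
        </role-mappings>
    </security>
</web-app>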

...