
This article describes how to replace the default properties-file realm, geronimo-admin, with a SQL or LDAP realm.

By default, Geronimo uses a .properties file realm named geronimo-admin for authentication. This realm is used by the JMX server, the Administration Console, the online deployer and the MEJB application. Credentials stored in a flat properties file are not suitable for production use; a database (SQL) or LDAP realm should be used instead. To demonstrate how to replace the default realm, we use the two samples that follow:

With a database (SQL) realm

In this example, we will use an embedded Derby database as the security provider.

  1. Create a database named SecurityDatabase using DB Manager in the Administration Console.
  2. Create two tables, users and groups, to store user credentials and group membership:
    create table users(username varchar(15),password varchar(15));
    create table groups(username varchar(15),groupname varchar(15));
    insert into users values('userone','p1');
    insert into users values('usertwo','p2');
    insert into users values('userthree','p3');
    insert into groups values('userone','admin');
    insert into groups values('usertwo','admin');
    insert into groups values('userthree','user');
    
  3. Create a Derby XA database pool named SecurityDatabasePool using Database Pools in the console.
  4. Stop the server and update the module org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car in the <Geronimo_Home>/var/config/config.xml file to enable the SQL realm:
    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">
            <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=security-realm" gbeanInfo="org.apache.geronimo.security.jaas.LoginModuleGBean">
                <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.SQLLoginModule</attribute>
                <attribute name="options">dataSourceName=SecurityDatabasePool
                                          databasesourceApplication=null
                                          groupSelect=select username, groupname from groups where username=?
                                          userSelect=select username, password from users where username=?</attribute>
                <attribute name="loginDomainName">derby_security_realm</attribute>
            </gbean>
            <gbean name="geronimo-admin">
                <reference name="LoginModuleConfiguration">
                    <pattern>
                        <name>realm-login-use</name>
                    </pattern>
                </reference>
            </gbean>
            <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=realm-login-use" gbeanInfo="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
                <attribute name="controlFlag">REQUIRED</attribute>
                <reference name="LoginModule">
                    <pattern>
                        <name>security-realm</name>
                    </pattern>
                </reference>
            </gbean>
        </module>
    
    where

derby_security_realm is the realm name used for global authentication.

  5. Restart the server and log in with user name "userone" and password "p1".
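To make the authentication flow of the SQL realm concrete, the following added example (not Geronimo's own SQLLoginModule code) emulates what the realm does with the two configured queries: run userSelect for the supplied user name, compare the stored password, then run groupSelect to collect the user's groups. The SecurityDatabase is stood in for by a constructed in-memory SQLite database with the same tables and rows as above.

```python
import hmac
import sqlite3

# The two queries exactly as configured in the realm's "options" attribute.
USER_SELECT = "select username, password from users where username=?"
GROUP_SELECT = "select username, groupname from groups where username=?"


def build_security_database():
    """Constructed stand-in for SecurityDatabase (Derby on the real server)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table users(username varchar(15), password varchar(15));
        create table groups(username varchar(15), groupname varchar(15));
        insert into users values('userone','p1');
        insert into users values('usertwo','p2');
        insert into users values('userthree','p3');
        insert into groups values('userone','admin');
        insert into groups values('usertwo','admin');
        insert into groups values('userthree','user');
    """)
    return conn


def authenticate(conn, username, password):
    """Emulated login-module behaviour (assumption, not Geronimo's code).

    Returns the set of group names on success, or None on failure. Unknown
    user and wrong password both yield None so the caller cannot tell them
    apart; the comparison is constant-time to avoid leaking the stored value.
    """
    rows = conn.execute(USER_SELECT, (username,)).fetchall()
    stored = {user: pw for user, pw in rows}.get(username)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    return {group for _, group in conn.execute(GROUP_SELECT, (username,))}


if __name__ == "__main__":
    db = build_security_database()
    print(authenticate(db, "userone", "p1"))     # {'admin'}
    print(authenticate(db, "userthree", "p3"))   # {'user'}
    print(authenticate(db, "userone", "wrong"))  # None
```

Note that the users table stores passwords in clear text, so access to SecurityDatabase is equivalent to access to every account it holds.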

With an LDAP realm

  1. Deploy a new realm with the realm name geronimo-admin, either from the Admin Console or from the command line. Refer to Administering security realms for how to create a SQL or LDAP realm using the Admin Console. When this is done, a new realm is created with the plugin id console.realm/geronimo-admin/1.0/car. At the same time, a new line is added to var/config/config.xml under the Geronimo installation directory, like
         <module name="console.realm/geronimo-admin/1.0/car"/>
      
  2. With the server stopped, locate org.apache.geronimo.framework/server-security-config/2.2/car in config.xml and disable the default realm. The updated config.xml will look like this:
         ...
         <module name="org.apache.geronimo.framework/server-security-config/2.2/car">
               <gbean name="geronimo-admin" load="false"/>
         </module>
         ...
      
  3. Restart the server and log in with a user id and password from the new realm instead of the default system/manager credentials. You should be able to log into the Admin Console successfully.