
This article describes how to replace the default properties-file realm, geronimo-admin, with a SQL or LDAP realm.

By default, Geronimo uses a .properties file realm named geronimo-admin for authentication. It is used by the JMX server, the Administration Console, online deployment and the MEJB application. You may not want to rely on a properties file in production; a database (SQL) or LDAP realm is the usual alternative. To show how the default realm is replaced, we walk through the following two samples:

With a database (SQL) realm

In this example, we will use an embedded Derby database as the security provider.

  1. Create a database named SecurityDatabase using the DB Manager in the Administration Console;
  2. Create two tables, users and groups, to store user credentials and group membership:
    create table users(username varchar(15),password varchar(15));
    create table groups(username varchar(15),groupname varchar(15));
    insert into users values('userone','p1');
    insert into users values('usertwo','p2');
    insert into users values('userthree','p3');
    insert into groups values('userone','admin');
    insert into groups values('usertwo','admin');
    insert into groups values('userthree','user');
    
  3. Create a Derby XA database pool named SecurityDatabasePool using Database Pools in the console;
  4. Stop the server and update the module org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car in <Geronimo_Home>/var/config/config.xml to enable the SQL realm:
    <module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">
        <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=security-realm" gbeanInfo="org.apache.geronimo.security.jaas.LoginModuleGBean">
            <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.SQLLoginModule</attribute>
            <attribute name="options">dataSourceName=SecurityDatabasePool
                databasesourceApplication=null
                groupSelect=select username, groupname from groups where username=?
                userSelect=select username, password from users where username=?</attribute>
            <attribute name="loginDomainName">derby_security_realm</attribute>
        </gbean>
        <gbean name="geronimo-admin">
            <reference name="LoginModuleConfiguration">
                <pattern>
                    <name>realm-login-use</name>
                </pattern>
            </reference>
        </gbean>
        <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=realm-login-use" gbeanInfo="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
            <attribute name="controlFlag">REQUIRED</attribute>
            <reference name="LoginModule">
                <pattern>
                    <name>security-realm</name>
                </pattern>
            </reference>
        </gbean>
    </module>

    Here derby_security_realm is the realm name used for global authentication; you can also reference this realm from other applications deployed on the server.
  5. Restart the server and log in with user name userone and password p1. A successful login shows that the new SQL realm is in use.
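As an added example that is not part of this article or of Geronimo's own code, the script below mirrors what a SQL login module does with the options configured above: it loads the article's two tables into an in-memory SQLite database (a constructed stand-in for the Derby pool) and runs the same userSelect and groupSelect statements with bound parameters, returning the user's groups on success. It makes two points visible that the configuration alone does not: the ? placeholders keep the supplied user name out of the SQL text, and the schema as created stores passwords in the clear, so the realm's strength is exactly that of the users table.

```python
import hmac
import sqlite3

# Constructed sample data: the same tables and rows the article creates in
# Derby, executed here against SQLite so the example runs offline.
SCHEMA_SQL = """
create table users(username varchar(15), password varchar(15));
create table groups(username varchar(15), groupname varchar(15));
insert into users values('userone','p1');
insert into users values('usertwo','p2');
insert into users values('userthree','p3');
insert into groups values('userone','admin');
insert into groups values('usertwo','admin');
insert into groups values('userthree','user');
"""

# The two statements from the realm's options attribute. The "?" is a bind
# parameter that the driver substitutes, not a string concatenation.
USER_SELECT = "select username, password from users where username=?"
GROUP_SELECT = "select username, groupname from groups where username=?"


def open_security_database():
    """Open an in-memory database populated with the sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA_SQL)
    return conn


def login(conn, username, password):
    """Emulate the realm's login step.

    Returns the set of group names for the user on success, or None when the
    user is unknown or the password does not match. Group names are what a
    login module turns into group principals for authorization decisions.
    """
    rows = conn.execute(USER_SELECT, (username,)).fetchall()
    if len(rows) != 1:
        # Unknown user, or duplicate rows for one name: refuse rather than guess.
        return None
    stored_password = rows[0][1]
    # Constant-time comparison; the stored value is plaintext in this schema.
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return {groupname for _, groupname in conn.execute(GROUP_SELECT, (username,))}


if __name__ == "__main__":
    db = open_security_database()
    print("userone/p1 ->", login(db, "userone", "p1"))
    print("userthree/p3 ->", login(db, "userthree", "p3"))
    print("userone/wrong ->", login(db, "userone", "wrong"))
    # A quoted user name is just a value the bind parameter looks up and misses.
    print("injected name ->", login(db, "userone' or '1'='1", "p1"))
```

The last call illustrates why the options should keep the ? placeholders: a user name such as `userone' or '1'='1` is compared literally against the username column and simply finds no row.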

With an LDAP realm

In this example, we will use Apache Directory Server as the LDAP security provider.

  1. Deploy a new realm with the realm name geronimo-admin, either from the Admin Console or from the command line. Refer to Administering security realms for how to create a SQL or LDAP realm using the Admin Console. When this is done, a new realm exists with plugin id console.realm/geronimo-admin/1.0/car, and a new line is added to var/config/config.xml under the Geronimo installation directory:
         <module name="console.realm/geronimo-admin/1.0/car"/>
      
  2. With the server stopped, locate org.apache.geronimo.framework/server-security-config/2.2/car in config.xml and disable the default realm. The updated config.xml will look like this:
         ...
         <module name="org.apache.geronimo.framework/server-security-config/2.2/car">
               <gbean name="geronimo-admin" load="false"/>
         </module>
         ...
      
  3. Restart the server and log in with a user id and password from the new realm instead of the default system and manager. You can now log into the Admin Console with the new credentials.
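Steps 1 and 2 both edit var/config/config.xml by hand, and the server only reveals a mistake after the restart in step 3. As an added example that is not part of this article or of Geronimo, the following Python script checks both halves of the switch before restarting: that the new realm's module line is present, and that the default geronimo-admin gbean inside the server-security-config module carries load="false". It can also apply the step 2 edit itself. The sample document is constructed; its root element and layout are placeholders for the real file, and the code ignores XML namespaces so it tolerates whatever namespace the real root declares.

```python
import xml.etree.ElementTree as ET

SECURITY_MODULE = "org.apache.geronimo.framework/server-security-config/2.2/car"
NEW_REALM_MODULE = "console.realm/geronimo-admin/1.0/car"
DEFAULT_REALM_GBEAN = "geronimo-admin"

# Constructed sample of the relevant part of config.xml after step 1 and
# before step 2. The <attributes> root is a placeholder for the real file's
# root element; the real file contains many more <module> entries.
SAMPLE_CONFIG = """<attributes>
  <module name="org.apache.geronimo.framework/server-security-config/2.2/car">
    <gbean name="geronimo-admin"/>
  </module>
  <module name="console.realm/geronimo-admin/1.0/car"/>
</attributes>"""


def _local(tag):
    """Strip a namespace prefix of the form {uri}name from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _find_module(root, module_name):
    """Return the <module> element with the given name attribute, or None."""
    for element in root.iter():
        if _local(element.tag) == "module" and element.get("name") == module_name:
            return element
    return None


def _admin_gbeans(module):
    """Return the geronimo-admin <gbean> children of a module element."""
    return [g for g in module
            if _local(g.tag) == "gbean" and g.get("name") == DEFAULT_REALM_GBEAN]


def disable_default_realm(xml_text):
    """Apply step 2: set load="false" on the default realm's gbean entry.

    If the module has no geronimo-admin gbean entry yet, one is added, which is
    what the article's example shows after the edit.
    """
    root = ET.fromstring(xml_text)
    module = _find_module(root, SECURITY_MODULE)
    if module is None:
        raise ValueError("module not found in config.xml: " + SECURITY_MODULE)
    gbeans = _admin_gbeans(module)
    if not gbeans:
        gbeans = [ET.SubElement(module, "gbean", name=DEFAULT_REALM_GBEAN)]
    for gbean in gbeans:
        gbean.set("load", "false")
    return ET.tostring(root, encoding="unicode")


def realm_switch_status(xml_text):
    """Report whether both edits from steps 1 and 2 are present."""
    root = ET.fromstring(xml_text)
    new_realm_listed = _find_module(root, NEW_REALM_MODULE) is not None
    module = _find_module(root, SECURITY_MODULE)
    disabled = False
    if module is not None:
        gbeans = _admin_gbeans(module)
        disabled = bool(gbeans) and all(g.get("load") == "false" for g in gbeans)
    return {"new_realm_listed": new_realm_listed,
            "default_realm_disabled": disabled}


if __name__ == "__main__":
    print("before step 2:", realm_switch_status(SAMPLE_CONFIG))
    updated = disable_default_realm(SAMPLE_CONFIG)
    print("after step 2: ", realm_switch_status(updated))
```

Run it against the real file by reading <Geronimo_Home>/var/config/config.xml into the functions while the server is stopped; a status with either value False means the restart in step 3 will either still use the properties realm or fail to start the new one.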