This article describes how to replace the default properties-file realm geronimo-admin with a SQL or LDAP realm.
By default, Geronimo uses a .properties file realm named geronimo-admin for authentication. It is used by the JMX server, the Administration Console, online deployment and the MEJB applications. You may not want to rely on a flat-file realm in production; instead, you can use a database (SQL) or LDAP realm. To demonstrate how to replace the default realm, we will walk through the following two examples:
With a database (SQL) realm
In this example, we will use an embedded Derby database as the security provider.
- Create a database named SecurityDatabase using DB Manager on the Administration Console;
- Create two tables, Users and Groups, to store user credentials and group membership;
- Create a Derby XA database pool named SecurityDatabasePool using Database Pools on the console;
- Update the module org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car in <Geronimo_Home>/var/config/config.xml to enable the SQL realm:

<module name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car">
  <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModule,name=security-realm" gbeanInfo="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.SQLLoginModule</attribute>
    <attribute name="options">dataSourceName=SecurityDatabasePool
dataSourceApplication=null
groupSelect=select username, groupname from groups where username=?
userSelect=select username, password from users where username=?</attribute>
    <attribute name="loginDomainName">derby_security_realm</attribute>
  </gbean>
  <gbean name="geronimo-admin">
    <reference name="LoginModuleConfiguration">
      <pattern>
        <name>realm-login-use</name>
      </pattern>
    </reference>
  </gbean>
  <gbean name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car,j2eeType=LoginModuleUse,name=realm-login-use" gbeanInfo="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="LoginModule">
      <pattern>
        <name>security-realm</name>
      </pattern>
    </reference>
  </gbean>
</module>

Here derby_security_realm is the realm name used for global authentication.
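The page says to create the Users and Groups tables but leaves their layout implicit; the column names are dictated by the userSelect and groupSelect queries in the options above. The following Python script is an added example, not code from the Geronimo documentation or project: it builds that layout in an in-memory SQLite database standing in for the embedded Derby SecurityDatabase, loads a few constructed sample accounts, and then runs the realm's two queries the way a login does (look up the stored password for the user, compare it, collect the user's groups). The DDL, the sample accounts and the authenticate function are this example's own assumptions; only the two queries and the table names come from the page.

```python
import hmac
import sqlite3

# The two queries exactly as configured in the SQLLoginModule options on the page.
USER_SELECT = "select username, password from users where username=?"
GROUP_SELECT = "select username, groupname from groups where username=?"

# Assumed table layout (this example's own): the column names are dictated by
# what the two queries select.  SQLite stands in for the embedded Derby
# SecurityDatabase so the script runs offline.
DDL = (
    "create table users ("
    "  username varchar(64) primary key,"
    "  password varchar(255) not null)",
    "create table groups ("
    "  username  varchar(64) not null references users(username),"
    "  groupname varchar(64) not null,"
    "  primary key (username, groupname))",
)

# Constructed sample accounts; these stand in for the new users that replace
# the default system/manager login.
SAMPLE_USERS = [("admin", "example-admin-pw"), ("auditor", "example-auditor-pw")]
SAMPLE_GROUPS = [("admin", "admin"), ("auditor", "monitor")]


def build_security_database():
    """Create and populate an in-memory stand-in for SecurityDatabase."""
    conn = sqlite3.connect(":memory:")
    conn.execute("pragma foreign_keys = on")
    for statement in DDL:
        conn.execute(statement)
    conn.executemany("insert into users (username, password) values (?, ?)", SAMPLE_USERS)
    conn.executemany("insert into groups (username, groupname) values (?, ?)", SAMPLE_GROUPS)
    conn.commit()
    return conn


def authenticate(conn, username, password):
    """Run the realm's two queries the way a login does.

    Returns the sorted list of group names when the user exists and the
    supplied password matches the stored value, otherwise None.  Both
    queries are parameterised (the '?' in the page's options), so a
    username containing quote characters is simply a non-matching string.
    """
    row = conn.execute(USER_SELECT, (username,)).fetchone()
    if row is None:
        return None
    stored_password = row[1]
    # Constant-time comparison.  The page's options store the value the realm
    # compares against directly, so no digest step is applied here.
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return None
    return sorted(groupname for _, groupname in conn.execute(GROUP_SELECT, (username,)))


if __name__ == "__main__":
    db = build_security_database()
    print(authenticate(db, "admin", "example-admin-pw"))       # ['admin']
    print(authenticate(db, "admin", "wrong-password"))         # None
    print(authenticate(db, "admin'; --", "example-admin-pw"))  # None
```

Whatever schema you choose for Derby, the only hard requirement is that userSelect returns (username, password) and groupSelect returns (username, groupname) for the single bound parameter. Storing a password digest rather than the cleartext value is the obvious hardening, but that is a login-module option the page does not show, so the example follows the page's configuration as given.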
With an LDAP realm
- Deploy a new realm with the realm name geronimo-admin, either from the Admin Console or from the command line. Refer to Administering security realms for how to create a SQL or LDAP realm using the Admin Console. When it is done, a new realm is created with the plugin id console.realm/geronimo-admin/1.0/car. At the same time, a new line like the following is added to var/config/config.xml under the Geronimo installation directory:

<module name="console.realm/geronimo-admin/1.0/car"/>
- With the server stopped, locate org.apache.geronimo.framework/server-security-config/2.2/car in config.xml and disable the default realm. The updated config.xml will look like this:

...
<module name="org.apache.geronimo.framework/server-security-config/2.2/car">
  <gbean name="geronimo-admin" load="false"/>
</module>
...
- Restart the server and log in with the new user id and password instead of the default system/manager. You should be able to log into the Admin Console successfully.
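Before restarting, it is worth confirming that config.xml is well-formed and actually contains both edits described above: a mistyped closing tag stops the server from loading the file at all, and a forgotten load="false" leaves the default realm active alongside the new one. The following Python check is an added example, not part of the Geronimo documentation or project. It parses a constructed config.xml fragment mirroring the two edits (the new console.realm/geronimo-admin/1.0/car module, and the geronimo-admin gbean marked load="false" inside the server-security-config module) and reports whether both are present. The function names and the sample fragment are this example's own; the module and gbean names come from the page. Matching is done on local element names, so a namespaced root element in a real config.xml does not affect the result.

```python
import xml.etree.ElementTree as ET

# Module and gbean names as given on the page.
SERVER_SECURITY_MODULE = "org.apache.geronimo.framework/server-security-config/2.2/car"
REPLACEMENT_MODULE = "console.realm/geronimo-admin/1.0/car"
DEFAULT_REALM_GBEAN = "geronimo-admin"

# Constructed config.xml fragment (this example's own, not a real server file)
# containing the two edits the page describes.
SAMPLE_CONFIG = """\
<attributes>
  <module name="console.realm/geronimo-admin/1.0/car"/>
  <module name="org.apache.geronimo.framework/server-security-config/2.2/car">
    <gbean name="geronimo-admin" load="false"/>
  </module>
</attributes>
"""


def _local_name(tag):
    """Strip any XML namespace so matching also works on a namespaced config.xml."""
    return tag.rsplit("}", 1)[-1]


def is_well_formed(config_xml):
    """True if the document parses; a mistyped closing tag such as </modoule> fails here."""
    try:
        ET.fromstring(config_xml)
    except ET.ParseError:
        return False
    return True


def check_realm_switch(config_xml, replacement_module=REPLACEMENT_MODULE):
    """Report whether the replacement realm module is listed and the default
    geronimo-admin gbean in server-security-config is marked load="false"."""
    root = ET.fromstring(config_xml)
    modules = {m.get("name"): m for m in root.iter() if _local_name(m.tag) == "module"}
    result = {
        "replacement_present": replacement_module in modules,
        "default_disabled": False,
    }
    security_module = modules.get(SERVER_SECURITY_MODULE)
    if security_module is not None:
        for gbean in security_module:
            if _local_name(gbean.tag) == "gbean" and gbean.get("name") == DEFAULT_REALM_GBEAN:
                result["default_disabled"] = gbean.get("load") == "false"
    result["ok"] = result["replacement_present"] and result["default_disabled"]
    return result


if __name__ == "__main__":
    import sys
    # Usage: python check_config.py [<Geronimo_Home>/var/config/config.xml]
    # Without an argument the constructed sample fragment is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    if not is_well_formed(text):
        print("config.xml is not well-formed XML")
        sys.exit(1)
    print(check_realm_switch(text))
```

Run it against the real file after editing and before the restart; if "default_disabled" comes back False, the gbean is either missing from the server-security-config module or not marked load="false".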