Article donated by: Simon Godik, Hernan Cunico
A number of components must be configured before the system works. Among them are implementations of the ConfigurationEntryFactory interface, login module GBeans, and login module use GBeans.
We start with the GBeans that implement the ConfigurationEntryFactory interface and their supporting GBeans, followed by the LoginModule GBean.
Configuring DirectConfigurationEntry
DirectConfigurationEntry exposes a login module directly to JAAS clients; the login module is named explicitly in the entry. For a client that needs to log in to a Geronimo server, the login module to specify is JaasLoginCoordinator.
The DirectConfigurationEntry GBean declares the following metadata:
- applicationConfigName - attribute; the application configuration name. This is the key by which the configuration entry is found, i.e. the name a JAAS client passes when it creates a LoginContext.
- controlFlag - attribute; the login module control flag, with JAAS semantics. Since the entry holds exactly one login module, the only value that makes sense here is REQUIRED.
- wrapPrincipals - attribute; true or false. If true, every Principal generated by the login module (login domain) is wrapped in a DomainPrincipal, and every DomainPrincipal is in turn wrapped in a RealmPrincipal. This enables J2EE role mappings onto DomainPrincipals and RealmPrincipals.
- Module - reference; the object name of the LoginModuleGBean to expose.
The following example shows how a DirectConfigurationEntry is configured to use the ServerLoginCoordinator login module GBean, which wraps the JaasLoginCoordinator login module.
    <configuration xmlns="http://geronimo.apache.org/xml/ns/deployment"
        parentId="org/apache/geronimo/Client"
        configId="org/apache/geronimo/ClientSecurity">

      <GBean name="ServerLoginStubDCE" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry">
        <attribute name="applicationConfigName">server-login</attribute>
        <attribute name="controlFlag">REQUIRED</attribute>
        <reference name="Module">
          <!-- reference to the login module GBean: name=ServerLoginCoordinator -->
          <name>ServerLoginCoordinator</name>
        </reference>
      </GBean>

      <GBean name="ServerLoginCoordinator" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
        <attribute name="loginModuleClass">org.apache.geronimo.security.jaas.client.JaasLoginCoordinator</attribute>
        <attribute name="serverSide">false</attribute>
        <attribute name="options">
          host=localhost <!-- Geronimo login service endpoint -->
          port=4242
          realm=geronimo-properties-realm <!-- Security realm name -->
        </attribute>
        <attribute name="loginDomainName">geronimo-properties-realm</attribute>
      </GBean>

    </configuration>
Configuring ServerRealmConfigurationEntry
ServerRealmConfigurationEntry connects a server-side component (such as a servlet) to a security realm. It decouples the application configuration name from the security realm name, so the realm behind a given configuration name can be swapped without touching the components that use that name.
ServerRealmConfigurationEntry declares the following metadata:
- applicationConfigName - attribute; the application configuration name. This is the key by which the configuration entry is found.
- realmName - attribute; the security realm name.
- LoginService - reference; the object name of the JAAS Login Service GBean.
- wrapPrincipals - attribute; true or false. If true, every Principal generated by the login module (login domain) is wrapped in a DomainPrincipal, and every DomainPrincipal is in turn wrapped in a RealmPrincipal. This enables J2EE role mappings onto DomainPrincipals and RealmPrincipals.
Example: here we set up a ServerRealmConfigurationEntry named JMX, backed by the security realm geronimo-properties-realm. The LoginService reference names the JaasLoginService GBean, which is not defined in this fragment.
    <configuration xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0"
        configId="org/apache/geronimo/Security"
        parentId="org/apache/geronimo/RMINaming">

      <GBean name="JMX" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry">
        <attribute name="applicationConfigName">JMX</attribute>
        <attribute name="realmName">geronimo-properties-realm</attribute> <!-- name of the security realm -->
        <reference name="LoginService">
          <!-- reference to the login service GBean -->
          <name>JaasLoginService</name>
        </reference>
      </GBean>

    </configuration>
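Both entry types above are easy to get subtly wrong in a deployment plan: a controlFlag other than REQUIRED, a Module reference that resolves to something other than a LoginModuleGBean, or two entries claiming the same applicationConfigName (only one of them can be found by that key). The following checker is an added example, not part of Geronimo or of the original article. It reads a plan fragment with Python's standard XML parser and reports those mistakes. It assumes that applicationConfigName must be unique within a plan and that a reference it cannot resolve locally (such as JaasLoginService, which lives in a parent configuration) is only a warning, not an error; the sample plans are constructed here, modelled on the two fragments above.

```python
"""Sanity-check Geronimo JAAS configuration-entry GBeans in a deployment plan.

Added example, not Geronimo code. Assumptions: applicationConfigName is unique
per plan; a DirectConfigurationEntry's Module must name a LoginModuleGBean; a
reference to a GBean outside this plan is only a warning.
"""
import xml.etree.ElementTree as ET

DIRECT_ENTRY = "org.apache.geronimo.security.jaas.DirectConfigurationEntry"
REALM_ENTRY = "org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry"
LOGIN_MODULE = "org.apache.geronimo.security.jaas.LoginModuleGBean"


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def parse_gbeans(plan_xml):
    """Return {gbean name: {"class", "attributes", "references"}} for a plan."""
    gbeans = {}
    for gbean in ET.fromstring(plan_xml):
        if _local(gbean.tag) != "GBean":
            continue
        attributes, references = {}, {}
        for child in gbean:
            if _local(child.tag) == "attribute":
                attributes[child.get("name")] = (child.text or "").strip()
            elif _local(child.tag) == "reference":
                names = [n.text.strip() for n in child if _local(n.tag) == "name" and n.text]
                references[child.get("name")] = names[0] if names else None
        gbeans[gbean.get("name")] = {"class": gbean.get("class"),
                                     "attributes": attributes, "references": references}
    return gbeans


def check_plan(plan_xml):
    """Return (errors, warnings) for the configuration entries in a plan."""
    gbeans = parse_gbeans(plan_xml)
    errors, warnings, config_names = [], [], {}
    for name, gbean in gbeans.items():
        cls, attrs, refs = gbean["class"], gbean["attributes"], gbean["references"]
        if cls not in (DIRECT_ENTRY, REALM_ENTRY):
            continue
        # applicationConfigName is the lookup key; a duplicate hides one entry.
        key = attrs.get("applicationConfigName")
        if not key:
            errors.append(f"{name}: missing applicationConfigName")
        elif key in config_names:
            errors.append(f"{name}: applicationConfigName {key!r} already used by {config_names[key]}")
        else:
            config_names[key] = name
        if attrs.get("wrapPrincipals", "false") not in ("true", "false"):
            errors.append(f"{name}: wrapPrincipals must be true or false")
        if cls == DIRECT_ENTRY:
            # One module per entry, so REQUIRED is the only meaningful flag.
            if attrs.get("controlFlag") != "REQUIRED":
                errors.append(f"{name}: controlFlag must be REQUIRED, got {attrs.get('controlFlag')!r}")
            target = refs.get("Module")
            if target is None:
                errors.append(f"{name}: missing Module reference")
            elif target not in gbeans:
                warnings.append(f"{name}: Module {target!r} not defined in this plan")
            elif gbeans[target]["class"] != LOGIN_MODULE:
                errors.append(f"{name}: Module {target!r} is not a LoginModuleGBean")
        else:
            if not attrs.get("realmName"):
                errors.append(f"{name}: missing realmName")
            target = refs.get("LoginService")
            if target is None:
                errors.append(f"{name}: missing LoginService reference")
            elif target not in gbeans:
                warnings.append(f"{name}: LoginService {target!r} not defined in this plan")
    return errors, warnings


# Constructed sample plan combining the two fragments from the article.
GOOD_PLAN = """<configuration xmlns="http://geronimo.apache.org/xml/ns/deployment" configId="good">
  <GBean name="ServerLoginStubDCE" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry">
    <attribute name="applicationConfigName">server-login</attribute>
    <attribute name="controlFlag">REQUIRED</attribute>
    <reference name="Module"><name>ServerLoginCoordinator</name></reference>
  </GBean>
  <GBean name="ServerLoginCoordinator" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
    <attribute name="loginModuleClass">org.apache.geronimo.security.jaas.client.JaasLoginCoordinator</attribute>
    <attribute name="options">host=localhost
port=4242
realm=geronimo-properties-realm</attribute>
    <attribute name="loginDomainName">geronimo-properties-realm</attribute>
  </GBean>
  <GBean name="JMX" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry">
    <attribute name="applicationConfigName">JMX</attribute>
    <attribute name="realmName">geronimo-properties-realm</attribute>
    <reference name="LoginService"><name>JaasLoginService</name></reference>
  </GBean>
</configuration>"""

# Constructed broken plan: OPTIONAL flag, Module pointing at a realm entry,
# and a second entry reusing the "JMX" configuration name.
BAD_PLAN = """<configuration xmlns="http://geronimo.apache.org/xml/ns/deployment" configId="bad">
  <GBean name="Broken" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry">
    <attribute name="applicationConfigName">JMX</attribute>
    <attribute name="controlFlag">OPTIONAL</attribute>
    <reference name="Module"><name>JMX</name></reference>
  </GBean>
  <GBean name="JMX" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry">
    <attribute name="applicationConfigName">JMX</attribute>
    <attribute name="realmName">geronimo-properties-realm</attribute>
    <reference name="LoginService"><name>JaasLoginService</name></reference>
  </GBean>
</configuration>"""

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, check_plan(plan))
```

Run it against a real plan by reading the file into check_plan; the good plan produces no errors and one warning (JaasLoginService is resolved in the parent configuration, not here), while the broken plan produces three errors. The checker only inspects what the page describes; it does not validate option values such as host or port.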