Comment: Migrated to Confluence 5.3

...

The LDAP sample application provides a security realm that needs to be deployed before the deployment of the application itself. This realm is located in <ldap_home>/ldap-realm.xml and the content is illustrated in the following example.

Code block (xml): ldap-realm.xml
<!-- Geronimo deployment plan for the sample LDAP security realm (a "car" module). -->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <!-- Module coordinates; plan.xml's dependency on this realm must match these values. -->
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>LDAP_Sample_Realm</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
    </environment>
    <!-- The realm itself: a GenericSecurityRealm whose login modules are listed below. -->
    <gbean name="LDAP_Sample_Realm" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <!-- Name referenced by plan.xml as security-realm-name and realm-name. -->
        <attribute name="realmName">LDAP_Sample_Realm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.2">
                <!-- REQUIRED: this module must succeed for the login to succeed. -->
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>LDAP_Sample_Realm</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.LDAPLoginModule</log:login-module-class>
                    <log:option name="initialContextFactory">com.sun.jndi.ldap.LdapCtxFactory</log:option>
                    <!-- Plain ldap:// (no TLS): the simple bind below sends the bind DN and password in
                         cleartext on the wire; acceptable only because the sample directory is on localhost. -->
                    <log:option name="connectionURL">ldap://localhost:10389</log:option>
                    <!-- Service account used for user/role lookups. The password is stored in cleartext in
                         this plan, so restrict read access to the deployed file and do not reuse this
                         value outside the sample. -->
                    <log:option name="connectionUsername">uid=admin,ou=system</log:option>
                    <log:option name="connectionPassword">secret</log:option>
                    <log:option name="authentication">simple</log:option>
                    <!-- Users are looked up directly under ou=users (no subtree search). -->
                    <log:option name="userBase">ou=users,ou=system</log:option>
                    <!-- NOTE(review): {0} is replaced with the name typed at the login form; confirm the
                         login module escapes LDAP filter metacharacters before substitution. -->
                    <log:option name="userSearchMatching">uid={0}</log:option>
                    <log:option name="userSearchSubtree">false</log:option>
                    <!-- Roles come from the cn of groups under ou=groups whose uniqueMember is the user DN. -->
                    <log:option name="roleBase">ou=groups,ou=system</log:option>
                    <log:option name="roleName">cn</log:option>
                    <log:option name="roleSearchMatching">(uniqueMember={0})</log:option>
                    <log:option name="roleSearchSubtree">false</log:option>
                </log:login-module>
                <!-- OPTIONAL: records login attempts to a file; its outcome does not affect the login result. -->
                <log:login-module control-flag="OPTIONAL" wrap-principals="false">
                    <log:login-domain-name>LDAP_Sample_Realm-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <!-- Relative path; presumably resolved against the Geronimo server root, verify. -->
                    <log:option name="file">var/log/login-attempts.log</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>

...

There is a common deployment plan that is used for the sample. The unprocessed version of this plan is at ldap-sample-app/ldap-sample-app-jetty/src/main/plan/plan.xml. The processed version shown here with plugin name and all dependencies filled in can be found at ldap-sample-app/ldap-sample-app-jetty/target/resources/META-INF/plan.xml after building the project.

Code block (xml): plan.xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Geronimo deployment plan for the sample web application (Jetty build): module identity,
     dependencies, the realm it authenticates against, and the role-to-principal mappings. -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
  <dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <dep:moduleId>
      <dep:groupId>org.apache.geronimo.samples</dep:groupId>
      <dep:artifactId>ldap-sample-app-jetty</dep:artifactId>
      <dep:version>2.1.2</dep:version>
      <dep:type>car</dep:type>
    </dep:moduleId>
    <dep:dependencies>
      <!-- The realm module must be deployed first; the application depends on it. -->
      <dep:dependency>
        <dep:groupId>org.apache.geronimo.samples</dep:groupId>
        <dep:artifactId>ldap-sample-app-realm</dep:artifactId>
        <dep:version>2.1.2</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
      <dep:dependency>
        <dep:groupId>org.apache.geronimo.configs</dep:groupId>
        <dep:artifactId>jasper</dep:artifactId>
        <dep:version>2.1.2</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
      <dep:dependency>
        <dep:groupId>org.apache.geronimo.configs</dep:groupId>
        <dep:artifactId>jetty6</dep:artifactId>
        <dep:version>2.1.2</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
    </dep:dependencies>
    <dep:hidden-classes/>
    <dep:non-overridable-classes/>
  </dep:environment>
  <context-root>/LDAP_Sample</context-root>
  <!-- Must match the realmName attribute of the realm gbean in ldap-realm.xml. -->
  <security-realm-name>LDAP_Sample_Realm</security-realm-name>
  <security>
    <!-- Identity used for requests that carry no authenticated user. -->
    <default-principal realm-name="LDAP_Sample_Realm">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
    </default-principal>
    <!-- Maps the role names used in web.xml to LDAP groups (GeronimoGroupPrincipal, i.e. the cn of
         a group under roleBase) and to individual users (GeronimoUserPrincipal). -->
    <role-mappings>
      <!-- content-administrator: members of the "admin" group, plus the "system" user. -->
      <role role-name="content-administrator">
        <realm realm-name="LDAP_Sample_Realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin" designated-run-as="true"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="system"/>
        </realm>
      </role>
      <!-- guest: members of the "guest" group, plus the "user1" user. Not referenced by any
           security-constraint in web.xml, so it grants no access by itself. -->
      <role role-name="guest">
        <realm realm-name="LDAP_Sample_Realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="guest" designated-run-as="true"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="user1"/>
        </realm>
      </role>
    </role-mappings>
  </security>
</web-app>

...

The web.xml deployment descriptor shown in the following example (also located in the <ldap_home>/WEB-INF directory) adds security constraints based on the URL path of the resources.

Code block (xml): web.xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Servlet 2.4 deployment descriptor: URL-pattern based access control and FORM login. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
    </welcome-file-list>

    <!-- Everything under /protect/ requires the content-administrator role (mapped in plan.xml).
         No user-data-constraint is declared, so the container does not require HTTPS here;
         add a CONFIDENTIAL transport-guarantee before using this layout outside the sample,
         otherwise the FORM credentials travel in cleartext. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Admin Role</web-resource-name>
            <url-pattern>/protect/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>content-administrator</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- An empty auth-constraint grants access to no role at all: /forbidden/* is unreachable
         for every client, authenticated or not. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>No Access</web-resource-name>
            <url-pattern>/forbidden/*</url-pattern>
        </web-resource-collection>
        <auth-constraint/>
    </security-constraint>

    <!-- FORM authentication. The login and error pages live under /auth/, which is outside both
         constrained patterns above and so stays reachable to unauthenticated users. -->
    <login-config>
        <auth-method>FORM</auth-method>
        <!-- NOTE(review): this differs from the LDAP_Sample_Realm name used in plan.xml and
             ldap-realm.xml; the plan's security-realm-name appears to be what selects the Geronimo
             realm, so this value is presumably informational for FORM auth, but confirm. -->
        <realm-name>ldap-realm-1</realm-name>
        <form-login-config>
            <form-login-page>/auth/logon.html?param=test</form-login-page>
            <form-error-page>/auth/logonError.html?param=test</form-error-page>
        </form-login-config>
    </login-config>

    <!-- Declares the role used in the auth-constraint above; "guest" from plan.xml is not declared here. -->
    <security-role>
        <role-name>content-administrator</role-name>
    </security-role>

</web-app>

...