

Article donated by: Simon Godik, Hernan Cunico

A number of components need to be configured for the system to work. These include implementations of the ConfigurationEntryFactory interface, Login Modules, and Login Module Use, among others.

We start with the GBeans that implement the ConfigurationEntryFactory interface and their supporting GBeans, followed by the LoginModule GBean.

Configuring DirectConfigurationEntry

DirectConfigurationEntry exposes a login module directly to JAAS clients. The login module is specified on the entry itself. To be able to log in to Geronimo, specify the JaasLoginCoordinator login module.

The DirectConfigurationEntry GBean declares the following metadata:

  • applicationConfigName - attribute; application configuration name; this is a key by which configuration entry is found.
  • controlFlag - attribute; login module control flag according to the JAAS semantics; the only value that makes sense here is REQUIRED.
  • wrapPrincipals - attribute; possible values are true and false. If set to true, all Principals generated by the login module (Login Domain) will be wrapped into the DomainPrincipal and every DomainPrincipal will be wrapped into the RealmPrincipal. This enables J2EE role mappings into DomainPrincipals and RealmPrincipals.
  • Module - reference; the object name specification for the LoginModuleGBean.

The following example shows how DirectConfigurationEntry is configured to use the ServerLoginCoordinator login module GBean.

<configuration
    xmlns="http://geronimo.apache.org/xml/ns/deployment"
    parentId="org/apache/geronimo/Client"
    configId="org/apache/geronimo/ClientSecurity"
    >
    <GBean name="ServerLoginStubDCE" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry">
        <attribute name="applicationConfigName">server-login</attribute>
        <attribute name="controlFlag">REQUIRED</attribute>
        <reference name="Module">  <!-- reference to the login module GBean: name=ServerLoginCoordinator -->
            <name>ServerLoginCoordinator</name>
        </reference>
    </GBean>

    <GBean name="ServerLoginCoordinator" class="org.apache.geronimo.security.jaas.LoginModuleGBean">
        <attribute name="loginModuleClass">org.apache.geronimo.security.jaas.client.JaasLoginCoordinator</attribute>
        <attribute name="serverSide">false</attribute>
        <attribute name="options">
            host=localhost  <!-- Geronimo login service endpoint -->
            port=4242
            realm=geronimo-properties-realm  <!-- Security realm name -->
        </attribute>
        <attribute name="loginDomainName">geronimo-properties-realm</attribute>
    </GBean>
</configuration>

Configuring ServerRealmConfigurationEntry

ServerRealmConfigurationEntry connects a server-side component (such as a Servlet) to the Security Realm. It decouples the configuration name from the Security Realm name.

ServerRealmConfigurationEntry declares the following metadata:

  • applicationConfigName - attribute; application configuration name; this is a key by which configuration entry is found.
  • realmName - attribute; security realm name.
  • LoginService - reference; object name for the JAAS Login Service GBean.
  • wrapPrincipals - attribute; possible values are true and false. If set to true, all Principals generated by the login module (Login Domain) will be wrapped into the DomainPrincipal and every DomainPrincipal will be wrapped into the RealmPrincipal. This enables J2EE role mappings into DomainPrincipals and RealmPrincipals.

Example: here we set up a ServerRealmConfigurationEntry with the name JMX. The security realm name is geronimo-properties-realm.

<configuration
    xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0"
    configId="org/apache/geronimo/Security"
    parentId="org/apache/geronimo/RMINaming"
    >

    <GBean name="JMX" class="org.apache.geronimo.security.jaas.ServerRealmConfigurationEntry">
        <attribute name="applicationConfigName">JMX</attribute>
        <attribute name="realmName">geronimo-properties-realm</attribute>  <!-- name of the security realm -->
        <reference name="LoginService">  <!-- reference to the login service GBean -->
            <name>JaasLoginService</name>
        </reference>
    </GBean>

</configuration>
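The metadata rules listed above for both entry types can be checked before a plan is deployed. The following is an added example, not part of the original article or of Geronimo: `lint_plan` and the sample plan are hypothetical, and the check assumes a Module reference resolves to a GBean in the same plan (a module defined in a parent configuration would be reported).

```python
import xml.etree.ElementTree as ET

PKG = "org.apache.geronimo.security.jaas."
DCE, SRCE, LMG = (PKG + "DirectConfigurationEntry",
                  PKG + "ServerRealmConfigurationEntry", PKG + "LoginModuleGBean")

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]

def _named(gbean, kind):
    """Map name -> text of <attribute>, or -> nested <name> text of <reference>."""
    out = {}
    for el in gbean:
        if _local(el.tag) == kind:
            src = el if kind == "attribute" else next(
                (c for c in el if _local(c.tag) == "name"), None)
            out[el.get("name")] = ((src.text if src is not None else "") or "").strip()
    return out

def lint_plan(xml_text):
    """Return a list of findings for the JAAS configuration-entry GBeans in one plan."""
    gbeans = [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "GBean"]
    classes = {g.get("name"): g.get("class") for g in gbeans}
    findings = []
    for g in gbeans:
        name, cls = g.get("name"), g.get("class")
        attrs, refs = _named(g, "attribute"), _named(g, "reference")
        if cls in (DCE, SRCE) and not attrs.get("applicationConfigName"):
            findings.append(f"{name}: applicationConfigName missing")
        if cls == DCE:
            if attrs.get("controlFlag") != "REQUIRED":
                findings.append(f"{name}: controlFlag should be REQUIRED")
            if classes.get(refs.get("Module")) != LMG:
                findings.append(f"{name}: Module does not name a LoginModuleGBean")
        if cls == SRCE:
            if not attrs.get("realmName"):
                findings.append(f"{name}: realmName missing")
            if not refs.get("LoginService"):
                findings.append(f"{name}: LoginService reference missing")
    return findings

# Constructed sample plan (not from the page): wrong flag, dangling Module reference.
BAD_PLAN = """<configuration xmlns="http://geronimo.apache.org/xml/ns/deployment">
  <GBean name="StubDCE" class="org.apache.geronimo.security.jaas.DirectConfigurationEntry">
    <attribute name="applicationConfigName">server-login</attribute>
    <attribute name="controlFlag">OPTIONAL</attribute>
    <reference name="Module"><name>NoSuchModule</name></reference>
  </GBean>
</configuration>"""

if __name__ == "__main__":
    print("\n".join(lint_plan(BAD_PLAN)))
```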