Replacing the server-security-config plugin

Thanks. That helps. I'll see what I can do.

Q

On Sat, Sep 12, 2009 at 12:49 AM, David Jencks <david_jencks@...> wrote:
>
> On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:
>
>> OK. So I found the reference. It's like so:
>>     <gbean name="PropertiesLoginManager"
>> class
>> =
>> "org
>> .apache.geronimo.console.core.security.PropertiesLoginModuleManager">
>>       <reference name="ServerInfo">
>>         <name>ServerInfo</name>
>>       </reference>
>>       <reference name="LoginModule">
>>         <name>properties-login</name>
>>       </reference>
>>     </gbean>
>>
>> And it's in console-tomcat's plan.
>>
>> 1. How would I make it multivalued and wrap it in SingleElementCollection?
>
> You need to find the java code for PropertiesLoginModuleManager.  It should
> have a reference to a login module.... you need to turn the reference into a
> Collection<LoginModuleGBean>.  Hopefully it's a constructor arg.  Instead of
> dealing with the Collection itself you can immediately wrap it in a
> SingleElementCollection and use that instead.  Then you'll have to look at
> the code in PropertiesLoginModuleManager and make sure it doesn't do
> anything unfortunate if there is no login module in the collection.
>>
>>
>> 2. How would I redeploy it?
>
> you'll need to have checked out geronimo to get this far.... the simplest is
> to just build all of geronimo.  If you've built at least once, you can just
> build the plugins/console and then assemblies.  (I'm assuming that my
> recollection that this code is in plugins/console is correct).
>
> hope this helps
> david jencks
>
>
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jdente@...>
>> wrote:
>>>
>>> I'm going to be busy for the rest of the day, but here's the deployment
>>> plan I use in my replacement server-security-config plugin:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>>  <environment>
>>>   <moduleId>
>>>     <groupId>com.mycode.geronimo</groupId>
>>>     <artifactId>delegating-login-module</artifactId>
>>>     <version>1.0</version>
>>>     <type>car</type>
>>>   </moduleId>
>>>   <dependencies>
>>>     <dependency>
>>>       <groupId>org.apache.geronimo.framework</groupId>
>>>       <artifactId>j2ee-security</artifactId>
>>>       <version>2.1.4</version>
>>>       <type>car</type>
>>>     </dependency>
>>>   </dependencies>
>>>   <hidden-classes/>
>>>   <non-overridable-classes/>
>>>  </environment>
>>>
>>>  <gbean name="CredentialStore"
>>> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
>>>
>>>  <!-- Default Security Realm Using Delegate Login Module -->
>>>  <gbean name="admin-login"
>>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>>   <attribute
>>> name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
>>>   <attribute name="options">delegateRealm=delegate-realm
>>>       groupName=delegate-admin</attribute>
>>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>>  </gbean>
>>>  <gbean name="geronimo-admin"
>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>>   <attribute name="realmName">geronimo-admin</attribute>
>>>   <reference name="LoginModuleConfiguration">
>>>     <name>admin-login</name>
>>>   </reference>
>>>   <reference name="ServerInfo">
>>>     <name>ServerInfo</name>
>>>   </reference>
>>>  </gbean>
>>>  <gbean name="admin-login"
>>> class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>>>   <attribute name="controlFlag">REQUIRED</attribute>
>>>   <reference name="LoginModule">
>>>     <name>admin-login</name>
>>>   </reference>
>>>  </gbean>
>>>
>>>  <!--
>>>  <gbean name="properties-login"
>>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>>   <attribute
>>> name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>>>   <attribute name="options">usersURI=var/security/users.properties
>>>           groupsURI=var/security/groups.properties</attribute>
>>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>>  </gbean>
>>>  -->
>>>
>>>  <gbean name="geronimo-default"
>>> class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>>>   <attribute name="keystoreName">geronimo-default</attribute>
>>>   <attribute
>>> name="keystorePath">var/security/keystores/geronimo-default</attribute>
>>>   <attribute name="keystorePassword">secret</attribute>
>>>   <attribute name="keystoreType">JKS</attribute>
>>>   <attribute name="keyPasswords">geronimo=secret</attribute>
>>>   <reference name="ServerInfo">
>>>     <name>ServerInfo</name>
>>>   </reference>
>>>  </gbean>
>>> </module>
>>>
>>> You can see the configuration for my custom login module. The important
>>> piece for this problem is the "properties-login" gbean that I have commented
>>> out. Without this GBean, Geronimo is unable to startup due to the bug
>>> originally discussed in this thread (GERONIMO-4603). If you enable this
>>> GBean, then Geronimo can startup correctly (granted everything else is
>>> configured appropriately). Because of the hardwired issue discussed in issue
>>> 4603, I have to put the dummy "properties-login" gbean in place even though
>>> I'm not using a "properties-login" gbean in my configuration.
>>>
>>> Joe
>>>
>>> ===========================
>>> I also tried creating a realm through the console, then exporting it
>>> as a plugin, undeploying the original, deploying as a plugin and
>>> restarting the server after doing the config.xml changes.
>>>
>>> Doesn't work either. Complains about:
>>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
>>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
>>> the keystore page in the admin console to unlock it:  vmcid: Apache
>>> minor code: 0x5  completed: No
>>>
>>> Q
>>>
>>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@...>
>>> wrote:
>>>>
>>>> No. This isn't working right. I don't know what I'm doing wrong.
>>>>
>>>> I take the exported plugin. Extract it to directory "x".
>>>>
>>>> Then I change only the groupId everywhere in the plugin frmo
>>>> "org.apache.geronimo.framework" to "test" and version from
>>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>>>>
>>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
>>>> Successfully installed: test/server-security-config/2.2/car
>>>>
>>>> I stop the server, and then edit artifact_aliases.properties and change:
>>>>
>>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
>>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> TO
>>>>
>>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
>>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> And config.xml from:
>>>>   <module
>>>> name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>>>>   <module name="test/server-security-config/2.2/car"/>
>>>>
>>>> TO:
>>>>   <module
>>>> name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"
>>>> load="false"/>
>>>>   <module name="test/server-security-config/2.2/car"/>
>>>>
>>>> Then I try and start the server, and all I get is this, ie. it starts
>>>> and right after loading my plugin stops the server without an error.
>>>> 2009-09-11 22:14:37,642 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
>>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
>>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory =
>>>> /opt/testkms/server/geronimo-2.2-20090908
>>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun
>>>> JVM 1.5.0_17
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
>>>> Edition
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.runtime.version]  = 1.5.0_17-b04
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.name]               = Linux
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.version]            = 2.6.24-24-generic
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [sun.os.patch.level]    = unknown
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.arch]               = i386
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.class.version]    = 49.0
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [locale]                = en_ZA
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [unicode.encoding]      = UnicodeLittle
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [file.encoding]         = UTF-8
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.name]          = Java HotSpot(TM) Client VM
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.vendor]        = Sun Microsystems Inc.
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.version]       = 1.5.0_17-b04
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.info]          = mixed mode
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.classpath]        = null
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.library.path]     =
>>>>
>>>> /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.endorsed.dirs]    =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.ext.dirs]         =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [sun.boot.class.path]   =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>>>> at name java:comp
>>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>>>> at name java:
>>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>>>> at name ger:
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.MetaFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.MessageFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=java.net.preferIPv4Stack to Value=true
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.SOAPConnectionFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
>>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.SOAPFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
>>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>>>> Property=java.security.Provider to Value=SUN
>>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>>>> at name java:
>>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>>>> at name ger:
>>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>>>> at name java:comp
>>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
>>>> 2009-09-11 22:14:40,265 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>>
>>>> Q
>>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@...>
>>>> wrote:
>>>>>
>>>>> do i need to delete config.ser?
>>>>>
>>>>> Q
>>>>>
>>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@...>
>>>>> wrote:
>>>>>>
>>>>>> That's how I got started. I have a project that includes a custom
>>>>>> login module as well as a customized geronimo-plugin.xml that originally was
>>>>>> an exported version of the server-security-config plugin. My plugin project
>>>>>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
>>>>>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>>>>>> being my jar's deployment plan. You can also try and build a car using the
>>>>>> maven car plugin, although I haven't played around with this yet. I found
>>>>>> this wiki article to be helpful:
>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>>>>>
>>>>>> Joe
>>>>>>
>>>>>> ---------------------
>>>>>> Sorry, I've never created a plugin. To create a new
>>>>>> server-security-config plugin, do you mean I should copy
>>>>>> server-security-config using the console's plugin export and modify
>>>>>> it?
>>>>>>
>>>>>> Q
>>>>>>
>>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@...>
>>>>>> wrote:
>>>>>>>
>>>>>>> To reproduce it create your own server-security-config plugin that
>>>>>>> uses any login module other than the properties-login gbean that is
>>>>>>> expected. You then need to deploy your new server-security-config plugin and
>>>>>>> have it completely replace the default server-security-config (see
>>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>>>>>> I achieved this by telling the server-security-config car to not load in the
>>>>>>> config.xml, telling my security plugin to load in the config.xml, and then
>>>>>>> adding artifact aliases for both the 2.1.4 and wildcard-versioned lines
>>>>>>> referring to the server-security-config plugin in the
>>>>>>> artifact_aliases.properties file.
>>>>>>>
>>>>>>> In artifact_alases.properties:
>>>>>>>
>>>>>>> org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>>>>>>
>>>>>>> org.apache.geronimo.framework/server-security-config/2.1.4/car=org
>>>>>>> com.my.geronimo/my-security-config/1.0/car
>>>>>>>
>>>>>>> In config.xml:
>>>>>>>       <module
>>>>>>> name="org.apache.geronimo.framework/server-security-config/2.1.4/car"
>>>>>>> load="false"/>
>>>>>>>       <module name="com.my.geronimo/my-security-config/1.0/car"/>
>>>>>>>
>>>>>>> Now try and startup Geronimo. You will see the error discussing the
>>>>>>> missing expected gbean.
>>>>>>> Hope this helps,
>>>>>>> Joe
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -------------
>>>>>>> Errr. Ouch. *rubbing the brused area in his brain*.
>>>>>>>
>>>>>>> I'm not that on with everything you said. I think the best thing
>>>>>>> would
>>>>>>> be to reproduce it. What would I do to reproduce it?
>>>>>>>
>>>>>>> Q
>>>>>>>
>>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks
>>>>>>> <david_jencks@...> wrote:
>>>>>>>>
>>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>>>>>>>
>>>>>>>>> I'll be willing to have a look at it.
>>>>>>>>>
>>>>>>>>> can you give me a general idea what I'm supposed to look at and how
>>>>>>>>> it
>>>>>>>>> would be done?
>>>>>>>>
>>>>>>>> IIRC the failure is caused by an unsatisfied single valued gbean
>>>>>>>> reference
>>>>>>>> to the properties login module gbean from something in the admin
>>>>>>>> console.
>>>>>>>>  You need to find the gbean reference and change it to a collection
>>>>>>>> valued
>>>>>>>> reference so it's no longer a mandatory reference.  You can wrap a
>>>>>>>> collection valued reference with SingleElementCollection to make it
>>>>>>>> act like
>>>>>>>> an optional single valued reference.
>>>>>>>>
>>>>>>>> hope this is clear enough to help..
>>>>>>>> david jencks
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Q
>>>>>>>>>
>>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks
>>>>>>>>> <david_jencks@...>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Joe!
>>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I've been working on replacing Geronimo 2.1.4's
>>>>>>>>>> server-security-config
>>>>>>>>>> plugin's example security with our own security plugin. We need
>>>>>>>>>> single
>>>>>>>>>> sign
>>>>>>>>>> on for our application which also means the same sign on process
>>>>>>>>>> has to
>>>>>>>>>> work
>>>>>>>>>> with the Geronimo admin console. We need to be able to use custom
>>>>>>>>>> realms
>>>>>>>>>> and
>>>>>>>>>> custom login modules in our server-security-config plugin
>>>>>>>>>> replacement
>>>>>>>>>> that
>>>>>>>>>> may change depending on the environment we deploy to. I've run
>>>>>>>>>> into two
>>>>>>>>>> limitations so far that I've found documented online. One is that
>>>>>>>>>> unless
>>>>>>>>>> I
>>>>>>>>>> want to re-deploy other plugins that use the 'geronimo-admin'
>>>>>>>>>> security
>>>>>>>>>> realm, than our custom security realm must be named
>>>>>>>>>> 'geronimo-admin' as
>>>>>>>>>> well. The other is that I ran
>>>>>>>>>> intohttp://issues.apache.org/jira/browse/GERONIMO-4603, forcing me
>>>>>>>>>> to
>>>>>>>>>> creating a dummy properties-login gbean in order for the tomcat
>>>>>>>>>> components
>>>>>>>>>> to start up.
>>>>>>>>>>
>>>>>>>>>> In my experience this is incredibly annoying.  I don't have time
>>>>>>>>>> but
>>>>>>>>>> wonder
>>>>>>>>>> if anyone else can see about fixing this for 2.2.
>>>>>>>>>>
>>>>>>>>>>  I've created alias' for my plugin over the server-security-config
>>>>>>>>>> plugin
>>>>>>>>>> in
>>>>>>>>>> 'artifact-aliases.properties' file and I've also disabled the
>>>>>>>>>> server-security-config plugin and added my plugin as a loaded
>>>>>>>>>> module in
>>>>>>>>>> the
>>>>>>>>>> 'config.xml'. Unfortunately, I still cannot log into the Geronimo
>>>>>>>>>> console
>>>>>>>>>> using my custom security realm and login module. Geronimo has no
>>>>>>>>>> problem
>>>>>>>>>> starting with the current configuration and I can even login using
>>>>>>>>>> my
>>>>>>>>>> custom
>>>>>>>>>> login module. Everything seems happy as far as the login process
>>>>>>>>>> is
>>>>>>>>>> concerned when I step through the code, but instead of seeing the
>>>>>>>>>> Geronimo
>>>>>>>>>> console I get a tomcat error page stating 'Access to the specified
>>>>>>>>>> resource
>>>>>>>>>> () has been forbidden'.  The logs are completely clean as well as
>>>>>>>>>> the
>>>>>>>>>> console output. My only idea is that my admin users also need to
>>>>>>>>>> be
>>>>>>>>>> members
>>>>>>>>>> of a specifically named Geronimo admin group (make my admin groups
>>>>>>>>>> name
>>>>>>>>>> exactly match the one setup in the default security plugin)? I
>>>>>>>>>> have not
>>>>>>>>>> tested this hypothesis out yet, because I have my own admin group
>>>>>>>>>> that is
>>>>>>>>>> used by our application that I would like to re-use as the
>>>>>>>>>> Geronimo
>>>>>>>>>> console's admin group. Any other thoughts?
>>>>>>>>>>
>>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>>>>>>>>> application, although in 2.2 you can put it into a different
>>>>>>>>>> plugin if
>>>>>>>>>> you
>>>>>>>>>> want and I think then swap it via an artifact-alias with one in a
>>>>>>>>>> different
>>>>>>>>>> plugin.
>>>>>>>>>> So, that means that you need to supply the principals the
>>>>>>>>>> principal-role
>>>>>>>>>> mapping expects:
>>>>>>>>>>   <security
>>>>>>>>>> xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>>>>>>>>>       <role-mappings>
>>>>>>>>>>           <role role-name="admin">
>>>>>>>>>>               <principal
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>>>>>>>> name="admin" />
>>>>>>>>>>           </role>
>>>>>>>>>>       </role-mappings>
>>>>>>>>>>   </security>
>>>>>>>>>>
>>>>>>>>>> So, your login module needs to supply a principal of
>>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
>>>>>>>>>> Let us know if this doesn't work.
>>>>>>>>>> thanks
>>>>>>>>>> david jencks
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Joe
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Quintin Beukes
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Quintin Beukes
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Quintin Beukes
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Quintin Beukes
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Quintin Beukes
>>>>
>>>
>>>
>>>
>>> --
>>> Quintin Beukes
>>>
>>
>>
>>
>> --
>> Quintin Beukes
>
>

--
Quintin Beukes

You may also refer to https://issues.apache.org/jira/browse/GERONIMO-4818 .

Doc for G2.2 on this topic will be updated soon.

Jeff C

On Sat, Sep 12, 2009 at 6:40 PM, Quintin Beukes <quintin@...> wrote:

Thanks. That helps. I'll see what I can do.

Q

On Sat, Sep 12, 2009 at 12:49 AM, David Jencks <david_jencks@...> wrote:
>
> On Sep 11, 2009, at 3:16 PM, Quintin Beukes wrote:
>
>> OK. So I found the reference. It's like so:
>>     <gbean name="PropertiesLoginManager"
>> class
>> =
>> "org
>> .apache.geronimo.console.core.security.PropertiesLoginModuleManager">
>>       <reference name="ServerInfo">
>>         <name>ServerInfo</name>
>>       </reference>
>>       <reference name="LoginModule">
>>         <name>properties-login</name>
>>       </reference>
>>     </gbean>
>>
>> And it's in console-tomcat's plan.
>>
>> 1. How would I make it multivalued and wrap it in SingleElementCollection?
>
> You need to find the java code for PropertiesLoginModuleManager.  It should
> have a reference to a login module.... you need to turn the reference into a
> Collection<LoginModuleGBean>.  Hopefully it's a constructor arg.  Instead of
> dealing with the Collection itself you can immediately wrap it in a
> SingleElementCollection and use that instead.  Then you'll have to look at
> the code in PropertiesLoginModuleManager and make sure it doesn't do
> anything unfortunate if there is no login module in the collection.
>>
>>
>> 2. How would I redeploy it?
>
> you'll need to have checked out geronimo to get this far.... the simplest is
> to just build all of geronimo.  If you've built at least once, you can just
> build the plugins/console and then assemblies.  (I'm assuming that my
> recollection that this code is in plugins/console is correct).
>
> hope this helps
> david jencks
>
>
>>
>> Q
>>
>> On Fri, Sep 11, 2009 at 11:15 PM, Joe Dente <jdente@...>
>> wrote:
>>>
>>> I'm going to be busy for the rest of the day, but here's the deployment
>>> plan I use in my replacement server-security-config plugin:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>>  <environment>
>>>   <moduleId>
>>>     <groupId>com.mycode.geronimo</groupId>
>>>     <artifactId>delegating-login-module</artifactId>
>>>     <version>1.0</version>
>>>     <type>car</type>
>>>   </moduleId>
>>>   <dependencies>
>>>     <dependency>
>>>       <groupId>org.apache.geronimo.framework</groupId>
>>>       <artifactId>j2ee-security</artifactId>
>>>       <version>2.1.4</version>
>>>       <type>car</type>
>>>     </dependency>
>>>   </dependencies>
>>>   <hidden-classes/>
>>>   <non-overridable-classes/>
>>>  </environment>
>>>
>>>  <gbean name="CredentialStore"
>>> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"/>
>>>
>>>  <!-- Default Security Realm Using Delegate Login Module -->
>>>  <gbean name="admin-login"
>>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>>   <attribute
>>> name="loginModuleClass">com.mycode.geronimo.authorization.login.DelegatingLoginModule</attribute>
>>>   <attribute name="options">delegateRealm=delegate-realm
>>>       groupName=delegate-admin</attribute>
>>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>>  </gbean>
>>>  <gbean name="geronimo-admin"
>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>>>   <attribute name="realmName">geronimo-admin</attribute>
>>>   <reference name="LoginModuleConfiguration">
>>>     <name>admin-login</name>
>>>   </reference>
>>>   <reference name="ServerInfo">
>>>     <name>ServerInfo</name>
>>>   </reference>
>>>  </gbean>
>>>  <gbean name="admin-login"
>>> class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>>>   <attribute name="controlFlag">REQUIRED</attribute>
>>>   <reference name="LoginModule">
>>>     <name>admin-login</name>
>>>   </reference>
>>>  </gbean>
>>>
>>>  <!--
>>>  <gbean name="properties-login"
>>> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>>>   <attribute
>>> name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>>>   <attribute name="options">usersURI=var/security/users.properties
>>>           groupsURI=var/security/groups.properties</attribute>
>>>   <attribute name="loginDomainName">geronimo-admin</attribute>
>>>  </gbean>
>>>  -->
>>>
>>>  <gbean name="geronimo-default"
>>> class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>>>   <attribute name="keystoreName">geronimo-default</attribute>
>>>   <attribute
>>> name="keystorePath">var/security/keystores/geronimo-default</attribute>
>>>   <attribute name="keystorePassword">secret</attribute>
>>>   <attribute name="keystoreType">JKS</attribute>
>>>   <attribute name="keyPasswords">geronimo=secret</attribute>
>>>   <reference name="ServerInfo">
>>>     <name>ServerInfo</name>
>>>   </reference>
>>>  </gbean>
>>> </module>
>>>
>>> You can see the configuration for my custom login module. The important
>>> piece for this problem is the "properties-login" gbean that I have commented
>>> out. Without this GBean, Geronimo is unable to startup due to the bug
>>> originally discussed in this thread (GERONIMO-4603). If you enable this
>>> GBean, then Geronimo can startup correctly (granted everything else is
>>> configured appropriately). Because of the hardwired issue discussed in issue
>>> 4603, I have to put the dummy "properties-login" gbean in place even though
>>> I'm not using a "properties-login" gbean in my configuration.
>>>
>>> Joe
>>>
>>> ===========================
>>> I also tried creating a realm through the console, then exporting it
>>> as a plugin, undeploying the original, deploying as a plugin and
>>> restarting the server after doing the config.xml changes.
>>>
>>> Doesn't work either. Complains about:
>>> org.omg.CORBA.COMM_FAILURE: socket() failed: Unable to create server
>>> SSL socket factory: Keystore 'geronimo-default' is locked; please use
>>> the keystore page in the admin console to unlock it:  vmcid: Apache
>>> minor code: 0x5  completed: No
>>>
>>> Q
>>>
>>> On Fri, Sep 11, 2009 at 10:16 PM, Quintin Beukes <quintin@...>
>>> wrote:
>>>>
>>>> No. This isn't working right. I don't know what I'm doing wrong.
>>>>
>>>> I take the exported plugin. Extract it to directory "x".
>>>>
>>>> Then I change only the groupId everywhere in the plugin frmo
>>>> "org.apache.geronimo.framework" to "test" and version from
>>>> "2.2-SNAPSHOT" to "2.2". Then I jar it again.
>>>>
>>>> Then I start geronimo and deploy this with deploy.sh install-plugin.
>>>> Successfully installed: test/server-security-config/2.2/car
>>>>
>>>> I stop the server, and then edit artifact_aliases.properties and change:
>>>>
>>>> org.apache.geronimo.framework/server-security-config//car=org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car
>>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> TO
>>>>
>>>> org.apache.geronimo.framework/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car=test/server-security-config/2.2/car
>>>> test/server-security-config//car=test/server-security-config/2.2/car
>>>>
>>>> And config.xml from:
>>>>   <module
>>>> name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"/>
>>>>   <module name="test/server-security-config/2.2/car"/>
>>>>
>>>> TO:
>>>>   <module
>>>> name="org.apache.geronimo.framework/server-security-config/2.2-SNAPSHOT/car"
>>>> load="false"/>
>>>>   <module name="test/server-security-config/2.2/car"/>
>>>>
>>>> Then I try and start the server, and all I get is this, ie. it starts
>>>> and right after loading my plugin stops the server without an error.
>>>> 2009-09-11 22:14:37,642 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Started Logging Service
>>>> 2009-09-11 22:14:37,643 INFO  [Log4jService] Runtime Information:
>>>> 2009-09-11 22:14:37,644 INFO  [Log4jService]   Install Directory =
>>>> /opt/testkms/server/geronimo-2.2-20090908
>>>> 2009-09-11 22:14:37,645 INFO  [JvmVendor] Sun JVM 1.5.0_17
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   JVM in use        = Sun
>>>> JVM 1.5.0_17
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService] Java Information:
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.runtime.name]     = Java(TM) 2 Runtime Environment, Standard
>>>> Edition
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.runtime.version]  = 1.5.0_17-b04
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.name]               = Linux
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.version]            = 2.6.24-24-generic
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [sun.os.patch.level]    = unknown
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [os.arch]               = i386
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [java.class.version]    = 49.0
>>>> 2009-09-11 22:14:37,645 INFO  [Log4jService]   System property
>>>> [locale]                = en_ZA
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [unicode.encoding]      = UnicodeLittle
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [file.encoding]         = UTF-8
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.name]          = Java HotSpot(TM) Client VM
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.vendor]        = Sun Microsystems Inc.
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.version]       = 1.5.0_17-b04
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.vm.info]          = mixed mode
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.home]             = /opt/kms/java/sun-jdk1.5.0_17/jre
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.classpath]        = null
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.library.path]     =
>>>>
>>>> /opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386/client:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i386:/opt/kms/java/sun-jdk1.5.0_17/jre/../lib/i386
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.endorsed.dirs]    =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/endorsed
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [java.ext.dirs]         =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/ext:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/ext
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]   System property
>>>> [sun.boot.class.path]   =
>>>>
>>>> /opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-spec-corba-1.0.jar:/opt/testkms/server/geronimo-2.2-20090908/lib/endorsed/yoko-rmi-spec-1.0.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/rt.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/i18n.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/sunrsasign.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jsse.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/jce.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/lib/charsets.jar:/opt/kms/java/sun-jdk1.5.0_17/jre/classes
>>>> 2009-09-11 22:14:37,646 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>> 2009-09-11 22:14:39,041 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>>>> at name java:comp
>>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>>>> at name java:
>>>> 2009-09-11 22:14:39,043 INFO  [KernelContextGBean] bound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>>>> at name ger:
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.MetaFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMetaFactory
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.MessageFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoMessageFactory
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=java.net.preferIPv4Stack to Value=true
>>>> 2009-09-11 22:14:40,086 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.SOAPConnectionFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPConnectionFactory
>>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>>>> Property=javax.xml.soap.SOAPFactory to
>>>> Value=org.apache.geronimo.webservices.saaj.GeronimoSOAPFactory
>>>> 2009-09-11 22:14:40,087 INFO  [SystemProperties] Setting
>>>> Property=java.security.Provider to Value=SUN
>>>> 2009-09-11 22:14:40,261 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaContext
>>>> at name java:
>>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=GeronimoContext
>>>> at name ger:
>>>> 2009-09-11 22:14:40,264 INFO  [KernelContextGBean] unbound gbean
>>>>
>>>> org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car?ServiceModule=org.apache.geronimo.framework/rmi-naming/2.2-SNAPSHOT/car,j2eeType=Context,name=JavaCompContext
>>>> at name java:comp
>>>> 2009-09-11 22:14:40,265 INFO  [Log4jService] Stopping Logging Service
>>>> 2009-09-11 22:14:40,265 INFO  [Log4jService]
>>>> ----------------------------------------------
>>>>
>>>> Q
>>>> On Fri, Sep 11, 2009 at 9:31 PM, Quintin Beukes <quintin@...>
>>>> wrote:
>>>>>
>>>>> do i need to delete config.ser?
>>>>>
>>>>> Q
>>>>>
>>>>> On Fri, Sep 11, 2009 at 9:16 PM, Joe Dente <jdente@...>
>>>>> wrote:
>>>>>>
>>>>>> That's how I got started. I have a project that includes a custom
>>>>>> login module as well as a customized geronimo-plugin.xml that originally was
>>>>>> an exported version of the server-security-config plugin. My plugin project
>>>>>> creates a simple jar with the geronimo-plugin.xml in my jar's 'META-INF'
>>>>>> folder. I then deploy this jar into Geronimo with the geronimo-plugin.xml
>>>>>> being my jar's deployment plan. You can also try and build a car using the
>>>>>> maven car plugin, although I haven't played around with this yet. I found
>>>>>> this wiki article to be helpful:
>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Administering+plugins
>>>>>>
>>>>>> Joe
>>>>>>
>>>>>> ---------------------
>>>>>> Sorry, I've never created a plugin. To create a new
>>>>>> server-security-config plugin, do you mean I should copy
>>>>>> server-security-config using the console's plugin export and modify
>>>>>> it?
>>>>>>
>>>>>> Q
>>>>>>
>>>>>> On Fri, Sep 11, 2009 at 8:47 PM, Joe Dente <jdente@...>
>>>>>> wrote:
>>>>>>>
>>>>>>> To reproduce it create your own server-security-config plugin that
>>>>>>> uses any login module other than the properties-login gbean that is
>>>>>>> expected. You then need to deploy your new server-security-config plugin and
>>>>>>> have it completely replace the default server-security-config (see
>>>>>>> http://cwiki.apache.org/confluence/display/GMOxDOC22/Basic+Hints+on+Security+Configuration).
>>>>>>> I achieved this by telling the server-security-config car to not load in the
>>>>>>> config.xml, telling my security plugin to load in the config.xml, and then
>>>>>>> adding artifact aliases for both the 2.1.4 and wildcard-versioned lines
>>>>>>> referring to the server-security-config plugin in the
>>>>>>> artifact_aliases.properties file.
>>>>>>>
>>>>>>> In artifact_alases.properties:
>>>>>>>
>>>>>>> org.apache.geronimo.framework/server-security-config//car=com.my.geronimo/my-security-config/1.0/car
>>>>>>>
>>>>>>> org.apache.geronimo.framework/server-security-config/2.1.4/car=org
>>>>>>> com.my.geronimo/my-security-config/1.0/car
>>>>>>>
>>>>>>> In config.xml:
>>>>>>>       <module
>>>>>>> name="org.apache.geronimo.framework/server-security-config/2.1.4/car"
>>>>>>> load="false"/>
>>>>>>>       <module name="com.my.geronimo/my-security-config/1.0/car"/>
>>>>>>>
>>>>>>> Now try and startup Geronimo. You will see the error discussing the
>>>>>>> missing expected gbean.
>>>>>>> Hope this helps,
>>>>>>> Joe
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -------------
>>>>>>> Errr. Ouch. *rubbing the brused area in his brain*.
>>>>>>>
>>>>>>> I'm not that on with everything you said. I think the best thing
>>>>>>> would
>>>>>>> be to reproduce it. What would I do to reproduce it?
>>>>>>>
>>>>>>> Q
>>>>>>>
>>>>>>> On Fri, Sep 11, 2009 at 6:42 PM, David Jencks
>>>>>>> <david_jencks@...> wrote:
>>>>>>>>
>>>>>>>> On Sep 11, 2009, at 5:49 AM, Quintin Beukes wrote:
>>>>>>>>
>>>>>>>>> I'll be willing to have a look at it.
>>>>>>>>>
>>>>>>>>> can you give me a general idea what I'm supposed to look at and how
>>>>>>>>> it
>>>>>>>>> would be done?
>>>>>>>>
>>>>>>>> IIRC the failure is caused by an unsatisfied single valued gbean
>>>>>>>> reference
>>>>>>>> to the properties login module gbean from something in the admin
>>>>>>>> console.
>>>>>>>>  You need to find the gbean reference and change it to a collection
>>>>>>>> valued
>>>>>>>> reference so it's no longer a mandatory reference.  You can wrap a
>>>>>>>> collection valued reference with SingleElementCollection to make it
>>>>>>>> act like
>>>>>>>> an optional single valued reference.
>>>>>>>>
>>>>>>>> hope this is clear enough to help..
>>>>>>>> david jencks
>>>>>>>>
>>>>>>>>>
>>>>>>>>> Q
>>>>>>>>>
>>>>>>>>> On Fri, Sep 11, 2009 at 12:07 AM, David Jencks
>>>>>>>>> <david_jencks@...>
>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Joe!
>>>>>>>>>> On Sep 10, 2009, at 2:18 PM, Joe Dente wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>> I've been working on replacing Geronimo 2.1.4's
>>>>>>>>>> server-security-config
>>>>>>>>>> plugin's example security with our own security plugin. We need
>>>>>>>>>> single
>>>>>>>>>> sign
>>>>>>>>>> on for our application which also means the same sign on process
>>>>>>>>>> has to
>>>>>>>>>> work
>>>>>>>>>> with the Geronimo admin console. We need to be able to use custom
>>>>>>>>>> realms
>>>>>>>>>> and
>>>>>>>>>> custom login modules in our server-security-config plugin
>>>>>>>>>> replacement
>>>>>>>>>> that
>>>>>>>>>> may change depending on the environment we deploy to. I've run
>>>>>>>>>> into two
>>>>>>>>>> limitations so far that I've found documented online. One is that
>>>>>>>>>> unless
>>>>>>>>>> I
>>>>>>>>>> want to re-deploy other plugins that use the 'geronimo-admin'
>>>>>>>>>> security
>>>>>>>>>> realm, than our custom security realm must be named
>>>>>>>>>> 'geronimo-admin' as
>>>>>>>>>> well. The other is that I ran
>>>>>>>>>> intohttp://issues.apache.org/jira/browse/GERONIMO-4603, forcing me
>>>>>>>>>> to
>>>>>>>>>> creating a dummy properties-login gbean in order for the tomcat
>>>>>>>>>> components
>>>>>>>>>> to start up.
>>>>>>>>>>
>>>>>>>>>> In my experience this is incredibly annoying.  I don't have time
>>>>>>>>>> but
>>>>>>>>>> wonder
>>>>>>>>>> if anyone else can see about fixing this for 2.2.
>>>>>>>>>>
>>>>>>>>>>  I've created alias' for my plugin over the server-security-config
>>>>>>>>>> plugin
>>>>>>>>>> in
>>>>>>>>>> 'artifact-aliases.properties' file and I've also disabled the
>>>>>>>>>> server-security-config plugin and added my plugin as a loaded
>>>>>>>>>> module in
>>>>>>>>>> the
>>>>>>>>>> 'config.xml'. Unfortunately, I still cannot log into the Geronimo
>>>>>>>>>> console
>>>>>>>>>> using my custom security realm and login module. Geronimo has no
>>>>>>>>>> problem
>>>>>>>>>> starting with the current configuration and I can even login using
>>>>>>>>>> my
>>>>>>>>>> custom
>>>>>>>>>> login module. Everything seems happy as far as the login process
>>>>>>>>>> is
>>>>>>>>>> concerned when I step through the code, but instead of seeing the
>>>>>>>>>> Geronimo
>>>>>>>>>> console I get a tomcat error page stating 'Access to the specified
>>>>>>>>>> resource
>>>>>>>>>> () has been forbidden'.  The logs are completely clean as well as
>>>>>>>>>> the
>>>>>>>>>> console output. My only idea is that my admin users also need to
>>>>>>>>>> be
>>>>>>>>>> members
>>>>>>>>>> of a specifically named Geronimo admin group (make my admin groups
>>>>>>>>>> name
>>>>>>>>>> exactly match the one setup in the default security plugin)? I
>>>>>>>>>> have not
>>>>>>>>>> tested this hypothesis out yet, because I have my own admin group
>>>>>>>>>> that is
>>>>>>>>>> used by our application that I would like to re-use as the
>>>>>>>>>> Geronimo
>>>>>>>>>> console's admin group. Any other thoughts?
>>>>>>>>>>
>>>>>>>>>> In 2.1.x you are stuck with the principal-role mapping in the ee
>>>>>>>>>> application, although in 2.2 you can put it into a different
>>>>>>>>>> plugin if
>>>>>>>>>> you
>>>>>>>>>> want and I think then swap it via an artifact-alias with one in a
>>>>>>>>>> different
>>>>>>>>>> plugin.
>>>>>>>>>> So, that means that you need to supply the principals the
>>>>>>>>>> principal-role
>>>>>>>>>> mapping expects:
>>>>>>>>>>   <security
>>>>>>>>>> xmlns="http://geronimo.apache.org/xml/ns/security-1.2">
>>>>>>>>>>       <role-mappings>
>>>>>>>>>>           <role role-name="admin">
>>>>>>>>>>               <principal
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>>>>>>>> name="admin" />
>>>>>>>>>>           </role>
>>>>>>>>>>       </role-mappings>
>>>>>>>>>>   </security>
>>>>>>>>>>
>>>>>>>>>> So, your login module needs to supply a principal of
>>>>>>>>>> class GeronimoGroupPrincipal and name "admin".
>>>>>>>>>> Let us know if this doesn't work.
>>>>>>>>>> thanks
>>>>>>>>>> david jencks
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Joe
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> Quintin Beukes
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Quintin Beukes
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Quintin Beukes
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Quintin Beukes
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Quintin Beukes

>>>>
>>>
>>>
>>>
>>> --
>>> Quintin Beukes
>>>
>>
>>
>>
>> --
>> Quintin Beukes

>
>

--
Quintin Beukes