Posted to dev@tomee.apache.org by David Blevins <da...@visi.com> on 2008/06/12 04:34:17 UTC

Fwd: Using OpenEJB Security for JAAS LoginModule

This guy (a geronimo user) wants to use the Geronimo LoginModule  
implementations in his unit tests with embedded openejb.  Do you know  
if there's a way for us to support them?  Ideally he could just  
include geronimo-security as a dependency and we could create some  
wrappers that would construct them and get them the right  
configuration (datasources, files, etc) and the wrappers could be  
listed in a plain-text JAAS login.config file.

Is something like that possible?  Are the LoginModules tightly coupled  
with the kernel etc. or would it be possible to "peel" them out and  
reuse them in a somewhat standalone fashion?

-David

Begin forwarded message:

> Resent-From: <db...@visi.com>
> From: Josef.Eisele@bgs-ag.de
> Date: June 11, 2008 5:03:59 AM PDT
> To: users@openejb.apache.org
> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS  
> LoginModule
> Reply-To: users@openejb.apache.org
>
> Hi David,
>
> thank you very much for your assistance. If I understand you right the
> Realm-Name of the Default Security Service is called
> "PropertiesLogin".
> If I could change that to "vesuv-db-sha256", my problems are solved.
>
> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>     <environment>
>         <moduleId>
>             <groupId>console.realm</groupId>
>             <artifactId>vesuv-db-sha256</artifactId>
>             <version>1.0</version>
>             <type>car</type>
>         </moduleId>
>         <dependencies>
>             <dependency>
>                 <groupId>org.apache.geronimo.framework</groupId>
>                 <artifactId>j2ee-security</artifactId>
>                 <type>car</type>
>             </dependency>
>             <dependency>
>                 <groupId>console.dbpool</groupId>
>                 <artifactId>Postgres.postgres.vesuv</artifactId>
>                 <version>1.0</version>
>                 <type>rar</type>
>             </dependency>
>         </dependencies>
>     </environment>
>     <gbean name="vesuv-db-sha256"
>            class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>            xsi:type="dep:gbeanType"
>            xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <attribute name="realmName">vesuv-db-sha256</attribute>
>         <reference name="ServerInfo">
>             <name>ServerInfo</name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>                     <log:option name="dataSourceName">Postgres.postgres.vesuv</log:option>
>                     <log:option name="encoding">hex</log:option>
>                     <log:option name="dataSourceApplication">null</log:option>
>                     <log:option name="digest">SHA-256</log:option>
>                     <log:option name="groupSelect">select bla bla</log:option>
>                     <log:option name="userSelect">select bla bla</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                     <log:option name="file">var/log/vesuv-login.log</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="REQUISITE" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>                     <log:option name="failureCount">3</log:option>
>                     <log:option name="failurePeriodSecs">180</log:option>
>                     <log:option name="lockoutDurationSecs">1800</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
> </module>
>
>
> Session Bean LoginManagerImpl.java
>
> import javax.ejb.*;
> import javax.security.auth.login.LoginContext;
> import javax.security.auth.login.*;
>
> import de.nrw.hagen.ggrz.Exception.StdAppException;
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.bv.benutzer.*;
> import de.nrw.hagen.ggrz.log.Logger;
> ....
>     /**
>      * Have the container perform the login via JAAS.
>      *
>      * @param benutzer user name
>      * @param kennwort password
>      * @return true when the login succeeded
>      */
>     public boolean loginContainer(String benutzer, String kennwort) {
>         logger.info("Login EJB Container:" + benutzer);   // never write the password to the log
>         try {
>             LoginCallback logcb = new LoginCallback(benutzer, kennwort);
>             LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>             lc.login();
>             subject = lc.getSubject();
>         }
>         catch (LoginException ex) {
>             logger.error("Exception bei login:" + ex.getMessage());
>             //if (ex.getMessage().equals("SQL error"))
>                 //throw ex;
>             throw new StdAppException("Exception bei Login", ex);
>         }
>         return true;
>     }
>
>
> JUnit-Test Class:
>
> ....
> import java.util.Properties;
>
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
>
> import org.junit.After;
>
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.login.LoginManager;
> import de.nrw.hagen.ggrz.security.Subject;
>
> public class BaseTest {
>
>     private String benutzer = "sys";
>     private String passwort = "chief";
>     private Subject user = null;
>     private BenutzerKontext benutzerKontext = null;
>
>     private InitialContext initialContext;
>
>     public BaseTest() {
>         initEnvironment();
>     }
>
>     public void initEnvironment() {
>         System.out.println("------------------initEnvironment--------------------------");
>         Properties properties = new Properties();
>         properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>                 "org.apache.openejb.client.LocalInitialContextFactory");
>
>         // Minimum required for login
>         properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>         properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>
>         // Optional param for specifying a specific Geronimo security realm
>         properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>
>         properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");
>
>         properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
>         properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
>         properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
>         properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
>         properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
>         properties.put("openjpa.jdbc.SynchronizeMappings", "false");
>         properties.put("openjpa.jdbc.Schema", "vesuv");
>
>         try {
>             initialContext = new InitialContext(properties);
>             user = readUserFromLogin();
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>     }
>
>     private Subject readUserFromLogin() {
>         LoginManager loginManager = null;
>
>         try {
>             loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>             loginManager.loginContainer(benutzer, passwort);
>         } catch (NamingException e1) {
>             // TODO Auto-generated catch block
>             e1.printStackTrace();
>         } catch (Exception e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         }
>
>         try {
>             benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
>         } catch (Exception e) {
>             // TODO Auto-generated catch block
>             e.printStackTrace();
>         }
>
>         return new Subject(benutzerKontext, loginManager.getSubject());
>     }
>     ....
>
> }
>
>
> Kind regards
> Josef Eisele
>
> Direct: +49 (0) 6131 / 914-180
>
>
>
>
> David Blevins <da...@visi.com>
> 09.06.2008 22:55
> Please reply to
> users@openejb.apache.org
>
> To
> users@openejb.apache.org
> Cc
>
> Subject
> Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>
> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>
>> Hi David,
>>
>> thank you very much for the link. I got it twice and I read it
>> twice ;-)
>> but it doesn't help concerning my actual problem.
>>
>> To run our business code it is necessary to log in to a 'SecurityService'
>> with user/password/realm, and as a result there must be a security object
>> (javax.security.auth.Subject). This security object is necessary to invoke
>> our business code. The magic @RunAs("Employee") won't work in our case.
>
> If you could give me some more detail here, that'd be great.  Both
> login and runas result in a javax.security.auth.Subject being created
> by and enforced by the SecurityService.  The creation is slightly
> different, but the subject is tracked and enforced by the
> SecurityService in exactly the same way.
>
> If you have any sample code on what doesn't work that would also be
> helpful.
>
>> The default implementation of the security service with the parameters
>> user/password is fine, but we are missing the realm parameter. And if we
>> add it, the Security Service says
>>
>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>> konfiguriert.
>>
>> Anmeldemodule = Login module
>
> The realm in OpenEJB refers to the JAAS LoginModule.  The login module
> that is set up in the SecurityService's login.config file is called
> "PropertiesLogin".  This is the default value for realm when left
> unspecified.
>
> If you have a custom javax.security.auth.spi.LoginModule there is a
> way to set one up.  Let me know if that is what you're trying to do
> and I'll see if I can get an example working.
>
> -David
>
>
>>
>>
>>
>> cu Josef
>>
>>
>>
>>
>>
>> David Blevins <da...@visi.com>
>> 06.06.2008 23:06
>> Please reply to
>> users@openejb.apache.org
>>
>> To
>> users@openejb.apache.org
>> Cc
>>
>> Subject
>> Re: Using OpenEJB Security for JAAS LoginModule
>>
>> Hi Josef,
>>
>> Looks like this post arrived at about the same time as my last response, so
>> this might be repeat information :)
>>
>> This example shows a good technique for unit testing various security
>> permissions.
>>
>>  http://openejb.apache.org/3.0/testing-security-example.html
>>
>> The JNDI login approach isn't really optimal as there is no "logout"
>> option and it tends to make a mess of things.  With the above  
>> approach
>> you can wrap your calls with any security context you like and test
>> accessing your bean via secured and unsecured "clients" and check  
>> that
>> permissions for various roles are as they need to be.
>>
>> -David
>>
>>
>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>
>>> Hi All,
>>>
>>> we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
>>> application. With the great help of David Blevins the JUnit tests can
>>> invoke our session beans and even transaction handling is working fine.
>>> At the moment I use a trick to avoid the login procedure, but this won't
>>> work in the long run.
>>>
>>> With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
>>> http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
>>> JUnit test case I therefore need something that can provide me a
>>> javax.security.auth.Subject after a successful login. With the default
>>> Security Service
>>> <SecurityService id="Default Security Service"/>
>>> and the configuration in users.properties and groups.properties I
>>> get the error:
>>>
>>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>>> konfiguriert.
>>>
>>> (Anmeldemodule = security realm, I think...)
>>>
>>> I also tried PseudoSecurityService, but I got an exception as well.
>>>
>>> JUNIT-Testcase
>>>     Properties properties = new Properties();
>>> ....
>>>     // Minimum required for login
>>>     properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>>     properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>
>>>     // Optional param for specifying a specific Geronimo security realm
>>>     properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>>
>>>     properties.put("mySecurityService", "new://PseudoSecurityService");
>>> ....
>>>     loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>>     loginManager.loginContainer(benutzer, passwort);
>>> ....
>>>
>>> LoginManager-Session Bean:
>>> ...
>>>     try {
>>>         LoginCallback logcb = new LoginCallback(benutzer, passwort);
>>>         LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>>>         lc.login();
>>>         subject = lc.getSubject();
>>>     }
>>> ...
>>>
>>> The realm "vesuv-db-sha256" is defined under
>>> Geronimo-Applicationserver-Console Security - Security Realms.
>>>
>>> I read  http://openejb.apache.org/3.0/security.html, but I don't
>>> understand how to configure the Security for embedded openejb.
>>>
>>> Thanx in advance for any help on this.
>>>
>>> Kind regards
>>> Josef Eisele
>>>
>>> Direct: +49 (0) 6131 / 914-180
>>>
>>> BGS Beratungsgesellschaft
>>> Software Systemplanung AG         Rhein/Main branch
>>> Robert-Koch-Straße 41
>>> 55129 Mainz
>>> Phone: +49 (0) 6131 / 914-0
>>> Fax: +49 (0) 6131 / 914-400
>>> www.bgs-ag.de Registered office Mainz
>>> Register court
>>> Amtsgericht Mainz
>>> HRB 62 50
>>> Chairman of the supervisory board
>>> Dr. Wolfgang Trommer
>>> Management board
>>> Hanspeter Gau
>>> Hermann Kiefer
>>> Nils Manegold
>>> Heinz-Jörg Zimmermann
>>>
>>>
>>
>>
>>
>>
>>
>
>
>
>


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Jencks <da...@yahoo.com>.
On Jun 12, 2008, at 11:20 AM, David Blevins wrote:

>
> On Jun 12, 2008, at 10:48 AM, David Jencks wrote:
>
>> Using the sql login module with a datasource name won't work  
>> without the geronimo kernel running and the datasource deployed to  
>> the geronimo kernel.  However there's an alternate configuration  
>> for this login module that uses a Driver class name and jdbc url  
>> that ought to work.  Most likely the geronimo kernel jar will need  
>> to be on the classpath but you don't need a running kernel.
>>
>> With this configuration a plain text login.config file ought to  
>> work.  Since he'll need to translate the config to text anyway  
>> changing the configuration to use the Driver shouldn't be  
>> impossibly difficult.
>
> Is there some way we can pass the DataSource directly to the SQL
> LoginModule, possibly by wrapping it?  In the wrapper we'd take the
> text string, grab the datasource much like the G kernel would, and
> give it to the login module.

Geronimo provides a bunch of automatic secret options including the  
kernel.  The SQLLoginModule uses the "injected" kernel option to look  
up the datasource from its name.  So, to do this you'd have to start a  
geronimo kernel and deploy something representing the datasource to it.

We could think about having a "look up in global jndi" strategy for  
the SQLLoginModule but this would require a code change in geronimo.

thanks
david jencks

>
>
>
> -David
>
>> On Jun 11, 2008, at 7:34 PM, David Blevins wrote:
>>
>>> This guy (a geronimo user) wants to use the Geronimo LoginModule  
>>> implementations in his unit tests with embedded openejb.  Do you  
>>> know if there's a way for us to support them?  Ideally he could  
>>> just include geronimo-security as a dependency and we could create  
>>> some wrappers that would construct them and get them the right  
>>> configuration (datasources, files, etc) and the wrappers could be  
>>> listed in a plain-text JAAS login.config file.
>>>
>>> Is something like that possible?  Are the LoginModules tightly  
>>> coupled with the kernel etc. or would it be possible to "peel"  
>>> them out and reuse them in a somewhat standalone fashion?
>>>
>>> -David
>>>
>>> Begin forwarded message:
>>>
>>>> Resent-From: <db...@visi.com>
>>>> From: Josef.Eisele@bgs-ag.de
>>>> Date: June 11, 2008 5:03:59 AM PDT
>>>> To: users@openejb.apache.org
>>>> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for  
>>>> JAAS LoginModule
>>>> Reply-To: users@openejb.apache.org
>>>>
>>>> Hi David,
>>>>
>>>> thank you very much for your assistance. If I understand you  
>>>> right the
>>>> Realm-Name of the Default Security Service is called
>>>> "PropertiesLogin".
>>>> If I could change that to "vesuv-db-sha256", my problems are  
>>>> solved.
>>>>
>>>> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>>>>
>>>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>>> <environment>
>>>>     <moduleId>
>>>>         <groupId>console.realm</groupId>
>>>>         <artifactId>vesuv-db-sha256</artifactId>
>>>>         <version>1.0</version>
>>>>         <type>car</type>
>>>>     </moduleId>
>>>>     <dependencies>
>>>>         <dependency>
>>>>             <groupId>org.apache.geronimo.framework</groupId>
>>>>             <artifactId>j2ee-security</artifactId>
>>>>             <type>car</type>
>>>>         </dependency>
>>>>         <dependency>
>>>>             <groupId>console.dbpool</groupId>
>>>>             <artifactId>Postgres.postgres.vesuv</artifactId>
>>>>             <version>1.0</version>
>>>>             <type>rar</type>
>>>>         </dependency>
>>>>     </dependencies>
>>>> </environment>
>>>> <gbean name="vesuv-db-sha256"
>>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>> xsi:type="dep:gbeanType" xmlns:dep="
>>>> http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
>>>> http://www.w3.org/2001/XMLSchema-instance">
>>>>     <attribute name="realmName">vesuv-db-sha256</attribute>
>>>>     <reference name="ServerInfo">
>>>>         <name>ServerInfo</name>
>>>>     </reference>
>>>>     <xml-reference name="LoginModuleConfiguration">
>>>>         <log:login-config xmlns:log="
>>>> http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>>             <log:login-module control-flag="REQUIRED"
>>>> wrap-principals="false">
>>>> <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>>>>
>>>> <log:login-module- 
>>>> class 
>>>> >org.apache.geronimo.security.realm.providers.SQLLoginModule</ 
>>>> log:login-module-class>
>>>>                 <log:option
>>>> name="dataSourceName">Postgres.postgres.vesuv</log:option>
>>>>                 <log:option name="encoding">hex</log:option>
>>>>                 <log:option
>>>> name="dataSourceApplication">null</log:option>
>>>>                 <log:option name="digest">SHA-256</log:option>
>>>>                 <log:option name="groupSelect">select bla
>>>> bla</log:option>
>>>>                 <log:option name="userSelect">select  bla
>>>> bla</log:option>
>>>>             </log:login-module>
>>>>             <log:login-module control-flag="OPTIONAL"
>>>> wrap-principals="false">
>>>> <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain- 
>>>> name>
>>>>
>>>> <log:login-module- 
>>>> class 
>>>> > 
>>>> org 
>>>> .apache.geronimo.security.realm.providers.FileAuditLoginModule</ 
>>>> log:login-module-class>
>>>>                 <log:option
>>>> name="file">var/log/vesuv-login.log</log:option>
>>>>             </log:login-module>
>>>>             <log:login-module control-flag="REQUISITE"
>>>> wrap-principals="false">
>>>> <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain- 
>>>> name>
>>>>
>>>> <log:login-module- 
>>>> class 
>>>> > 
>>>> org 
>>>> .apache 
>>>> .geronimo 
>>>> .security.realm.providers.RepeatedFailureLockoutLoginModule</ 
>>>> log:login-module-class>
>>>>                 <log:option name="failureCount">3</log:option>
>>>>                 <log:option name="failurePeriodSecs">180</ 
>>>> log:option>
>>>>                 <log:option
>>>> name="lockoutDurationSecs">1800</log:option>
>>>>             </log:login-module>
>>>>         </log:login-config>
>>>>     </xml-reference>
>>>> </gbean>
>>>> </module>
>>>>
>>>>
>>>> Session Bean LoginManagerImpl.java
>>>>
>>>> import javax.ejb.*;
>>>> import javax.security.auth.login.LoginContext;
>>>>
>>>> import de.nrw.hagen.ggrz.Exception.StdAppException;
>>>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>>>> import de.nrw.hagen.ggrz.bv.benutzer.*;
>>>> import de.nrw.hagen.ggrz.log.Logger;
>>>> import javax.security.auth.login.*;
>>>> ....
>>>>     /**
>>>>      * Login beim Container durchfhren lassen mit JAAS.
>>>>      *
>>>>      * @param benutzer
>>>>      * @param kennwort
>>>>      * @return
>>>>      */
>>>>     public boolean loginContainer(String benutzer, String  
>>>> kennwort)  {
>>>>             logger.info("Login EJB Container:" + benutzer + "/" +
>>>> kennwort);
>>>>             try {
>>>>                     LoginCallback logcb = new  
>>>> LoginCallback(benutzer,
>>>> kennwort);
>>>>                     LoginContext lc = new
>>>> LoginContext("vesuv-db-sha256",logcb);
>>>>                     lc.login();
>>>>                     subject = lc.getSubject();
>>>>             }
>>>>             catch (LoginException ex) {
>>>>                     logger.error("Exception bei login:" +
>>>> ex.getMessage());
>>>>                     //if (ex.getMessage().equals("SQL error"))
>>>>                             //throw ex;
>>>>                     throw new StdAppException("Exception bei  
>>>> Login",
>>>> ex);
>>>>
>>>>             }
>>>>              }
>>>>
>>>>
>>>> JUnit-Test Class:
>>>>
>>>> ....
>>>> import java.util.Properties;
>>>>
>>>> import javax.naming.Context;
>>>> import javax.naming.InitialContext;
>>>> import javax.naming.NamingException;
>>>>
>>>> import org.junit.After;
>>>>
>>>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>>>> import de.nrw.hagen.ggrz.login.LoginManager;
>>>> import de.nrw.hagen.ggrz.security.Subject;
>>>>
>>>> public class BaseTest {
>>>>
>>>>     private String benutzer = "sys";
>>>>     private String passwort = "chief";
>>>>     private Subject user = null;
>>>>     private BenutzerKontext benutzerKontext = null;
>>>>
>>>>     private InitialContext initialContext;
>>>>
>>>>     public BaseTest() {
>>>>             initEnvironment();
>>>>     }
>>>>
>>>>     public void initEnvironment() {
>>>>
>>>> System.out.println("------------------ 
>>>> initEnvironment--------------------------");
>>>>                     Properties properties = new Properties();
>>>> properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>>>> "org.apache.openejb.client.LocalInitialContextFactory");
>>>>
>>>>                     // Minimum required for login
>>>>                      
>>>> properties.setProperty(Context.SECURITY_PRINCIPAL,
>>>> benutzer);
>>>> properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>>
>>>>                     // Optional param for specifying a specific
>>>> Geronimo security realm
>>>>                      
>>>> properties.put("openejb.authentication.realmName",
>>>> "vesuv-db-sha256");
>>>>
>>>>                     properties.put("openejb.home",
>>>> "/home/user/workspace/VesuvUnit/openejb");
>>>>
>>>>                     properties.put("Postgres.postgres.vesuv",
>>>> "new://Resource?type=DataSource");
>>>> properties.put("Postgres.postgres.vesuv.JdbcDriver",
>>>> "org.postgresql.Driver");
>>>>                      
>>>> properties.put("Postgres.postgres.vesuv.JdbcUrl",
>>>> "jdbc:postgresql://localhost/bgsdev1");
>>>>                      
>>>> properties.put("Postgres.postgres.vesuv.UserName",
>>>> "bgsdev1");
>>>>                      
>>>> properties.put("Postgres.postgres.vesuv.Password",
>>>> "bgsdev1");
>>>>                      
>>>> properties.put("openjpa.jdbc.SynchronizeMappings",
>>>> "false");
>>>>                     properties.put("openjpa.jdbc.Schema", "vesuv");
>>>>
>>>>                     try {
>>>>                             initialContext = new
>>>> InitialContext(properties);
>>>>                             user = readUserFromLogin();
>>>>                     } catch (Exception e) {
>>>>                             e.printStackTrace();
>>>>                     }
>>>>
>>>>             }
>>>>
>>>>
>>>>     private Subject readUserFromLogin() {
>>>>             LoginManager loginManager = null;
>>>>
>>>>             try {
>>>>                     loginManager = (LoginManager)
>>>> initialContext.lookup("LoginManagerImplLocal");
>>>>                     loginManager.loginContainer(benutzer,  
>>>> passwort);
>>>>             } catch (NamingException e1) {
>>>>                     // TODO Auto-generated catch block
>>>>                     e1.printStackTrace();
>>>>             } catch (Exception e) {
>>>>                     // TODO Auto-generated catch block
>>>>                     e.printStackTrace();
>>>>             }
>>>>
>>>>             try {
>>>>                     benutzerKontext =
>>>> loginManager.bestimmeBenutzerKontext(benutzer);
>>>>             } catch (Exception e) {
>>>>                     // TODO Auto-generated catch block
>>>>                     e.printStackTrace();
>>>>             }
>>>>
>>>>             return new
>>>> Subject(benutzerKontext,loginManager.getSubject());
>>>>
>>>>     }
>>>>     ....
>>>>
>>>> }
>>>>
>>>>
>>>> Mit freundlichen Grüßen / Kind regards
>>>> Josef Eisele
>>>>
>>>> Direkt: +49 (0) 6131 / 914-180
>>>>
>>>>
>>>>
>>>>
>>>> David Blevins <da...@visi.com>
>>>> 09.06.2008 22:55
>>>> Bitte antworten an
>>>> users@openejb.apache.org
>>>>
>>>>
>>>> An
>>>> users@openejb.apache.org
>>>> Kopie
>>>>
>>>> Thema
>>>> Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>>>>
>>>>> Hi David,
>>>>>
>>>>> thank you very much for the link. I got it twice and I read it
>>>>> twice ;-)
>>>>> but it doesn't help concerning my actual problem.
>>>>>
>>>>> To run our business code it is necessary to login into an
>>>>> 'SecurityService' with user/password/realm and as result there  
>>>>> must
>>>>> be a
>>>>> Secuity-Object (javax.security.auth.Subject). This Security- 
>>>>> Object is
>>>>> nessary to invoke our business code. The magic  
>>>>> @RunAs("Employee")won't
>>>>> work in our case.
>>>>
>>>> If you could give me some more detail here, that'd be great.  Both
>>>> login and runas result in a javax.security.auth.Subject being  
>>>> created
>>>> by and enforced by the SecurityService.  The creation is slightly
>>>> different, but the subject is tracked and enforced by the
>>>> SecurityService in exactly the same way.
>>>>
>>>> If you have any sample code on what doesn't work that would also be
>>>> helpful.
>>>>
>>>>> The default implementation from the security service with the
>>>>> parameters
>>>>> user/password is fine, but we miss the realm-Parameter. And if we
>>>>> add it,
>>>>> the Security Service says
>>>>>
>>>>> Exception bei Login:Fr vesuv-db-sha256 sind keine Anmeldemodule
>>>>> konfiguriert.
>>>>>
>>>>> Anmeldemodule = Login module
>>>>
>>>> The realm in OpenEJB refers to the JAAS LoginModule.  The login  
>>>> module
>>>> that is setup in the SecurityServices login.config file is called
>>>> "PropertiesLogin".  This is the default value for realm when left
>>>> unspecified.
>>>>
>>>> If you have a custom javax.security.auth.spi.LoginModule there is a
>>>> way to set one up.  Let me know if that is what you're trying to do
>>>> and I'll see if I can get an example working.
>>>>
>>>> -David
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> cu Josef
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> David Blevins <da...@visi.com>
>>>>> 06.06.2008 23:06
>>>>> Bitte antworten an
>>>>> users@openejb.apache.org
>>>>>
>>>>>
>>>>> An
>>>>> users@openejb.apache.org
>>>>> Kopie
>>>>>
>>>>> Thema
>>>>> Re: Using OpenEJB Security for JAAS LoginModule
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hi Josef,
>>>>>
>>>>> Looks this post arrived at about the same time as my last  
>>>>> response, so
>>>>> this might be repeat information :)
>>>>>
>>>>> This example shows a good technique for unit testing various  
>>>>> security
>>>>> permissions.
>>>>>
>>>>> http://openejb.apache.org/3.0/testing-security-example.html
>>>>>
>>>>> The JNDI login approach isn't really optimal as there is no  
>>>>> "logout"
>>>>> option and it tends to make a mess of things.  With the above  
>>>>> approach
>>>>> you can wrap your calls with any security context you like and  
>>>>> test
>>>>> accessing your bean via secured and unsecured "clients" and  
>>>>> check that
>>>>> permissions for various roles are as they need to be.
>>>>>
>>>>> -David
>>>>>
>>>>>
>>>>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
>>>>>> Application. With the great help of David Blevins the JUnit tests can
>>>>>> invoke our session beans and even Transaction Handling is working
>>>>>> fine. At the moment I use a trick to avoid the Login-Procedure, but
>>>>>> this won't work in the long run.
>>>>>>
>>>>>> With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
>>>>>> http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
>>>>>> junit-testcase I therefore need something that can provide me a
>>>>>> javax.security.auth.Subject after successful login. With the default
>>>>>> Security Service
>>>>>> <SecurityService id="Default Security Service"/>
>>>>>> and the configuration in users.properties and groups.properties I
>>>>>> get the error:
>>>>>>
>>>>>> Exception bei Login: Für vesuv-db-sha256 sind keine Anmeldemodule
>>>>>> konfiguriert.
>>>>>> (Exception at login: no login modules are configured for
>>>>>> vesuv-db-sha256.)
>>>>>>
>>>>>> (Anmeldemodule = security realm, I think...)
>>>>>>
>>>>>> I also tried PseudoSecurityService, but I got an exception as well.
>>>>>>
>>>>>> JUNIT-Testcase
>>>>>>
>>>>>>     Properties properties = new Properties();
>>>>>>     ....
>>>>>>     // Minimum required for login
>>>>>>     properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>>>>>     properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>>>>
>>>>>>     // Optional param for specifying a specific Geronimo security realm
>>>>>>     properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>>>>>
>>>>>>     properties.put("mySecurityService", "new://PseudoSecurityService");
>>>>>>     ....
>>>>>>     loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>>>>>     loginManager.loginContainer(benutzer, passwort);
>>>>>>     ....
>>>>>>
>>>>>> LoginManager-Session Bean:
>>>>>> ...
>>>>>>     try {
>>>>>>         LoginCallback logcb = new LoginCallback(benutzer, passwort);
>>>>>>         LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>>>>>>         lc.login();
>>>>>>         subject = lc.getSubject();
>>>>>>     }
>>>>>> ...
>>>>>>
>>>>>> The realm "vesuv-db-sha256" is defined under
>>>>>> Geronimo-Applicationserver-Console Security - Security Realms.
>>>>>>
>>>>>> I read  http://openejb.apache.org/3.0/security.html, but I don't
>>>>>> understand how to configure the Security for embedded openejb.
>>>>>>
>>>>>> Thanx in advance for any help on this.
>>>>>>
>>>>>> Kind regards
>>>>>> Josef Eisele
>>>>>>
>>>>>> Direct: +49 (0) 6131 / 914-180
>>>>>>
>>>>>> BGS Beratungsgesellschaft
>>>>>> Software Systemplanung AG         Niederlassung Rhein/Main
>>>>>> Robert-Koch-Straße 41
>>>>>> 55129 Mainz
>>>>>> Phone: +49 (0) 6131 / 914-0
>>>>>> Fax: +49 (0) 6131 / 914-400
>>>>>> www.bgs-ag.de  Registered office: Mainz
>>>>>> Register court: Amtsgericht Mainz, HRB 62 50
>>>>>> Chairman of the supervisory board: Dr. Wolfgang Trommer
>>>>>> Management board: Hanspeter Gau, Hermann Kiefer, Nils Manegold,
>>>>>> Heinz-Jörg Zimmermann
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>
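
Added example, not from this thread and not OpenEJB or Geronimo code: a stand-alone JAAS realm in plain Java that makes David's point concrete. The string handed to new LoginContext(...) (and, in embedded OpenEJB, as openejb.authentication.realmName) is nothing more than the name of a login configuration entry; here the entry is supplied through a javax.security.auth.login.Configuration object so no login.config file is needed at all. The login module does what Josef's realm options ask for (digest=SHA-256, encoding=hex) against a constructed in-memory user table that stands in for the userSelect query. The class names, the UserPrincipal type and the sys/chief test user are my assumptions. It also shows the logout() step that, as David notes, the JNDI-property login has no equivalent for.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Stand-alone JAAS realm (assumed names) checking SHA-256 hex digests like Josef's realm options. */
public class Sha256RealmDemo {

    /** The realm name is just the login configuration entry the LoginContext looks up. */
    static final String REALM = "vesuv-db-sha256";

    /** Constructed in-memory user table, user -> hex(SHA-256(password)); stands in for userSelect. */
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("sys", sha256Hex("chief")); }

    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Hands user name and password to the module; the role Josef's LoginCallback plays. */
    static final class NamePasswordHandler implements CallbackHandler {
        private final String name;
        private final char[] password;
        NamePasswordHandler(String name, char[] password) { this.name = name; this.password = password; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(name);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Authenticates in login(); principals reach the Subject only in commit(), as the JAAS contract requires. */
    public static final class Sha256HexLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean authenticated;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            String stored = USERS.get(nc.getName());
            String given = sha256Hex(new String(pc.getPassword()));
            pc.clearPassword();
            // Compare digests in constant time; String.equals would leak how many leading hex digits match.
            authenticated = stored != null && MessageDigest.isEqual(
                    stored.getBytes(StandardCharsets.US_ASCII), given.getBytes(StandardCharsets.US_ASCII));
            if (!authenticated) throw new FailedLoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (authenticated) subject.getPrincipals().add(new UserPrincipal(user));
            return authenticated;
        }

        public boolean abort() { authenticated = false; return true; }

        public boolean logout() {
            subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal);
            return true;
        }
    }

    /** Programmatic equivalent of the login.config entry:  vesuv-db-sha256 { Sha256HexLoginModule required; }; */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!REALM.equals(name)) return null;
            return new AppConfigurationEntry[] { new AppConfigurationEntry(Sha256HexLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };

    public static void main(String[] args) throws Exception {
        LoginContext lc = new LoginContext(REALM, null, new NamePasswordHandler("sys", "chief".toCharArray()), CONFIG);
        lc.login();
        System.out.println("logged in, principals: " + lc.getSubject().getPrincipals());
        lc.logout();   // the step the JNDI-property login cannot do
        System.out.println("after logout, principals: " + lc.getSubject().getPrincipals());
        try {
            new LoginContext(REALM, null, new NamePasswordHandler("sys", "wrong".toCharArray()), CONFIG).login();
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java; no OpenEJB or Geronimo jars are needed. Replacing the in-memory table with a JDBC lookup is essentially what Geronimo's SQLLoginModule does, and the constant-time MessageDigest.isEqual compare is worth keeping in any such module, since comparing hex digests with String.equals stops at the first differing character.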


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
On Jun 12, 2008, at 10:48 AM, David Jencks wrote:

> Using the sql login module with a datasource name won't work without  
> the geronimo kernel running and the datasource deployed to the  
> geronimo kernel.  However there's an alternate configuration for  
> this login module that uses a Driver class name and jdbc url that  
> ought to work.  Most likely the geronimo kernel jar will need to be  
> on the classpath but you don't need a running kernel.
>
> With this configuration a plain text login.config file ought to  
> work.  Since he'll need to translate the config to text anyway  
> changing the configuration to use the Driver shouldn't be impossibly  
> difficult.

Is there some way we can pass the DataSource directly to the SQL
LoginModule by possibly wrapping it?  In the wrapper we'd take the
text string, grab the datasource much like the G kernel would, and
give it to the login module.


-David

> On Jun 11, 2008, at 7:34 PM, David Blevins wrote:
>
>> This guy (a geronimo user) wants to use the Geronimo LoginModule  
>> implementations in his unit tests with embedded openejb.  Do you  
>> know if there's a way for us to support them?  Ideally he could  
>> just include geronimo-security as a dependency and we could create  
>> some wrappers that would construct them and get them the right  
>> configuration (datasources, files, etc) and the wrappers could be  
>> listed in a plain-text JAAS login.config file.
>>
>> Is something like that possible?  Are the LoginModules tightly  
>> coupled with the kernel etc. or would it be possible to "peel" them  
>> out and reuse them in a somewhat standalone fashion?
>>
>> -David
>>
>> Begin forwarded message:
>>
>>> [...]
>>
>
>
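
An added example of the plain-text login.config David Jencks describes, written for this thread rather than taken from Geronimo or OpenEJB: Josef's realm translated from the Geronimo XML above into JAAS text syntax, with the SQL module switched from the deployed pool (dataSourceName) to a driver class and JDBC URL. The option names jdbcDriver, jdbcURL, jdbcUser and jdbcPassword are what I remember from Geronimo 2.1's SQLLoginModule and should be checked against its source; the two SELECT statements are placeholders for Josef's "select bla bla" queries and assume SQLLoginModule substitutes the user name for each "?"; the JDBC values are the ones from his BaseTest. The FileAuditLoginModule is left out because, as far as I recall, it resolves its file option relative to the server root through a ServerInfo object that Geronimo injects as a module option, which a text login.config cannot supply. Like David's suggestion, this is untested.

```text
// login.config for embedded OpenEJB. The entry name must equal the realm name
// given as openejb.authentication.realmName and to new LoginContext(...).
vesuv-db-sha256 {
    // REQUIRED module from the realm, using the driver/URL options instead of
    // dataSourceName so no running Geronimo kernel or deployed pool is needed.
    org.apache.geronimo.security.realm.providers.SQLLoginModule required
        jdbcDriver="org.postgresql.Driver"
        jdbcURL="jdbc:postgresql://localhost/bgsdev1"
        jdbcUser="bgsdev1"
        jdbcPassword="bgsdev1"
        digest="SHA-256"
        encoding="hex"
        userSelect="select username, password from benutzer where username = ?"
        groupSelect="select username, gruppe from benutzer_gruppe where username = ?";

    // REQUISITE lockout module, options copied unchanged from the realm definition.
    org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule requisite
        failureCount="3"
        failurePeriodSecs="180"
        lockoutDurationSecs="1800";
};
```

Point the JVM at the file with -Djava.security.auth.login.config=<path>, which is the standard JAAS property; how embedded OpenEJB's SecurityService merges that with its own login.config is worth checking in the security docs linked earlier in the thread. Keep the Geronimo security and kernel jars on the test classpath as David Jencks notes, and since jdbcPassword sits in the file in clear text, use a throwaway test database account and keep the file out of version control.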


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Jencks <da...@yahoo.com>.
Using the sql login module with a datasource name won't work without  
the geronimo kernel running and the datasource deployed to the  
geronimo kernel.  However there's an alternate configuration for this  
login module that uses a Driver class name and jdbc url that ought to  
work.  Most likely the geronimo kernel jar will need to be on the  
classpath but you don't need a running kernel.

With this configuration a plain text login.config file ought to work.   
Since he'll need to translate the config to text anyway changing the  
configuration to use the Driver shouldn't be impossibly difficult.

Note I haven't tested this.

thanks
david jencks

On Jun 11, 2008, at 7:34 PM, David Blevins wrote:

> This guy (a geronimo user) wants to use the Geronimo LoginModule  
> implementations in his unit tests with embedded openejb.  Do you  
> know if there's a way for us to support them?  Ideally he could just  
> include geronimo-security as a dependency and we could create some  
> wrappers that would construct them and get them the right  
> configuration (datasources, files, etc) and the wrappers could be  
> listed in a plain-text JAAS login.config file.
>
> Is something like that possible?  Are the LoginModules tightly  
> coupled with the kernel etc. or would it be possible to "peel" them  
> out and reuse them in a somewhat standalone fashion?
>
> -David
>
> Begin forwarded message:
>
>> Resent-From: <db...@visi.com>
>> From: Josef.Eisele@bgs-ag.de
>> Date: June 11, 2008 5:03:59 AM PDT
>> To: users@openejb.apache.org
>> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS  
>> LoginModule
>> Reply-To: users@openejb.apache.org
>>
>> Hi David,
>>
>> thank you very much for your assistance. If I understand you right  
>> the
>> Realm-Name of the Default Security Service is called
>> "PropertiesLogin".
>> If I could change that to "vesuv-db-sha256", my problems are solved.
>>
>> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>>
>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>   <environment>
>>       <moduleId>
>>           <groupId>console.realm</groupId>
>>           <artifactId>vesuv-db-sha256</artifactId>
>>           <version>1.0</version>
>>           <type>car</type>
>>       </moduleId>
>>       <dependencies>
>>           <dependency>
>>               <groupId>org.apache.geronimo.framework</groupId>
>>               <artifactId>j2ee-security</artifactId>
>>               <type>car</type>
>>           </dependency>
>>           <dependency>
>>               <groupId>console.dbpool</groupId>
>>               <artifactId>Postgres.postgres.vesuv</artifactId>
>>               <version>1.0</version>
>>               <type>rar</type>
>>           </dependency>
>>       </dependencies>
>>   </environment>
>>   <gbean name="vesuv-db-sha256"
>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>> xsi:type="dep:gbeanType" xmlns:dep="
>> http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
>> http://www.w3.org/2001/XMLSchema-instance">
>>       <attribute name="realmName">vesuv-db-sha256</attribute>
>>       <reference name="ServerInfo">
>>           <name>ServerInfo</name>
>>       </reference>
>>       <xml-reference name="LoginModuleConfiguration">
>>           <log:login-config xmlns:log="
>> http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>               <log:login-module control-flag="REQUIRED"
>> wrap-principals="false">
>> <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>>
>> <log:login-module- 
>> class>org.apache.geronimo.security.realm.providers.SQLLoginModule</ 
>> log:login-module-class>
>>                   <log:option
>> name="dataSourceName">Postgres.postgres.vesuv</log:option>
>>                   <log:option name="encoding">hex</log:option>
>>                   <log:option
>> name="dataSourceApplication">null</log:option>
>>                   <log:option name="digest">SHA-256</log:option>
>>                   <log:option name="groupSelect">select bla
>> bla</log:option>
>>                   <log:option name="userSelect">select  bla
>> bla</log:option>
>>               </log:login-module>
>>               <log:login-module control-flag="OPTIONAL"
>> wrap-principals="false">
>> <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>>
>> <log:login-module- 
>> class 
>> >org.apache.geronimo.security.realm.providers.FileAuditLoginModule</ 
>> log:login-module-class>
>>                   <log:option
>> name="file">var/log/vesuv-login.log</log:option>
>>               </log:login-module>
>>               <log:login-module control-flag="REQUISITE"
>> wrap-principals="false">
>> <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain- 
>> name>
>>
>> <log:login-module- 
>> class 
>> > 
>> org 
>> .apache 
>> .geronimo 
>> .security.realm.providers.RepeatedFailureLockoutLoginModule</ 
>> log:login-module-class>
>>                   <log:option name="failureCount">3</log:option>
>>                   <log:option name="failurePeriodSecs">180</ 
>> log:option>
>>                   <log:option
>> name="lockoutDurationSecs">1800</log:option>
>>               </log:login-module>
>>           </log:login-config>
>>       </xml-reference>
>>   </gbean>
>> </module>
>>
>>
>> Session Bean LoginManagerImpl.java
>>
>> import javax.ejb.*;
>> import javax.security.auth.login.LoginContext;
>>
>> import de.nrw.hagen.ggrz.Exception.StdAppException;
>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>> import de.nrw.hagen.ggrz.bv.benutzer.*;
>> import de.nrw.hagen.ggrz.log.Logger;
>> import javax.security.auth.login.*;
>> ....
>>       /**
>>        * Login beim Container durchfhren lassen mit JAAS.
>>        *
>>        * @param benutzer
>>        * @param kennwort
>>        * @return
>>        */
>>       public boolean loginContainer(String benutzer, String  
>> kennwort)  {
>>               logger.info("Login EJB Container:" + benutzer + "/" +
>> kennwort);
>>               try {
>>                       LoginCallback logcb = new  
>> LoginCallback(benutzer,
>> kennwort);
>>                       LoginContext lc = new
>> LoginContext("vesuv-db-sha256",logcb);
>>                       lc.login();
>>                       subject = lc.getSubject();
>>               }
>>               catch (LoginException ex) {
>>                       logger.error("Exception bei login:" +
>> ex.getMessage());
>>                       //if (ex.getMessage().equals("SQL error"))
>>                               //throw ex;
>>                       throw new StdAppException("Exception bei  
>> Login",
>> ex);
>>
>>               }
>>                }
>>
>>
>> JUnit-Test Class:
>>
>> ....
>> import java.util.Properties;
>>
>> import javax.naming.Context;
>> import javax.naming.InitialContext;
>> import javax.naming.NamingException;
>>
>> import org.junit.After;
>>
>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>> import de.nrw.hagen.ggrz.login.LoginManager;
>> import de.nrw.hagen.ggrz.security.Subject;
>>
>> public class BaseTest {
>>
>>       private String benutzer = "sys";
>>       private String passwort = "chief";
>>       private Subject user = null;
>>       private BenutzerKontext benutzerKontext = null;
>>
>>       private InitialContext initialContext;
>>
>>       public BaseTest() {
>>               initEnvironment();
>>       }
>>
>>       public void initEnvironment() {
>>
>> System.out.println("------------------ 
>> initEnvironment--------------------------");
>>                       Properties properties = new Properties();
>> properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>> "org.apache.openejb.client.LocalInitialContextFactory");
>>
>>                       // Minimum required for login
>>                       properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>                       properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>
>>                       // Optional param for specifying a specific Geronimo security realm
>>                       properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>
>>                       properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");
>>
>>                       properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
>>                       properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
>>                       properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
>>                       properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
>>                       properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
>>                       properties.put("openjpa.jdbc.SynchronizeMappings", "false");
>>                       properties.put("openjpa.jdbc.Schema", "vesuv");
>>
>>                       try {
>>                               initialContext = new InitialContext(properties);
>>                               user = readUserFromLogin();
>>                       } catch (Exception e) {
>>                               e.printStackTrace();
>>                       }
>>
>>               }
>>
>>       private Subject readUserFromLogin() {
>>               LoginManager loginManager = null;
>>
>>               try {
>>                       loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>                       loginManager.loginContainer(benutzer, passwort);
>>               } catch (NamingException e1) {
>>                       // TODO Auto-generated catch block
>>                       e1.printStackTrace();
>>               } catch (Exception e) {
>>                       // TODO Auto-generated catch block
>>                       e.printStackTrace();
>>               }
>>
>>               try {
>>                       benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
>>               } catch (Exception e) {
>>                       // TODO Auto-generated catch block
>>                       e.printStackTrace();
>>               }
>>
>>               return new Subject(benutzerKontext, loginManager.getSubject());
>>       }
>>       ....
>>
>> }
>>
>>
>> Mit freundlichen Grüßen / Kind regards
>> Josef Eisele
>>
>> Direct: +49 (0) 6131 / 914-180
>>
>> David Blevins <da...@visi.com>
>> 09.06.2008 22:55
>> Please reply to
>> users@openejb.apache.org
>>
>> To
>> users@openejb.apache.org
>> Cc
>>
>> Subject
>> Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>>
>> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>>
>>> Hi David,
>>>
>>> thank you very much for the link. I got it twice and I read it
>>> twice ;-)
>>> but it doesn't help concerning my actual problem.
>>>
>>> To run our business code it is necessary to log into a
>>> 'SecurityService' with user/password/realm, and as a result there must
>>> be a Security-Object (javax.security.auth.Subject). This Security-Object
>>> is necessary to invoke our business code. The magic
>>> @RunAs("Employee") won't work in our case.
>>
>> If you could give me some more detail here, that'd be great.  Both
>> login and runas result in a javax.security.auth.Subject being created
>> by and enforced by the SecurityService.  The creation is slightly
>> different, but the subject is tracked and enforced by the
>> SecurityService in exactly the same way.
>>
>> If you have any sample code on what doesn't work that would also be
>> helpful.
>>
>>> The default implementation from the security service with the
>>> parameters
>>> user/password is fine, but we miss the realm-Parameter. And if we
>>> add it,
>>> the Security Service says
>>>
>>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>>> konfiguriert.
>>>
>>> Anmeldemodule = Login module
>>
>> The realm in OpenEJB refers to the JAAS LoginModule.  The login  
>> module
>> that is setup in the SecurityServices login.config file is called
>> "PropertiesLogin".  This is the default value for realm when left
>> unspecified.
>>
>> If you have a custom javax.security.auth.spi.LoginModule there is a
>> way to set one up.  Let me know if that is what you're trying to do
>> and I'll see if I can get an example working.
>>
>> -David
>>
>>
>>>
>>> cu Josef
>>>
>>> David Blevins <da...@visi.com>
>>> 06.06.2008 23:06
>>> Please reply to
>>> users@openejb.apache.org
>>>
>>> To
>>> users@openejb.apache.org
>>> Cc
>>>
>>> Subject
>>> Re: Using OpenEJB Security for JAAS LoginModule
>>>
>>> Hi Josef,
>>>
>>> Looks like this post arrived at about the same time as my last
>>> response, so this might be repeat information :)
>>>
>>> This example shows a good technique for unit testing various  
>>> security
>>> permissions.
>>>
>>> http://openejb.apache.org/3.0/testing-security-example.html
>>>
>>> The JNDI login approach isn't really optimal as there is no "logout"
>>> option and it tends to make a mess of things.  With the above  
>>> approach
>>> you can wrap your calls with any security context you like and test
>>> accessing your bean via secured and unsecured "clients" and check  
>>> that
>>> permissions for various roles are as they need to be.
>>>
>>> -David
>>>
>>>
>>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>>
>>>> Hi All,
>>>>
>>>> we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
>>>> Application. With the great help of David Blevins the JUNIT-Tests  
>>>> can
>>>> invoke our session beans and even Transaction Handling is working
>>>> fine.
>>>> At the moment I use a trick to avoid the Login-Procedure, but this
>>>> won't work in the long run.
>>>>
>>>> With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
>>>> http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
>>>> junit-testcase I therefore need something that can provide me a
>>>> javax.security.auth.Subject after successful login. With the
>>>> default Security Service
>>>> <SecurityService id="Default Security Service"/>
>>>> and the configuration in users.properties and groups.properties I
>>>> get the error:
>>>>
>>>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>>>> konfiguriert.
>>>>
>>>> (Anmeldemodule = security realm, I think...)
>>>>
>>>> I tried also PseudoSecurityService, but I got an exception as well.
>>>>
>>>> JUNIT-Testcase
>>>>             Properties properties = new Properties();
>>>> ....
>>>>             // Minimum required for login
>>>>             properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>>>             properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>>
>>>>             // Optional param for specifying a specific Geronimo security realm
>>>>             properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>>>
>>>>             properties.put("mySecurityService", "new://PseudoSecurityService");
>>>> ....
>>>>             loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>>>             loginManager.loginContainer(benutzer, passwort);
>>>> ....
>>>>
>>>> LoginManager-Session Bean:
>>>> ...
>>>>             try {
>>>>                     LoginCallback logcb = new LoginCallback(benutzer, passwort);
>>>>                     LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>>>>                     lc.login();
>>>>                     subject = lc.getSubject();
>>>>             }
>>>> ...
>>>>
>>>> The realm "vesuv-db-sha256" is defined under
>>>> Geronimo-Applicationserver-Console Security - Security Realms.
>>>>
>>>> I read  http://openejb.apache.org/3.0/security.html, but I don't
>>>> understand how to configure the Security for embedded openejb.
>>>>
>>>> Thanx in advance for any help on this.
>>>>
>>>> Mit freundlichen Grüßen / Kind regards
>>>> Josef Eisele
>>>>
>>>> Direct: +49 (0) 6131 / 914-180
>>>>
>>>> BGS Beratungsgesellschaft
>>>> Software Systemplanung AG         Rhein/Main branch office
>>>> Robert-Koch-Straße 41
>>>> 55129 Mainz
>>>> Fon: +49 (0) 6131 / 914-0
>>>> Fax: +49 (0) 6131 / 914-400
>>>> www.bgs-ag.de Registered office Mainz
>>>> Register court
>>>> Amtsgericht Mainz
>>>> HRB 62 50
>>>> Chairman of the Supervisory Board
>>>> Dr. Wolfgang Trommer
>>>> Executive Board
>>>> Hanspeter Gau
>>>> Hermann Kiefer
>>>> Nils Manegold
>>>> Heinz-Jörg Zimmermann
>>>>
>>>>
>>>
>>
>>
>