Posted to user@geronimo.apache.org by Edson Carlos Ericksson Richter <ed...@brinformatica.srv.br> on 2006/01/22 00:47:38 UTC

Tomcat to Geronimo migration

Hi!

First of all, I must say Apache products are the best. And I'm very 
confident that Geronimo came to stay.
But like any very new product, it lacks high availability of docs and 
tutorials (besides, there are two PDFs with lots of information; I must 
confess I have not had time to read everything).

Well, I have been developing good software with Tomcat (since 3.1 
days), and now Tomcat 5.5 has everything a developer could desire from a 
product: easy install (just unzip or untar), exactly the same config runs on 
Windows and Linux, very easy to deploy (just put the war in webapps) and 
very stable (I have sites running Tomcat as webserver on Linux for more 
than a year without failures).

One thing I love in Tomcat 5.5 is the <Realm/> configuration, and the 
separation "by context" (every context could have its own 
authentication). It works like a charm for database authenticated users. I 
have read somewhere that Geronimo still does not have this kind of support 
(database auth users). Is this a reality, or could this be already 
implemented? I ask this because it's a must-have to migrate all my apps to 
Geronimo.

Best regards, and good work.

Richter


Re: Tomcat to Geronimo migration

Posted by Edson Carlos Ericksson Richter <ed...@brinformatica.srv.br>.
Well, let me explain:

I have a web app where administrator could organize users in logical 
groups. Then, administrator delegates roles to these groups.
The "roles" table is fixed, and is exactly equal to roles declared in 
web.xml, and administrator has no "window" to put new roles there.
The "groups" table isn't fixed, and administrator could create as many 
groups as he wants, and put any user in as many groups as he desires.

I solved the problem mapping my "roles" table to the server roles, and 
using the "select username, group from userGroups where username=?" as 
"select username, role from autorizationView where username=?", and 
creating the mappings like:

      <role role-name="admin">
        <principal name="admin" designated-run-as="true"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
      <role role-name="editor">
        <principal name="editor" designated-run-as="true"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>
      <role role-name="user">
        <principal name="user" designated-run-as="true"
                   class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
      </role>

So, for every role declared in web.xml, I have one role in the "roles" table 
and one mapping in geronimo-web.xml, so I can have a variable number of 
groups.

Thanks for the clarifications. My web app is running as well as it ran on 
Tomcat right now.


Richter

Re: Tomcat to Geronimo migration

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
Just to be clear, since the terms are a little overloaded:

 - a "group" is what the "get groups for user" database query returns,
so anything returned by your view is what we'd call a "group"

 - a "role" is what the J2EE application requires, so we have you map
"groups" to "roles" (you can map any number of DB groups to a J2EE
role, indicating that any user in any of those groups counts as a
member of the role)

It's true that you can't have a dynamic number of groups.  Your
web.xml lists the J2EE roles that your application cares about, and
your geronimo-web.xml lists the database groups whose members should
count as members of each J2EE role.  So you can say "J2EE role 'foo'
contains the members of database groups 'db-foo' and 'db-bar'" but you
cannot say "J2EE role 'foo' contains the members of all database
groups" or "for every database group, create a J2EE role accordingly".
 However, since you have to list each J2EE role in web.xml, it's not
so clear to me what having a dynamic number of groups would get you.

Thanks,
    Aaron
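
Added example (not from either poster or the Geronimo project): a small model of the setup discussed above, where the login query reads a view that flattens user and group assignments into role names, and a fixed mapping like the geronimo-web.xml fragment turns those names into J2EE roles. The sqlite3 schema, the sample rows and the groupname column are constructed; the raw-group query is included to show that group names absent from the mapping grant nothing.

```python
import sqlite3

# Constructed sample data; table, view and column names follow the thread
# where it gives them, the rest (e.g. groupname) are assumptions.
SCHEMA = """
CREATE TABLE userRoles(username TEXT, rolename TEXT);
CREATE TABLE userGroups(username TEXT, groupname TEXT);
CREATE TABLE groupRoles(groupname TEXT, rolename TEXT);
CREATE VIEW autorizationView AS
  SELECT username, rolename AS role FROM userRoles
  UNION
  SELECT ug.username, gr.rolename FROM userGroups ug
  JOIN groupRoles gr ON gr.groupname = ug.groupname;
INSERT INTO userRoles VALUES ('alice', 'admin');
INSERT INTO userGroups VALUES ('bob', 'night-shift');
INSERT INTO groupRoles VALUES ('night-shift', 'editor');
"""

# Static mapping as in the geronimo-web.xml fragment: J2EE role -> the
# group principal names whose members count as holding that role.
ROLE_MAPPING = {"admin": {"admin"}, "editor": {"editor"}, "user": {"user"}}

VIEW_QUERY = "select username, role from autorizationView where username=?"
RAW_QUERY = "select username, groupname from userGroups where username=?"


def open_db():
    """Create the in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def groups_for(conn, username, query):
    """Run a 'get groups for user' query; column 2 is the group name."""
    return {row[1] for row in conn.execute(query, (username,))}


def j2ee_roles(groups, mapping=ROLE_MAPPING):
    """A user holds a J2EE role if any group mapped to it was returned."""
    return {role for role, mapped in mapping.items() if mapped & groups}


if __name__ == "__main__":
    conn = open_db()
    print(j2ee_roles(groups_for(conn, "bob", VIEW_QUERY)))  # via the view
    print(j2ee_roles(groups_for(conn, "bob", RAW_QUERY)))   # raw group names
```

Groups created later by the administrator need no change to the mapping, because the view only ever returns names from the fixed role list.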


Re: Tomcat to Geronimo migration

Posted by Edson Carlos Ericksson Richter <ed...@brinformatica.srv.br>.
Well, I see examples in two pages, but I don't understand.

If I map roles to groups in geronimo-web.xml, I can't have a dynamic 
number of groups?
Or should I understand group as role, and I should map app roles to 
server roles?

I think I'm making some confusion here, because my app has 5 tables: 
users, groups, roles, userRoles, groupRoles. And I get everything from a 
view that is a union of user roles and group roles to know what roles 
the user has...

Back to the problem, is "group" the term used by Geronimo for "app role"?

Thanks,

Richter



Re: Tomcat to Geronimo migration

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
You can set up a database security realm in Geronimo that will control
both the password and groups for users.  See, for example,
http://chariotsolutions.com/geronimo/security-configuration.html (also
the quick start at
http://chariotsolutions.com/geronimo/quick-start.html does this). 
You'll still need a security block in the deployment plan for your
application module, for example, see
http://chariotsolutions.com/geronimo/web-plan.html#web-plan-security
for a WAR.

Thanks,
   Aaron


Re: Tomcat to Geronimo migration

Posted by Edson Carlos Ericksson Richter <ed...@brinformatica.srv.br>.
OK, I've found the database authentication module.
But it appears I can't have database authorization.

Under Tomcat, I used "select username, password from users where 
username=?" so the user is authenticated. And, still under Tomcat, I used 
"select username, rolename from userRoles where username=?" so the user gets 
authorization.

How could I accomplish this under Geronimo?

Thanks,

Richter


