Posted to users@tomee.apache.org by Jo...@bgs-ag.de on 2008/06/06 10:24:28 UTC

Using OpenEJB Security for JAAS LoginModule

Hi All,

we use embedded OpenEJB to test our JavaEE-5 (Geronimo app server)
application. With the great help of David Blevins the JUnit tests can
invoke our session beans, and even transaction handling is working fine.
At the moment I use a trick to avoid the login procedure, but this won't
work in the long run.

With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
JUnit test case I therefore need anything which can provide me a
javax.security.auth.Subject after a successful login. With the default
Security Service
  <SecurityService id="Default Security Service"/>
and the configuration in users.properties and groups.properties I get the
error:

Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
konfiguriert.

(Anmeldemodule = security realm, I think...)

I tried also PseudoSecurityService, but I got an exception as well.

JUnit test case:
    Properties properties = new Properties();
    ....
    // Minimum required for login
    properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
    properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);

    // Optional param for specifying a specific Geronimo security realm
    properties.put("openejb.authentication.realmName", "vesuv-db-sha256");

    properties.put("mySecurityService", "new://PseudoSecurityService");
    ....
    loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
    loginManager.loginContainer(benutzer, passwort);
    ....

LoginManager session bean:
    ...
    try {
        LoginCallback logcb = new LoginCallback(benutzer, passwort);
        LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
        lc.login();
        subject = lc.getSubject();
    }
    ...

The realm "vesuv-db-sha256" is defined in the Geronimo application server
console under Security > Security Realms.

I read http://openejb.apache.org/3.0/security.html, but I don't
understand how to configure the security for embedded OpenEJB.

Thanks in advance for any help on this.

Mit freundlichen Grüßen / Kind regards
Josef Eisele

Direkt: +49 (0) 6131 / 914-180

BGS Beratungsgesellschaft 
Software Systemplanung AG         Niederlassung Rhein/Main 
Robert-Koch-Straße 41 
55129 Mainz 
Fon: +49 (0) 6131 / 914-0 
Fax: +49 (0) 6131 / 914-400 
www.bgs-ag.de Geschäftssitz Mainz 
Registergericht 
Amtsgericht Mainz 
HRB 62 50 
  Aufsichtsratsvorsitzender 
Dr. Wolfgang Trommer 
Vorstand 
Hanspeter Gau 
Hermann Kiefer 
Nils Manegold 
Heinz-Jörg Zimmermann 
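What a plain JAAS login looks like inside a test JVM, independent of any application server, as an added example (not code from this thread, from OpenEJB or from Geronimo). The login module InMemorySha256LoginModule, its UserPrincipal class, the in-memory account table and the installTestRealm/login helpers are all constructed for illustration; only the realm name "vesuv-db-sha256" and the user "sys"/"chief" are reused from the post above. The module verifies a hex-encoded SHA-256 digest with a constant-time comparison, publishes a Principal to the Subject in commit(), and removes it again in logout(); the realm is registered through a programmatic javax.security.auth.login.Configuration, so the test needs neither a login.config file nor a running server kernel.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Hypothetical test-only JAAS module: verifies a user against an in-memory table of SHA-256 digests. */
public class InMemorySha256LoginModule implements LoginModule {
    // Constructed sample account (not from any real realm); digests are stored hex-encoded.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("sys", sha256Hex("chief")); }

    /** Minimal Principal with value equality, so logout() can remove it from the Subject again. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return name; }
        public boolean equals(Object o) { return o instanceof UserPrincipal && name.equals(((UserPrincipal) o).name); }
        public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private UserPrincipal principal;   // set by login(), published to the Subject by commit()

    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pw = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pw });
        } catch (IOException e) {
            throw new LoginException(e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        char[] chars = pw.getPassword();
        String given = sha256Hex(chars == null ? "" : new String(chars));
        pw.clearPassword();
        String stored = USERS.get(name.getName());
        // Constant-time digest comparison; one generic message for unknown user and wrong password.
        if (stored == null || !MessageDigest.isEqual(stored.getBytes(), given.getBytes())) {
            throw new FailedLoginException("login failed");
        }
        principal = new UserPrincipal(name.getName());
        return true;
    }

    public boolean commit() {
        if (principal == null) return false;
        subject.getPrincipals().add(principal);
        return true;
    }

    public boolean abort() { principal = null; return true; }

    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }

    static String sha256Hex(String s) {
        try {
            StringBuilder sb = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(s.getBytes("UTF-8"))) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
    }

    /** Registers the realm programmatically: no login.config file and no server kernel in the test JVM. */
    public static void installTestRealm(final String realm) {
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!realm.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(InMemorySha256LoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        });
    }

    /** Authenticates against the realm; the returned LoginContext yields the Subject and offers logout(). */
    public static LoginContext login(String realm, final String user, final String password) throws LoginException {
        LoginContext lc = new LoginContext(realm, new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        });
        lc.login();
        return lc;
    }

    public static void main(String[] args) throws Exception {
        installTestRealm("vesuv-db-sha256");
        LoginContext lc = login("vesuv-db-sha256", "sys", "chief");
        System.out.println("principals after login: " + lc.getSubject().getPrincipals());
        lc.logout();
        System.out.println("principals after logout: " + lc.getSubject().getPrincipals());
        try {
            login("vesuv-db-sha256", "sys", "wrong");
        } catch (LoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the realm is registered with Configuration.setConfiguration, it replaces whatever JAAS configuration the JVM had; in a test suite, install it once in a setup method and keep the realm name identical to the one the session bean passes to LoginContext.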


  

Re: Antwort: Re: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by Dain Sundstrom <da...@iq80.com>.
On Jun 30, 2008, at 7:32 AM, Josef.Eisele@bgs-ag.de wrote:

> Hi David,
>
> Germany lost Euro 2008, therefore I need good news ;-) Do you have any
> for me?
>
> I convinced my team to use all JUnit tests with OpenEJB as embedded
> container in Eclipse :-)
>
> Using my tests, sometimes strange things happen:
> * I test the public CRUD functions of my business class and often I get
> the expected GREEN color as the result.
> * But sometimes the first function of my business class fails. It is the
> creation of the business object. The failure happens without any
> code change.
>
> There are two SQL insert statements which depend on each other. We use the
> EntityManager.persist method. Is it possible that the transaction manager in
> embedded OpenEJB sometimes uses the wrong order for the insert statements?

FWIU, yes.  By default, OpenJPA does not reorder SQL statements to  
respect foreign keys.  There is an UpdateManager which will respect  
foreign keys, but you have to turn it on with this property:

openjpa.jdbc.UpdateManager=org.apache.openjpa.jdbc.kernel.ConstraintUpdateManager


BTW, this is about the limits of my knowledge of OpenJPA, so you may
be better served by asking on the OpenJPA users mailing list
(users@openjpa.apache.org).

-dain

Antwort: Re: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by Jo...@bgs-ag.de.
Hi David,

Germany lost Euro 2008, therefore I need good news ;-) Do you have any
for me?

I convinced my team to use all JUnit tests with OpenEJB as embedded
container in Eclipse :-)

Using my tests, sometimes strange things happen:
* I test the public CRUD functions of my business class and often I get
the expected GREEN color as the result.
* But sometimes the first function of my business class fails. It is the
creation of the business object. The failure happens without any
code change.

There are two SQL insert statements which depend on each other. We use the
EntityManager.persist method. Is it possible that the transaction manager in
embedded OpenEJB sometimes uses the wrong order for the insert statements?
We have no errors at all using the code in Geronimo 2.1.1 and sometimes
errors with the JUnit tests. Where are the possible differences between these
two scenarios?

-Josef





David Blevins <da...@visi.com> wrote on 12.06.2008 09:02 (to users@openejb.apache.org, reply-to users@openejb.apache.org, subject "Re: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule"):

Hi Josef,

Looks like you do have some custom LoginModules, the Geronimo ones :) 
Those aren't going to run outside of Geronimo, but I've started a 
thread to see if we can get them to be less dependent on the Geronimo 
runtime and therefore more reusable in other settings, like unit tests.

Hopefully we can get some good news for you.

Aside from the login part, I can promise you that the code and process
*after* the login is exactly the same as with RunAs.  So if you have
EJBs with security constraints (@RolesAllowed, @DenyAll, @PermitAll,
etc.) I absolutely guarantee that those *are* testable; just the tests
are assuming a positive login is possible.  Another way to think of it
is that the login is "mocked" and the enforcement of that Subject is
100% real.  It should at least allow you to get started and test that
@RolesAllowed, @DenyAll, @PermitAll, @DeclareRoles and isCallerInRole
all function as you want them to.  The login part could be added later
and the RunAs removed with little change to the tests.

-David






  

Re: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
Hi Josef,

Looks like you do have some custom LoginModules, the Geronimo ones :)   
Those aren't going to run outside of Geronimo, but I've started a  
thread to see if we can get them to be less dependent on the Geronimo  
runtime and therefore more reusable in other settings, like unit tests.

Hopefully we can get some good news for you.

Aside from the login part, I can promise you that the code and process
*after* the login is exactly the same as with RunAs.  So if you have
EJBs with security constraints (@RolesAllowed, @DenyAll, @PermitAll,
etc.) I absolutely guarantee that those *are* testable; just the tests
are assuming a positive login is possible.  Another way to think of it
is that the login is "mocked" and the enforcement of that Subject is
100% real.  It should at least allow you to get started and test that
@RolesAllowed, @DenyAll, @PermitAll, @DeclareRoles and isCallerInRole
all function as you want them to.  The login part could be added later
and the RunAs removed with little change to the tests.

-David

On Jun 11, 2008, at 5:03 AM, Josef.Eisele@bgs-ag.de wrote:

> Hi David,
>
> thank you very much for your assistance. If I understand you right, the
> realm name of the Default Security Service is called "PropertiesLogin".
> If I could change that to "vesuv-db-sha256", my problems would be solved.
>
> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>     <environment>
>         <moduleId>
>             <groupId>console.realm</groupId>
>             <artifactId>vesuv-db-sha256</artifactId>
>             <version>1.0</version>
>             <type>car</type>
>         </moduleId>
>         <dependencies>
>             <dependency>
>                 <groupId>org.apache.geronimo.framework</groupId>
>                 <artifactId>j2ee-security</artifactId>
>                 <type>car</type>
>             </dependency>
>             <dependency>
>                 <groupId>console.dbpool</groupId>
>                 <artifactId>Postgres.postgres.vesuv</artifactId>
>                 <version>1.0</version>
>                 <type>rar</type>
>             </dependency>
>         </dependencies>
>     </environment>
>     <gbean name="vesuv-db-sha256"
>            class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>            xsi:type="dep:gbeanType"
>            xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <attribute name="realmName">vesuv-db-sha256</attribute>
>         <reference name="ServerInfo">
>             <name>ServerInfo</name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>                     <log:option name="dataSourceName">Postgres.postgres.vesuv</log:option>
>                     <log:option name="encoding">hex</log:option>
>                     <log:option name="dataSourceApplication">null</log:option>
>                     <log:option name="digest">SHA-256</log:option>
>                     <log:option name="groupSelect">select bla bla</log:option>
>                     <log:option name="userSelect">select bla bla</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                     <log:option name="file">var/log/vesuv-login.log</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="REQUISITE" wrap-principals="false">
>                     <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>                     <log:option name="failureCount">3</log:option>
>                     <log:option name="failurePeriodSecs">180</log:option>
>                     <log:option name="lockoutDurationSecs">1800</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
> </module>
>
>
> Session Bean LoginManagerImpl.java
>
> import javax.ejb.*;
> import javax.security.auth.login.LoginContext;
>
> import de.nrw.hagen.ggrz.Exception.StdAppException;
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.bv.benutzer.*;
> import de.nrw.hagen.ggrz.log.Logger;
> import javax.security.auth.login.*;
> ....
>        /**
>         * Have the container perform the login via JAAS.
>         *
>         * @param benutzer
>         * @param kennwort
>         * @return
>         */
>        public boolean loginContainer(String benutzer, String kennwort) {
>                logger.info("Login EJB Container:" + benutzer + "/" + kennwort);
>                try {
>                        LoginCallback logcb = new LoginCallback(benutzer, kennwort);
>                        LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>                        lc.login();
>                        subject = lc.getSubject();
>                }
>                catch (LoginException ex) {
>                        logger.error("Exception bei login:" + ex.getMessage());
>                        //if (ex.getMessage().equals("SQL error"))
>                                //throw ex;
>                        throw new StdAppException("Exception bei Login", ex);
>                }
>                // the method is declared boolean; a return value was missing in the posted fragment
>                return true;
>        }
>
>
> JUnit-Test Class:
>
> ....
> import java.util.Properties;
>
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
>
> import org.junit.After;
>
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.login.LoginManager;
> import de.nrw.hagen.ggrz.security.Subject;
>
> public class BaseTest {
>
>        private String benutzer = "sys";
>        private String passwort = "chief";
>        private Subject user = null;
>        private BenutzerKontext benutzerKontext = null;
>
>        private InitialContext initialContext;
>
>        public BaseTest() {
>                initEnvironment();
>        }
>
>        public void initEnvironment() {
>                System.out.println("------------------initEnvironment--------------------------");
>                Properties properties = new Properties();
>                properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>                                "org.apache.openejb.client.LocalInitialContextFactory");
>
>                // Minimum required for login
>                properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>                properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>
>                // Optional param for specifying a specific Geronimo security realm
>                properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>
>                properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");
>
>                properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
>                properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
>                properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
>                properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
>                properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
>                properties.put("openjpa.jdbc.SynchronizeMappings", "false");
>                properties.put("openjpa.jdbc.Schema", "vesuv");
>
>                try {
>                        initialContext = new InitialContext(properties);
>                        user = readUserFromLogin();
>                } catch (Exception e) {
>                        e.printStackTrace();
>                }
>        }
>
>        private Subject readUserFromLogin() {
>                LoginManager loginManager = null;
>
>                try {
>                        loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>                        loginManager.loginContainer(benutzer, passwort);
>                } catch (NamingException e1) {
>                        // TODO Auto-generated catch block
>                        e1.printStackTrace();
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                try {
>                        benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                return new Subject(benutzerKontext, loginManager.getSubject());
>        }
>        ....
>
> }
>
>
> Mit freundlichen Grüßen / Kind regards
> Josef Eisele
>
> Direkt: +49 (0) 6131 / 914-180
>
>
>
>
> David Blevins <da...@visi.com> wrote on 09.06.2008 22:55 (to users@openejb.apache.org, reply-to users@openejb.apache.org, subject "Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule"):
>
> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>
>> Hi David,
>>
>> thank you very much for the link. I got it twice and I read it
>> twice ;-)
>> but it doesn't help concerning my actual problem.
>>
>> To run our business code it is necessary to log in to a
>> 'SecurityService' with user/password/realm, and as a result there must
>> be a
>> security object (javax.security.auth.Subject). This security object is
>> necessary to invoke our business code. The magic
>> @RunAs("Employee") won't
>> work in our case.
>
> If you could give me some more detail here, that'd be great.  Both
> login and runas result in a javax.security.auth.Subject being created
> by and enforced by the SecurityService.  The creation is slightly
> different, but the subject is tracked and enforced by the
> SecurityService in exactly the same way.
>
> If you have any sample code on what doesn't work that would also be
> helpful.
>
>> The default implementation of the security service with the
>> parameters
>> user/password is fine, but we miss the realm parameter. And if we
>> add it,
>> the Security Service says
>>
>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>> konfiguriert.
>>
>> Anmeldemodule = Login module
>
> The realm in OpenEJB refers to the JAAS LoginModule.  The login module
> that is setup in the SecurityServices login.config file is called
> "PropertiesLogin".  This is the default value for realm when left
> unspecified.
>
> If you have a custom javax.security.auth.spi.LoginModule there is a
> way to set one up.  Let me know if that is what you're trying to do
> and I'll see if I can get an example working.
>
> -David
>
>
>>
>>
>>
>> cu Josef
>>
>>
>>
>>
>>
>> David Blevins <da...@visi.com> wrote on 06.06.2008 23:06 (to users@openejb.apache.org, reply-to users@openejb.apache.org, subject "Re: Using OpenEJB Security for JAAS LoginModule"):
>>
>> Hi Josef,
>>
>> Looks this post arrived at about the same time as my last response,  
>> so
>> this might be repeat information :)
>>
>> This example shows a good technique for unit testing various security
>> permissions.
>>
>>  http://openejb.apache.org/3.0/testing-security-example.html
>>
>> The JNDI login approach isn't really optimal as there is no "logout"
>> option and it tends to make a mess of things.  With the above  
>> approach
>> you can wrap your calls with any security context you like and test
>> accessing your bean via secured and unsecured "clients" and check  
>> that
>> permissions for various roles are as they need to be.
>>
>> -David
>>
>>
>
>
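The @RunAs "caller" approach David recommends above, written out as an added example; it is not the code from the linked openejb.apache.org page nor from this thread. The Payroll/PayrollBean bean under test, the Caller interface, the ManagerBean and EmployeeBean callers and the JUnit class are all hypothetical; the JNDI names follow the OpenEJB 3.0 convention of <ejb-name>Local that the thread's own lookup of "LoginManagerImplLocal" relies on. The login is mocked by @RunAs, while the rejection is produced by the container as EJBAccessException, so a test that does not get that exception has found a missing or wrong constraint. Separate source files are shown in one listing with the imports given once.

```java
// Imports for all files below (each real source file carries the ones it uses).
import java.util.Properties;
import java.util.concurrent.Callable;
import javax.annotation.security.*;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.junit.Before;
import org.junit.Test;
import static org.junit.Assert.*;

// ---- Payroll.java / PayrollBean.java: hypothetical bean under test; the container enforces the annotations ----
@Local
public interface Payroll {
    String view();      // anyone
    String approve();   // managers only
    String audit();     // nobody
}

@Stateless
public class PayrollBean implements Payroll {
    @PermitAll               public String view()    { return "viewed"; }
    @RolesAllowed("Manager") public String approve() { return "approved"; }
    @DenyAll                 public String audit()   { return "audited"; }
}

// ---- Caller.java, ManagerBean.java, EmployeeBean.java: the "mocked" login ----
// Each caller bean runs the Callable under the role declared by @RunAs; the Subject the
// container builds for that role is what gets enforced on the inner PayrollBean call.
@Local
public interface Caller {
    <V> V call(Callable<V> work) throws Exception;
}

@Stateless @RunAs("Manager")
public class ManagerBean implements Caller {
    public <V> V call(Callable<V> work) throws Exception { return work.call(); }
}

@Stateless @RunAs("Employee")
public class EmployeeBean implements Caller {
    public <V> V call(Callable<V> work) throws Exception { return work.call(); }
}

// ---- PayrollSecurityTest.java ----
public class PayrollSecurityTest {
    private Payroll payroll;
    private Caller manager, employee;

    @Before
    public void boot() throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.LocalInitialContextFactory");
        Context ctx = new InitialContext(p);
        // OpenEJB 3.0 default local JNDI names: <ejb-name>Local
        payroll  = (Payroll) ctx.lookup("PayrollBeanLocal");
        manager  = (Caller)  ctx.lookup("ManagerBeanLocal");
        employee = (Caller)  ctx.lookup("EmployeeBeanLocal");
    }

    @Test
    public void managerMayApprove() throws Exception {
        assertEquals("approved", manager.call(new Callable<String>() {
            public String call() { return payroll.approve(); }
        }));
    }

    @Test
    public void employeeMayOnlyView() throws Exception {
        assertEquals("viewed", employee.call(new Callable<String>() {
            public String call() { return payroll.view(); }
        }));
        try {
            employee.call(new Callable<String>() {
                public String call() { return payroll.approve(); }
            });
            fail("@RolesAllowed(\"Manager\") was not enforced");
        } catch (EJBAccessException expected) {
            // rejected by the container, not by test code
        }
    }

    @Test
    public void nobodyMayAudit() throws Exception {
        try {
            manager.call(new Callable<String>() {
                public String call() { return payroll.audit(); }
            });
            fail("@DenyAll was not enforced");
        } catch (EJBAccessException expected) {
            // @DenyAll wins even for a role that may approve
        }
    }
}
```

Because every secured call goes through a caller bean, the same test class can later switch from @RunAs to a real login (as the thread discusses) by replacing the caller beans while keeping the assertions unchanged.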


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Jencks <da...@yahoo.com>.
On Jun 12, 2008, at 11:20 AM, David Blevins wrote:

>
> On Jun 12, 2008, at 10:48 AM, David Jencks wrote:
>
>> Using the sql login module with a datasource name won't work  
>> without the geronimo kernel running and the datasource deployed to  
>> the geronimo kernel.  However there's an alternate configuration  
>> for this login module that uses a Driver class name and jdbc url  
>> that ought to work.  Most likely the geronimo kernel jar will need  
>> to be on the classpath but you don't need a running kernel.
>>
>> With this configuration a plain text login.config file ought to  
>> work.  Since he'll need to translate the config to text anyway  
>> changing the configuration to use the Driver shouldn't be  
>> impossibly difficult.
>
> Is there some way we can pass the DataSource directly to the SQL  
> LoginModule by possibly wrappering it.  In the wrapper we'd take the  
> text string, grab the datasource much like the G kernel would, and  
> give it to the login module.

Geronimo provides a bunch of automatic secret options including the  
kernel.  The SQLLoginModule uses the "injected" kernel option to look  
up the datasource from its name.  So, to do this you'd have to start a  
geronimo kernel and deploy something representing the datasource to it.

We could think about having a "look up in global jndi" strategy for  
the SQLLoginModule but this would require a code change in geronimo.

thanks
david jencks

>
>
>
> -David
>
>> On Jun 11, 2008, at 7:34 PM, David Blevins wrote:
>>
>>> This guy (a geronimo user) wants to use the Geronimo LoginModule  
>>> implementations in his unit tests with embedded openejb.  Do you  
>>> know if there's a way for us to support them?  Ideally he could  
>>> just include geronimo-security as a dependency and we could create  
>>> some wrappers that would construct them and get them the right  
>>> configuration (datasources, files, etc) and the wrappers could be  
>>> listed in a plain-text JAAS login.config file.
>>>
>>> Is something like that possible?  Are the LoginModules tightly  
>>> coupled with the kernel etc. or would it be possible to "peel"  
>>> them out and reuse them in a somewhat standalone fashion?
>>>
>>> -David
>>>
>>> Begin forwarded message:
>>>
>>>> Resent-From: <db...@visi.com>
>>>> From: Josef.Eisele@bgs-ag.de
>>>> Date: June 11, 2008 5:03:59 AM PDT
>>>> To: users@openejb.apache.org
>>>> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for  
>>>> JAAS LoginModule
>>>> Reply-To: users@openejb.apache.org
>>>>
>>>> Hi David,
>>>>
>>>> thank you very much for your assistance. If I understand you  
>>>> right the
>>>> Realm-Name of the Default Security Service is called
>>>> "PropertiesLogin".
>>>> If I could change that to "vesuv-db-sha256", my problems are  
>>>> solved.
>>>>
>>>> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>>>>
>>>> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>>>>     <environment>
>>>>         <moduleId>
>>>>             <groupId>console.realm</groupId>
>>>>             <artifactId>vesuv-db-sha256</artifactId>
>>>>             <version>1.0</version>
>>>>             <type>car</type>
>>>>         </moduleId>
>>>>         <dependencies>
>>>>             <dependency>
>>>>                 <groupId>org.apache.geronimo.framework</groupId>
>>>>                 <artifactId>j2ee-security</artifactId>
>>>>                 <type>car</type>
>>>>             </dependency>
>>>>             <dependency>
>>>>                 <groupId>console.dbpool</groupId>
>>>>                 <artifactId>Postgres.postgres.vesuv</artifactId>
>>>>                 <version>1.0</version>
>>>>                 <type>rar</type>
>>>>             </dependency>
>>>>         </dependencies>
>>>>     </environment>
>>>>     <gbean name="vesuv-db-sha256"
>>>>            class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>>            xsi:type="dep:gbeanType"
>>>>            xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>         <attribute name="realmName">vesuv-db-sha256</attribute>
>>>>         <reference name="ServerInfo">
>>>>             <name>ServerInfo</name>
>>>>         </reference>
>>>>         <xml-reference name="LoginModuleConfiguration">
>>>>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>>                 <log:login-module control-flag="REQUIRED" wrap-principals="false">
>>>>                     <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>>>>                     <log:option name="dataSourceName">Postgres.postgres.vesuv</log:option>
>>>>                     <log:option name="encoding">hex</log:option>
>>>>                     <log:option name="dataSourceApplication">null</log:option>
>>>>                     <log:option name="digest">SHA-256</log:option>
>>>>                     <log:option name="groupSelect">select bla bla</log:option>
>>>>                     <log:option name="userSelect">select bla bla</log:option>
>>>>                 </log:login-module>
>>>>                 <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>>>>                     <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>>>>                     <log:option name="file">var/log/vesuv-login.log</log:option>
>>>>                 </log:login-module>
>>>>                 <log:login-module control-flag="REQUISITE" wrap-principals="false">
>>>>                     <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
>>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>>>>                     <log:option name="failureCount">3</log:option>
>>>>                     <log:option name="failurePeriodSecs">180</log:option>
>>>>                     <log:option name="lockoutDurationSecs">1800</log:option>
>>>>                 </log:login-module>
>>>>             </log:login-config>
>>>>         </xml-reference>
>>>>     </gbean>
>>>> </module>
>>>>
>>>>
>>>> Session Bean LoginManagerImpl.java
>>>>
>>>> import javax.ejb.*;
>>>> import javax.security.auth.login.LoginContext;
>>>>
>>>> import de.nrw.hagen.ggrz.Exception.StdAppException;
>>>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>>>> import de.nrw.hagen.ggrz.bv.benutzer.*;
>>>> import de.nrw.hagen.ggrz.log.Logger;
>>>> import javax.security.auth.login.*;
>>>> ....
>>>>     /**
>>>>      * Have the container perform the login via JAAS.
>>>>      *
>>>>      * @param benutzer
>>>>      * @param kennwort
>>>>      * @return
>>>>      */
>>>>     public boolean loginContainer(String benutzer, String kennwort) {
>>>>             logger.info("Login EJB Container:" + benutzer + "/" + kennwort);
>>>>             try {
>>>>                     LoginCallback logcb = new LoginCallback(benutzer, kennwort);
>>>>                     LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>>>>                     lc.login();
>>>>                     subject = lc.getSubject();
>>>>             }
>>>>             catch (LoginException ex) {
>>>>                     logger.error("Exception bei login:" + ex.getMessage());
>>>>                     //if (ex.getMessage().equals("SQL error"))
>>>>                             //throw ex;
>>>>                     throw new StdAppException("Exception bei Login", ex);
>>>>             }
>>>>             // the method is declared boolean; a return value was missing in the posted fragment
>>>>             return true;
>>>>     }
>>>>
>>>>
>>>> JUnit-Test Class:
>>>>
>>>> ....
>>>> import java.util.Properties;
>>>>
>>>> import javax.naming.Context;
>>>> import javax.naming.InitialContext;
>>>>
>>>> import org.junit.After;
>>>>
>>>> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
>>>> import de.nrw.hagen.ggrz.login.LoginManager;
>>>> import de.nrw.hagen.ggrz.security.Subject;
>>>>
>>>> public class BaseTest {
>>>>
>>>>     private String benutzer = "sys";
>>>>     private String passwort = "chief";
>>>>     private Subject user = null;
>>>>     private BenutzerKontext benutzerKontext = null;
>>>>
>>>>     private InitialContext initialContext;
>>>>
>>>>     public BaseTest() {
>>>>             initEnvironment();
>>>>     }
>>>>
>>>>     public void initEnvironment() {
>>>>             System.out.println("------------------ initEnvironment--------------------------");
>>>>             Properties properties = new Properties();
>>>>             properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>>>>                             "org.apache.openejb.client.LocalInitialContextFactory");
>>>>
>>>>             // Minimum required for login
>>>>             properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>>>             properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>>
>>>>             // Optional param for specifying a specific Geronimo security realm
>>>>             properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>>>
>>>>             properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");
>>>>
>>>>             // Embedded DataSource standing in for the Geronimo connection pool
>>>>             properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
>>>>             properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
>>>>             properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
>>>>             properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
>>>>             properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
>>>>             properties.put("openjpa.jdbc.SynchronizeMappings", "false");
>>>>             properties.put("openjpa.jdbc.Schema", "vesuv");
>>>>
>>>>             try {
>>>>                     initialContext = new InitialContext(properties);
>>>>                     user = readUserFromLogin();
>>>>             } catch (Exception e) {
>>>>                     // fail the test setup loudly instead of continuing with user == null
>>>>                     throw new IllegalStateException("Embedded OpenEJB login failed", e);
>>>>             }
>>>>     }
>>>>
>>>>     private Subject readUserFromLogin() throws Exception {
>>>>             // Let lookup and login failures propagate: if they were swallowed here,
>>>>             // loginManager would stay null and the next call would end in a
>>>>             // NullPointerException instead of showing the real cause.
>>>>             LoginManager loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>>>             loginManager.loginContainer(benutzer, passwort);
>>>>             benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
>>>>             return new Subject(benutzerKontext, loginManager.getSubject());
>>>>     }
>>>>     ....
>>>>
>>>> }
>>>>
>>>>
>>>> Kind regards
>>>> Josef Eisele
>>>>
>>>> Direct: +49 (0) 6131 / 914-180
>>>>
>>>>
>>>>
>>>>
>>>> David Blevins <da...@visi.com>
>>>> 09.06.2008 22:55
>>>> Please reply to
>>>> users@openejb.apache.org
>>>>
>>>>
>>>> To
>>>> users@openejb.apache.org
>>>> Cc
>>>>
>>>> Subject
>>>> Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>>>>
>>>>> Hi David,
>>>>>
>>>>> thank you very much for the link. I got it twice and I read it
>>>>> twice ;-)
>>>>> but it doesn't help concerning my actual problem.
>>>>>
>>>>> To run our business code it is necessary to login into a
>>>>> 'SecurityService' with user/password/realm and as result there must
>>>>> be a Security-Object (javax.security.auth.Subject). This
>>>>> Security-Object is necessary to invoke our business code. The magic
>>>>> @RunAs("Employee") won't work in our case.
>>>>
>>>> If you could give me some more detail here, that'd be great.  Both
>>>> login and runas result in a javax.security.auth.Subject being  
>>>> created
>>>> by and enforced by the SecurityService.  The creation is slightly
>>>> different, but the subject is tracked and enforced by the
>>>> SecurityService in exactly the same way.
>>>>
>>>> If you have any sample code on what doesn't work that would also be
>>>> helpful.
>>>>
>>>>> The default implementation from the security service with the
>>>>> parameters
>>>>> user/password is fine, but we miss the realm-Parameter. And if we
>>>>> add it,
>>>>> the Security Service says
>>>>>
>>>>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>>>>> konfiguriert.
>>>>>
>>>>> Anmeldemodule = Login module
>>>>
>>>> The realm in OpenEJB refers to the JAAS LoginModule.  The login  
>>>> module
>>>> that is setup in the SecurityServices login.config file is called
>>>> "PropertiesLogin".  This is the default value for realm when left
>>>> unspecified.
>>>>
>>>> If you have a custom javax.security.auth.spi.LoginModule there is a
>>>> way to set one up.  Let me know if that is what you're trying to do
>>>> and I'll see if I can get an example working.
>>>>
>>>> -David
>>>>
>>>>
>>>>>
>>>>>
>>>>>
>>>>> cu Josef
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> David Blevins <da...@visi.com>
>>>>> 06.06.2008 23:06
>>>>> Please reply to
>>>>> users@openejb.apache.org
>>>>>
>>>>>
>>>>> To
>>>>> users@openejb.apache.org
>>>>> Cc
>>>>>
>>>>> Subject
>>>>> Re: Using OpenEJB Security for JAAS LoginModule
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> Hi Josef,
>>>>>
>>>>> Looks this post arrived at about the same time as my last  
>>>>> response, so
>>>>> this might be repeat information :)
>>>>>
>>>>> This example shows a good technique for unit testing various  
>>>>> security
>>>>> permissions.
>>>>>
>>>>> http://openejb.apache.org/3.0/testing-security-example.html
>>>>>
>>>>> The JNDI login approach isn't really optimal as there is no  
>>>>> "logout"
>>>>> option and it tends to make a mess of things.  With the above  
>>>>> approach
>>>>> you can wrap your calls with any security context you like and  
>>>>> test
>>>>> accessing your bean via secured and unsecured "clients" and  
>>>>> check that
>>>>> permissions for various roles are as they need to be.
>>>>>
>>>>> -David
>>>>>
>>>>>
>>>>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> BGS Beratungsgesellschaft
>>>>> Software Systemplanung AG
>>>>>
>>>>> Rhein/Main branch
>>>>> Robert-Koch-Straße 41
>>>>> 55129 Mainz
>>>>> Phone: +49 (0) 6131 / 914-0
>>>>> Fax: +49 (0) 6131 / 914-400
>>>>> www.bgs-ag.de
>>>>> Registered office Mainz
>>>>> Register court
>>>>> Amtsgericht Mainz
>>>>> HRB 62 50
>>>>>
>>>>> Chairman of the Supervisory Board
>>>>> Dr. Wolfgang Trommer
>>>>> Management Board
>>>>> Hanspeter Gau
>>>>> Hermann Kiefer
>>>>> Nils Manegold
>>>>> Heinz-Jörg Zimmermann
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
On Jun 12, 2008, at 10:48 AM, David Jencks wrote:

> Using the sql login module with a datasource name won't work without  
> the geronimo kernel running and the datasource deployed to the  
> geronimo kernel.  However there's an alternate configuration for  
> this login module that uses a Driver class name and jdbc url that  
> ought to work.  Most likely the geronimo kernel jar will need to be  
> on the classpath but you don't need a running kernel.
>
> With this configuration a plain text login.config file ought to  
> work.  Since he'll need to translate the config to text anyway  
> changing the configuration to use the Driver shouldn't be impossibly  
> difficult.

Is there some way we can pass the DataSource directly to the SQL  
LoginModule by possibly wrappering it.  In the wrapper we'd take the  
text string, grab the datasource much like the G kernel would, and  
give it to the login module.


-David

> On Jun 11, 2008, at 7:34 PM, David Blevins wrote:
>
>> This guy (a geronimo user) wants to use the Geronimo LoginModule  
>> implementations in his unit tests with embedded openejb.  Do you  
>> know if there's a way for us to support them?  Ideally he could  
>> just include geronimo-security as a dependency and we could create  
>> some wrappers that would construct them and get them the right  
>> configuration (datasources, files, etc) and the wrappers could be  
>> listed in a plain-text JAAS login.config file.
>>
>> Is something like that possible?  Are the LoginModules tightly  
>> coupled with the kernel etc. or would it be possible to "peel" them  
>> out and reuse them in a somewhat standalone fashion?
>>
>> -David
>>
>> Begin forwarded message:
>>
>>> Resent-From: <db...@visi.com>
>>> From: Josef.Eisele@bgs-ag.de
>>> Date: June 11, 2008 5:03:59 AM PDT
>>> To: users@openejb.apache.org
>>> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS  
>>> LoginModule
>>> Reply-To: users@openejb.apache.org
>>
>
>
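The driver-based, plain-text JAAS configuration that David Jencks describes above, written out as an added example (it is not from the thread and not Geronimo's own documentation) for the realm name the test passes in openejb.authentication.realmName. The option names jdbcDriver, jdbcURL, jdbcUser and jdbcPassword are assumed from Geronimo's SQLLoginModule and should be checked against the installed version; the SELECT statements stay the placeholders the realm XML uses, and the lockout module is assumed to need no kernel.

```text
/* Added example: plain-text JAAS login.config for the embedded OpenEJB test.
   The entry name must equal the realm the test passes as
   openejb.authentication.realmName; point the JVM at this file with the
   standard -Djava.security.auth.login.config=<path-to-this-file>. */
vesuv-db-sha256 {
    /* Same SQLLoginModule as the Geronimo realm, but with a driver class and
       JDBC URL (assumed option names jdbcDriver, jdbcURL, jdbcUser, jdbcPassword)
       instead of the kernel-managed dataSourceName, so no running kernel is needed.
       Test-only database credentials: keep the file out of version control and
       readable only by the account that runs the tests. */
    org.apache.geronimo.security.realm.providers.SQLLoginModule required
        jdbcDriver="org.postgresql.Driver"
        jdbcURL="jdbc:postgresql://localhost/bgsdev1"
        jdbcUser="bgsdev1"
        jdbcPassword="bgsdev1"
        digest="SHA-256"
        encoding="hex"
        userSelect="select bla bla"      /* placeholder query, as in the realm XML */
        groupSelect="select bla bla";    /* placeholder query, as in the realm XML */

    /* The FileAuditLoginModule of the realm is left out here: it resolves its
       "file" option through the ServerInfo reference that only a kernel supplies. */

    /* Lockout module with the realm's thresholds (assumed to keep its state in
       memory and need no kernel): three failures within 180 s lock the
       account for 1800 s. */
    org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule requisite
        failureCount="3"
        failurePeriodSecs="180"
        lockoutDurationSecs="1800";
};
```

The entry can equally be appended to the SecurityService's login.config that David Blevins mentions, next to its PropertiesLogin entry.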


Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Jencks <da...@yahoo.com>.
Using the sql login module with a datasource name won't work without  
the geronimo kernel running and the datasource deployed to the  
geronimo kernel.  However there's an alternate configuration for this  
login module that uses a Driver class name and jdbc url that ought to  
work.  Most likely the geronimo kernel jar will need to be on the  
classpath but you don't need a running kernel.

With this configuration a plain text login.config file ought to work.   
Since he'll need to translate the config to text anyway changing the  
configuration to use the Driver shouldn't be impossibly difficult.

Note I haven't tested this.

thanks
david jencks

On Jun 11, 2008, at 7:34 PM, David Blevins wrote:

> This guy (a geronimo user) wants to use the Geronimo LoginModule  
> implementations in his unit tests with embedded openejb.  Do you  
> know if there's a way for us to support them?  Ideally he could just  
> include geronimo-security as a dependency and we could create some  
> wrappers that would construct them and get them the right  
> configuration (datasources, files, etc) and the wrappers could be  
> listed in a plain-text JAAS login.config file.
>
> Is something like that possible?  Are the LoginModules tightly  
> coupled with the kernel etc. or would it be possible to "peel" them  
> out and reuse them in a somewhat standalone fashion?
>
> -David


Fwd: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
This guy (a geronimo user) wants to use the Geronimo LoginModule  
implementations in his unit tests with embedded openejb.  Do you know  
if there's a way for us to support them?  Ideally he could just  
include geronimo-security as a dependency and we could create some  
wrappers that would construct them and get them the right  
configuration (datasources, files, etc) and the wrappers could be  
listed in a plain-text JAAS login.config file.

Is something like that possible?  Are the LoginModules tightly coupled  
with the kernel etc. or would it be possible to "peel" them out and  
reuse them in a somewhat standalone fashion?

-David

Begin forwarded message:

> Resent-From: <db...@visi.com>
> From: Josef.Eisele@bgs-ag.de
> Date: June 11, 2008 5:03:59 AM PDT
> To: users@openejb.apache.org
> Subject: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS  
> LoginModule
> Reply-To: users@openejb.apache.org
>
> Hi David,
>
> thank you very much for your assistance. If I understand you right the
> Realm-Name of the Default Security Service is called
> "PropertiesLogin".
> If I could change that to "vesuv-db-sha256", my problems are solved.
>
> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>    <environment>
>        <moduleId>
>            <groupId>console.realm</groupId>
>            <artifactId>vesuv-db-sha256</artifactId>
>            <version>1.0</version>
>            <type>car</type>
>        </moduleId>
>        <dependencies>
>            <dependency>
>                <groupId>org.apache.geronimo.framework</groupId>
>                <artifactId>j2ee-security</artifactId>
>                <type>car</type>
>            </dependency>
>            <dependency>
>                <groupId>console.dbpool</groupId>
>                <artifactId>Postgres.postgres.vesuv</artifactId>
>                <version>1.0</version>
>                <type>rar</type>
>            </dependency>
>        </dependencies>
>    </environment>
>    <gbean name="vesuv-db-sha256" class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>           xsi:type="dep:gbeanType" xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>        <attribute name="realmName">vesuv-db-sha256</attribute>
>        <reference name="ServerInfo">
>            <name>ServerInfo</name>
>        </reference>
>        <xml-reference name="LoginModuleConfiguration">
>            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                <log:login-module control-flag="REQUIRED" wrap-principals="false">
>                    <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
>                    <log:option name="dataSourceName">Postgres.postgres.vesuv</log:option>
>                    <log:option name="encoding">hex</log:option>
>                    <log:option name="dataSourceApplication">null</log:option>
>                    <log:option name="digest">SHA-256</log:option>
>                    <log:option name="groupSelect">select bla bla</log:option>
>                    <log:option name="userSelect">select  bla bla</log:option>
>                </log:login-module>
>                <log:login-module control-flag="OPTIONAL" wrap-principals="false">
>                    <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                    <log:option name="file">var/log/vesuv-login.log</log:option>
>                </log:login-module>
>                <log:login-module control-flag="REQUISITE" wrap-principals="false">
>                    <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
>                    <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>                    <log:option name="failureCount">3</log:option>
>                    <log:option name="failurePeriodSecs">180</log:option>
>                    <log:option name="lockoutDurationSecs">1800</log:option>
>                </log:login-module>
>            </log:login-config>
>        </xml-reference>
>    </gbean>
> </module>
>
>
> Session Bean LoginManagerImpl.java
>
> import javax.ejb.*;
> import javax.security.auth.login.LoginContext;
>
> import de.nrw.hagen.ggrz.Exception.StdAppException;
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.bv.benutzer.*;
> import de.nrw.hagen.ggrz.log.Logger;
> import javax.security.auth.login.*;
> ....
>        /**
>         * Have the container perform the login via JAAS.
>         *
>         * @param benutzer user name
>         * @param kennwort password
>         * @return true when the login succeeded
>         */
>        public boolean loginContainer(String benutzer, String kennwort) {
>                logger.info("Login EJB Container:" + benutzer + "/" + kennwort);
>                try {
>                        LoginCallback logcb = new LoginCallback(benutzer, kennwort);
>                        LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>                        lc.login();
>                        subject = lc.getSubject();
>                }
>                catch (LoginException ex) {
>                        logger.error("Exception bei login:" + ex.getMessage());
>                        //if (ex.getMessage().equals("SQL error"))
>                                //throw ex;
>                        throw new StdAppException("Exception bei Login", ex);
>                }
>                return true;   // only reached when lc.login() did not throw
>        }
>
>
> JUnit-Test Class:
>
> ....
> import java.util.Properties;
>
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
>
> import org.junit.After;
>
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.login.LoginManager;
> import de.nrw.hagen.ggrz.security.Subject;
>
> public class BaseTest {
>
>        private String benutzer = "sys";
>        private String passwort = "chief";
>        private Subject user = null;
>        private BenutzerKontext benutzerKontext = null;
>
>        private InitialContext initialContext;
>
>        public BaseTest() {
>                initEnvironment();
>        }
>
>        public void initEnvironment() {
>                System.out.println("------------------initEnvironment--------------------------");
>                Properties properties = new Properties();
>                properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
>                                "org.apache.openejb.client.LocalInitialContextFactory");
>
>                // Minimum required for login
>                properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>                properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>
>                // Optional param for specifying a specific Geronimo security realm
>                properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>
>                properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");
>
>                properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
>                properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
>                properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
>                properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
>                properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
>                properties.put("openjpa.jdbc.SynchronizeMappings", "false");
>                properties.put("openjpa.jdbc.Schema", "vesuv");
>
>                try {
>                        initialContext = new InitialContext(properties);
>                        user = readUserFromLogin();
>                } catch (Exception e) {
>                        e.printStackTrace();
>                }
>        }
>
>        private Subject readUserFromLogin() {
>                LoginManager loginManager = null;
>
>                try {
>                        loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>                        loginManager.loginContainer(benutzer, passwort);
>                } catch (NamingException e1) {
>                        // TODO Auto-generated catch block
>                        e1.printStackTrace();
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                try {
>                        benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                return new Subject(benutzerKontext, loginManager.getSubject());
>        }
>        ....
>
> }
>
>
> Mit freundlichen Grüßen / Kind regards
> Josef Eisele
>
> Direkt: +49 (0) 6131 / 914-180
>
>
>
>
> David Blevins <da...@visi.com>
> 09.06.2008 22:55
> Please reply to: users@openejb.apache.org
> To: users@openejb.apache.org
> Cc:
> Subject: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>
> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>
>> Hi David,
>>
>> thank you very much for the link. I got it twice and I read it
>> twice ;-)
>> but it doesn't help concerning my actual problem.
>>
>> To run our business code it is necessary to log in to a
>> 'SecurityService' with user/password/realm and as result there must
>> be a Security-Object (javax.security.auth.Subject). This Security-Object is
>> necessary to invoke our business code. The magic @RunAs("Employee") won't
>> work in our case.
>
> If you could give me some more detail here, that'd be great.  Both
> login and runas result in a javax.security.auth.Subject being created
> by and enforced by the SecurityService.  The creation is slightly
> different, but the subject is tracked and enforced by the
> SecurityService in exactly the same way.
>
> If you have any sample code on what doesn't work that would also be
> helpful.
>
>> The default implementation from the security service with the
>> parameters
>> user/password is fine, but we miss the realm-Parameter. And if we
>> add it,
>> the Security Service says
>>
>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>> konfiguriert.
>>
>> Anmeldemodule = Login module
>
> The realm in OpenEJB refers to the JAAS LoginModule.  The login module
> that is setup in the SecurityServices login.config file is called
> "PropertiesLogin".  This is the default value for realm when left
> unspecified.
>
> If you have a custom javax.security.auth.spi.LoginModule there is a
> way to set one up.  Let me know if that is what you're trying to do
> and I'll see if I can get an example working.
>
> -David
>
>
>>
>>
>>
>> cu Josef
>>
>>
>>
>>
>>
>> David Blevins <da...@visi.com>
>> 06.06.2008 23:06
>> Please reply to: users@openejb.apache.org
>> To: users@openejb.apache.org
>> Cc:
>> Subject: Re: Using OpenEJB Security for JAAS LoginModule
>>
>> Hi Josef,
>>
>> Looks this post arrived at about the same time as my last response,  
>> so
>> this might be repeat information :)
>>
>> This example shows a good technique for unit testing various security
>> permissions.
>>
>>  http://openejb.apache.org/3.0/testing-security-example.html
>>
>> The JNDI login approach isn't really optimal as there is no "logout"
>> option and it tends to make a mess of things.  With the above  
>> approach
>> you can wrap your calls with any security context you like and test
>> accessing your bean via secured and unsecured "clients" and check  
>> that
>> permissions for various roles are as they need to be.
>>
>> -David
>>
>>
>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>
>>> Hi All,
>>>
>>> we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
>>> Application. With the great help of David Blevins the JUNIT-Tests  
>>> can
>>> invoke our session beans and even Transaction Handling is working
>>> fine.
>>> At the moment I use a trick to avoid the Login-Procedure, but this
>>> won't
>>> work on the long run.
>>>
>>> With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
>>> http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
>>> junit-testcase I need therefore anything which can provide me a
>>> javax.security.auth.Subject after successful login. With the
>>> default -
>>> Security Service
>>> <SecurityService id="Default Security Service"/>
>>> and the configuration in users.properties and groups.properties I
>>> get the
>>> error:
>>>
>>> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
>>> konfiguriert.
>>>
>>> (Anmeldemodule = security realm, I think...)
>>>
>>> I tried also PseudoSecurityService, but I got an exception as well.
>>>
>>> JUNIT-Testcase
>>>                              Properties properties = new Properties();
>>> ....
>>>              // Minimum required for login
>>>              properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
>>>              properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>>>
>>>              // Optional param for specifying a specific Geronimo security realm
>>>              properties.put("openejb.authentication.realmName", "vesuv-db-sha256");
>>>
>>>              properties.put("mySecurityService", "new://PseudoSecurityService");
>>> ....
>>>                      loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
>>>                      loginManager.loginContainer(benutzer, passwort);
>>> ....
>>>
>>> LoginManager-Session Bean:
>>> ...
>>>              try {
>>>                      LoginCallback logcb = new LoginCallback(benutzer, passwort);
>>>                      LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
>>>                      lc.login();
>>>                      subject = lc.getSubject();
>>>              }
>>> ...
>>>
>>> The realm "vesuv-db-sha256" is defined under
>>> Geronimo-Applicationserver-Console Security - Security Realms.
>>>
>>> I read  http://openejb.apache.org/3.0/security.html, but I don't
>>> understand how to configure the Security for embedded openejb.
>>>
>>> Thanx in advance for any help on this.
>>>
>>> Mit freundlichen Grüßen / Kind regards
>>> Josef Eisele
>>>
>>> Direkt: +49 (0) 6131 / 914-180
>>>
>>> BGS Beratungsgesellschaft
>>> Software Systemplanung AG         Niederlassung Rhein/Main
>>> Robert-Koch-Straße 41
>>> 55129 Mainz
>>> Fon: +49 (0) 6131 / 914-0
>>> Fax: +49 (0) 6131 / 914-400
>>> www.bgs-ag.de Geschäftssitz Mainz
>>> Registergericht
>>> Amtsgericht Mainz
>>> HRB 62 50
>>> Aufsichtsratsvorsitzender
>>> Dr. Wolfgang Trommer
>>> Vorstand
>>> Hanspeter Gau
>>> Hermann Kiefer
>>> Nils Manegold
>>> Heinz-Jörg Zimmermann
>>>
>>>
>>
>
>

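The error Josef quotes, "Für vesuv-db-sha256 sind keine Anmeldemodule konfiguriert", is the localized form of the standard JAAS message "No LoginModules configured for vesuv-db-sha256": LoginContext asked the active javax.security.auth.login.Configuration for an entry named after the realm and got none, which is exactly what David describes when he says the realm in OpenEJB refers to the JAAS LoginModule entry (defaulting to "PropertiesLogin"). The Java example below is added here and is not code from the thread, from OpenEJB or from Geronimo. It shows the mechanism on its own: a programmatic Configuration registers a small LoginModule under the realm name (the in-code equivalent of a login.config entry), the module verifies a hex-encoded SHA-256 digest the way the realm's digest/encoding options describe, and the same LoginContext call that succeeds under the configured name fails with that "No LoginModules configured" message under a name that has no entry. The in-memory user table, HexDigestLoginModule, UserPrincipal and the "no-such-realm" name are constructed for the demo; a real module would resolve the digest through the data source as SQLLoginModule does. Unlike the posted loginContainer(), which logs the password at info level, the example never writes the credential to a log.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added demo of how LoginContext maps a realm name to LoginModules; not code from the thread, OpenEJB or Geronimo. */
public class RealmLoginDemo {
    /** Constructed sample user table standing in for the realm's userSelect query: name -> hex SHA-256 of password. */
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("sys", sha256Hex("chief")); }

    /** digest=SHA-256 with encoding=hex, as the realm's SQLLoginModule options specify. */
    static String sha256Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Hypothetical principal type that commit() adds to the Subject. */
    public static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "UserPrincipal[" + name + "]"; }
    }

    /** Hypothetical LoginModule: verifies the hex digest against USERS instead of a data source. */
    public static class HexDigestLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler;
        private String user; private boolean ok;

        public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> shared, Map<String, ?> opts) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            byte[] actual = sha256Hex(new String(pw)).getBytes(StandardCharsets.UTF_8);
            pc.clearPassword();
            String expected = USERS.get(nc.getName());
            // constant-time compare; unknown user and wrong password yield the same error (no user enumeration)
            ok = expected != null && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), actual);
            if (!ok) throw new FailedLoginException("bad credentials");
            user = nc.getName();
            return true;
        }

        public boolean commit() {
            if (ok) subject.getPrincipals().add(new UserPrincipal(user));
            return ok;
        }
        public boolean abort() { ok = false; return true; }
        public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); return true; }
    }

    /** Programmatic equivalent of a login.config entry:  realmName { ...HexDigestLoginModule required; }; */
    static Configuration realmConfig(final String realmName) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!realmName.equals(name)) return null; // null is what yields "No LoginModules configured for <name>"
                return new AppConfigurationEntry[] { new AppConfigurationEntry(HexDigestLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
    }

    /** Answers the Name/Password callbacks the module asks for (the role LoginCallback plays in the posted bean). */
    static CallbackHandler credentials(final String user, final String password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** Same call shape as loginContainer() in the posted bean, but with an explicit Configuration. */
    static Subject login(String realm, Configuration cfg, String user, String password) throws LoginException {
        LoginContext lc = new LoginContext(realm, null, credentials(user, password), cfg);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = realmConfig("vesuv-db-sha256");
        System.out.println("ok: " + login("vesuv-db-sha256", cfg, "sys", "chief").getPrincipals());
        try { login("vesuv-db-sha256", cfg, "sys", "wrong"); }
        catch (FailedLoginException e) { System.out.println("rejected: " + e.getMessage()); }
        try { login("no-such-realm", cfg, "sys", "chief"); }   // realm name with no Configuration entry
        catch (LoginException e) { System.out.println("unconfigured realm: " + e.getMessage()); }
    }
}
```

Passing the Configuration to the LoginContext constructor is what makes the test self-contained: nothing depends on a java.security.auth.login.config system property or on a login.config file being found on the path, so the "no LoginModules configured" failure can only come from the name actually not being registered. In a container the equivalent step is making sure the realm name used in LoginContext appears as an entry in whatever Configuration the embedded SecurityService installs.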

Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by Jo...@bgs-ag.de.
Hi David,

thank you very much for your assistance. If I understand you right the 
Realm-Name of the Default Security Service is called 
"PropertiesLogin". 
If I could change that to "vesuv-db-sha256", my problems are solved.

definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:

<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <environment>
        <moduleId>
            <groupId>console.realm</groupId>
            <artifactId>vesuv-db-sha256</artifactId>
            <version>1.0</version>
            <type>car</type>
        </moduleId>
        <dependencies>
            <dependency>
                <groupId>org.apache.geronimo.framework</groupId>
                <artifactId>j2ee-security</artifactId>
                <type>car</type>
            </dependency>
            <dependency>
                <groupId>console.dbpool</groupId>
                <artifactId>Postgres.postgres.vesuv</artifactId>
                <version>1.0</version>
                <type>rar</type>
            </dependency>
        </dependencies>
    </environment>
    <gbean name="vesuv-db-sha256"
           class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType"
           xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">vesuv-db-sha256</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUIRED" wrap-principals="false">
                    <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.SQLLoginModule</log:login-module-class>
                    <log:option name="dataSourceName">Postgres.postgres.vesuv</log:option>
                    <log:option name="encoding">hex</log:option>
                    <log:option name="dataSourceApplication">null</log:option>
                    <log:option name="digest">SHA-256</log:option>
                    <log:option name="groupSelect">select bla bla</log:option>
                    <log:option name="userSelect">select  bla bla</log:option>
                </log:login-module>
                <log:login-module control-flag="OPTIONAL" wrap-principals="false">
                    <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
                    <log:option name="file">var/log/vesuv-login.log</log:option>
                </log:login-module>
                <log:login-module control-flag="REQUISITE" wrap-principals="false">
                    <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
                    <log:option name="failureCount">3</log:option>
                    <log:option name="failurePeriodSecs">180</log:option>
                    <log:option name="lockoutDurationSecs">1800</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>
</module>


Session Bean LoginManagerImpl.java

import javax.ejb.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import de.nrw.hagen.ggrz.Exception.StdAppException;
import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
import de.nrw.hagen.ggrz.bv.benutzer.*;
import de.nrw.hagen.ggrz.log.Logger;
import javax.security.auth.login.*;
....
        /**
         * Have the container perform the login via JAAS.
         *
         * @param benutzer  user name
         * @param kennwort  password
         * @return true when the login succeeded; a failed login is reported as StdAppException
         */
        public boolean loginContainer(String benutzer, String kennwort) {
                // Log the user name only; the password must never end up in the log
                logger.info("Login EJB Container:" + benutzer);
                try {
                        LoginCallback logcb = new LoginCallback(benutzer, kennwort);
                        // "vesuv-db-sha256" must match an entry in the JAAS login configuration,
                        // otherwise the LoginContext constructor already fails
                        LoginContext lc = new LoginContext("vesuv-db-sha256", logcb);
                        lc.login();
                        subject = lc.getSubject();
                }
                catch (LoginException ex) {
                        logger.error("Exception bei login:" + ex.getMessage());
                        //if (ex.getMessage().equals("SQL error"))
                                //throw ex;
                        throw new StdAppException("Exception bei Login", ex);
                }
                // the method is declared boolean, so report the successful login to the caller
                return true;
        }


JUnit-Test Class: 

....
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.junit.After;

import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
import de.nrw.hagen.ggrz.login.LoginManager;
import de.nrw.hagen.ggrz.security.Subject;

public class BaseTest {

        private String benutzer = "sys";
        private String passwort = "chief";
        private Subject user = null;
        private BenutzerKontext benutzerKontext = null;

        private InitialContext initialContext;

        public BaseTest() {
                initEnvironment();
        }

        public void initEnvironment() {
                System.out.println("------------------initEnvironment--------------------------");
                Properties properties = new Properties();
                properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
                                "org.apache.openejb.client.LocalInitialContextFactory");

                // Minimum required for login
                properties.setProperty(Context.SECURITY_PRINCIPAL, benutzer);
                properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);

                // Optional param for specifying a specific Geronimo security realm
                properties.put("openejb.authentication.realmName", "vesuv-db-sha256");

                properties.put("openejb.home", "/home/user/workspace/VesuvUnit/openejb");

                // Embedded DataSource under the same name the realm's dataSourceName option refers to
                properties.put("Postgres.postgres.vesuv", "new://Resource?type=DataSource");
                properties.put("Postgres.postgres.vesuv.JdbcDriver", "org.postgresql.Driver");
                properties.put("Postgres.postgres.vesuv.JdbcUrl", "jdbc:postgresql://localhost/bgsdev1");
                properties.put("Postgres.postgres.vesuv.UserName", "bgsdev1");
                properties.put("Postgres.postgres.vesuv.Password", "bgsdev1");
                properties.put("openjpa.jdbc.SynchronizeMappings", "false");
                properties.put("openjpa.jdbc.Schema", "vesuv");

                try {
                        initialContext = new InitialContext(properties);
                        user = readUserFromLogin();
                } catch (Exception e) {
                        e.printStackTrace();
                }
        }


        private Subject readUserFromLogin() {
                LoginManager loginManager = null;

                try {
                        loginManager = (LoginManager) initialContext.lookup("LoginManagerImplLocal");
                        loginManager.loginContainer(benutzer, passwort);
                } catch (NamingException e1) {
                        e1.printStackTrace();
                        // no bean found: there is nothing to log in with and no Subject to build
                        return null;
                } catch (Exception e) {
                        e.printStackTrace();
                }

                try {
                        benutzerKontext = loginManager.bestimmeBenutzerKontext(benutzer);
                } catch (Exception e) {
                        e.printStackTrace();
                }

                return new Subject(benutzerKontext, loginManager.getSubject());
        }
        ....

}


Mit freundlichen Grüßen / Kind regards
Josef Eisele

Direkt: +49 (0) 6131 / 914-180







BGS Beratungsgesellschaft 
Software Systemplanung AG         Niederlassung Rhein/Main 
Robert-Koch-Straße 41 
55129 Mainz 
Fon: +49 (0) 6131 / 914-0 
Fax: +49 (0) 6131 / 914-400 
www.bgs-ag.de Geschäftssitz Mainz 
Registergericht 
Amtsgericht Mainz 
HRB 62 50 
  Aufsichtsratsvorsitzender 
Dr. Wolfgang Trommer 
Vorstand 
Hanspeter Gau 
Hermann Kiefer 
Nils Manegold 
Heinz-Jörg Zimmermann 

  

Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:

> Hi David,
>
> thank you very much for the link. I got it twice and I read it  
> twice ;-)
> but it doesn't help concerning my actual problem.
>
> To run our business code it is necessary to log in to a
> 'SecurityService' with user/password/realm and as result there must
> be a
> Security object (javax.security.auth.Subject). This Security object is
> necessary to invoke our business code. The magic @RunAs("Employee") won't
> work in our case.

If you could give me some more detail here, that'd be great.  Both  
login and runas result in a javax.security.auth.Subject being created  
by and enforced by the SecurityService.  The creation is slightly  
different, but the subject is tracked and enforced by the  
SecurityService in exactly the same way.

If you have any sample code on what doesn't work that would also be  
helpful.

> The default implementation from the security service with the  
> parameters
> user/password is fine, but we miss the realm-Parameter. And if we  
> add it,
> the Security Service says
>
> Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
> konfiguriert.
>
> Anmeldemodule = Login module

The realm in OpenEJB refers to the JAAS LoginModule.  The login module
that is set up in the SecurityService's login.config file is called
"PropertiesLogin".  This is the default value for realm when left
unspecified.

If you have a custom javax.security.auth.spi.LoginModule there is a  
way to set one up.  Let me know if that is what you're trying to do  
and I'll see if I can get an example working.

-David




Compiling openEJB3 with maven [Virus checked]

Posted by Wo...@atosorigin.com.
Hi guys,

after inserting xbean-finder & xbean-reflect into my repository, I now get
the following error:
excerpt and bold added
-----------------------------------------------------------------------
this realm =
app0.child-container[com.envoisolutions.sxc:sxc-jaxb-maven-plugin]
urls[0] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/envoisolutions/sxc/sxc-jaxb-maven-plugin/0.7-SNAPSHOT/sxc-jaxb-maven-plugin-0.7-SNAPSHOT.jar
urls[1] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/org/codehaus/woodstox/wstx-asl/3.2.0
/wstx-asl-3.2.0.jar
urls[2] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/stax/stax-api/1.0.1/stax-api-1.0.1.jar
urls[3] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/envoisolutions/sxc/sxc-core/0.7-SNAPSHOT/sxc-core-0.7-SNAPSHOT.jar
urls[4] = file:/C:/Programme/Java/jdk1.5.0_12/jre/../lib/tools.jar
urls[5] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/envoisolutions/sxc/sxc-runtime/0.7-SNAPSHOT/sxc-runtime-0.7-SNAPSHOT.jar
urls[6] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/sun/xml/bind/jaxb-xjc/2.1.2
/jaxb-xjc-2.1.2.jar
urls[7] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/org/codehaus/plexus/plexus-utils/1.1/plexus-utils-1.1.jar
urls[8] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/sun/xml/bind/jaxb-impl/2.1.2
/jaxb-impl-2.1.2.jar
urls[9] = file:/D:/Dokumente und
Einstellungen/DE16297/.m2/repository/com/envoisolutions/sxc/sxc-jaxb/0.7-SNAPSHOT/sxc-jaxb-0.7-SNAPSHOT.jar
Number of imports: 6
import: org.codehaus.classworlds.Entry@4891bb28
import: org.codehaus.classworlds.Entry@f8e44ca4
import: org.codehaus.classworlds.Entry@c51bc9e7
import: org.codehaus.classworlds.Entry@bece5185
import: org.codehaus.classworlds.Entry@3fee8e37
import: org.codehaus.classworlds.Entry@3fee19d8


this realm = plexus.core
urls[0] = file:/C:/Programme/Apache Software Foundation/apache-maven-2.0.8
/lib/maven-2.0.8-uber.jar
Number of imports: 6
import: org.codehaus.classworlds.Entry@4891bb28
import: org.codehaus.classworlds.Entry@f8e44ca4
import: org.codehaus.classworlds.Entry@c51bc9e7
import: org.codehaus.classworlds.Entry@bece5185
import: org.codehaus.classworlds.Entry@3fee8e37
import: org.codehaus.classworlds.Entry@3fee19d8
-----------------------------------------------------
[INFO]
------------------------------------------------------------------------
[ERROR] BUILD ERROR
[INFO]
------------------------------------------------------------------------
[INFO] Internal error in the plugin manager executing goal
'com.envoisolutions.sxc:sxc-jaxb-maven-plugin:0.7-SNAPSHOT:generate':
Unable to find the mojo
'com.envoisolutions.sxc:sxc-jaxb-maven-plugin:0.7-SNAPSHOT:generate' in the
plugin 'com.envoisolutions.sxc:sxc-jaxb-maven-plugin'
javax/xml/bind/JAXBException
-----------------------------------------------------------------------

Any comments? Any ideas?


mit freundlichen Grüßen/best regards

Wolfgang Schrecker

"Der Inhalt eines Begriffs nimmt ab, wenn sein Umfang zunimmt; wird dieser
allumfassend, so muß der Inhalt ganz verloren gehen."
from G. Frege: Die Grundlagen der Arithmetik S. 40



 --
--------------------------------------------------

Atos Worldline Processing GmbH
Hahnstrasse 25
60528 Frankfurt/Main
Germany
Phone: +49 69/6657-1176
mailto:Wolfgang.Schrecker@atosorigin.com
http://www.atosworldline.com

Geschäftsführer: Erik Munk Koefoed
Aufsichtsratsvorsitzender: Didier Dhennin
Sitz der Gesellschaft: Frankfurt/Main
Handelsregister: Frankfurt/Main HRB 40 417
 

Antwort: Re: Using OpenEJB Security for JAAS LoginModule

Posted by Jo...@bgs-ag.de.
Hi David,

thank you very much for the link. I got it twice and I read it twice ;-)
but it doesn't help concerning my actual problem.

To run our business code it is necessary to log in to a
'SecurityService' with user/password/realm, and as a result there must be a
security object (javax.security.auth.Subject). This security object is
necessary to invoke our business code. The magic @RunAs("Employee") won't
work in our case.
The default implementation of the security service with the parameters
user/password is fine, but we are missing the realm parameter. And if we add it,
the Security Service says

Exception bei Login:Für vesuv-db-sha256 sind keine Anmeldemodule
konfiguriert.

Anmeldemodule = Login module


cu Josef






Re: Using OpenEJB Security for JAAS LoginModule

Posted by David Blevins <da...@visi.com>.
Hi Josef,

Looks like this post arrived at about the same time as my last response, so
this might be repeat information :)

This example shows a good technique for unit testing various security  
permissions.

   http://openejb.apache.org/3.0/testing-security-example.html

The JNDI login approach isn't really optimal as there is no "logout"  
option and it tends to make a mess of things.  With the above approach  
you can wrap your calls with any security context you like and test  
accessing your bean via secured and unsecured "clients" and check that  
permissions for various roles are as they need to be.

-David
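
The "wrap your calls with any security context" technique, as an added illustrative example written for this thread (it is not the project's code and not the contents of the linked page): two @RunAs caller beans decide which role a Callable runs under, and the test asserts that an unauthenticated client and an under-privileged role are refused with EJBAccessException, while the role is dropped again once call() returns, which is the "logout" the JNDI-property login lacks. Assumed: embedded OpenEJB 3.0 via LocalInitialContextFactory with its default JNDI names (bean name plus "Local", as in the thread's LoginManagerImplLocal), the roles "Employee" and "Manager", the hypothetical UserAdmin bean standing in for the poster's business beans, and Java 8 for the lambdas; each class goes into its own file in one package.

```java
// File: Caller.java
import java.util.concurrent.Callable;
import javax.ejb.Local;

/** Runs a unit of work inside the container under the bean's @RunAs role. */
@Local
public interface Caller {
    <V> V call(Callable<V> callable) throws Exception;
}

// File: EmployeeBean.java
import java.util.concurrent.Callable;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

@Stateless @RunAs("Employee") @PermitAll   // anyone may enter; inside, the identity carries role Employee
public class EmployeeBean implements Caller {
    public <V> V call(Callable<V> callable) throws Exception { return callable.call(); }
}

// File: ManagerBean.java
import java.util.concurrent.Callable;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RunAs;
import javax.ejb.Stateless;

@Stateless @RunAs("Manager") @PermitAll
public class ManagerBean implements Caller {
    public <V> V call(Callable<V> callable) throws Exception { return callable.call(); }
}

// File: UserAdmin.java
import javax.ejb.Local;

@Local
public interface UserAdmin {
    String readContext(String user);
    String lockUser(String user);
}

// File: UserAdminBean.java  (hypothetical stand-in for the thread's business beans)
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class UserAdminBean implements UserAdmin {
    @RolesAllowed({"Employee", "Manager"})
    public String readContext(String user) { return "context of " + user; }

    @RolesAllowed("Manager")
    public String lockUser(String user) { return "locked " + user; }
}

// File: RunAsSecurityTest.java
import java.util.Properties;
import java.util.concurrent.Callable;
import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;

public class RunAsSecurityTest {
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        p.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.apache.openejb.client.LocalInitialContextFactory");
        // no SECURITY_PRINCIPAL / SECURITY_CREDENTIALS: the test itself is an unauthenticated client
        InitialContext ctx = new InitialContext(p);

        final UserAdmin admin = (UserAdmin) ctx.lookup("UserAdminBeanLocal");
        Caller employee = (Caller) ctx.lookup("EmployeeBeanLocal");
        Caller manager = (Caller) ctx.lookup("ManagerBeanLocal");

        // 1. unauthenticated: every @RolesAllowed method must be refused
        expectDenied(() -> admin.readContext("sys"));

        // 2. as Employee: reading is allowed, locking is not (checked inside call(), where the role applies)
        employee.call(() -> {
            check("context of sys".equals(admin.readContext("sys")));
            expectDenied(() -> admin.lockUser("sys"));
            return null;
        });

        // 3. as Manager: locking is allowed; after call() returns the role is gone again
        manager.call(() -> {
            check("locked sys".equals(admin.lockUser("sys")));
            return null;
        });
        expectDenied(() -> admin.lockUser("sys"));
        System.out.println("role checks passed");
    }

    static void expectDenied(Callable<?> work) throws Exception {
        try {
            work.call();
        } catch (EJBAccessException expected) {
            return;   // the container refused the call, as the role setup demands
        }
        throw new AssertionError("call should have been refused");
    }

    static void check(boolean ok) { if (!ok) throw new AssertionError("unexpected result"); }
}
```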

