Posted to user@geronimo.apache.org by Brian Dellert <bd...@rcn.com> on 2007/12/18 20:55:07 UTC

Custom LoginModule classloading issue in geronimo 2.0.2

Hi.

I have created a simple custom login module which uses the principal created 
by the standard PropertiesFileLoginModule and adds a principal containing a 
group (which is looked up in a DB).  I have configured a security realm in 
the geronimo-application.xml contained in my application ear file including 
both of these login modules as follows:

    <gbean name="my-realm" 
class="org.apache.geronimo.security.realm.GenericSecurityRealm"
           xsi:type="dep:gbeanType" 
xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <attribute name="realmName">my-realm</attribute>
        <reference name="ServerInfo">
            <name>ServerInfo</name>
        </reference>
        <xml-reference name="LoginModuleConfiguration">
            <log:login-config 
xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
                <log:login-module control-flag="REQUISITE" 
wrap-principals="false">
                    <log:login-domain-name>my-properties-file</log:login-domain-name>
                    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
                    <log:option 
name="usersURI">var/security/users.properties</log:option>
                    <log:option 
name="groupsURI">var/security/groups.properties</log:option>
                </log:login-module>
                <log:login-module control-flag="OPTIONAL" 
wrap-principals="false">
                    <log:login-domain-name>my-sql-role</log:login-domain-name>
                    <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
                    <log:option name="roleSelect">SELECT username, 
group_name FROM user_groups WHERE username=?</log:option>
                    <log:option 
name="dataSourceApplication">null</log:option>
                    <log:option name="dataSourceName">MyPool</log:option>
                </log:login-module>
            </log:login-config>
        </xml-reference>
    </gbean>

Further, I have packaged the 
"my.company.security.realm.providers.SqlRoleLoginModule" class in a jar file 
(my-login-module-1.0.jar).  I have tried the following approaches to get 
this login module to load:

   - Added my-login-module-1.0.jar to the root of my ear file.

   - Added my-login-module-1.0.jar to the root of my ear file and added this 
jar file to the MANIFEST classpath of an ejb-jar file which is also in the 
ear file.

   - Added my-login-module-1.0.jar to the geronimo repository by placing it 
in the repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
     and added the following dependency to the dependency list in the 
environment section of my geronimo-application.xml file:

           <dependency>
                <groupId>my.company</groupId>
                <artifactId>my-login-module</artifactId>
                <version>1.0</version>
                <type>jar</type>
            </dependency>

I am attempting to connect/authenticate in a remote JVM by setting up the 
JNDI context and performing an EJB lookup as follows:

  import java.util.Properties;
  import javax.naming.Context;
  import javax.naming.InitialContext;

  Properties p = new Properties();
  p.put(Context.INITIAL_CONTEXT_FACTORY,
  "org.openejb.client.RemoteInitialContextFactory");
  p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
  p.put("openejb.authentication.realmName", "my-realm");
  p.put(Context.SECURITY_PRINCIPAL, "my_username");
  p.put(Context.SECURITY_CREDENTIALS, "my_password");
  InitialContext ctx = new InitialContext(p);
  Object obj = ctx.lookup("MyBusinessBeanRemote");

In all cases, I get the following error:

Caused by: javax.security.auth.login.LoginException: unable to find 
LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in 
classloader org.apache.geronimo.configs/openejb/2.0.2/car
[INFO]  at 
javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
[INFO]  at 
javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
[INFO]  at 
javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[INFO]  at java.security.AccessController.doPrivileged(Native Method)
[INFO]  at 
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
[INFO]  at 
javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[INFO]  at 
org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
[INFO]  at 
org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
[INFO]  at 
org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
[INFO]  at 
org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
[INFO]  at 
org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
[INFO]  at 
org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
[INFO]  at 
org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
[INFO]  at 
org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
[INFO]  at 
org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
[INFO]  at 
org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
[INFO]  at java.lang.Thread.run(Thread.java:619)

I know that the dependency is getting at least recognized at ear deployment 
time since, if I remove the login module jar file from the geronimo 
repository, the deployment of the ear fails.

The only way I have been able to get the class to load is by placing it in 
the lib/ext directory of my JRE installation, which doesn't seem like the 
correct approach.  I am using geronimo 2.0.2 on Windows XP and the 1.6.0_03 
Sun JVM.  Any help with resolving this issue, and getting geronimo to 
correctly load this login module class, would be greatly appreciated.  If 
any additional information is needed, please let me know.  Thanks.

- Brian
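
The thread never shows the SqlRoleLoginModule itself. As an added illustration, not Brian's code and not part of Geronimo or OpenEJB, here is a JAAS LoginModule that fits the realm plan above: it takes the user name the REQUISITE PropertiesFileLoginModule has already authenticated, runs the roleSelect query as a PreparedStatement with that name bound to the single ? placeholder, and in commit() adds one group principal per returned row. Two assumptions are made: GeronimoGroupPrincipal (from the same org.apache.geronimo.security.realm.providers package as PropertiesFileLoginModule) is the principal type the realm maps to roles, and the pool named by dataSourceName can be reached by a JNDI lookup; Geronimo's own SQL login module resolves the pool through the server instead, so lookupDataSource() is the method to adapt.

```java
package my.company.security.realm.providers;

import java.security.Principal;
import java.sql.*;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import javax.sql.DataSource;
import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
// Added example, not Geronimo or OpenEJB code; assumptions are marked below.
public class SqlRoleLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> sharedState;
    private String roleSelect;
    private String dataSourceName;
    // Filled by login(); reaches the Subject only when commit() is called.
    private final Set<Principal> groups = new HashSet<Principal>();
    private boolean loginSucceeded;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.sharedState = sharedState;
        roleSelect = (String) options.get("roleSelect");
        dataSourceName = (String) options.get("dataSourceName");
        if (roleSelect == null || dataSourceName == null) throw new IllegalArgumentException("roleSelect and dataSourceName are required");
    }

    public boolean login() throws LoginException {
        String username = currentUsername();
        try {
            Connection c = lookupDataSource().getConnection();
            try {
                // The plan's query has a single '?': the user name is bound as a
                // parameter, never concatenated into the SQL text.
                PreparedStatement ps = c.prepareStatement(roleSelect);
                ps.setString(1, username);
                ResultSet rs = ps.executeQuery();
                while (rs.next()) {
                    groups.add(new GeronimoGroupPrincipal(rs.getString(2))); // column 2: group_name
                }
                ps.close(); // closing the statement also closes rs
            } finally {
                c.close();
            }
        } catch (SQLException e) {
            groups.clear();
            throw (LoginException) new LoginException("group lookup failed for " + username).initCause(e);
        }
        loginSucceeded = true;
        return true;
    }

    public boolean commit() {
        if (loginSucceeded) subject.getPrincipals().addAll(groups);
        return loginSucceeded;
    }

    public boolean abort() {
        groups.clear();
        loginSucceeded = false;
        return true;
    }

    public boolean logout() { subject.getPrincipals().removeAll(groups); return abort(); }

    // The name the first module logged in with: taken from sharedState if that
    // module published it (JAAS convention), else replayed by the realm's handler.
    private String currentUsername() throws LoginException {
        Object shared = sharedState.get("javax.security.auth.login.name");
        if (shared instanceof String) return (String) shared;
        NameCallback cb = new NameCallback("username");
        try {
            handler.handle(new Callback[] { cb });
        } catch (Exception e) { // IOException or UnsupportedCallbackException
            throw (LoginException) new LoginException("cannot obtain user name").initCause(e);
        }
        if (cb.getName() == null) throw new LoginException("cannot obtain user name");
        return cb.getName();
    }
    // ASSUMPTION: the pool named by dataSourceName is reachable by a plain JNDI
    // lookup; Geronimo's own SQL login module resolves it through the server instead.
    protected DataSource lookupDataSource() throws LoginException {
        try {
            return (DataSource) new InitialContext().lookup(dataSourceName);
        } catch (NamingException e) {
            throw (LoginException) new LoginException("data source not found: " + dataSourceName).initCause(e);
        }
    }
}
```

Because the plan marks this module OPTIONAL, a LoginException from the lookup (database down, pool missing) does not fail the login: the user is still authenticated by the REQUISITE module but ends up with no group principals, so role checks deny rather than grant. Make the module REQUIRED if a failed lookup should fail the login outright. Keeping the groups in a local set until commit() matters for the same reason: if a later module makes the whole login fail, abort() discards them and nothing is left on the Subject.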

Re: Custom LoginModule classloading issue in geronimo 2.0.2

Posted by Brian Dellert <bd...@rcn.com>.
If this is the case, is there somewhere I can put the 
my-login-module-1.0.jar such that the OpenEJB class loader can load it?  It 
seems like this might be a bug in 2.0.2.  If so, I'm wondering if there is 
some recommended workaround.  Thanks.

- Brian


----- Original Message ----- 
From: "Aaron Mulder" <am...@alumni.princeton.edu>
To: <us...@geronimo.apache.org>
Sent: Tuesday, December 18, 2007 3:46 PM
Subject: Re: Custom LoginModule classloading issue in geronimo 2.0.2


> It's curious that, from the error, it appears to be looking for the
> security realm in the OpenEJB class loader (which I guess is receiving
> the remote call) instead of the application's class loader.  Perhaps
> the context class loader should be set by e.g.
> EjbDaemon.processAuthRequest?
>
> Thanks,
>       Aaron
>
> On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:

Re: Custom LoginModule classloading issue in geronimo 2.0.2

Posted by Brian Dellert <bd...@rcn.com>.
David,

I followed your instructions, and things are now working.  Thanks for 
helping with this.  Now all I need to do is automate the described process 
as part of my build :)

Is there somewhere I should file a bug report for the underlying issue (i.e., 
in the geronimo and/or OpenEJB bug tracking systems), since any 
documentation I have read has stated that you should be able to define a 
security realm which uses a custom login module within an application ear?

- Brian


----- Original Message ----- 
From: "David Jencks" <da...@yahoo.com>
To: <us...@geronimo.apache.org>
Sent: Tuesday, December 18, 2007 7:15 PM
Subject: Re: Custom LoginModule classloading issue in geronimo 2.0.2


>
> On Dec 18, 2007, at 2:07 PM, Brian Dellert wrote:
>
>> Thanks for the prompt response.
>>
>> Could you elaborate a bit on how to "Deploy this plan into your geronimo 
>> server", or point me to some documentation which describes how to 
>> package and deploy a "config module"?  I'm relatively new to geronimo, 
>> and haven't deployed artifacts other than ear files, war files, etc. 
>> Thanks.
>
> Yup, my response was a bit hard to follow ... even the plan I told you to 
> modify is hard to find in 2.0.2 unless you build geronimo yourself.  I 
> tried this out using a new moduleId of 
> o.a.g.configs/server-security-config2/2.0.2/car. Here's the plan with a few 
> comments marked with "DAJ" about what to change:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!--Licensed to the Apache Software Foundation (ASF) under one or more
>     contributor license agreements.  See the NOTICE file distributed with
>     this work for additional information regarding copyright ownership.
>     The ASF licenses this file to You under the Apache License, Version 2.0
>     (the "License"); you may not use this file except in compliance with
>     the License.  You may obtain a copy of the License at
>
>        http://www.apache.org/licenses/LICENSE-2.0
>
>     Unless required by applicable law or agreed to in writing, software
>     distributed under the License is distributed on an "AS IS" BASIS,
>     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>     See the License for the specific language governing permissions and
>     limitations under the License.-->
> <!--$Rev: 554977 $ $Date: 2007-07-10 08:32:56 -0700 (Tue, 10 Jul 2007) $-->
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>   <environment>
> <!--DAJ Change the module ID to something related to your project -->
>     <moduleId>
>       <groupId>org.apache.geronimo.configs</groupId>
>       <artifactId>server-security-config</artifactId>
>       <version>2.0.2</version>
>       <type>car</type>
>     </moduleId>
>     <dependencies>
>       <dependency>
>         <groupId>org.apache.geronimo.configs</groupId>
>         <artifactId>j2ee-security</artifactId>
>         <type>car</type>
>       </dependency>
> <!--DAJ include a dependency on your jar here; you'll need to put your 
> jar somewhere in the geronimo repo so this will point to something that 
> exists.  This would look just like what you tried in the 
> geronimo-application.xml -->
>     </dependencies>
>     <hidden-classes/>
>     <non-overridable-classes/>
>   </environment>
>
> <!--DAJ include your security realm gbean here -->
>
>   <gbean name="CredentialStore" 
> class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
>     <xml-attribute name="credentialStore">
>       <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
>         <!--uncomment this and the default subject in the jetty console 
> plan gives you admin console permissions-->
>         <!--<realm name="geronimo-admin">
>                     <subject>
>                         <id>default</id>
>                         <credential>
>                             <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
>                             <value>system</value>
>                         </credential>
>                         <credential>
>                             <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
>                             <value>manager</value>
>                         </credential>
>                     </subject>
>                 </realm>-->
>       </credential-store>
>     </xml-attribute>
>   </gbean>
>
> <!--DAJ you may want to replace this with something related to your 
> installation for non-toy admin console security -->
>   <!--Default security realm using properties files-->
>   <gbean name="properties-login" 
> class="org.apache.geronimo.security.jaas.LoginModuleGBean">
>     <attribute name="loginModuleClass">org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</attribute>
>     <attribute name="options">usersURI=var/security/users.properties
>             groupsURI=var/security/groups.properties</attribute>
>     <attribute name="loginDomainName">geronimo-admin</attribute>
>   </gbean>
>   <gbean name="geronimo-admin" 
> class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     <attribute name="realmName">geronimo-admin</attribute>
>     <reference name="LoginModuleConfiguration">
>       <name>properties-login</name>
>     </reference>
>     <reference name="ServerInfo">
>       <name>ServerInfo</name>
>     </reference>
>   </gbean>
>   <gbean name="properties-login" 
> class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
>     <attribute name="controlFlag">REQUIRED</attribute>
>     <reference name="LoginModule">
>       <name>properties-login</name>
>     </reference>
>   </gbean>
>   <gbean name="geronimo-default" 
> class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
>     <attribute name="keystoreName">geronimo-default</attribute>
>     <attribute name="keystorePath">var/security/keystores/geronimo-default</attribute>
>     <attribute name="keystorePassword">secret</attribute>
>     <attribute name="keyPasswords">geronimo=secret</attribute>
>     <reference name="ServerInfo">
>       <name>ServerInfo</name>
>     </reference>
>   </gbean>
> </module>
>
> This will end up as a file named say mysecurity-plan.xml.
>
> Deploy this using the console "deploy new" page, unchecking the "Start 
> app after install" checkbox.
>
> Stop geronimo.
> Edit var/config/config.xml so you have:
> <module load="false" name="org.apache.geronimo.configs/server-security-config/2.0.2/car"/>
> <!-- replace this with the actual moduleId you used in the plan -->
> <module name="org.apache.geronimo.configs/server-security-config2/2.0.2/car"/>
>
> at the end.
>
> Edit var/config/artifact_aliases.properties to include lines
> org.apache.geronimo.configs/server-security-config//car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
> org.apache.geronimo.configs/server-security-config/2.0.2/car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
>
> (again using the actual moduleId from your plan)
>
> Now you should be able to start geronimo and it will use your security 
> config instead of the supplied one.
>
> You should be able to deploy the plan using the command line tool but I 
> didn't try that.  Note that you can have only one of the original config 
> and your replacement running at once since they have security realms with 
> the same name (they are supposed to replace each other).
>
> Hope this helps and please ask if there are more problems
> david jencks
>
>
>>
>> - Brian
>>
>> ----- Original Message ----- From: "David Jencks" 
>> <da...@yahoo.com>
>> To: <us...@geronimo.apache.org>
>> Sent: Tuesday, December 18, 2007 4:38 PM
>> Subject: Re: Custom LoginModule classloading issue in geronimo 2.0.2
>>
>>
>>> My guess is that Aaron is right and this is an openejb bug.
>>>
>>> The only way I can think to fix it is to replace the server-security-config 
>>> module with one that is identical except also including the jar 
>>> containing your login module as a dependency and the security realm 
>>> configuration you want.  Deploy this plan into your geronimo server. 
>>> Also, while geronimo is stopped, add a line like
>>>
>>> org.apache.geronimo.configs/server-security-config/2.0.2/car=com.myco/myserver-security-config/1.0/car
>>>
>>> and another similar line without the 2.0.2 to 
>>> var/config/artifact_aliases.properties (where 
>>> com.myco/myserver-security-config/1.0/car is the moduleId of your 
>>> replacement plan).  When you restart geronimo the realm should work.
>>>
>>> I actually recommend doing this for any non-toy geronimo installation. 
>>> The provided server-security-config is really an example that's easy 
>>> to set up, but on a real installation you probably want access to the 
>>> admin console controlled by your enterprise security system, not a 
>>> couple of property files stuck in a geronimo directory.
>>>
>>> let us know how this works
>>> david jencks
>>>
>>> On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
>>>
>>>> It's curious that, from the error, it appears to be looking for the
>>>> security realm in the OpenEJB class loader (which I guess is receiving
>>>> the remote call) instead of the application's class loader.  Perhaps
>>>> the context class loader should be set by e.g.
>>>> EjbDaemon.processAuthRequest?
>>>>
>>>> Thanks,
>>>>        Aaron
>>>>
>>>> On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:

Re: Custom LoginModule classloading issue in geronimo 2.0.2

Posted by David Jencks <da...@yahoo.com>.
On Dec 18, 2007, at 2:07 PM, Brian Dellert wrote:

> Thanks for the prompt response.
>
> Could you elaborate a bit on how to "Deploy this plan into your 
> geronimo server", or point me to some documentation which describes 
> how to package and deploy a "config module"?  I'm relatively new to 
> geronimo, and haven't deployed artifacts other than ear files, war 
> files, etc.  Thanks.

Yup, my response was a bit hard to follow ... even the plan I told 
you to modify is hard to find in 2.0.2 unless you build geronimo 
yourself.  I tried this out using a new moduleId of 
o.a.g.configs/server-security-config2/2.0.2/car. Here's the plan with a few 
comments marked with "DAJ" about what to change:

<?xml version="1.0" encoding="UTF-8"?>
<!--Licensed to the Apache Software Foundation (ASF) under one or more
     contributor license agreements.  See the NOTICE file distributed with
     this work for additional information regarding copyright ownership.
     The ASF licenses this file to You under the Apache License, Version 2.0
     (the "License"); you may not use this file except in compliance with
     the License.  You may obtain a copy of the License at

        http://www.apache.org/licenses/LICENSE-2.0

     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.-->
<!--$Rev: 554977 $ $Date: 2007-07-10 08:32:56 -0700 (Tue, 10 Jul 2007) $-->
<module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
   <environment>
<!--DAJ Change the module ID to something related to your project -->
     <moduleId>
       <groupId>org.apache.geronimo.configs</groupId>
       <artifactId>server-security-config</artifactId>
       <version>2.0.2</version>
       <type>car</type>
     </moduleId>
     <dependencies>
       <dependency>
         <groupId>org.apache.geronimo.configs</groupId>
         <artifactId>j2ee-security</artifactId>
         <type>car</type>
       </dependency>
<!--DAJ include a dependency on your jar here; you'll need to put  
your jar somewhere in the geronimo repo so this will point to  
something that exists.  This would look just like what you tried in  
the geronimo-application.xml -->
     </dependencies>
     <hidden-classes/>
     <non-overridable-classes/>
   </environment>

<!--DAJ include your security realm gbean here -->

   <gbean name="CredentialStore"  
class="org.apache.geronimo.security.credentialstore.SimpleCredentialStor 
eImpl">
     <xml-attribute name="credentialStore">
       <credential-store xmlns="http://geronimo.apache.org/xml/ns/ 
credentialstore-1.0">
         <!--uncomment this and the default subject in the jettty  
console plan gives you admin console permissions-->
         <!--<realm name="geronimo-admin">
                     <subject>
                         <id>default</id>
                         <credential>
                              
<type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</ 
type>
                             <value>system</value>
                         </credential>
                         <credential>
                              
<type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandl 
er</type>
                             <value>manager</value>
                         </credential>
                     </subject>
                 </realm>-->
       </credential-store>
     </xml-attribute>
   </gbean>

<!--DAJ you may want to replace this with something related to your  
installation for non-toy admin console security -->
   <!--Default security realm using properties files-->
   <gbean name="properties-login"  
class="org.apache.geronimo.security.jaas.LoginModuleGBean">
     <attribute  
name="loginModuleClass">org.apache.geronimo.security.realm.providers.Pro 
pertiesFileLoginModule</attribute>
     <attribute name="options">usersURI=var/security/users.properties
             groupsURI=var/security/groups.properties</attribute>
     <attribute name="loginDomainName">geronimo-admin</attribute>
   </gbean>
   <gbean name="geronimo-admin"  
class="org.apache.geronimo.security.realm.GenericSecurityRealm">
     <attribute name="realmName">geronimo-admin</attribute>
     <reference name="LoginModuleConfiguration">
       <name>properties-login</name>
     </reference>
     <reference name="ServerInfo">
       <name>ServerInfo</name>
     </reference>
   </gbean>
   <gbean name="properties-login"  
class="org.apache.geronimo.security.jaas.JaasLoginModuleUse">
     <attribute name="controlFlag">REQUIRED</attribute>
     <reference name="LoginModule">
       <name>properties-login</name>
     </reference>
   </gbean>
   <gbean name="geronimo-default"  
class="org.apache.geronimo.security.keystore.FileKeystoreInstance">
     <attribute name="keystoreName">geronimo-default</attribute>
     <attribute name="keystorePath">var/security/keystores/geronimo- 
default</attribute>
     <attribute name="keystorePassword">secret</attribute>
     <attribute name="keyPasswords">geronimo=secret</attribute>
     <reference name="ServerInfo">
       <name>ServerInfo</name>
     </reference>
   </gbean>
</module>

This will end up as a file named say mysecurity-plan.xml.

Deploy this using the console "deploy new" page, unchecking the
"Start app after install" checkbox.

Stop geronimo.
Edit var/config/config.xml so you have:
<module load="false" name="org.apache.geronimo.configs/server-security-config/2.0.2/car"/>
<!-- replace this with the actual moduleId you used in the plan -->
<module name="org.apache.geronimo.configs/server-security-config2/2.0.2/car"/>

at the end.

Edit var/config/artifact_aliases.properties to include lines
org.apache.geronimo.configs/server-security-config//car=org.apache.geronimo.configs/server-security-config2/2.0.2/car
org.apache.geronimo.configs/server-security-config/2.0.2/car=org.apache.geronimo.configs/server-security-config2/2.0.2/car

(again using the actual moduleId from your plan)

Now you should be able to start geronimo and it will use your
security config instead of the supplied one.

You should be able to deploy the plan using the command line tool but
I didn't try that.  Note that you can have only one of the original
config and your replacement running at once since they have security
realms with the same name (they are supposed to replace each other).

Hope this helps and please ask if there are more problems
david jencks


>
> - Brian
>
> ----- Original Message ----- From: "David Jencks"  
> <da...@yahoo.com>
> To: <us...@geronimo.apache.org>
> Sent: Tuesday, December 18, 2007 4:38 PM
> Subject: Re: Custom LoginModule classloading issue in gernimo 2.0.2
>
>
>> My guess is that Aaron is right and this is an openejb bug.
>>
>> The only way I can think to fix it is to replace the server-security-config
>> module with one that is identical except also including the jar containing
>> your login module as a dependency and the security realm configuration
>> you want.  Deploy this plan into your geronimo server. Also, while
>> geronimo is stopped, add a line like
>>
>> org.apache.geronimo.configs/server-security-config/2.0.2/car=com.myco/myserver-security-config/1.0/car
>>
>> and another similar line without the 2.0.2 to
>> var/config/artifact_aliases.properties (where
>> com.myco/myserver-security-config/1.0/car is the moduleId of your
>> replacement plan).  When you restart geronimo the realm should work.
>>
>> I actually recommend doing this for any non-toy geronimo installation.
>> The provided server-security-config is really an example that's easy to
>> set up, but on a real installation you probably want access to the admin
>> console controlled by your enterprise security system, not a couple of
>> property files stuck in a geronimo directory.
>>
>> let us know how this works
>> david jencks
>>
>> On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
>>
>>> It's curious that, from the error, it appears to be looking for the
>>> security realm in the OpenEJB class loader (which I guess is  
>>> receiving
>>> the remote call) instead of the application's class loader.  Perhaps
>>> the context class loader should be set by e.g.
>>> EjbDaemon.processAuthRequest?
>>>
>>> Thanks,
>>>        Aaron
>>>
>>> On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:
>>>> Hi.
>>>>
>>>> I have created a simple custom login module which uses the   
>>>> principal created
>>>> by the standard PropertiesFileLoginModule and adds a principal  
>>>> containing a
>>>> group (which is looked up in a DB).  I have configured a  
>>>> security  realm in
>>>> the geronimo-application.xml contained in my application ear  
>>>> file including
>>>> both of these login modules as follows:
>>>>
>>>>     <gbean name="my-realm"
>>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>>            xsi:type="dep:gbeanType"
>>>> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>         <attribute name="realmName">my-realm</attribute>
>>>>         <reference name="ServerInfo">
>>>>             <name>ServerInfo</name>
>>>>         </reference>
>>>>         <xml-reference name="LoginModuleConfiguration">
>>>>             <log:login-config
>>>> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>>                 <log:login-module control-flag="REQUISITE"
>>>> wrap-principals="false">
>>>>                     <log:login-domain-name>my-properties-file</log:login-domain-name>
>>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>>>                     <log:option
>>>> name="usersURI">var/security/users.properties</log:option>
>>>>                     <log:option
>>>> name="groupsURI">var/security/groups.properties</log:option>
>>>>                 </log:login-module>
>>>>                 <log:login-module control-flag="OPTIONAL"
>>>> wrap-principals="false">
>>>>                     <log:login-domain-name>my-sql-role</log:login-domain-name>
>>>>                     <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
>>>>                     <log:option name="roleSelect">SELECT username,
>>>> group_name FROM user_groups WHERE username=?</log:option>
>>>>                     <log:option
>>>> name="dataSourceApplication">null</log:option>
>>>>                     <log:option name="dataSourceName">MyPool</log:option>
>>>>                 </log:login-module>
>>>>             </log:login-config>
>>>>         </xml-reference>
>>>>     </gbean>
>>>>
>>>> Further, I have packaged the
>>>> "my.company.security.realm.providers.SqlRoleLoginModule" class  
>>>> in  a jar file
>>>> (my-login-module-1.0.jar).  I have tried the following  
>>>> approaches  to get
>>>> this login module to load:
>>>>
>>>>    - Added my-login-module-1.0.jar to the root of my ear file.
>>>>
>>>>    - Added my-login-module-1.0.jar to the root of my ear file  
>>>> and  added this
>>>> jar file to the MANIFEST classpath of an ejb-jar file which is   
>>>> also in the
>>>> ear file.
>>>>
>>>>    - Added my-login-module-1.0.jar to the geronimo repository by  
>>>> placing it
>>>> in the repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
>>>>      and added the following dependency to the dependency list  
>>>> in the
>>>> environment section of my geronimo-application.xml file:
>>>>
>>>>            <dependency>
>>>>                 <groupId>my.company</groupId>
>>>>                 <artifactId>my-login-module</artifactId>
>>>>                 <version>1.0</version>
>>>>                 <type>jar</type>
>>>>             </dependency>
>>>>
>>>> I am attempting to connect/authenticate in a remote JVM by setting up the
>>>> JNDI context and performing an EJB lookup as follows:
>>>>
>>>>   Properties p = new Properties();
>>>>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>>>>   "org.openejb.client.RemoteInitialContextFactory");
>>>>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>>>>   p.put("openejb.authentication.realmName", "my-realm");
>>>>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>>>>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>>>>   InitialContext ctx = new InitialContext(p);
>>>>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>>>>
>>>> In all cases, I get the following error:
>>>>
>>>> Caused by: javax.security.auth.login.LoginException: unable to find
>>>> LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in
>>>> classloader org.apache.geronimo.configs/openejb/2.0.2/car
>>>> [INFO]  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
>>>> [INFO]  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>>> [INFO]  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>>> [INFO]  at java.security.AccessController.doPrivileged(Native Method)
>>>> [INFO]  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>>> [INFO]  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>>> [INFO]  at org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
>>>> [INFO]  at org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
>>>> [INFO]  at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
>>>> [INFO]  at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
>>>> [INFO]  at org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
>>>> [INFO]  at org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
>>>> [INFO]  at org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
>>>> [INFO]  at java.lang.Thread.run(Thread.java:619)
>>>>
>>>> I know that the dependency is getting at least recognized at ear  
>>>> deployment
>>>> time since, if I remove the login module jar file from the geronimo
>>>> repository, the deployment of the ear fails.
>>>>
>>>> The only way I have been able to get the class to load is by   
>>>> placing it in
>>>> the lib/ext directory of my JRE installation, which doesn't  
>>>> seem  like the
>>>> correct approach.  I am using geronimo 2.0.2 on Windows XP and  
>>>> the 1.6.0_03
>>>> Sun JVM.  Any help with resolving this issue, and getting  
>>>> geronimo to
>>>> correctly load this login module class, would be greatly   
>>>> appreciated. If
>>>> any additional information is needed, please let me know.  Thanks.
>>>>
>>>> - Brian
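To make the module stacking this thread is configuring concrete, here is an added, self-contained example; it is my code, not code from this thread or from Geronimo. It chains two JAAS login modules the way the login-config above does: a REQUISITE password module standing in for PropertiesFileLoginModule, and an OPTIONAL module standing in for Brian's SqlRoleLoginModule that adds one group principal per row the roleSelect query would return. The principal class names, the in-memory user and user_groups tables, and the Configuration object that replaces the XML are all my assumptions for the demo. Two points it shows that the configuration alone does not: the group lookup belongs in commit(), because that is when the REQUISITE module's user principal first reaches the shared Subject, and a real module would bind the username to the '?' of roleSelect through a PreparedStatement rather than build the SQL by concatenation. It also comments on the class-visibility issue behind the LoginException quoted earlier: the JDK's LoginContext resolves each module class by name through the calling thread's context class loader.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Added demo (not Geronimo code): a REQUISITE password module followed by an OPTIONAL group-lookup module. */
public class ChainedLoginDemo {

    /** Minimal principals standing in for Geronimo's own user/group principal classes (names are my assumption). */
    abstract static class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        public String toString() { return getClass().getSimpleName() + ":" + name; }
    }
    public static final class UserPrincipal extends NamedPrincipal { UserPrincipal(String n) { super(n); } }
    public static final class GroupPrincipal extends NamedPrincipal { GroupPrincipal(String n) { super(n); } }

    // Constructed sample data standing in for users.properties and for the user_groups table.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");
    static final Map<String, List<String>> USER_GROUPS = Map.of("alice", List.of("admin", "developers"));

    /** Stand-in for PropertiesFileLoginModule: checks the password in login(), adds the user principal in commit(). */
    public static class PasswordLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private UserPrincipal user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (Exception e) { throw new LoginException("callback handler failed: " + e); }
            char[] pw = pc.getPassword() == null ? new char[0] : pc.getPassword();
            byte[] given = new String(pw).getBytes(StandardCharsets.UTF_8);
            pc.clearPassword();
            String expected = USERS.get(nc.getName());
            // Constant-time compare, and the same failure for an unknown user as for a wrong password.
            if (expected == null || !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), given)) {
                throw new FailedLoginException("bad credentials");
            }
            user = new UserPrincipal(nc.getName());
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(user); return true; }
        public boolean abort() { user = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(user); user = null; return true; }
    }

    /** Stand-in for the thread's SqlRoleLoginModule: adds the groups of the user the earlier module established. */
    public static class GroupLookupLoginModule implements LoginModule {
        private Subject subject;
        private final Set<GroupPrincipal> added = new HashSet<>();
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; }
        // Nothing to verify here; the lookup waits for commit(), because the REQUISITE module's commit()
        // runs first and that is the moment its UserPrincipal reaches the shared Subject.
        public boolean login() { return true; }
        public boolean commit() {
            for (UserPrincipal u : subject.getPrincipals(UserPrincipal.class)) {
                // A real module would run the configured roleSelect as a PreparedStatement with the
                // username bound to its '?' placeholder; this map lookup stands in for that query.
                for (String g : USER_GROUPS.getOrDefault(u.getName(), List.of())) added.add(new GroupPrincipal(g));
            }
            subject.getPrincipals().addAll(added);
            return true;
        }
        public boolean abort() { added.clear(); return true; }
        public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }
    }

    /** Programmatic equivalent of the plan's login-config: REQUISITE password check, then OPTIONAL group lookup. */
    static final Configuration STACK = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(PasswordLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.REQUISITE, Map.of()),
                new AppConfigurationEntry(GroupLookupLoginModule.class.getName(), AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL, Map.of()) };
        }
    };

    /** Runs the stack once. LoginContext resolves each module class by name through the calling thread's
     *  context class loader, so the module's jar has to be visible to that loader, not only to the application's. */
    public static Set<Principal> authenticate(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext ctx = new LoginContext("my-realm", new Subject(), handler, STACK);
        ctx.login();   // a failure in the REQUISITE module stops the stack here
        return ctx.getSubject().getPrincipals();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(authenticate("alice", "s3cret".toCharArray()));
        try { authenticate("alice", "wrong".toCharArray()); }
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Compile with javac ChainedLoginDemo.java and run with java ChainedLoginDemo (Java 9 or later). The first call yields the user principal plus the two group principals; the second is rejected by the REQUISITE module and the OPTIONAL module never gets to add anything, which is the behaviour the control flags in the login-config above select.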


Re: Custom LoginModule classloading issue in gernimo 2.0.2

Posted by Brian Dellert <bd...@rcn.com>.
Thanks for the prompt response.

Could you elaborate a bit on how to "Deploy this plan into your geronimo 
server", or point me to some documentation which describes how to package 
and deploy a "config module"?  I'm relatively new to geronimo, and haven't 
deployed artifacts other than ear files, war files, etc.  Thanks.

- Brian

----- Original Message ----- 
From: "David Jencks" <da...@yahoo.com>
To: <us...@geronimo.apache.org>
Sent: Tuesday, December 18, 2007 4:38 PM
Subject: Re: Custom LoginModule classloading issue in gernimo 2.0.2


> My guess is that Aaron is right and this is an openejb bug.
>
> The only way I can think to fix it is to replace the server-security-config
> module with one that is identical except also including the jar containing
> your login module as a dependency and the security realm configuration
> you want.  Deploy this plan into your geronimo server. Also, while
> geronimo is stopped, add a line like
>
> org.apache.geronimo.configs/server-security-config/2.0.2/car=com.myco/myserver-security-config/1.0/car
>
> and another similar line without the 2.0.2 to
> var/config/artifact_aliases.properties (where
> com.myco/myserver-security-config/1.0/car is the moduleId of your
> replacement plan).  When you restart geronimo the realm should work.
>
> I actually recommend doing this for any non-toy geronimo installation.
> The provided server-security-config is really an example that's easy to
> set up, but on a real installation you probably want access to the admin
> console controlled by your enterprise security system, not a couple of
> property files stuck in a geronimo directory.
>
> let us know how this works
> david jencks
>
> On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:
>
>> It's curious that, from the error, it appears to be looking for the
>> security realm in the OpenEJB class loader (which I guess is receiving
>> the remote call) instead of the application's class loader.  Perhaps
>> the context class loader should be set by e.g.
>> EjbDaemon.processAuthRequest?
>>
>> Thanks,
>>        Aaron
>>
>> On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:
>>> Hi.
>>>
>>> I have created a simple custom login module which uses the  principal 
>>> created
>>> by the standard PropertiesFileLoginModule and adds a principal 
>>> containing a
>>> group (which is looked up in a DB).  I have configured a security  realm 
>>> in
>>> the geronimo-application.xml contained in my application ear file 
>>> including
>>> both of these login modules as follows:
>>>
>>>     <gbean name="my-realm"
>>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>>            xsi:type="dep:gbeanType"
>>> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>         <attribute name="realmName">my-realm</attribute>
>>>         <reference name="ServerInfo">
>>>             <name>ServerInfo</name>
>>>         </reference>
>>>         <xml-reference name="LoginModuleConfiguration">
>>>             <log:login-config
>>> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>>                 <log:login-module control-flag="REQUISITE"
>>> wrap-principals="false">
>>>                     <log:login-domain-name>my-properties-file</log:login-domain-name>
>>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>>                     <log:option
>>> name="usersURI">var/security/users.properties</log:option>
>>>                     <log:option
>>> name="groupsURI">var/security/groups.properties</log:option>
>>>                 </log:login-module>
>>>                 <log:login-module control-flag="OPTIONAL"
>>> wrap-principals="false">
>>>                     <log:login-domain-name>my-sql-role</log:login-domain-name>
>>>                     <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
>>>                     <log:option name="roleSelect">SELECT username,
>>> group_name FROM user_groups WHERE username=?</log:option>
>>>                     <log:option
>>> name="dataSourceApplication">null</log:option>
>>>                     <log:option name="dataSourceName">MyPool</log:option>
>>>                 </log:login-module>
>>>             </log:login-config>
>>>         </xml-reference>
>>>     </gbean>
>>>
>>> Further, I have packaged the
>>> "my.company.security.realm.providers.SqlRoleLoginModule" class in  a jar 
>>> file
>>> (my-login-module-1.0.jar).  I have tried the following approaches  to 
>>> get
>>> this login module to load:
>>>
>>>    - Added my-login-module-1.0.jar to the root of my ear file.
>>>
>>>    - Added my-login-module-1.0.jar to the root of my ear file and  added 
>>> this
>>> jar file to the MANIFEST classpath of an ejb-jar file which is  also in 
>>> the
>>> ear file.
>>>
>>>    - Added my-login-module-1.0.jar to the geronimo repository by 
>>> placing it
>>> in the repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
>>>      and added the following dependency to the dependency list in the
>>> environment section of my geronimo-application.xml file:
>>>
>>>            <dependency>
>>>                 <groupId>my.company</groupId>
>>>                 <artifactId>my-login-module</artifactId>
>>>                 <version>1.0</version>
>>>                 <type>jar</type>
>>>             </dependency>
>>>
>>> I am attempting to connect/authenticate in a remote JVM by setting up the
>>> JNDI context and performing an EJB lookup as follows:
>>>
>>>   Properties p = new Properties();
>>>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>>>   "org.openejb.client.RemoteInitialContextFactory");
>>>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>>>   p.put("openejb.authentication.realmName", "my-realm");
>>>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>>>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>>>   InitialContext ctx = new InitialContext(p);
>>>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>>>
>>> In all cases, I get the following error:
>>>
>>> Caused by: javax.security.auth.login.LoginException: unable to find
>>> LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in
>>> classloader org.apache.geronimo.configs/openejb/2.0.2/car
>>> [INFO]  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
>>> [INFO]  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>>> [INFO]  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>>> [INFO]  at java.security.AccessController.doPrivileged(Native Method)
>>> [INFO]  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>>> [INFO]  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>>> [INFO]  at org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
>>> [INFO]  at org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
>>> [INFO]  at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
>>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
>>> [INFO]  at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
>>> [INFO]  at org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
>>> [INFO]  at org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
>>> [INFO]  at org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
>>> [INFO]  at java.lang.Thread.run(Thread.java:619)
>>>
>>> I know that the dependency is getting at least recognized at ear 
>>> deployment
>>> time since, if I remove the login module jar file from the geronimo
>>> repository, the deployment of the ear fails.
>>>
>>> The only way I have been able to get the class to load is by  placing it 
>>> in
>>> the lib/ext directory of my JRE installation, which doesn't seem  like 
>>> the
>>> correct approach.  I am using geronimo 2.0.2 on Windows XP and the 
>>> 1.6.0_03
>>> Sun JVM.  Any help with resolving this issue, and getting geronimo to
>>> correctly load this login module class, would be greatly  appreciated. 
>>> If
>>> any additional information is needed, please let me know.  Thanks.
>>>
>>> - Brian
>>> 

Re: Custom LoginModule classloading issue in gernimo 2.0.2

Posted by David Jencks <da...@yahoo.com>.
My guess is that Aaron is right and this is an openejb bug.

The only way I can think to fix it is to replace the server-security-config
module with one that is identical except also including the jar containing
your login module as a dependency and the security realm configuration you
want.  Deploy this plan into your geronimo server.  Also, while geronimo is
stopped, add a line like

org.apache.geronimo.configs/server-security-config/2.0.2/car=com.myco/myserver-security-config/1.0/car

and another similar line without the 2.0.2 to
var/config/artifact_aliases.properties (where
com.myco/myserver-security-config/1.0/car is the moduleId of your
replacement plan).  When you restart geronimo the realm should work.

I actually recommend doing this for any non-toy geronimo installation.  The
provided server-security-config is really an example that's easy to set up,
but on a real installation you probably want access to the admin console
controlled by your enterprise security system, not a couple of property
files stuck in a geronimo directory.

let us know how this works
david jencks

On Dec 18, 2007, at 12:46 PM, Aaron Mulder wrote:

> It's curious that, from the error, it appears to be looking for the
> security realm in the OpenEJB class loader (which I guess is receiving
> the remote call) instead of the application's class loader.  Perhaps
> the context class loader should be set by e.g.
> EjbDaemon.processAuthRequest?
>
> Thanks,
>        Aaron
>
> On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:
>> Hi.
>>
>> I have created a simple custom login module which uses the  
>> principal created
>> by the standard PropertiesFileLoginModule and adds a principal  
>> containing a
>> group (which is looked up in a DB).  I have configured a security  
>> realm in
>> the geronimo-application.xml contained in my application ear file  
>> including
>> both of these login modules as follows:
>>
>>     <gbean name="my-realm"
>> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>>            xsi:type="dep:gbeanType"
>> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>         <attribute name="realmName">my-realm</attribute>
>>         <reference name="ServerInfo">
>>             <name>ServerInfo</name>
>>         </reference>
>>         <xml-reference name="LoginModuleConfiguration">
>>             <log:login-config
>> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>>                 <log:login-module control-flag="REQUISITE"
>> wrap-principals="false">
>>                     <log:login-domain-name>my-properties-file</log:login-domain-name>
>>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>>                     <log:option
>> name="usersURI">var/security/users.properties</log:option>
>>                     <log:option
>> name="groupsURI">var/security/groups.properties</log:option>
>>                 </log:login-module>
>>                 <log:login-module control-flag="OPTIONAL"
>> wrap-principals="false">
>>                     <log:login-domain-name>my-sql-role</log:login-domain-name>
>>                     <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
>>                     <log:option name="roleSelect">SELECT username,
>> group_name FROM user_groups WHERE username=?</log:option>
>>                     <log:option
>> name="dataSourceApplication">null</log:option>
>>                     <log:option name="dataSourceName">MyPool</log:option>
>>                 </log:login-module>
>>             </log:login-config>
>>         </xml-reference>
>>     </gbean>
>>
>> Further, I have packaged the
>> "my.company.security.realm.providers.SqlRoleLoginModule" class in  
>> a jar file
>> (my-login-module-1.0.jar).  I have tried the following approaches  
>> to get
>> this login module to load:
>>
>>    - Added my-login-module-1.0.jar to the root of my ear file.
>>
>>    - Added my-login-module-1.0.jar to the root of my ear file and  
>> added this
>> jar file to the MANIFEST classpath of an ejb-jar file which is  
>> also in the
>> ear file.
>>
>>    - Added my-login-module-1.0.jar to the geronimo repository by  
>> placing it
>> in the repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
>>      and added the following dependency to the dependency list in the
>> environment section of my geronimo-application.xml file:
>>
>>            <dependency>
>>                 <groupId>my.company</groupId>
>>                 <artifactId>my-login-module</artifactId>
>>                 <version>1.0</version>
>>                 <type>jar</type>
>>             </dependency>
>>
>> I am attempting to connect/authenticate in a remote JVM by setting up the
>> JNDI context and performing an EJB lookup as follows:
>>
>>   Properties p = new Properties();
>>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>>   "org.openejb.client.RemoteInitialContextFactory");
>>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>>   p.put("openejb.authentication.realmName", "my-realm");
>>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>>   InitialContext ctx = new InitialContext(p);
>>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>>
>> In all cases, I get the following error:
>>
>> Caused by: javax.security.auth.login.LoginException: unable to find
>> LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in
>> classloader org.apache.geronimo.configs/openejb/2.0.2/car
>> [INFO]  at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
>> [INFO]  at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
>> [INFO]  at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
>> [INFO]  at java.security.AccessController.doPrivileged(Native Method)
>> [INFO]  at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>> [INFO]  at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
>> [INFO]  at org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
>> [INFO]  at org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
>> [INFO]  at org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
>> [INFO]  at org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
>> [INFO]  at org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
>> [INFO]  at org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
>> [INFO]  at org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
>> [INFO]  at org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
>> [INFO]  at java.lang.Thread.run(Thread.java:619)
>>
>> I know that the dependency is getting at least recognized at ear  
>> deployment
>> time since, if I remove the login module jar file from the geronimo
>> repository, the deployment of the ear fails.
>>
>> The only way I have been able to get the class to load is by  
>> placing it in
>> the lib/ext directory of my JRE installation, which doesn't seem  
>> like the
>> correct approach.  I am using geronimo 2.0.2 on Windows XP and the  
>> 1.6.0_03
>> Sun JVM.  Any help with resolving this issue, and getting geronimo to
>> correctly load this login module class, would be greatly  
>> appreciated.  If
>> any additional information is needed, please let me know.  Thanks.
>>
>> - Brian
>>


Re: Custom LoginModule classloading issue in gernimo 2.0.2

Posted by Aaron Mulder <am...@alumni.princeton.edu>.
It's curious that, from the error, it appears to be looking for the
security realm in the OpenEJB class loader (which I guess is receiving
the remote call) instead of the application's class loader.  Perhaps
the context class loader should be set by e.g.
EjbDaemon.processAuthRequest?

Thanks,
       Aaron

On Dec 18, 2007 2:55 PM, Brian Dellert <bd...@rcn.com> wrote:
> Hi.
>
> I have created a simple custom login module which uses the principal created
> by the standard PropertiesFileLoginModule and adds a principal containing a
> group (which is looked up in a DB).  I have configured a security realm in
> the geronimo-application.xml contained in my application ear file including
> both of these login modules as follows:
>
>     <gbean name="my-realm"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
>            xsi:type="dep:gbeanType"
> xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
>            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>         <attribute name="realmName">my-realm</attribute>
>         <reference name="ServerInfo">
>             <name>ServerInfo</name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config
> xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                 <log:login-module control-flag="REQUISITE"
> wrap-principals="false">
>                     <log:login-domain-name>my-properties-file</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>                     <log:option
> name="usersURI">var/security/users.properties</log:option>
>                     <log:option
> name="groupsURI">var/security/groups.properties</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL"
> wrap-principals="false">
>                     <log:login-domain-name>my-sql-role</log:login-domain-name>
>                     <log:login-module-class>my.company.security.realm.providers.SqlRoleLoginModule</log:login-module-class>
>                     <log:option name="roleSelect">SELECT username,
> group_name FROM user_groups WHERE username=?</log:option>
>                     <log:option
> name="dataSourceApplication">null</log:option>
>                     <log:option name="dataSourceName">MyPool</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
>
> Further, I have packaged the
> "my.company.security.realm.providers.SqlRoleLoginModule" class in a jar file
> (my-login-module-1.0.jar).  I have tried the following approaches to get
> this login module to load:
>
>    - Added my-login-module-1.0.jar to the root of my ear file.
>
>    - Added my-login-module-1.0.jar to the root of my ear file and added this
> jar file to the MANIFEST classpath of an ejb-jar file which is also in the
> ear file.
>
>    - Added my-login-module-1.0.jar to the geronimo repository by placing it
> in the repository/my/company/my-login-module/1.0/my-login-module-1.0.jar
>      and added the following dependency to the dependency list in the
> environment section of my geronimo-application.xml file:
>
>            <dependency>
>                 <groupId>my.company</groupId>
>                 <artifactId>my-login-module</artifactId>
>                 <version>1.0</version>
>                 <type>jar</type>
>             </dependency>
>
> I am attempting to connect/authenticate in a remote JVM by setting up the
> JNDI context and performing an EJB lookup as follows:
>
>   Properties p = new Properties();
>   p.put(Context.INITIAL_CONTEXT_FACTORY,
>   "org.openejb.client.RemoteInitialContextFactory");
>   p.put(Context.PROVIDER_URL, "ejbd://localhost:4201");
>   p.put("openejb.authentication.realmName", "my-realm");
>   p.put(Context.SECURITY_PRINCIPAL, "my_username");
>   p.put(Context.SECURITY_CREDENTIALS, "my_password");
>   InitialContext ctx = new InitialContext(p);
>   Object obj = ctx.lookup("MyBusinessBeanRemote");
>
> In all cases, I get the following error:
>
> Caused by: javax.security.auth.login.LoginException: unable to find
> LoginModule class: my.company.security.realm.providers.SqlRoleLoginModule in
> classloader org.apache.geronimo.configs/openejb/2.0.2/car
> [INFO]  at
> javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
> [INFO]  at
> javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> [INFO]  at
> javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> [INFO]  at java.security.AccessController.doPrivileged(Native Method)
> [INFO]  at
> javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> [INFO]  at
> javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> [INFO]  at
> org.apache.geronimo.security.ContextManager.login(ContextManager.java:77)
> [INFO]  at
> org.apache.geronimo.openejb.GeronimoSecurityService.login(GeronimoSecurityService.java:52)
> [INFO]  at
> org.apache.openejb.server.ejbd.AuthRequestHandler.processRequest(AuthRequestHandler.java:56)
> [INFO]  at
> org.apache.openejb.server.ejbd.EjbDaemon.processAuthRequest(EjbDaemon.java:172)
> [INFO]  at
> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:130)
> [INFO]  at
> org.apache.openejb.server.ejbd.EjbDaemon.service(EjbDaemon.java:84)
> [INFO]  at
> org.apache.openejb.server.ejbd.EjbServer.service(EjbServer.java:60)
> [INFO]  at
> org.apache.openejb.server.ServiceLogger.service(ServiceLogger.java:73)
> [INFO]  at
> org.apache.openejb.server.ServiceAccessController.service(ServiceAccessController.java:55)
> [INFO]  at
> org.apache.openejb.server.ServiceDaemon$1.run(ServiceDaemon.java:117)
> [INFO]  at java.lang.Thread.run(Thread.java:619)
>
> I know that the dependency is getting at least recognized at ear deployment
> time since, if I remove the login module jar file from the geronimo
> repository, the deployment of the ear fails.
>
> The only way I have been able to get the class to load is by placing it in
> the lib/ext directory of my JRE installation, which doesn't seem like the
> correct approach.  I am using geronimo 2.0.2 on Windows XP and the 1.6.0_03
> Sun JVM.  Any help with resolving this issue, and getting geronimo to
> correctly load this login module class, would be greatly appreciated.  If
> any additional information is needed, please let me know.  Thanks.
>
> - Brian
>
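Aaron's hypothesis above can be reproduced and checked outside Geronimo. The example below is added here and is not code from this thread, from Geronimo or from OpenEJB. It assumes a toy `DemoRoleLoginModule` standing in for `SqlRoleLoginModule`, a programmatic JAAS `Configuration` standing in for the `GenericSecurityRealm` GBean, and an empty `URLClassLoader` with the bootstrap loader as parent standing in for the OpenEJB class loader that cannot see the application's jar. It shows why "unable to find LoginModule class" appears (the JDK's `LoginContext` resolves module classes through the thread context class loader, which it captures in its constructor) and what the fix at the dispatch point looks like: set the TCCL to the application's loader before the `LoginContext` is created and restore it afterwards.

```java
import java.net.URL;
import java.net.URLClassLoader;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Reproduces the class-loading failure from the thread and the TCCL swap that fixes it. */
public class TcclLoginDemo {

    /** Constructed stand-in for SqlRoleLoginModule: it only needs to be *found* and to succeed. */
    public static class DemoRoleLoginModule implements LoginModule {
        public void initialize(Subject subject, CallbackHandler handler,
                               java.util.Map<String, ?> sharedState,
                               java.util.Map<String, ?> options) { }
        public boolean login()  { return true; }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic stand-in for the realm configuration: "my-realm" -> DemoRoleLoginModule. */
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            if (!"my-realm".equals(name)) {
                return null;
            }
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoRoleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())
            };
        }
    };

    /**
     * Runs a JAAS login with the thread context class loader temporarily set to
     * the loader that can see the login module classes. LoginContext reads the
     * TCCL in its constructor, so the swap must wrap construction as well as
     * login(). The loader is restored in finally so a pooled daemon thread does
     * not keep a reference to the application's loader after the request.
     */
    public static Subject loginWith(ClassLoader moduleLoader, String realm)
            throws LoginException {
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(moduleLoader);
        try {
            CallbackHandler noCallbacks = callbacks -> { };   // the toy module asks for nothing
            LoginContext lc = new LoginContext(realm, new Subject(), noCallbacks, CONFIG);
            lc.login();
            return lc.getSubject();
        } finally {
            t.setContextClassLoader(saved);
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader appLoader = TcclLoginDemo.class.getClassLoader();
        // No URLs and a null (bootstrap) parent: sees javax.security.auth.* but not
        // DemoRoleLoginModule, like the openejb/2.0.2/car loader in the trace above.
        ClassLoader isolated = new URLClassLoader(new URL[0], null);

        try {
            loginWith(isolated, "my-realm");
            System.out.println("unexpected: login succeeded through the isolated loader");
        } catch (LoginException e) {
            // Same symptom as the thread: "unable to find LoginModule class: ..."
            System.out.println("isolated loader: " + e.getMessage());
        }

        Subject s = loginWith(appLoader, "my-realm");
        System.out.println("application loader: login ok, principals=" + s.getPrincipals());
    }
}
```

In the stack trace Brian posted, the `LoginContext` is created inside `ContextManager.login`, below `GeronimoSecurityService.login`, so the swap cannot be done by the login module or the realm itself; it has to happen in the caller that dispatches the remote request (the `EjbDaemon.processAuthRequest` frame Aaron points at), and it must be undone before the thread returns to the pool.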