You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@geronimo.apache.org by Markku Saarela <ma...@iki.fi> on 2008/11/10 18:28:24 UTC
[RESOLVED]Re: Geronimo not found at login subject for Jackrabbit
JCA.
After removing <container-managed-security /> from geronimo-ra.xml and
res-auth element from jackrabbit resource-ref in web.xml it works.
jackrabbit in my case is running in-vm so i remove any pooling.
Thanks to all for help.
- markku
ps. still my ultimate goal is to go for container managed security, so i
look for code to realize that.
David Jencks wrote:
>
> On Nov 8, 2008, at 2:27 AM, Markku Saarela wrote:
>
>> Here is configuration documentation:
>> http://jackrabbit.apache.org/jackrabbit-configuration.html#JackrabbitConfiguration-Securityconfiguration
>>
>>
>> After read this documentation i thought that i do not need to use
>> jaas, but now i realize that there is jaas available and in
>> geronimo-ra.xml i found element <container-managed-security /> so i'm
>> actually using container managed security.
>>
>> So how to configure that (geronimo documentation is little bit
>> confusing)?
>
> I looked around the somewhat confusingly organized jackrabbit svn
> (j2ca stuff seems to be present only in branches???) and found
> http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca which
> seems like it might bear some resemblance to the code you are using.
> This code does not support container managed security at all. Unless
> you want to add this capability to jackrabbit you need to stop
> configuring container managed security in your geronimo plan.
>
> If you do want to add this capability to jackrabbit, the place to
> start is in
> http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca/src/main/java/org/apache/jackrabbit/jca/JCAManagedConnectionFactory.java?annotate=703899
>
>
> 162 : public ManagedConnection
> createManagedConnection(Subject subject, ConnectionRequestInfo cri)
> 163 : throws ResourceException {
> 164 : dpfister 510465
> 165 : if (cri == null) {
> 166 : return new AnonymousConnection();
> 167 : }
> 168 : dpfister 230772 return
> createManagedConnection((JCAConnectionRequestInfo) cri);
> 169 : }
>
>
> and
>
> 182 : public ManagedConnection
> matchManagedConnections(Set set, Subject subject,
> ConnectionRequestInfo cri)
> 183 : throws ResourceException {
> 184 : for (Iterator i = set.iterator(); i.hasNext();) {
> 185 : Object next = i.next();
> 186 :
> 187 : if (next instanceof JCAManagedConnection) {
> 188 : JCAManagedConnection mc = (JCAManagedConnection)
> next;
> 189 : if (equals(mc.getManagedConnectionFactory())) {
> 190 : JCAConnectionRequestInfo otherCri =
> mc.getConnectionRequestInfo();
> 191 : if (equals(cri, otherCri)) {
> 192 : return mc;
> 193 : }
> 194 : }
> 195 : }
> 196 : }
> 197 :
> 198 : return null;
> 199 : }
>
>
> where the Subject supplied from container managed security is ignored.
>
> Out of curiousity, does jackrabbit run in-vm or are connections to a
> remote server? If in-vm it might be better to run with pooling turned
> off as it is likely that creating a new managed connection is lighter
> weight than the synchronization involved in pooling existing connections.
>
> thanks
> david jencks
>
>
>
>>
>>
>> - markku
>>
>> David Jencks wrote:
>>> Could you point to some documentation on the JCARepositoryHandle
>>> and the ra.xml for this connector?
>>>
>>> For container managed security you need to use something like the
>>> plugins/connector/geronimo-connector/src/main/java/org/apache/geronimo/connector/outbound/security/CallerIdentityPasswordCredentialLoginModule.java
>>> which you can deploy in a JAAS configuration using the
>>> PasswordCredentialLoginModuleWrapperGBean.java
>>>
>>> Since you are trying to supply the credentials in what appears to be
>>> a "get connection" call I wonder if you actually want container
>>> managed security?
>>>
>>> thanks
>>> david jencks
>>>
>>>
>>> On Nov 7, 2008, at 11:17 PM, Markku Saarela wrote:
>>>
>>>> Hi,
>>>>
>>>> Jackrabbit 1.4 (1.4.1 core) JCA deployed to Geronimo 2.1.1. Web
>>>> application or ejb session bean failed with repository login.
>>>> InitialContext lookup find Repository but calling repository.login(
>>>> new SimpleCredentials( "system", "manager".toCharArray() ) );
>>>> method results exception:
>>>>
>>>> Caused by: javax.resource.ResourceException: No subject for
>>>> container managed security
>>>> at
>>>> org.apache.geronimo.connector.outbound.SubjectInterceptor.getConnection(SubjectIntercepto
>>>>
>>>> r.java:51)
>>>> at
>>>> org.apache.geronimo.connector.outbound.ConnectionHandleInterceptor.getConnection(Connecti
>>>>
>>>> onHandleInterceptor.java:43)
>>>> at
>>>> org.apache.geronimo.connector.outbound.TCCLInterceptor.getConnection(TCCLInterceptor.java
>>>>
>>>> :39)
>>>> at
>>>> org.apache.geronimo.connector.outbound.ConnectionTrackingInterceptor.getConnection(Connec
>>>>
>>>> tionTrackingInterceptor.java:66)
>>>> at
>>>> org.apache.geronimo.connector.outbound.AbstractConnectionManager.allocateConnection(Abstr
>>>>
>>>> actConnectionManager.java:87)
>>>> at
>>>> org.apache.jackrabbit.jca.JCARepositoryHandle.login(JCARepositoryHandle.java:98)
>>>>
>>>>
>>>> So how to configure Geronimo to provide subject to connector?
>>>>
>>>> rgds,
>>>>
>>>> Markku
>>>
>>
>
Re: [RESOLVED]Re: Geronimo not found at login subject for Jackrabbit JCA.
Posted by David Jencks <da...@yahoo.com>.
On Nov 10, 2008, at 9:28 AM, Markku Saarela wrote:
> After removing <container-managed-security /> from geronimo-ra.xml
> and res-auth element from jackrabbit resource-ref in web.xml it works.
Excellent!
>
>
> jackrabbit in my case is running in-vm so i remove any pooling.
>
> Thanks to all for help.
>
> - markku
>
> ps. still my ultimate goal is to go for container managed security,
> so i look for code to realize that.
I'm happy to provide advice but I'm not subscribed to the jackrabbit
lists (and can't deal with any more mailing lists). If you ask
questions here on the g. user list I'll do my best to answer.
My impression from the link you gave earlier was that jackrabbit
currently uses the supplied username and password to log into a JAAS
realm to get a Subject which is then used for authorization. If this
is correct then you ought to be able to simply pass the Subject from
container managed security directly through to the authorization
code. This is not exactly what is envisaged by the J2CA spec but I
expect it would work better than what is normally done. In this case
you wouldn't need to set up the special ManagedConnectionFactory-aware
login module.
The other possibility I can see is to use the spec-recommended
approach and extract the username/password from the MCF-specific
Credential in the container-managed-security Subject.
thanks
david jencks
>
>
> David Jencks wrote:
>>
>> On Nov 8, 2008, at 2:27 AM, Markku Saarela wrote:
>>
>>> Here is configuration documentation:
>>> http://jackrabbit.apache.org/jackrabbit-configuration.html#JackrabbitConfiguration-Securityconfiguration
>>>
>>> After read this documentation i thought that i do not need to use
>>> jaas, but now i realize that there is jaas available and in
>>> geronimo-ra.xml i found element <container-managed-security /> so
>>> i'm actually using container managed security.
>>>
>>> So how to configure that (geronimo documentation is little bit
>>> confusing)?
>>
>> I looked around the somewhat confusingly organized jackrabbit svn
>> (j2ca stuff seems to be present only in branches???) and found http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca
>> which seems like it might bear some resemblance to the code you
>> are using. This code does not support container managed security
>> at all. Unless you want to add this capability to jackrabbit you
>> need to stop configuring container managed security in your
>> geronimo plan.
>>
>> If you do want to add this capability to jackrabbit, the place to
>> start is in http://svn.eu.apache.org/viewvc/jackrabbit/branches/1.5/jackrabbit-jca/src/main/java/org/apache/jackrabbit/jca/JCAManagedConnectionFactory.java?annotate=703899
>>
>> 162 : public ManagedConnection
>> createManagedConnection(Subject subject, ConnectionRequestInfo cri)
>> 163 : throws ResourceException {
>> 164 : dpfister 510465 165 : if (cri ==
>> null) {
>> 166 : return new AnonymousConnection();
>> 167 : }
>> 168 : dpfister 230772 return
>> createManagedConnection((JCAConnectionRequestInfo) cri);
>> 169 : }
>>
>>
>> and
>>
>> 182 : public ManagedConnection
>> matchManagedConnections(Set set, Subject subject,
>> ConnectionRequestInfo cri)
>> 183 : throws ResourceException {
>> 184 : for (Iterator i = set.iterator();
>> i.hasNext();) {
>> 185 : Object next = i.next();
>> 186 : 187 : if (next instanceof
>> JCAManagedConnection) {
>> 188 : JCAManagedConnection mc =
>> (JCAManagedConnection) next;
>> 189 : if (equals(mc.getManagedConnectionFactory())) {
>> 190 : JCAConnectionRequestInfo otherCri =
>> mc.getConnectionRequestInfo();
>> 191 : if (equals(cri, otherCri)) {
>> 192 : return mc;
>> 193 : }
>> 194 : }
>> 195 : }
>> 196 : }
>> 197 : 198 : return null;
>> 199 : }
>>
>>
>> where the Subject supplied from container managed security is
>> ignored.
>>
>> Out of curiousity, does jackrabbit run in-vm or are connections to
>> a remote server? If in-vm it might be better to run with pooling
>> turned off as it is likely that creating a new managed connection
>> is lighter weight than the synchronization involved in pooling
>> existing connections.
>>
>> thanks
>> david jencks
>>
>>
>>
>>>
>>>
>>> - markku
>>>
>>> David Jencks wrote:
>>>> Could you point to some documentation on the JCARepositoryHandle
>>>> and the ra.xml for this connector?
>>>>
>>>> For container managed security you need to use something like the
>>>> plugins/connector/geronimo-connector/src/main/java/org/apache/
>>>> geronimo/connector/outbound/security/
>>>> CallerIdentityPasswordCredentialLoginModule.java which you can
>>>> deploy in a JAAS configuration using the
>>>> PasswordCredentialLoginModuleWrapperGBean.java
>>>>
>>>> Since you are trying to supply the credentials in what appears to
>>>> be a "get connection" call I wonder if you actually want
>>>> container managed security?
>>>>
>>>> thanks
>>>> david jencks
>>>>
>>>>
>>>> On Nov 7, 2008, at 11:17 PM, Markku Saarela wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Jackrabbit 1.4 (1.4.1 core) JCA deployed to Geronimo 2.1.1. Web
>>>>> application or ejb session bean failed with repository login.
>>>>> InitialContext lookup find Repository but calling
>>>>> repository.login( new SimpleCredentials( "system",
>>>>> "manager".toCharArray() ) ); method results exception:
>>>>>
>>>>> Caused by: javax.resource.ResourceException: No subject for
>>>>> container managed security
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .geronimo
>>>>> .connector
>>>>> .outbound.SubjectInterceptor.getConnection(SubjectIntercepto
>>>>> r.java:51)
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .geronimo
>>>>> .connector
>>>>> .outbound.ConnectionHandleInterceptor.getConnection(Connecti
>>>>> onHandleInterceptor.java:43)
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .geronimo
>>>>> .connector
>>>>> .outbound.TCCLInterceptor.getConnection(TCCLInterceptor.java
>>>>> :39)
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .geronimo
>>>>> .connector
>>>>> .outbound.ConnectionTrackingInterceptor.getConnection(Connec
>>>>> tionTrackingInterceptor.java:66)
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .geronimo
>>>>> .connector
>>>>> .outbound.AbstractConnectionManager.allocateConnection(Abstr
>>>>> actConnectionManager.java:87)
>>>>> at
>>>>> org
>>>>> .apache
>>>>> .jackrabbit
>>>>> .jca.JCARepositoryHandle.login(JCARepositoryHandle.java:98)
>>>>>
>>>>> So how to configure Geronimo to provide subject to connector?
>>>>>
>>>>> rgds,
>>>>>
>>>>> Markku
>>>>
>>>
>>
>