Posted to user@geronimo.apache.org by "Field, John" <jf...@gopivotal.com> on 2013/05/24 19:47:02 UTC
Support for in geronimo-web.xml
Greetings,
I have a Geronimo 3 deployment and I have configured my application to use the LDAPLoginModule against Fortress (i.e. OpenLDAP).
I have included a security role as part of the web.xml, and I've successfully mapped that abstract role to LDAP groups using
<principal name="myAbstractRoleName" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
in my geronimo-web.xml.
However, the configuration option for a <distinguished-name> here does not seem to work.
Does anyone know if this is implemented in the runtime, or perhaps there is something wrong in my configuration?
Below is a simple geronimo-web.xml configuration that I've done against one of the sample EJB applications to demonstrate the problem.
TIA,
John
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0" xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <dep:environment xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2">
    <dep:moduleId>
      <dep:artifactId>MyTimeWeb</dep:artifactId>
      <dep:version>1.0</dep:version>
      <dep:type>war</dep:type>
    </dep:moduleId>
    <dep:dependencies>
      <dep:dependency>
        <dep:groupId>console.realm</dep:groupId>
        <dep:artifactId>FortressRealm</dep:artifactId>
        <dep:version>1.0</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
    </dep:dependencies>
  </dep:environment>
  <context-root>/mytime</context-root>
  <security-realm-name>FortressRealm</security-realm-name>
  <sec:security>
    <sec:default-principal>
      <sec:principal name="anonymous"
                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
    </sec:default-principal>
    <sec:role-mappings>
      <sec:role role-name="EnmasseSuperUserRole">
        <sec:principal name="EnmasseSuperUser"
                       class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        <sec:principal name="role1"
                       class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        <!-- Support for this does not seem to be implemented: -->
        <sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>
        <sec:distinguished-name name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
        <sec:distinguished-name name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
        <!-- This works, but is not my preferred approach. -->
        <sec:principal name="johnfield" class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</web-app>
Re: Support for in geronimo-web.xml
Posted by John Field <jf...@gopivotal.com>.
Answering my own post here.....
I now understand that the <sec:distinguished-name> element is meant to be
used with X.509 client certificate support, and is not intended as an
integration with a (back-end) LDAP realm.
These can co-exist, with the LDAP realm configuration being independent of
any DN as presented via X.509 certificates.
Sorry for the confusion.
Thanks,
John
On Fri, May 24, 2013 at 1:47 PM, Field, John <jf...@gopivotal.com> wrote:
> Greetings,
>
> I have a Geronimo 3 deployment and I have configured my application to use
> the LDAPLoginModule against Fortress (i.e. OpenLDAP).
>
> I have included a security role as part of the web.xml, and I've
> successfully mapped that abstract role to LDAP groups using
>
> <principal name="myAbstractRoleName"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
>
> in my geronimo-web.xml.
>
> However, the configuration option for a <distinguished-name> here does not
> seem to work.
>
> Does anyone know if this is implemented in the runtime, or perhaps there is
> something wrong in my configuration?
>
> Below is a simple geronimo-web.xml configuration that I've done against
> one of the sample EJB applications to demonstrate the problem.
>
> TIA,
> John
>
>
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"
> xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
>
> <dep:environment xmlns:dep="
> http://geronimo.apache.org/xml/ns/deployment-1.2">
> <dep:moduleId>
> <dep:artifactId>MyTimeWeb</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>war</dep:type>
> </dep:moduleId>
> <dep:dependencies>
> <dep:dependency>
> <dep:groupId>console.realm</dep:groupId>
> <dep:artifactId>FortressRealm</dep:artifactId>
> <dep:version>1.0</dep:version>
> <dep:type>car</dep:type>
> </dep:dependency>
> </dep:dependencies>
> </dep:environment>
>
> <context-root>/mytime</context-root>
>
> <security-realm-name>FortressRealm</security-realm-name>
>
> <sec:security>
> <sec:default-principal>
> <sec:principal name="anonymous"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> />
> </sec:default-principal>
> <sec:role-mappings>
> <sec:role role-name="EnmasseSuperUserRole">
>
>
> <sec:principal name="EnmasseSuperUser"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
> <sec:principal name="role1"
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
> />
>
> <!-- Support for this does not seem to be implemented: -->
> <sec:distinguished-name
> name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>
> <sec:distinguished-name
> name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
> <sec:distinguished-name
> name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
>
>
> <!-- This works, but is not my preferred approach. -->
> <sec:principal name="johnfield"
> class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
> />
>
>
> </sec:role>
> </sec:role-mappings>
> </sec:security>
>
>
> </web-app>
>
>
--
John P. Field | Security Architect | Pivotal
Direct: (908) 962-3394 | jfield@gopivotal.com
goPivotal.com <http://www.goPivotal.com>
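As an added example (not part of the thread or of Geronimo itself), a small Python audit of a geronimo-web.xml role mapping: it lists, per role, the realm principals that are mapped and the <sec:distinguished-name> entries, and flags the latter because, as the reply explains, they are for X.509 client-certificate support and are not matched against LDAP realm entries. The embedded descriptor is a constructed, trimmed copy of the one posted above.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the geronimo-web.xml posted in the thread.
NS = {
    "web": "http://geronimo.apache.org/xml/ns/j2ee/web-2.0",
    "sec": "http://geronimo.apache.org/xml/ns/security-2.0",
}

# Constructed sample: a trimmed copy of the descriptor from the original post.
SAMPLE_XML = """<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <security-realm-name>FortressRealm</security-realm-name>
  <sec:security>
    <sec:role-mappings>
      <sec:role role-name="EnmasseSuperUserRole">
        <sec:principal name="EnmasseSuperUser"
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"/>
        <sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"/>
        <sec:principal name="johnfield"
          class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>
</web-app>
"""


def audit_role_mappings(xml_text):
    """Return {role_name: {"principals": [(name, short_class)], "cert_dns": [dn]}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for role in root.iterfind(".//sec:role", NS):
        entry = {"principals": [], "cert_dns": []}
        for p in role.iterfind("sec:principal", NS):
            # Keep only the simple class name, e.g. GeronimoGroupPrincipal.
            entry["principals"].append((p.get("name"), p.get("class", "").rsplit(".", 1)[-1]))
        for dn in role.iterfind("sec:distinguished-name", NS):
            entry["cert_dns"].append(dn.get("name"))
        result[role.get("role-name")] = entry
    return result


def findings(xml_text):
    """List DN mappings that will not bind LDAP users/groups, plus roles mapping nothing."""
    root = ET.fromstring(xml_text)
    realm_el = root.find("web:security-realm-name", NS)
    realm = realm_el.text if realm_el is not None else "<unknown>"
    out = []
    for role, entry in audit_role_mappings(xml_text).items():
        for dn in entry["cert_dns"]:
            out.append(f"{role}: distinguished-name '{dn}' is an X.509 client-certificate "
                       f"DN mapping; it is not matched against LDAP realm '{realm}'")
        if not entry["principals"]:
            out.append(f"{role}: no sec:principal mapping; no realm user or group gets this role")
    return out
```

Run `findings(SAMPLE_XML)` to see the single warning for the `uid=johnfield` DN; the two `sec:principal` entries are reported as the mappings that actually grant the role.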