tomee-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Blevins <david.blev...@visi.com>
Subject Re: Antwort: Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
Date Thu, 12 Jun 2008 06:58:23 GMT
Hi Josef,

Looks like you do have some custom LoginModules, the Geronimo ones :)   
Those aren't going to run outside of Geronimo, but I've started a  
thread to see if we can get them to be less dependent on the Geronimo  
runtime and therefore more reusable in other settings, like unit tests.

Hopefully we can get some good news for you.

Aside from the login part, I can promise you that the code and process  
*after* the login is exactly the same as the RunAs.  So if you have  
ejbs with security constraints (@RolesAllowed, @DenyAll, @PermitAll,  
etc.) I absolutely guarantee that those *are* testable, just the test  
are assuming a positive login is possible.  Another way to think of it  
as that the login is "mocked" and the enforcement of that Subject is  
100% real.  It should at least allow you to get started and test that  
@RolesAllowed, @DenyAll, @PermitAll, @DeclareRoles and isCallerInRole  
all function as you want them to.  The login part could be added later  
and the RunAs removed with little change to the tests.

-David

On Jun 11, 2008, at 5:03 AM, Josef.Eisele@bgs-ag.de wrote:

> Hi David,
>
> thank you very much for your assistance. If I understand you right the
> Realm-Name of the Default Security Service is called
> "PropertiesLogin".
> If I could change that to "vesuv-db-sha256", my problems are solved.
>
> definition of the realm 'vesuv-db-sha256' in Geronimo 2.1.1:
>
> <module xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
>    <environment>
>        <moduleId>
>            <groupId>console.realm</groupId>
>            <artifactId>vesuv-db-sha256</artifactId>
>            <version>1.0</version>
>            <type>car</type>
>        </moduleId>
>        <dependencies>
>            <dependency>
>                <groupId>org.apache.geronimo.framework</groupId>
>                <artifactId>j2ee-security</artifactId>
>                <type>car</type>
>            </dependency>
>            <dependency>
>                <groupId>console.dbpool</groupId>
>                <artifactId>Postgres.postgres.vesuv</artifactId>
>                <version>1.0</version>
>                <type>rar</type>
>            </dependency>
>        </dependencies>
>    </environment>
>    <gbean name="vesuv-db-sha256"
> class="org.apache.geronimo.security.realm.GenericSecurityRealm"
> xsi:type="dep:gbeanType" xmlns:dep="
> http://geronimo.apache.org/xml/ns/deployment-1.2" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance">
>        <attribute name="realmName">vesuv-db-sha256</attribute>
>        <reference name="ServerInfo">
>            <name>ServerInfo</name>
>        </reference>
>        <xml-reference name="LoginModuleConfiguration">
>            <log:login-config xmlns:log="
> http://geronimo.apache.org/xml/ns/loginconfig-2.0">
>                <log:login-module control-flag="REQUIRED"
> wrap-principals="false">
> <log:login-domain-name>vesuv-db-sha256</log:login-domain-name>
>
> <log:login-module- 
> class>org.apache.geronimo.security.realm.providers.SQLLoginModule</ 
> log:login-module-class>
>                    <log:option
> name="dataSourceName">Postgres.postgres.vesuv</log:option>
>                    <log:option name="encoding">hex</log:option>
>                    <log:option
> name="dataSourceApplication">null</log:option>
>                    <log:option name="digest">SHA-256</log:option>
>                    <log:option name="groupSelect">select bla
> bla</log:option>
>                    <log:option name="userSelect">select  bla
> bla</log:option>
>                </log:login-module>
>                <log:login-module control-flag="OPTIONAL"
> wrap-principals="false">
> <log:login-domain-name>vesuv-db-sha256-Audit</log:login-domain-name>
>
> <log:login-module- 
> class 
> >org.apache.geronimo.security.realm.providers.FileAuditLoginModule</ 
> log:login-module-class>
>                    <log:option
> name="file">var/log/vesuv-login.log</log:option>
>                </log:login-module>
>                <log:login-module control-flag="REQUISITE"
> wrap-principals="false">
> <log:login-domain-name>vesuv-db-sha256-Lockout</log:login-domain-name>
>
> <log:login-module- 
> class 
> > 
> org 
> .apache 
> .geronimo 
> .security.realm.providers.RepeatedFailureLockoutLoginModule</ 
> log:login-module-class>
>                    <log:option name="failureCount">3</log:option>
>                    <log:option name="failurePeriodSecs">180</ 
> log:option>
>                    <log:option
> name="lockoutDurationSecs">1800</log:option>
>                </log:login-module>
>            </log:login-config>
>        </xml-reference>
>    </gbean>
> </module>
>
>
> Session Bean LoginManagerImpl.java
>
> import javax.ejb.*;
> import javax.security.auth.login.LoginContext;
>
> import de.nrw.hagen.ggrz.Exception.StdAppException;
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.bv.benutzer.*;
> import de.nrw.hagen.ggrz.log.Logger;
> import javax.security.auth.login.*;
> ....
>        /**
>         * Login beim Container durchfhren lassen mit JAAS.
>         *
>         * @param benutzer
>         * @param kennwort
>         * @return
>         */
>        public boolean loginContainer(String benutzer, String  
> kennwort)  {
>                logger.info("Login EJB Container:" + benutzer + "/" +
> kennwort);
>                try {
>                        LoginCallback logcb = new  
> LoginCallback(benutzer,
> kennwort);
>                        LoginContext lc = new
> LoginContext("vesuv-db-sha256",logcb);
>                        lc.login();
>                        subject = lc.getSubject();
>                }
>                catch (LoginException ex) {
>                        logger.error("Exception bei login:" +
> ex.getMessage());
>                        //if (ex.getMessage().equals("SQL error"))
>                                //throw ex;
>                        throw new StdAppException("Exception bei  
> Login",
> ex);
>
>                }
>                 }
>
>
> JUnit-Test Class:
>
> ....
> import java.util.Properties;
>
> import javax.naming.Context;
> import javax.naming.InitialContext;
> import javax.naming.NamingException;
>
> import org.junit.After;
>
> import de.nrw.hagen.ggrz.bv.bo.BenutzerKontext;
> import de.nrw.hagen.ggrz.login.LoginManager;
> import de.nrw.hagen.ggrz.security.Subject;
>
> public class BaseTest {
>
>        private String benutzer = "sys";
>        private String passwort = "chief";
>        private Subject user = null;
>        private BenutzerKontext benutzerKontext = null;
>
>        private InitialContext initialContext;
>
>        public BaseTest() {
>                initEnvironment();
>        }
>
>        public void initEnvironment() {
>
> System.out.println("------------------ 
> initEnvironment--------------------------");
>                        Properties properties = new Properties();
> properties.setProperty(Context.INITIAL_CONTEXT_FACTORY,
> "org.apache.openejb.client.LocalInitialContextFactory");
>
>                        // Minimum required for login
>                         
> properties.setProperty(Context.SECURITY_PRINCIPAL,
> benutzer);
> properties.setProperty(Context.SECURITY_CREDENTIALS, passwort);
>
>                        // Optional param for specifying a specific
> Geronimo security realm
>                         
> properties.put("openejb.authentication.realmName",
> "vesuv-db-sha256");
>
>                        properties.put("openejb.home",
> "/home/user/workspace/VesuvUnit/openejb");
>
>                        properties.put("Postgres.postgres.vesuv",
> "new://Resource?type=DataSource");
> properties.put("Postgres.postgres.vesuv.JdbcDriver",
> "org.postgresql.Driver");
>                         
> properties.put("Postgres.postgres.vesuv.JdbcUrl",
> "jdbc:postgresql://localhost/bgsdev1");
>                         
> properties.put("Postgres.postgres.vesuv.UserName",
> "bgsdev1");
>                         
> properties.put("Postgres.postgres.vesuv.Password",
> "bgsdev1");
>                         
> properties.put("openjpa.jdbc.SynchronizeMappings",
> "false");
>                        properties.put("openjpa.jdbc.Schema", "vesuv");
>
>                        try {
>                                initialContext = new
> InitialContext(properties);
>                                user = readUserFromLogin();
>                        } catch (Exception e) {
>                                e.printStackTrace();
>                        }
>
>                }
>
>
>        private Subject readUserFromLogin() {
>                LoginManager loginManager = null;
>
>                try {
>                        loginManager = (LoginManager)
> initialContext.lookup("LoginManagerImplLocal");
>                        loginManager.loginContainer(benutzer,  
> passwort);
>                } catch (NamingException e1) {
>                        // TODO Auto-generated catch block
>                        e1.printStackTrace();
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                try {
>                        benutzerKontext =
> loginManager.bestimmeBenutzerKontext(benutzer);
>                } catch (Exception e) {
>                        // TODO Auto-generated catch block
>                        e.printStackTrace();
>                }
>
>                return new
> Subject(benutzerKontext,loginManager.getSubject());
>
>        }
>        ....
>
> }
>
>
> Mit freundlichen Grüßen / Kind regards
> Josef Eisele
>
> Direkt: +49 (0) 6131 / 914-180
>
>
>
>
> David Blevins <david.blevins@visi.com>
> 09.06.2008 22:55
> Bitte antworten an
> users@openejb.apache.org
>
>
> An
> users@openejb.apache.org
> Kopie
>
> Thema
> Re: Antwort: Re: Using OpenEJB Security for JAAS LoginModule
>
>
>
>
>
>
>
> On Jun 9, 2008, at 5:26 AM, Josef.Eisele@bgs-ag.de wrote:
>
>> Hi David,
>>
>> thank you very much for the link. I got it twice and I read it
>> twice ;-)
>> but it doesn't help concerning my actual problem.
>>
>> To run our business code it is necessary to login into an
>> 'SecurityService' with user/password/realm and as result there must
>> be a
>> Secuity-Object (javax.security.auth.Subject). This Security-Object is
>> nessary to invoke our business code. The magic  
>> @RunAs("Employee")won't
>> work in our case.
>
> If you could give me some more detail here, that'd be great.  Both
> login and runas result in a javax.security.auth.Subject being created
> by and enforced by the SecurityService.  The creation is slightly
> different, but the subject is tracked and enforced by the
> SecurityService in exactly the same way.
>
> If you have any sample code on what doesn't work that would also be
> helpful.
>
>> The default implementation from the security service with the
>> parameters
>> user/password is fine, but we miss the realm-Parameter. And if we
>> add it,
>> the Security Service says
>>
>> Exception bei Login:Fr vesuv-db-sha256 sind keine Anmeldemodule
>> konfiguriert.
>>
>> Anmeldemodule = Login module
>
> The realm in OpenEJB refers to the JAAS LoginModule.  The login module
> that is setup in the SecurityServices login.config file is called
> "PropertiesLogin".  This is the default value for realm when left
> unspecified.
>
> If you have a custom javax.security.auth.spi.LoginModule there is a
> way to set one up.  Let me know if that is what you're trying to do
> and I'll see if I can get an example working.
>
> -David
>
>
>>
>>
>>
>> cu Josef
>>
>>
>>
>>
>>
>> David Blevins <david.blevins@visi.com>
>> 06.06.2008 23:06
>> Bitte antworten an
>> users@openejb.apache.org
>>
>>
>> An
>> users@openejb.apache.org
>> Kopie
>>
>> Thema
>> Re: Using OpenEJB Security for JAAS LoginModule
>>
>>
>>
>>
>>
>>
>> Hi Josef,
>>
>> Looks this post arrived at about the same time as my last response,  
>> so
>> this might be repeat information :)
>>
>> This example shows a good technique for unit testing various security
>> permissions.
>>
>>  http://openejb.apache.org/3.0/testing-security-example.html
>>
>> The JNDI login approach isn't really optimal as there is no "logout"
>> option and it tends to make a mess of things.  With the above  
>> approach
>> you can wrap your calls with any security context you like and test
>> accessing your bean via secured and unsecured "clients" and check  
>> that
>> permissions for various roles are as they need to be.
>>
>> -David
>>
>>
>> On Jun 6, 2008, at 1:24 AM, Josef.Eisele@bgs-ag.de wrote:
>>
>>> Hi All,
>>>
>>> we use embedded openejb to test our JavaEE-5 (Geronimo App.server)
>>> Application. With the great help of David Blevins the JUNIT-Tests  
>>> can
>>> invoke our session beans and even Transaction Handling is working
>>> fine.
>>> At the moment I use a trick to avoid the Login-Procedure, but this
>>> won't
>>> work on the long run.
>>>
>>> With Geronimo 2.1.1 we use the JAAS API. Our usage is described in
>>> http://cwiki.apache.org/GMOxDOC10/geronimo-and-jaas.html. For my
>>> junit-testcase I need therefore anything which can provide me a
>>> javax.security.auth.Subject after successful login. With the
>>> default -
>>> Security Service
>>> <SecurityService id="Default Security Service"/>
>>> and the configuration in users.properties and groups.properties I
>>> get the
>>> error:
>>>
>>> Exception bei Login:Fr vesuv-db-sha256 sind keine Anmeldemodule
>>> konfiguriert.
>>>
>>> (Anmeldemodule = security realm, I think...)
>>>
>>> I tried also PseudoSecurityService, but I got an exception as well.
>>>
>>> JUNIT-Testcase
>>>                              Properties properties = new
>>> Properties();
>>> ....
>>>              // Minimum required for login
>>>              properties.setProperty(Context.SECURITY_PRINCIPAL,
>>> benutzer);
>>>              properties.setProperty(Context.SECURITY_CREDENTIALS,
>>> passwort);
>>>
>>>              // Optional param for specifying a specific Geronimo
>>> security realm
>>>              properties.put("openejb.authentication.realmName",
>>> "vesuv-db-sha256");
>>>
>>>              properties.put("mySecurityService",
>>> "new://PseudoSecurityService");
>>> ....
>>>                      loginManager = (LoginManager)
>>> initialContext.lookup("LoginManagerImplLocal");
>>>                      loginManager.loginContainer(benutzer,
>>> passwort);
>>> ....
>>>
>>> LoginManager-Session Bean:
>>> ...
>>>              try {
>>>                      LoginCallback logcb = new
>>> LoginCallback(benutzer,
>>> passwort);
>>>                      LoginContext lc = new
>>> LoginContext("vesuv-db-sha256",logcb);
>>>                      lc.login();
>>>                      subject = lc.getSubject();
>>>              }
>>> ...
>>>
>>> The realm "vesuv-db-sha256" is defined under
>>> Geronimo-Applicationserver-Console Security - Security Realms.
>>>
>>> I read  http://openejb.apache.org/3.0/security.html, but I don't
>>> understand how to configure the Security for embedded openejb.
>>>
>>> Thanx in advance for any help on this.
>>>
>>> Mit freundlichen Grüßen / Kind regards
>>> Josef Eisele
>>>
>>> Direkt: +49 (0) 6131 / 914-180
>>>
>>> BGS Beratungsgesellschaft
>>> Software Systemplanung AG         Niederlassung Rhein/Main
>>> Robert-Koch-Straße 41
>>> 55129 Mainz
>>> Fon: +49 (0) 6131 / 914-0
>>> Fax: +49 (0) 6131 / 914-400
>>> www.bgs-ag.de Geschäftssitz Mainz
>>> Registergericht
>>> Amtsgericht Mainz
>>> HRB 62 50
>>> Aufsichtsratsvorsitzender
>>> Dr. Wolfgang Trommer
>>> Vorstand
>>> Hanspeter Gau
>>> Hermann Kiefer
>>> Nils Manegold
>>> Heinz-Jörg Zimmermann
>>>
>>>
>>
>>
>>
>> BGS Beratungsgesellschaft
>> Software Systemplanung AG
>>
>>
>>
>>
>> Niederlassung Rhein/Main
>> Robert-Koch-Straße 41
>> 55129 Mainz
>> Fon: +49 (0) 6131 / 914-0
>> Fax: +49 (0) 6131 / 914-400
>> www.bgs-ag.de
>> Geschäftssitz Mainz
>> Registergericht
>> Amtsgericht Mainz
>> HRB 62 50
>>
>> Aufsichtsratsvorsitzender
>> Dr. Wolfgang Trommer
>> Vorstand
>> Hanspeter Gau
>> Hermann Kiefer
>> Nils Manegold
>> Heinz-Jörg Zimmermann
>>
>>
>
>
>
> BGS Beratungsgesellschaft
> Software Systemplanung AG         Niederlassung Rhein/Main
> Robert-Koch-Straße 41
> 55129 Mainz
> Fon: +49 (0) 6131 / 914-0
> Fax: +49 (0) 6131 / 914-400
> www.bgs-ag.de Geschäftssitz Mainz
> Registergericht
> Amtsgericht Mainz
> HRB 62 50
>  Aufsichtsratsvorsitzender
> Dr. Wolfgang Trommer
> Vorstand
> Hanspeter Gau
> Hermann Kiefer
> Nils Manegold
> Heinz-Jörg Zimmermann
>


Mime
View raw message