Support for <distinguished-name> in geronimo-web.xml

Support for <distinguished-name> in geronimo-web.xml

jfield
Greetings,

I have a Geronimo 3 deployment and I have configured my application to use the LDAPLoginModule against Fortress (i.e. OpenLDAP).  

I have included a security role as part of the web.xml, and I've successfully mapped that abstract role to LDAP groups using 

<principal name="myAbstractRoleName" class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

in my geronimo-web.xml.

However, the configuration option for a <distinguished-name> here does not seem to work.  

Does anyone know if this is implemented in the runtime, or perhaps there is something wrong in my configuration?

Below is a simple geronimo-web.xml configuration that I've done against one of the sample EJB applications to demonstrate the problem.

TIA,
John


<?xml version="1.0" encoding="UTF-8"?>
<!-- The <web-app> and <dep:environment> opening tags are missing from the archived
     post; they are restored here. The namespace URIs are assumed to be the Geronimo 3.0
     ones matching the dep: and sec: prefixes used below. -->
<web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-2.0.1"
         xmlns:dep="http://geronimo.apache.org/xml/ns/deployment-1.2"
         xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

  <dep:environment>
    <dep:moduleId>
      <dep:artifactId>MyTimeWeb</dep:artifactId>
      <dep:version>1.0</dep:version>
      <dep:type>war</dep:type>
    </dep:moduleId>
    <dep:dependencies>
      <dep:dependency>
        <dep:groupId>console.realm</dep:groupId>
        <dep:artifactId>FortressRealm</dep:artifactId>
        <dep:version>1.0</dep:version>
        <dep:type>car</dep:type>
      </dep:dependency>
    </dep:dependencies>
  </dep:environment>

  <context-root>/mytime</context-root>

  <security-realm-name>FortressRealm</security-realm-name>

  <sec:security>
    <sec:default-principal>
      <sec:principal name="anonymous"
                     class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />
    </sec:default-principal>
    <sec:role-mappings>
      <sec:role role-name="EnmasseSuperUserRole">

        <sec:principal name="EnmasseSuperUser"
                       class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />
        <sec:principal name="role1"
                       class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" />

        <!-- Support for this does not seem to be implemented: -->
        <sec:distinguished-name name="uid=johnfield,ou=People,dc=jts,dc=us"></sec:distinguished-name>
        <sec:distinguished-name name="cn=EnmasseSuperUser,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>
        <sec:distinguished-name name="cn=role1,ou=Roles,ou=RBAC,dc=jts,dc=us"></sec:distinguished-name>

        <!-- This works, but is not my preferred approach. -->
        <sec:principal name="johnfield"
                       class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" />

      </sec:role>
    </sec:role-mappings>
  </sec:security>

</web-app>


Re: Support for <distinguished-name> in geronimo-web.xml

jfield
Answering my own post here.....

I now understand that the <sec:distinguished-name> element is meant to be used with X.509 client certificate support, and is not intended as an integration with a (back-end) LDAP realm.

These can co-exist, with the LDAP realm configuration being independent of any DN as presented via X.509 certificates.

Sorry for the confusion.

Thanks,
John   


On Fri, May 24, 2013 at 1:47 PM, Field, John <[hidden email]> wrote:
--

John P. Field | Security Architect | Pivotal

Direct: (908) 962-3394 | [hidden email] 


goPivotal.com
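The distinction John arrives at can be made concrete at the JAAS level. The following is an added example, not code from the thread or from Geronimo: it models a <sec:role> mapping as a set of principals and grants the role when any principal in the authenticated Subject equals a mapped one. The NamedPrincipal class is a stand-in for GeronimoUserPrincipal and GeronimoGroupPrincipal (assumed to compare by type and name), and ldapLogin()/certLogin() are assumptions about what each login path leaves in the Subject: an LDAP login module contributes user and group names, a client-certificate login contributes the certificate subject as a javax.security.auth.x500.X500Principal. The <sec:distinguished-name> entries are modelled as X500Principal, which is why they can only ever match the certificate path.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Objects;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

/**
 * Models how a geronimo-web.xml <sec:role> resolves against a JAAS Subject:
 * the role is granted when ANY principal in the Subject equals one of the
 * principals mapped to the role. Stand-alone example; the classes below are
 * stand-ins, not Geronimo's own.
 */
public class RoleMappingDemo {

    /** Stand-in for GeronimoUserPrincipal / GeronimoGroupPrincipal (assumption: equal by kind + name). */
    static final class NamedPrincipal implements Principal {
        private final String kind;   // "user" or "group"
        private final String name;

        NamedPrincipal(String kind, String name) {
            this.kind = kind;
            this.name = name;
        }

        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal
                && ((NamedPrincipal) o).kind.equals(kind)
                && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return Objects.hash(kind, name); }
        @Override public String toString() { return kind + ":" + name; }
    }

    static Principal user(String n)  { return new NamedPrincipal("user", n); }
    static Principal group(String n) { return new NamedPrincipal("group", n); }

    /** <sec:distinguished-name name="..."/> modelled as an X.500 DN principal, not a string. */
    static Principal dn(String rfc2253) { return new X500Principal(rfc2253); }

    /** The EnmasseSuperUserRole mapping from the post: two group names and one DN. */
    static final Set<Principal> ENMASSE_SUPER_USER_ROLE = new LinkedHashSet<>(Arrays.asList(
        group("EnmasseSuperUser"),
        group("role1"),
        dn("uid=johnfield,ou=People,dc=jts,dc=us")
    ));

    /** Role check: does the Subject's principal set intersect the role's mapped principals? */
    static boolean hasRole(Subject subject, Set<Principal> roleMapping) {
        for (Principal p : subject.getPrincipals()) {
            if (roleMapping.contains(p)) {
                return true;
            }
        }
        return false;
    }

    /** Assumed LDAP login result: user and group NAMES only, never the LDAP entry DN. */
    static Subject ldapLogin(String uid, String... groups) {
        Subject s = new Subject();
        s.getPrincipals().add(user(uid));
        for (String g : groups) {
            s.getPrincipals().add(group(g));
        }
        return s;
    }

    /** Assumed client-certificate login result: the certificate's subject DN as an X500Principal. */
    static Subject certLogin(String subjectDn) {
        Subject s = new Subject();
        s.getPrincipals().add(new X500Principal(subjectDn));
        return s;
    }

    public static void main(String[] args) {
        // 1. LDAP user in a mapped group: granted through the group principal.
        System.out.println(hasRole(ldapLogin("johnfield", "EnmasseSuperUser"), ENMASSE_SUPER_USER_ROLE));

        // 2. Same LDAP user with no mapped group: NOT granted, although the entry DN
        //    uid=johnfield,ou=People,dc=jts,dc=us is listed. The LDAP path never put an
        //    X500Principal into the Subject, so the <distinguished-name> entry has nothing to match.
        System.out.println(hasRole(ldapLogin("johnfield"), ENMASSE_SUPER_USER_ROLE));

        // 3. Client certificate whose subject is that DN: granted. Spacing and keyword case
        //    differ from the mapping; X500Principal.equals compares canonical forms, not strings.
        System.out.println(hasRole(certLogin("UID=johnfield, OU=People, DC=jts, DC=us"), ENMASSE_SUPER_USER_ROLE));

        // 4. A certificate with a similar-looking but different DN: not granted.
        System.out.println(hasRole(certLogin("UID=johnfield,OU=Contractors,DC=jts,DC=us"), ENMASSE_SUPER_USER_ROLE));
    }
}
```

Running main() prints true, false, true, false. Case 2 is the behaviour John observed: the LDAP entry whose DN is listed under the role still gets nothing from that entry, because no principal of DN type is ever created for it. Case 3 shows the check worth keeping in mind when mapping certificate DNs: compare them as X500Principal (canonical RFC 2253 form) rather than as raw strings, so that differences in whitespace or attribute-type case do not silently break the mapping. How Geronimo's own realm matches its principal classes is not reproduced here; the example only shows the JAAS-level rule.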