SystemAdmin

Pinned topic Changing security realm of admin console

‏2007-10-11T13:17:29Z |
Hi,

is there a way to change the security realm of the admin console? I have my own written security realm which works fine for self deployed applications.
Now I wanted to change the security realm of the admin console, but I have not found a geronimo-web.xml that belongs to the admin console.

I am using WAS CE 2.0

Any ideas?
  • Ashish_Jain

    Re: Changing security realm of admin console

    ‏2007-10-16T09:56:10Z  in response to SystemAdmin
    When you build the server from source, the plan file will be generated to configs\webconsole-tomcat\target\plan\plan.xml. This plan file can be edited to change the realm-name from "geronimo-admin" to "my-new-realm" plus other changes to role-mapping and then redeploy applications\console\geronimo-console-ear\target\geronimo-console-ear-2.0.1.ear using this edited plan file.
    • SystemAdmin

      Re: Changing security realm of admin console

      ‏2007-10-16T12:46:26Z  in response to Ashish_Jain
      Where do I get the source? Is it just the Geronimo source from http://geronimo.apache.org/downloads.html or is there a special source with the WAS CE admin console available?
      • Ashish_Jain

        Re: Changing security realm of admin console

        ‏2007-10-16T12:53:45Z  in response to SystemAdmin
        You need to take the AG source for this.
        • SystemAdmin

          Re: Changing security realm of admin console

          ‏2007-10-26T17:33:28Z  in response to Ashish_Jain
          Cool, it works!!
          But: when I take the Apache Geronimo source for the console redeploy, the new console is of course the one from Geronimo. Is the source code of WebSphere CE also somewhere available to redeploy the original WAS CE console from IBM?
          • Ashish_Jain

            Re: Changing security realm of admin console

            ‏2007-10-29T10:43:37Z  in response to SystemAdmin
            Hi,
            For WAS CE there are no source downloads available. It only allows binary downloads.

            Thanks
            Ashish
  • SystemAdmin

    Re: Changing security realm of admin console

    ‏2012-03-19T09:33:51Z  in response to SystemAdmin
    Hello!

    I'm using WAS-CE 3.0.0 and would like to change the security realm (to use with LDAP) of admin console. I successfully deployed realm but I am not able to use it. I tried to redeploy geronimo 3 (I changed the plan.xml), but I can't find geronimo-console-ear file. Is there any other way to secure the admin console?

    Thanks.
    • Shawn_Jiang

      Re: Changing security realm of admin console

      ‏2012-03-19T10:05:56Z  in response to SystemAdmin
      Have you tried the way described in this doc [1] on how to replace the default realm in Geronimo/WAS CE?

      [1] https://cwiki.apache.org/GMOxDOC30/replacing-default-realm-in-geronimo.html
      • SystemAdmin

        Re: Changing security realm of admin console

        ‏2012-03-21T13:17:36Z  in response to Shawn_Jiang
        Thank you very much.
        I tried it and I can login but then I get 'HTTP Status 403' error (Access to the specified resource () has been forbidden). Where can I set which roles have access to the admin-console?

        I had a similar problem with my own application and I changed role mapping (in geronimo-web.xml) to look like this:

        <role-mappings>
          <role role-name="abc">
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
            <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
          </role>
        </role-mappings>

        Any suggestions?

        Thank you.
        • X75J_Li_Yanli

          Re: Changing security realm of admin console

          ‏2012-03-22T06:46:28Z  in response to SystemAdmin
          Hello,
          Please check your web.xml and make sure the role was added in the security-constraint element, for example:

          <security-constraint>
            <web-resource-collection>
              <web-resource-name>Admin Role</web-resource-name>
              <url-pattern>/protect/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
              <role-name>abc</role-name>
            </auth-constraint>
          </security-constraint>

          That means if you click the "protect" link, a login form should be displayed and you can use the account that you defined in the abc role to log in.
          • SystemAdmin

            Re: Changing security realm of admin console

            ‏2012-03-22T08:51:59Z  in response to X75J_Li_Yanli
            Hello.

            My web.xml looks like this:

            <display-name>WAServlet</display-name>
            <servlet-mapping>
              <servlet-name>WAServlet</servlet-name>
              <url-pattern>/*</url-pattern>
            </servlet-mapping>
            <security-constraint>
              <web-resource-collection>
                <web-resource-name>Resources</web-resource-name>
                <url-pattern>/*</url-pattern>
                <http-method>GET</http-method>
                <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
                <role-name>abc</role-name>
              </auth-constraint>
              <user-data-constraint>
                <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
            </security-constraint>
            <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>LdapRACFRealm</realm-name>
            </login-config>
            <security-role>
              <role-name>abc</role-name>
            </security-role>

            The login form is displayed and I can log in with my user but then I get the error (HTTP 403). I think that only 'admin' role can access the console (I don't have the 'admin' role in LDAP and I can't change the LDAP).

            Thank you for your reply.
            • X75J_Li_Yanli

              Re: Changing security realm of admin console

              ‏2012-03-23T06:41:48Z  in response to SystemAdmin
              Hello,

              Please check your geronimo-web.xml:

              <role-mappings>
                <role role-name="abc">
                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
                  <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
                </role>
              </role-mappings>

              update to:

              <role-mappings>
                <role role-name="abc">
                  <realm realm-name="your-ldap-realm">
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
                    <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
                  </realm>
                </role>
              </role-mappings>
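
Added example, not part of the thread and not Geronimo or WAS CE code: a Python check over the two descriptors discussed above that reports why an authenticated user can still be refused with HTTP 403, following the reply's advice to place principals inside a `<realm>` element. The sample documents are constructed from the snippets posted in the thread (the `<web-app>` wrapper is added), and the function names `audit`, `texts`, `find_all` and `local` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the thread's snippets, trimmed; the <web-app> wrapper is added.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>abc</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>LdapRACFRealm</realm-name></login-config>
  <security-role><role-name>abc</role-name></security-role>
</web-app>"""
PRINCIPAL = '<principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>'
BEFORE = f'<role-mappings><role role-name="abc">{PRINCIPAL}</role></role-mappings>'
AFTER = ('<role-mappings><role role-name="abc"><realm realm-name="your-ldap-realm">'
         f'{PRINCIPAL}</realm></role></role-mappings>')

def local(tag):
    """Drop any XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [e for e in root.iter() if local(e.tag) == name]

def texts(root, parent, child):
    """Text of every <child> found below any <parent>."""
    return {c.text.strip() for p in find_all(root, parent)
            for c in find_all(p, child) if c.text}

def audit(web_xml, role_mappings_xml):
    """Return findings for roles that web.xml demands but the mapping cannot grant."""
    web, plan = ET.fromstring(web_xml), ET.fromstring(role_mappings_xml)
    mapped = {r.get("role-name"): r for r in find_all(plan, "role")}
    declared = texts(web, "security-role", "role-name")
    findings = []
    for name in sorted(texts(web, "auth-constraint", "role-name")):
        if name not in declared:
            findings.append(f"{name}: missing <security-role> declaration")
        if name not in mapped:
            findings.append(f"{name}: no role mapping, authenticated users get 403")
        elif any(local(c.tag) == "principal" for c in mapped[name]):
            findings.append(f"{name}: principal not inside <realm realm-name=...>")
    if ("BASIC" in texts(web, "login-config", "auth-method") and "CONFIDENTIAL"
            not in texts(web, "user-data-constraint", "transport-guarantee")):
        findings.append("BASIC login without CONFIDENTIAL transport guarantee")
    return findings

if __name__ == "__main__":
    print({"before": audit(WEB_XML, BEFORE), "after": audit(WEB_XML, AFTER)})
```

The last finding is independent of the 403: with `transport-guarantee` set to `NONE` the container does not require TLS, so BASIC credentials are only base64-encoded on any plain HTTP request.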
              • SystemAdmin

                Re: Changing security realm of admin console

                ‏2012-03-23T10:04:39Z  in response to X75J_Li_Yanli
                Hello.

                My application works fine with my LDAP now. Thank you.
                Does anyone know if it is possible to change the 'admin' group to access admin console? Is it possible to access admin console with user from any other group of my LDAP?

                Thank you very much.
                • X75J_Li_Yanli

                  Re: Changing security realm of admin console

                  ‏2012-03-26T09:22:24Z  in response to SystemAdmin
                  Hello,

                  For the group in admin console, without using ldap, you can add one user through "Users and Groups"-->Create New User in admin console, then add it to the admin group, then you can use it to log in to admin console.
                  For the group of ldap, you can add users under ou=users,ou=system to cn=admin,ou=groups, for example, add attribute uniqueMember and the value is uid=test,ou=users,ou=system.
                  Then you can access admin console using the account: test/password.
                  • X75J_Li_Yanli

                    Re: Changing security realm of admin console

                    ‏2012-03-26T09:25:38Z  in response to X75J_Li_Yanli
                    Using ldap configuration, for WAS CE, you can use the users defined under the groups of admin and monitor. Users of other groups can't access the admin console.
                    • SystemAdmin

                      Re: Changing security realm of admin console

                      ‏2012-03-26T09:40:42Z  in response to X75J_Li_Yanli
                      I hope they will change this in next versions.

                      Thank you very much.