SystemAdmin
2233 Posts

Pinned topic Changing security realm of admin console

‏2007-10-11T13:17:29Z |
Hi,

Is there a way to change the security realm of the admin console? I have my own written security realm which works fine for self-deployed applications.
Now I wanted to change the security realm of the admin console, but I have not found a geronimo-web.xml that belongs to the admin console.

I am using WAS CE 2.0

Any ideas?
  • Ashish_Jain
    274 Posts

    Re: Changing security realm of admin console

    ‏2007-10-16T09:56:10Z  
    When you build the server from source, the plan file will be generated to configs\webconsole-tomcat\target\plan\plan.xml. This plan file can be edited to change the realm-name from "geronimo-admin" to "my-new-realm" plus other changes to role-mapping and then redeploy applications\console\geronimo-console-ear\target\geronimo-console-ear-2.0.1.ear using this edited plan file.
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2007-10-16T12:46:26Z  
    Where do I get the source? Is it just the Geronimo source from http://geronimo.apache.org/downloads.html or is there a special source with the WAS CE admin console available?
  • Ashish_Jain
    274 Posts

    Re: Changing security realm of admin console

    ‏2007-10-16T12:53:45Z  
    You need to take the AG source for this.
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2007-10-26T17:33:28Z  
    Cool, it works!!
    But: when I take the Apache Geronimo source for the console redeploy, the new console is of course the one from Geronimo. Is the source code of WebSphere CE also somewhere available to redeploy the original WAS CE console from IBM?
  • Ashish_Jain
    274 Posts

    Re: Changing security realm of admin console

    ‏2007-10-29T10:43:37Z  
    Hi,
    For WAS CE there are no source downloads available. It only allows binary downloads.

    Thanks
    Ashish
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2012-03-19T09:33:51Z  
    Hello!

    I'm using WAS-CE 3.0.0 and would like to change the security realm (to use with LDAP) of the admin console. I successfully deployed the realm but I am not able to use it. I tried to redeploy Geronimo 3 (I changed the plan.xml), but I can't find the geronimo-console-ear file. Is there any other way to secure the admin console?

    Thanks.
  • Shawn_Jiang
    154 Posts

    Re: Changing security realm of admin console

    ‏2012-03-19T10:05:56Z  
    Have you tried the way described in this doc [1] on how to replace the default realm in Geronimo/WAS CE?

    [1] https://cwiki.apache.org/GMOxDOC30/replacing-default-realm-in-geronimo.html
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2012-03-21T13:17:36Z  
    Thank you very much.
    I tried it and I can log in, but then I get an 'HTTP Status 403' error (Access to the specified resource () has been forbidden). Where can I set which roles have access to the admin console?

    I had a similar problem with my own application and I changed the role mapping (in geronimo-web.xml) to look like this:

    <role-mappings>
      <role role-name="abc">
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
      </role>
    </role-mappings>

    Any suggestions?

    Thank you.
  • X75J_Li_Yanli
    45 Posts

    Re: Changing security realm of admin console

    ‏2012-03-22T06:46:28Z  
    Hello,
    Please check your web.xml and make sure the role was added in the security-constraint element, for example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Admin Role</web-resource-name>
        <url-pattern>/protect/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>abc</role-name>
      </auth-constraint>
    </security-constraint>

    That means if you click the "protect" link, a login form should be displayed and you can use the account that you defined in the abc role to log in.
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2012-03-22T08:51:59Z  
    Hello.

    My web.xml looks like this:
    <display-name>WAServlet</display-name>
    <servlet-mapping>
      <servlet-name>WAServlet</servlet-name>
      <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Resources</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>abc</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>LdapRACFRealm</realm-name>
    </login-config>
    <security-role>
      <role-name>abc</role-name>
    </security-role>
    The login form is displayed and I can log in with my user, but then I get the error (HTTP 403). I think that only the 'admin' role can access the console (I don't have the 'admin' role in LDAP and I can't change the LDAP).

    Thank you for your reply.
  • X75J_Li_Yanli
    45 Posts

    Re: Changing security realm of admin console

    ‏2012-03-23T06:41:48Z  
    Hello,

    Please check your geronimo-web.xml:
    <role-mappings>
      <role role-name="abc">
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
        <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
      </role>
    </role-mappings>

    update to:

    <role-mappings>
      <role role-name="abc">
        <realm realm-name="your-ldap-realm">
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="abc"/>
          <principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal" name="xyz"/>
        </realm>
      </role>
    </role-mappings>
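
An added example, not part of any post in this thread and not Geronimo or WAS CE project code: a Python check that cross-references the roles a web.xml requires against the role mappings in a geronimo-web.xml, covering the two fixes discussed above. It goes one step beyond the thread by also reporting BASIC authentication paired with transport-guarantee NONE, as in the posted web.xml. The sample documents are constructed from the fragments posted here, and the function names and finding strings are hypothetical.

```python
import xml.etree.ElementTree as ET

GROUP = "org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
# Constructed samples, modelled on the fragments posted in this thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>abc</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""
PLAN_BEFORE = f"""<web-app><role-mappings><role role-name="abc">
  <principal class="{GROUP}" name="abc"/>
</role></role-mappings></web-app>"""
PLAN_AFTER = f"""<web-app><role-mappings><role role-name="abc">
  <realm realm-name="your-ldap-realm"><principal class="{GROUP}" name="abc"/></realm>
</role></role-mappings></web-app>"""

def named(root, name):
    """Root and descendants with this local name; '{namespace}' prefixes are ignored."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit(web_xml, plan_xml):
    """Return findings for one web.xml / geronimo-web.xml pair (hypothetical helper)."""
    web, plan = ET.fromstring(web_xml), ET.fromstring(plan_xml)
    findings, mapped = [], set()
    # Roles that gate access: each <role-name> inside an <auth-constraint>.
    required = {r.text.strip() for c in named(web, "auth-constraint")
                for r in named(c, "role-name")}
    for role in named(plan, "role"):
        mapped.add(role.get("role-name"))
        # The fix in this thread wraps principals in <realm realm-name="...">;
        # report principals that sit directly under <role> instead.
        if set(role) & set(named(role, "principal")):
            findings.append(f"role {role.get('role-name')}: principal outside <realm>")
    for name in sorted(required - mapped):
        findings.append(f"role {name}: required by web.xml, no role mapping")
    # BASIC credentials are only base64-encoded; CONFIDENTIAL demands TLS.
    methods = {m.text.strip() for m in named(web, "auth-method")}
    guarantees = {g.text.strip() for g in named(web, "transport-guarantee")}
    if "BASIC" in methods and "CONFIDENTIAL" not in guarantees:
        findings.append("login-config: BASIC without transport-guarantee CONFIDENTIAL")
    return findings

if __name__ == "__main__":
    for plan in (PLAN_BEFORE, PLAN_AFTER):
        print(audit(WEB_XML, plan))
```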
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2012-03-23T10:04:39Z  
    Hello.

    My application works fine with my LDAP now. Thank you.
    Does anyone know if it is possible to change the 'admin' group to access the admin console? Is it possible to access the admin console with a user from any other group of my LDAP?

    Thank you very much.
  • X75J_Li_Yanli
    45 Posts

    Re: Changing security realm of admin console

    ‏2012-03-26T09:22:24Z  
    Hello,

    For the group in the admin console, without using LDAP, you can add one user through "Users and Groups" --> Create New User in the admin console, then add it to the admin group; then you can use it to log in to the admin console.
    For the LDAP group, you can add users under ou=users,ou=system to cn=admin,ou=groups; for example, add the attribute uniqueMember with the value uid=test,ou=users,ou=system.
    Then you can access the admin console using the account: test/password.
  • X75J_Li_Yanli
    45 Posts

    Re: Changing security realm of admin console

    ‏2012-03-26T09:25:38Z  
    Using the LDAP configuration for WAS CE, you can use the users defined under the admin and monitor groups. Users of other groups can't access the admin console.
  • SystemAdmin
    2233 Posts

    Re: Changing security realm of admin console

    ‏2012-03-26T09:40:42Z  
    I hope they will change this in next versions.

    Thank you very much.