GERONIMO-4553

Admin console does not show error when creating duplicate security realm

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.4, 2.2
    • Fix Version/s: Wish List
    • Component/s: console, security
    • Security Level: public (Regular issues)
    • Labels:
      None

      Description

      If you create a security realm with a duplicate name (such as geronimo-admin) using the admin console, everything appears to work in the UI; however, the command line console shows the error:

      2009-02-24 09:47:11,123 ERROR [ProxyCollection] Listener threw exception
      java.lang.IllegalArgumentException: ConfigurationEntry named: geronimo-admin already registered
      at org.apache.geronimo.security.jaas.GeronimoLoginConfiguration.addConfiguration(GeronimoLoginConfiguration.java:112)
      at org.apache.geronimo.security.jaas.GeronimoLoginConfiguration.memberAdded(GeronimoLoginConfiguration.java:97)
      at org.apache.geronimo.gbean.runtime.ProxyCollection.addTarget(ProxyCollection.java:102)
      at org.apache.geronimo.gbean.runtime.GBeanCollectionReference.targetAdded(GBeanCollectionReference.java:96)
      at org.apache.geronimo.gbean.runtime.GBeanCollectionReference.addTarget(GBeanCollectionReference.java:180)
      at org.apache.geronimo.gbean.runtime.GBeanCollectionReference$1.running(GBeanCollectionReference.java:110)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:524)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
      at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:524)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
      at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:538)
      at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
      at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
      at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
      at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
      at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
      at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:815)
      at org.apache.geronimo.gbean.runtime.RawInvoker.invoke(RawInvoker.java:57)
      at org.apache.geronimo.kernel.basic.RawOperationInvoker.invoke(RawOperationInvoker.java:35)
      at org.apache.geronimo.kernel.basic.ProxyMethodInterceptor.intercept(ProxyMethodInterceptor.java:96)
      at org.apache.geronimo.kernel.config.EditableConfigurationManager$$EnhancerByCGLIB$$150f4df4.startConfiguration(<generated>)
      at org.apache.geronimo.deployment.plugin.local.StartCommand.run(StartCommand.java:67)
      at java.lang.Thread.run(Thread.java:613)

      IMO we should allow users to create such duplicate realms but not try to start them but rather show instructions on how to substitute their realm for the existing one, namely:

      • edit var/config/config.xml to have load="false" for the plugin with the existing security realm
      • edit var/config/artifact-aliases.properties to use the new plugin instead of the old plugin
      • edit var/config/config.xml to start the new plugin (this is probably unnecessary as the new one will probably be started due to dependencies)

      I tried this on trunk and a user found it on 2.1.2.

      1. GERONIMO-4553-b21.patch
        4 kB
        Rex Wang
      2. GERONIMO-4553-b21-updated.patch
        18 kB
        Rex Wang
      3. dbpool_properties.patch
        3 kB
        Rex Wang
      4. realm_properties.patch
        9 kB
        Rex Wang

        Activity

        Joe Bohn added a comment -

        It seems that the error is different when creating a duplicate "geronimo-admin" realm vs. another realm (such as "test"). In either case, the realm creation fails but the stack trace is different.

        I just checked in a small change in branches/2.1 (rev. 749758) to notify the user if the save fails when attempting to create the realm for any reason. It's only moderately better than no error ... but better than what we have now in my opinion. Do you think this is sufficient David? I'll merge the same change into trunk just to keep things consistent.

        Joe Bohn added a comment - - edited

        Hmmm ... things are a bit more strange than I thought. I can create a realm named geronimo-admin (no error is returned to the portlet at all). The name is different than our default realm (which is geronimo-realm) - but there is still the error that you mentioned originally. If I attempt to create a second "geronimo-admin" realm then I get a different error (that is echoed back to the portlet) and my code will display an error to the user. So there is more going on here than I first thought. I think the change I made is still valid but I'm not sure it addresses this issue completely. Thoughts?

        Forrest Xia added a comment -

        Some tries on this jira, here are my understandings and findings:
        1. Actually geronimo default security realm(used by admin console and other modules) is named "geronimo-admin", not "geronimo-realm". It is created via system module "org.apache.geronimo.framework/server-security-config//car".
        2. Noticed David's proposed instruction to replace a default realm, I do not figure out a way to substitute it with a new generated duplicate-named "geronimo-admin". Because the default geronimo security realm "geronimo-admin" is created via "org.apache.geronimo.framework/server-security-config//car". The default "geronimo-admin" realm is not a standalone module and to be replaceable via artifact alias method.
        3. Joe's patch just fix the case when the security realm is a standalone module, it cannot stop creation of duplicate-named security realm when it's not a standalone module.
        4. If this JIRA's goal is to make admin console shows some error message(whenever a security realm name is duplicated in standalone or not standalone) same as those in the server.log, I don't think current patch reaches that goal.
        However, if the goal is to allow user creating a self-defined security realm duplicate-named "geronimo-admin", then use it to replace the default geronimo one to login admin console(or for other module use). I think we might need to make "geronimo-admin" realm separated from "server-security-config" module first, then use artifact alias method to substitute it.

        Any thoughts? thanks!

        Forrest Xia added a comment -

        Another finding: If created a duplicated security realm "geronimo-admin", and then uninstall it, thus, the server won't be stopped gracefully. The error message shows "Invalid login".

        That seems a major problem to server. Thoughts?

        Joe Bohn added a comment -

        Yes, I came to the same conclusions Forrest. My patch was only intended to provide an error message when creating a duplicate stand-alone security realm. I was not trying to support the scenario of permitting the creation of duplicate realms or making the geronimo-admin realm a standalone realm.

        It was my understanding that this JIRA was primarily created because of the lack of any indication in the console when creating duplicate realms and was specifically written against the console. My change does address the scenario of standalone realms but unfortunately does not address the case of a duplicate realm between standalone and non-standalone configurations. For that we need more than just console changes (as you noted) since the portlet receives no indication of any failure in this scenario.

        I didn't get to dig any deeper into this yet so if you want to pull together a patch that would be great. However, I think we can release 2.1.4 without a fix for this issue if necessary.

        David Jencks added a comment -

        I haven't looked at what joe's patch does yet.

        My goal at this point is mostly to notify the user that there is a problem that needs further investigation when a duplicate security realm name is defined. Supplying them with hints about how to fix it would be even better. IMO however we can't automatically fix the problem they have caused. On the other hand we do need to let them create a duplicate realm because they may need to switch from one to another. After doing so, they will have to edit some configuration files by hand. We could try to automate switching but I don't think it is worth the effort because it is too likely that the user will be left with no way at all to log on as the old realm has stopped and the new one not started in case of any error.

        Forrest-- server-security-config is designed to contain everything you will want to change if you want to customize the admin security for geronimo. As such it should not have anything removed. We might want to create a way of creating a plugin with everything that is in server-security-config from the console.

        For trunk I actually have a different plan in mind. I think we should make the security realms scoped to the ancestor plugins of whatever needs the realm, just like we do with gbean searches for references. When I first worked on the code I didn't realize it was possible to pass the LoginConfiguration in to the LoginContext constructor; however we can use this to prevent interference between realms.

        Jarek Gawor added a comment -

        Updated affects/fix versions as this won't get fixed in time for 2.1.4.

        Joe Bohn added a comment -

        unassigned so that others can pick it up and provide a fix.

        Ashish Jain added a comment -

        This error can be avoided if the duplicate realm is not started. However there are some issues involved

        1) We need to copy the realm and deploy it manually using Deploy New or may be the command line tool
        2) An entry for the newly created realm is not reflected in config.xml if the realm is only deployed and not started. I guess this can be addressed in a JIRA if we feel it is an issue. I think the realm entry should come up in config.xml with load=false.

        User will have to perform few manual steps
        1) He will have to edit the config.xml and add load=false for geronimo-admin gbean in server-security-config
        2) Remove load=false for the duplicate realm.
        3) edit artifact-aliases.properties.

        The utility is that user can always revert back the configuration in case there are any issues with the duplicate realm.

        All the above steps can be suggested to the user when he inputs the name of the realm and moves to the next section.

        Please suggest if this is how we may want to address this situation

        Rex Wang added a comment -

        GERONIMO-4553-b21.patch is for branch 2.1
        The patch can block the creation of a duplicate security realm, which have existed in a standalone or non-standalone module, from Portlet.
        However, I do agree we should allow user to create a duplicate realm without starting it, but I think this is not the concern of this jira, I will create a improvement jira to track that.
        In addition, although this patch resolves the problem in portlet, I am not sure whether or not it would occur when deploy by the command line. I will check that.
        So far, I believe this patch can help close this bug.

        -Rex

        David Jencks added a comment -

        As my original report stated pretty clearly, I think we need to allow creation of duplicate-named security realms.

        With the current global security realm names, we have to prevent starting the new one. Ideally I think we should follow the same system as normal gbean visibility and only let plugins see security realms defined in their ancestor plugins. This would let us start both realms and switch between them using an artifact alias. A while back I introduced a couple new ContextManager login methods that take a Configuration to support this, but haven't been able to complete the feature.

        If we can't implement this way of allowing duplicate security realms I would prefer to just not start any duplicates rather than preventing them from being created.

        David Jencks added a comment -

        I experimented a bit with scoping security realms to an app's parents. This is pretty straightforward for jetty7, slightly less so for jetty6, I'm not sure about tomcat, and AFAICT impractical for openejb at this time.

        The problem with openejb is that authentication happens independently of which app you are dealing with, for instance when trying to get the ejb remote initial context.

        I'll probably commit my jetty7/jetty6 work and keep thinking about openejb and tomcat.

        David Jencks added a comment -

        Rev 778726. I implemented scoping security realms to parents for all the web containers, renaming the 'publish' attribute to 'global' and modified the console to enable editing the 'global' attribute.

        There are a couple of new strings that need Chinese translations in the plugins console.

        Ejbs still use global security realms.

        I'm not convinced ejb web service security is hooked up for anything except axis1. If it is it might be broken.

        At this point the console should warn but not try to prevent creating security realms with duplicate names. I haven't checked to see what actually happens.

        Rex Wang added a comment -

        Hi David, I modified the previous patch based on your suggestion: GERONIMO-4553-b21-updated.patch
        Currently the portlet won't prevent duplicated realm from being created, and will just not start it and provide a message on the page.
        In future, if you think it is comfortable to allow duplicate security realms, we can adjust the page again to fit new needs. So far, I hope we don't give the end user a chance to run into the wrong path.

        Thanks
        -Rex

        Rex Wang added a comment -

        Ooops.........I didn't see your head commit ....
        let me check what happened.

        Rex Wang added a comment -

        hi David, what is the difference between "Server-side" and "Global". When I create a realm from web console that can be either server-side and non-global, is there some scenario needs such realm?

        thanks
        -Rex

        David Jencks added a comment -

        Rex, sorry for letting this drop for so long...

        server-side shouldn't be there any more, at one time there was a way to have a client side login where some login modules ran on the client and some on the server. This didn't work very well and had conceptual problems.

        global means that the security realm is registered with the single global Configuration instance. non-global means you have to call LoginContext.login(..... realmConfiguration) with the Configuration for that particular security realm. non-global security realms are how this feature works.

        Is any more work needed on this jira?

        Rex Wang added a comment - - edited

        Sorry, I had a typo in ahead comments... I should have said "Server-wide" not "Server-side"...
        Anyway, I used some time to understand the difference between server-wide/non-server-wide and global/non-global, IIUC, the server-wide means the realm is a standalone realm. If we want duplicate-named security realms, they can not be both global. Right?

        Thanks
        -Rex

        David Jencks added a comment -

        The idea "server-wide" is highly misleading since you can use a security realm anywhere whether it is deployed in a non-javaee plugin (called "server-wide") or inside a javaee app (not "server-wide"). If the realm is global you can just use it and if it is non-global you need a dependency on whatever the realm is deployed in. I think the term "server-wide" only confuses everyone and hides geronimo's flexibility.

        That said.... if you want security realms with duplicate names, at most one of them can be global.
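
The global versus non-global distinction discussed in this thread, as an added example built on the standard JAAS API; it is not Geronimo's code and not taken from any attached patch. `GlobalRegistry`, `Plugin` and `ToyLoginModule` are hypothetical names, and the single-parent chain and the ancestor-before-global lookup order are simplifying assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class ScopedRealmDemo {

    /** Constructed module: always authenticates and records which realm definition ran. */
    public static class ToyLoginModule implements LoginModule {
        private Subject subject;
        private String tag;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s;
            tag = (String) options.get("tag");
        }
        public boolean login() { return true; }
        public boolean commit() { subject.getPublicCredentials().add(tag); return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Stand-in for a single global Configuration: one flat namespace, duplicate names rejected. */
    static class GlobalRegistry extends Configuration {
        private final Map<String, AppConfigurationEntry[]> realms = new ConcurrentHashMap<>();
        void register(String name, AppConfigurationEntry[] entries) {
            if (realms.putIfAbsent(name, entries) != null) {
                throw new IllegalArgumentException("ConfigurationEntry named: " + name + " already registered");
            }
        }
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return realms.get(name);
        }
    }

    /** A Configuration that knows exactly one realm; it never touches the global namespace. */
    static Configuration scoped(String name, AppConfigurationEntry[] entries) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return name.equals(n) ? entries : null;
            }
        };
    }

    /** Hypothetical plugin node; a real plugin can have several parents, this sketch allows one. */
    static class Plugin {
        final Plugin parent;
        final Map<String, AppConfigurationEntry[]> nonGlobalRealms = new HashMap<>();
        Plugin(Plugin parent) { this.parent = parent; }
        /** Assumed order: nearest ancestor defining the realm, otherwise the global registry. */
        Configuration configurationFor(String realm, GlobalRegistry global) {
            for (Plugin p = this; p != null; p = p.parent) {
                AppConfigurationEntry[] e = p.nonGlobalRealms.get(realm);
                if (e != null) return scoped(realm, e);
            }
            return global;
        }
    }

    static AppConfigurationEntry[] entry(String tag) {
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry(ToyLoginModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, Map.of("tag", tag))
        };
    }

    /** Logs in against an explicit Configuration and reports which realm definition answered. */
    static String loginVia(Configuration cfg, String realm) throws LoginException {
        Subject subject = new Subject();
        new LoginContext(realm, subject, null, cfg).login();
        return subject.getPublicCredentials(String.class).iterator().next();
    }

    public static void main(String[] args) throws Exception {
        GlobalRegistry global = new GlobalRegistry();
        global.register("geronimo-admin", entry("default realm (global)"));
        try {
            // A second global realm with the same name collides, as in the reported stack trace.
            global.register("geronimo-admin", entry("replacement realm (global)"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // The same name as a non-global realm lives only in its defining plugin.
        Plugin realmPlugin = new Plugin(null);
        realmPlugin.nonGlobalRealms.put("geronimo-admin", entry("replacement realm (non-global)"));
        Plugin webApp = new Plugin(realmPlugin);   // has the realm's plugin as an ancestor
        Plugin otherApp = new Plugin(null);        // unrelated app, sees only the global realm

        System.out.println("webApp   -> " + loginVia(webApp.configurationFor("geronimo-admin", global), "geronimo-admin"));
        System.out.println("otherApp -> " + loginVia(otherApp.configurationFor("geronimo-admin", global), "geronimo-admin"));
    }
}
```

Passing the `Configuration` to the four-argument `LoginContext` constructor is what keeps the two same-named realms from interfering; anything that logs in without an app context can only reach the global entry.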

        Rex Wang added a comment - - edited

        So, it is better to call "standalone" instead of "server-wide"? we should change that together with the data source portlet to keep consistent in terms.

        I am trying to translate your new properties to Chinese, you say "In any case, realm plugin must be a parent of a web app to be visible to that app."
        And if the realm is global, does a war still need a <dependency> on the realm plugin? I remember we don't need that before.

        -Rex

        David Jencks added a comment -

        I agree, "standalone" is a much better term. Thanks for thinking of it!

        Let me try to explain again... maybe you can fix the english text as well as do translations

        global – visible to all applications no matter what their dependencies. However, without a dependency there is no guarantee that the realm will be there if the application that uses it is.

        non-global – visible to applications that have the realm's plugin as an ancestor (parent or more distant ancestor). The dependency this establishes ensures that the realm will be installed and started when that app is installed and started.

        And, IIRC, ejb security can only use global realms or ones that are ancestors of the openejb plugin itself since there is only the single login facility in the ejbd.

        Rex Wang added a comment -

        Two patches for the properties files.
        -Rex

        viola.lu added a comment -

        hi, David:
        As you said: "global - visible to all applications no matter what their dependencies
        non-global - visible to applications that have the realm's plugin as an ancestor (parent or more distant ancestor)." But after I created a global security realm, but still have to add it to my web app as dependency, otherwise there is a deployment failure, pls check https://issues.apache.org/jira/browse/GERONIMO-4772 to get more details, thanks.

        David Jencks added a comment -

        Rex, if this is actually fixed could you close it?


          People

          • Assignee:
            Rex Wang
            Reporter:
            David Jencks
          • Votes:
            0
            Watchers:
            1