Discussions

News: Apache Geronimo 1.0 M3 Released

  1. Apache Geronimo 1.0 M3 Released (5 messages)

    The Apache Geronimo team is proud to announce the 1.0 M3 release of the Geronimo application server.

    Features
    • CMP Entity beans are now supported. However, there are still significant limitations (no EJB QL support). This is one of the last outstanding core J2EE features.
    • Geronimo security realms have been integrated with the J2EE containers, so J2EE container-managed authentication works.
    • The web container now supports HTTPS with configurable SSL certificates, etc.
    • The transaction system is more robust, with bug fixes, transaction log support, etc.
    • An application client container is now included with Geronimo
    • Configuration changes to core Geronimo services and running applications are persisted, though we still lack a user-friendly interface for making such changes.
    • Manifest Class-Path entries in J2EE application modules are supported.
    • JDBC database pools and JMS connection factories, topics, and queues are now fully supported "out of the box".
    • When deploying a J2EE connector, multiple instances of the same resource adapter can be declared in the same deployment plan.
    • The command-line deployment tool supports authentication and hot deployment to a running server.
    • JAX-RPC and SAAJ features are available to applications acting as Web Services clients (though Web Services server features are not yet available)

    Download here:
      http://cvs.apache.org/dist/geronimo/v1.0-M3/geronimo-1.0-M3.zip
    http://cvs.apache.org/dist/geronimo/v1.0-M3/geronimo-1.0-M3.tar.gz

    Release notes:
      http://cvs.apache.org/dist/geronimo/v1.0-M3/RELEASE-NOTES-1.0-M3.txt

    Enjoy!

    The Geronimo Team

    Threaded Messages (5)

  2. Apache Geronimo 1.0 M3 Released[ Go to top ]

    Geronimo security realms have been integrated with the J2EE containers, so J2EE container-managed authentication works.

    Any plans on closing WebApp security gap in cooperation with Sun or as an extension?
    I am talking about role-ref element in web.xml which is defined for servlet but not for security-constraint.

    What I was trying to do: to define a mapping from SSO defined role: lets say 'Administrator' to a webapp specific role 'myappadmin'.

    I seem to be able to do it for servlet by:
    <servlet>
       <servlet-class>xxxx.xxx</servlet-class>
       <servlet-name>xx</servlet-name>
    <security-role-ref>
       <role-name>myappadmin</role-name>
       <role-link>Administrator</role-link>
    </security-role-ref>
    </servlet>

    <security-role>
    <role-name>Administrator </role-name>
    </security-role>

    I do not see anything like that for:

    <security-constraint>
    <web-resource-collection>
    <url-pattern>/protected/*</url-pattern>

    </web-resource-collection>
    ..........
    </security-constraint>
    That does not look consistent.
  3. Servlet security[ Go to top ]

    The role ref linking from myappadmin to Administrator is meant to decouple the role that the servlet code is using, myappadmin, from the declarative security roles in the descriptor, Administrator. This is so that the declarative security roles in the descritor can be changed without any modification/compilation of the servlet code. There is no need for such a mapping in security constraints since these roles are not in the servlet code.

    Geronimo's security is based on the Principals that are obtained from a JAAS login. The mapping by a Deployer from principals to servlet roles takes place in the geronimo-web.xml descriptor; we are working on simpler methods of mapping as well as using "live" role mappings from the security server.
  4. Servlet security[ Go to top ]

    The role ref linking from myappadmin to Administrator is meant to decouple the role that the servlet code is using, myappadmin, from the declarative security roles in the descriptor, Administrator. This is so that the declarative security roles in the descritor can be changed without any modification/compilation of the servlet code.
    Exactly.
    There is no need for such a mapping in security constraints since these roles are not in the servlet code.

    Are you trying to say that it is illegal to include JSPs in the web-resource-collection and and call isUserInRile()?

    You must be kidding...
  5. Servlet security[ Go to top ]

    Ahh, I now understand what you mean. Geronimo aggregates existing web containers from both Jetty and Tomcat. I would address your question to their development groups.
  6. So how the flip do you use them except for find by primary key!