Affects: Compatibility/Configuration
securitylevel_name: Public

Hi Randall, The security policy used is called 'modeshape-jcr'. Is this hardcoded or is this configurable? We tried setting it in the jboss-web.xml and in the components.xml, but these settings are ignored. Probably b/c modeshape is not configured in the web.xml, but started programmatically. Is the security policy something that can be passed in as a property in the drools_repository.properties file? --Kurt
This is confirmed as a blocker for BRMS 5.1.0
Sorry, wrong issue ;-) This is NOT a blocker for BRMS 5.1.0, but it should be resolved as part of resolving BRMS-416
The JAAS_LOGIN_CONFIG_NAME repository option [1] controls the name of the JAAS application configuration name, and currently defaults to 'modeshape-jcr'. This can easily be set programmatically [2] or within the configuration file [3]. (Examples in both those sections of the last 2 links show how to set this particular repository option.)

[1] http://docs.jboss.org/modeshape/latest/api/org/modeshape/jcr/JcrRepository.Option.html#JAAS_LOGIN_CONFIG_NAME
[2] http://docs.jboss.org/modeshape/latest/manuals/reference/html_single/reference-guide-en.html#programmatic_configuration
[3] http://docs.jboss.org/modeshape/latest/manuals/reference/html_single/reference-guide-en.html#loading_from_file
Release Notes Docs Status: Added: Not Yet Documented Writer: Added: Darrin
What else needs to be done with this? Can it be marked as 'Resolved'?
Let's document it for customers on how to configure it.
The ModeShape service now adds the modeshape-jcr policy:

    <!--Jcr Security Domain needed for BRMS to access ModeShape-->
    <application-policy name="modeshape-jcr">
      <authentication>

So it now just works. I think this can be closed. --Kurt
This should now be a doc issue. Can we explain when one option is preferred over another? And then hand over to the docs group, please.
IIUC, users don't have to change or decide on any of these options because the ModeShape service is now being configured correctly when used within BRMS. If that is the case, does anything need to be documented?
When ModeShape is installed into SOA-P or BRMS (or EAP), it modifies the '{profile}/conf/login-conf.xml' file to add a number of policies. The number and nature of these policies depends on the platform and whether BRMS is already installed. For example, when ModeShape is installed into BRMS or SOA-P+BRMS, these four policies will be installed into the '{profile}/conf/login-conf.xml' file:

    <application-policy xmlns="urn:jboss:security-beans:1.0" name="modeshape">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="unauthenticatedIdentity">guest</module-option>
          <module-option name="usersProperties">props/brms-users.properties</module-option>
          <module-option name="rolesProperties">props/brms-roles.properties</module-option>
        </login-module>
      </authentication>
    </application-policy>
    <!--- - - - -->
    <application-policy name="ModeShapeEDSRepoDbRealm">
      <authentication>
        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
          <module-option name="principal">sa</module-option>
          <module-option name="userName">sa</module-option>
          <module-option name="password"/>
          <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ModeShapeEDSRepo</module-option>
        </login-module>
      </authentication>
    </application-policy>
    <!--- - - - -->
    <!--EDS ModeShape-BRMS JCR Security Domain-->
    <application-policy name="ModeShapeBRMSRepoDbRealm">
      <authentication>
        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
          <module-option name="principal">sa</module-option>
          <module-option name="userName">sa</module-option>
          <module-option name="password"/>
          <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=ModeShapeBRMSRepo</module-option>
        </login-module>
      </authentication>
    </application-policy>
    <!--Jcr Security Domain needed for BRMS to access ModeShape-->
    <application-policy name="modeshape-jcr">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
          <module-option name="usersProperties">props/brms-users.properties</module-option>
          <module-option name="rolesProperties">props/brms-roles.properties</module-option>
        </login-module>
      </authentication>
    </application-policy>

Note that two of these policies define the authentication information for the two JDBC DataSources that ModeShape uses (when BRMS is installed): one for BRMS content and one for EDS content. The 'modeshape' policy is what the ModeShape services (REST, WebDAV, JCR) use for authentication, and the 'modeshape-jcr' policy is what BRMS uses. However, both the 'modeshape' and 'modeshape-jcr' policies are almost equivalent, and do reference the same 'props/brms-*.properties' files.

When installing into SOA-P (without BRMS), the ModeShape installer only installs the 'modeshape' and 'ModeShapeEDSRepoDbRealm' policies, and these policies will reference the 'props/soa-*.properties' files.

When installing into EAP (without BRMS), the ModeShape installer only installs 'modeshape' and 'ModeShapeEDSRepoDbRealm' policies, but they reference the 'props/jmx-*.properties' files.

Sorry this is not straightforward. Again, we only have one ModeShape kit, and its installer needs to do different things depending upon the target platform (EAP/AS/SOA-P/BRMS) and to behave differently based upon whether BRMS is already installed.
Thanks Randall - QE will verify that all these scenarios happen the way you describe. We should also document this for the users - so that they can understand which files are changed when they perform an install.
Affects: Added: [Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration]
Found a bug in modeshape (MODE-1038), in that the jaas setting in the modeshape-config.xml is not getting picked up. In order to set jaas, it must be defined as:

    <mode:option jcr:name="jaasLoginConfigName" mode:value="modeshape-abc"/>

where modeshape-abc matches the policy in the login-config.xml. If this is set to "modeshape", then the additional modeshape-jcr policy is not needed in login-config.xml.
Link: Added: This issue is related to MODE-1038
Resolution: The original fragment in the configuration file was this:

    <jaasLoginConfigName jcr:primaryType="option" value="modeshape"/>

The "mode:" prefix is missing from two places in this line. The first is that the value for the "jcr:primaryType" XML attribute should be "mode:option", not "option". Second, the "value" XML attribute also needs the "mode:" XML namespace prefix. Thus, the line should be:

    <jaasLoginConfigName jcr:primaryType="mode:option" mode:value="modeshape"/>

This is how the other options are specified in the same configuration file. I'd recommend switching all repository options to the "mode:option" form, as that is a) slightly smaller and b) more consistent with the other parts of the configuration file. Thus the equivalent would be:

    <mode:option jcr:name="jaasLoginConfigName" mode:value="modeshape"/>

These changes are being made to the configuration for the next build.
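A consistency check for the misconfiguration described in this resolution, as an added example that is not part of the thread or of ModeShape: it reports a jaasLoginConfigName option written without the "mode:" prefixes and confirms that the JAAS name in effect matches an application-policy in the login configuration. The sample documents are constructed, and the namespace URIs bound to "mode" and "jcr", the root element names and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

MODE_NS = "http://www.modeshape.org/1.0"  # assumed URI for the "mode:" prefix
JCR_NS = "http://www.jcp.org/jcr/1.0"     # assumed URI for the "jcr:" prefix
DEFAULT_POLICY = "modeshape-jcr"          # default stated in the thread

# Constructed samples: a login config with only the 'modeshape' policy,
# the original (ignored) option line, and the corrected short form.
LOGIN = ('<policy><application-policy xmlns="urn:jboss:security-beans:1.0" '
         'name="modeshape"><authentication/></application-policy></policy>')
HEAD = f'<configuration xmlns:mode="{MODE_NS}" xmlns:jcr="{JCR_NS}">'
BROKEN = HEAD + '<jaasLoginConfigName jcr:primaryType="option" value="modeshape"/></configuration>'
FIXED = HEAD + '<mode:option jcr:name="jaasLoginConfigName" mode:value="modeshape"/></configuration>'

def split_tag(tag):
    """Split ElementTree's '{uri}local' tag into (uri, local)."""
    return tuple(tag[1:].split("}", 1)) if tag.startswith("{") else ("", tag)

def policy_names(login_xml):
    # Match on local name: the policies in the thread appear with and without xmlns.
    return {el.get("name") for el in ET.fromstring(login_xml).iter()
            if split_tag(el.tag)[1] == "application-policy"}

def jaas_option(config_xml):
    """Return (configured name or None, list of problems with the option line)."""
    value, problems = None, []
    for el in ET.fromstring(config_xml).iter():
        ns, local = split_tag(el.tag)
        if (ns, local) == (MODE_NS, "option") and el.get(f"{{{JCR_NS}}}name") == "jaasLoginConfigName":
            value = el.get(f"{{{MODE_NS}}}value")
        elif local == "jaasLoginConfigName":
            if el.get(f"{{{JCR_NS}}}primaryType") != "mode:option":
                problems.append('jcr:primaryType is not "mode:option"')
            if el.get(f"{{{MODE_NS}}}value") is None:
                problems.append("value attribute lacks the mode: prefix")
            if not problems:
                value = el.get(f"{{{MODE_NS}}}value")
    return value, problems

def check(config_xml, login_xml):
    """Return (JAAS name in effect, problems); an unusable option falls back to the default."""
    value, problems = jaas_option(config_xml)
    effective = value if value and not problems else DEFAULT_POLICY
    if effective not in policy_names(login_xml):
        problems.append(f"no application-policy named '{effective}'")
    return effective, problems

if __name__ == "__main__":
    for label, cfg in (("original", BROKEN), ("corrected", FIXED)):
        print(label, check(cfg, LOGIN))
```
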
This is being patched into GA, so no doc required.
Release Notes Docs Status: Removed: Not Yet Documented Added: Not Required Labels: Removed: rn-dmison rn-open Added: rn-dmison rn-not-needed Affects: Removed: [Compatibility/Configuration, Documentation (Ref Guide, User Guide, etc.)] Added: [Compatibility/Configuration]
Can this be closed? What else needs to be done? Does it need to be reassigned?
Assign to Darrin at this point, because the issues around jaas setup have been resolved and work out-of-the-box, what's left is what do we need to document.