Sun Java System Application Server Platform Edition 9 Administration Guide

Configuring Security

This section contains the following topics:

Configuring General Security Settings

Use the Security page in the Admin Console to set a variety of system-wide security settings.

Go to Configuration > Security. The Security page displays the general security options, which are summarized in the following table.

| Setting | Description |
| --- | --- |
| Security Manager | Select the Enable checkbox to turn on the security manager for the domain. When enabled, a JVM option, -Djava.security.manager, is added to the JVM settings of the Application Server. You must restart the server to enable this change. Ensure that you have granted the correct permissions for all applications. You can turn off the security manager to enhance performance. |
| Audit Logging | Select to enable audit logging. If enabled, the server loads and runs all the audit modules specified in the Audit Modules setting. If disabled, the server does not access audit modules. Disabled by default. |
| Default Realm | The active (default) realm the server uses for authentication. Applications use this realm unless they specify a different realm in their deployment descriptor. All configured realms appear in the list. The initial default realm is the file realm. |
| Anonymous Role | The name for the default or anonymous role. The anonymous role is assigned to all users. Applications can use this role in their deployment descriptors to grant authorization to anyone. |
| Default Principal | Specifies the default user name. The server uses this when no principal is provided. If you enter a value in this field, enter a corresponding value in the Default Principal Password field. This attribute is not required for normal server operation. |
| Default Principal Password | Password of the default principal specified in the Default Principal field. This attribute is not required for normal server operation. |
| JACC | Class name of a configured JACC provider. See Creating a JACC Provider. |
| Audit Modules | List of audit module provider classes, delimited by commas. A module listed here must already be configured. If Audit Logging is enabled, this setting must list audit modules. By default, the server uses an audit module named default. For information on creating new audit modules, see Creating an Audit Module. |
| Default Principal To Role Mapping | Check to apply a default principal-to-role mapping to applications that do not have an application-specific mapping. |
| Mapped Principal Classes | Customize the java.security.Principal implementation class used in the default principal-to-role mapping. |

For more details on configuring all the options on the Security page, click Help in the Admin Console.

Granting Access to Administration Tools

Only users in the asadmin group can access the Admin Console and the asadmin command-line utility.

To give a user access to these administration tools, add the user to the asadmin group in the admin-realm. In the Admin Console, go to Configuration > Security > Realms > admin-realm > Edit Realm > Manage Users. If the user name exists, click the user name to edit its settings; otherwise, click New to add a new user name.

Initially after installation, the administrator user name and password entered during installation are listed in a file named admin-keyfile. By default, this user belongs to the group asadmin, which gives rights to modify the Application Server. Assign users to this group only if you want to grant them administrator privileges for the Application Server.

If you add a user to the admin-realm realm but assign the user to a group other than asadmin, the user information is still written to the file named admin-keyfile, but the user has no access to administrative tools or to applications in the file realm.

To authorize a user to make modifications to the Application Server, include the asadmin group in the Group List.

For detailed instructions on setting up a new user account with admin privileges, click Help in the Admin Console.
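The following added example (not part of the original guide or the Application Server distribution) reviews an admin-keyfile to report which users hold the asadmin group and which entries carry no administrative access. It assumes one "user;password-hash;group1,group2" entry per line with "#" comment lines; the sample entries and the approved-administrator list are constructed for illustration.

```python
"""Review an admin-keyfile for asadmin group membership (added example)."""
import sys

ADMIN_GROUP = "asadmin"  # the administrative group named in this guide

# Constructed sample. Assumed layout: user;password-hash;comma-separated groups.
SAMPLE_KEYFILE = """\
# constructed sample, hashes are placeholders
admin;{SSHA}PLACEHOLDER1;asadmin
deployer;{SSHA}PLACEHOLDER2;asadmin,operators
monitor;{SSHA}PLACEHOLDER3;operators
orphan;{SSHA}PLACEHOLDER4;
"""


def parse_keyfile(text):
    """Return {user: [groups]}; raise ValueError on malformed or duplicate entries."""
    users = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 3 or not fields[0]:
            raise ValueError(f"line {lineno}: expected user;hash;groups")
        if fields[0] in users:
            raise ValueError(f"line {lineno}: duplicate user {fields[0]!r}")
        users[fields[0]] = [g.strip() for g in fields[2].split(",") if g.strip()]
    return users


def audit(text, approved_admins):
    """Compare asadmin membership against the administrators you expect."""
    users = parse_keyfile(text)
    admins = sorted(u for u, groups in users.items() if ADMIN_GROUP in groups)
    return {
        # Users who can modify the Application Server.
        "admins": admins,
        # asadmin members missing from the approved list: review these first.
        "unapproved": sorted(set(admins) - set(approved_admins)),
        # Present in the keyfile but without access to the administration tools.
        "no_admin_access": sorted(u for u, g in users.items() if ADMIN_GROUP not in g),
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEYFILE
    for key, names in audit(text, approved_admins={"admin"}).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run it with the path to a copy of the keyfile as the only argument; without an argument it reports on the constructed sample.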

See Also: