Sun Java System Application Server Enterprise Edition 8.1 2005Q2 Administration Reference

auth-realm

Defines a realm for authentication.

Authentication realms require provider-specific properties, which vary depending on what a particular implementation needs.

For more information about how to define realms, see the Sun Java System Application Server Enterprise Edition 8.1 2005Q2 Developer’s Guide.

Here is an example of the default file realm:

<auth-realm name="file"
     classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
     <property name="file" value="domain-dir/config/keyfile"/>
     <property name="jaas-context" value="fileRealm"/>
 </auth-realm>

Which properties an auth-realm element uses depends on the value of the auth-realm element’s name attribute. The file realm uses file and jaas-context properties. Other realms use different properties.

Superelements

node-agent, security-service

Subelements

The following table describes subelements for the auth-realm element.

Table 1–15 auth-realm Subelements

Element 

Required 

Description 

property

zero or more 

Specifies a property or a variable. 

Attributes

The following table describes attributes for the auth-realm element.

Table 1–16 auth-realm Attributes

Attribute 

Default 

Description 

name

none 

Specifies the name of this realm. 

classname

none 

Specifies the Java class that implements this realm. 

Properties

The standard realms provided with Application Server have required and optional properties. A custom realm might have different properties.

The following table describes properties for the auth-realm element.

Table 1–17 auth-realm Properties

Property 

Realms 

Description 

jaas-context

file, ldap, solaris

Specifies the JAAS (Java Authentication and Authorization Service) context. 

file

file

Specifies the file that stores user names. The default is domain-dir/config/keyfile.

assign-groups

certificate

(optional) If this property is set, its value is taken to be a comma-separated list of group names. All clients who present valid certificates are assigned membership to these groups for the purposes of authorization decisions in the web and EJB containers.

directory

ldap

Specifies the LDAP URL to your server. 

base-dn

ldap

Specifies the LDAP base DN for the location of user data. This base DN can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance. 

search-filter

ldap

(optional) Specifies the search filter to use to find the user. The default is uid=%s (%s expands to the subject name).

group-base-dn

ldap

(optional) Specifies the base DN for the location of groups data. By default, it is same as the base-dn, but it can be tuned, if necessary.

group-search-filter

ldap

(optional) Specifies the search filter to find group memberships for the user. The default is uniquemember=%d (%d expands to the user element DN).

group-target

ldap

(optional) Specifies the LDAP attribute name that contains group name entries. The default is CN.

search-bind-dn

ldap

(optional) Specifies an optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.

search-bind-password

ldap

(optional) Specifies the LDAP password for the DN given in search-bind-dn .