auth-realm
Defines a realm for authentication.
Authentication realms require provider-specific properties, which vary depending on what a particular implementation needs. For more information about how to define realms, see the Sun Java System Application Server Platform Edition 8.2 Developer’s Guide.
Here is an example of the default file realm:
<auth-realm name="file"
            classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
    <property name="file" value="domain-dir/config/keyfile"/>
    <property name="jaas-context" value="fileRealm"/>
</auth-realm>
Which properties an auth-realm element uses depends on the value of the auth-realm element’s name attribute. The file realm uses the file and jaas-context properties; other realms use different properties.
Superelements
security-service
Subelements
The following table describes subelements for the auth-realm element.
Table 1–14 auth-realm Subelements
Element | Required | Description
property | zero or more | Specifies a property or a variable.
Attributes
The following table describes attributes for the auth-realm element.
Table 1–15 auth-realm Attributes
Attribute | Default | Description
name | none | Specifies the name of this realm.
classname | none | Specifies the Java class that implements this realm.
Properties
The standard realms provided with Application Server have required and optional properties. A custom realm might have different properties.
The following table describes properties for the auth-realm element.
Table 1–16 auth-realm Properties
Property | Realms | Description
jaas-context | file, ldap, solaris | Specifies the JAAS (Java Authentication and Authorization Service) context.
file | file | Specifies the file that stores user names. The default is domain-dir/config/keyfile.
assign-groups | certificate | (optional) If this property is set, its value is taken to be a comma-separated list of group names. All clients who present valid certificates are assigned membership to these groups for the purposes of authorization decisions in the web and EJB containers.
directory | ldap | Specifies the LDAP URL to your server.
base-dn | ldap | Specifies the LDAP base DN for the location of user data. This base DN can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
search-filter | ldap | (optional) Specifies the search filter to use to find the user. The default is uid=%s (%s expands to the subject name).
group-base-dn | ldap | (optional) Specifies the base DN for the location of groups data. By default, it is the same as the base-dn, but it can be tuned, if necessary.
group-search-filter | ldap | (optional) Specifies the search filter to find group memberships for the user. The default is uniquemember=%d (%d expands to the user element DN).
group-target | ldap | (optional) Specifies the LDAP attribute name that contains group name entries. The default is CN.
search-bind-dn | ldap | (optional) Specifies an optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.
search-bind-password | ldap | (optional) Specifies the LDAP password for the DN given in search-bind-dn.
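The following linter is an added example, not part of the Sun documentation or the Application Server itself: it reads auth-realm elements from a domain.xml fragment and checks them against the attribute and property tables above. The required-property sets are this example's reading of the tables, the sample fragment is constructed, and the LDAP realm classname is a placeholder because the page does not give the real class.

```python
"""Lint <auth-realm> elements from a domain.xml fragment (added example, not Sun code)."""
import xml.etree.ElementTree as ET

# Required properties per standard realm, derived from the auth-realm Properties table;
# treating these as hard requirements is this example's assumption.
REQUIRED = {
    "file": {"file", "jaas-context"},
    "ldap": {"directory", "base-dn", "jaas-context"},
    "solaris": {"jaas-context"},
}

def lint_realm(elem):
    """Return a list of findings for one <auth-realm> element (empty list means clean)."""
    findings = []
    name = elem.get("name")
    if not name or not elem.get("classname"):
        findings.append("name and classname attributes are both required")
    props = {p.get("name"): p.get("value", "") for p in elem.findall("property")}
    # Which properties apply depends on the realm's name attribute, as the text states.
    for missing in sorted(REQUIRED.get(name, set()) - set(props)):
        findings.append(f"{name}: missing required property '{missing}'")
    if name == "ldap":
        if props.get("directory", "").startswith("ldap://"):
            findings.append("ldap: directory URL is ldap:// not ldaps://; binds and searches travel in clear")
        if ("search-bind-dn" in props) != ("search-bind-password" in props):
            findings.append("ldap: search-bind-dn and search-bind-password must be set together")
    if name == "certificate" and props.get("assign-groups"):
        groups = [g.strip() for g in props["assign-groups"].split(",")]
        findings.append(f"certificate: every valid client cert gets groups {groups}; confirm intended")
    return findings

def lint_domain(xml_text):
    """Map each realm name to its findings for every <auth-realm> in the fragment."""
    return {r.get("name"): lint_realm(r) for r in ET.fromstring(xml_text).iter("auth-realm")}

# Constructed sample (not a real domain.xml): the page's file realm plus a weak ldap realm.
# The ldap classname is a placeholder; the page does not give the real class.
SAMPLE = """<security-service>
  <auth-realm name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
    <property name="file" value="domain-dir/config/keyfile"/>
    <property name="jaas-context" value="fileRealm"/>
  </auth-realm>
  <auth-realm name="ldap" classname="PLACEHOLDER.LdapRealmClass">
    <property name="directory" value="ldap://ldap.example.test:389"/>
    <property name="base-dn" value="ou=people,dc=example,dc=test"/>
    <property name="search-bind-password" value="constructed-secret"/>
  </auth-realm>
</security-service>"""
```

Running lint_domain(SAMPLE) reports the file realm as clean and flags the ldap realm three times: the missing jaas-context property, the cleartext ldap:// URL, and a bind password without a bind DN.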