Sun Java System Web Server 6.1 SP11 Administrator's Guide

How to Configure a Realm

You can configure realms in one of these ways:

Using the Administration Interface

ProcedureTo configure a realm using the Administration interface

  1. From the Administration Server interface, access the server instance you want to manage, then click on the Java tab.

  2. Click Security Realms.

    By default, the following realms are provided:

    - file

    - native

    - ldap

  3. To add a realm, click New. To delete a realm, check the checkbox next to the name of the realm, and click OK. To edit a realm, click on the name of the realm.

  4. If you are adding or editing a realm, enter the realm’s name, classname, properties, and users (file realm only).

  5. Click OK.

Editing the server.xml File

Behind the scenes, the default realm is set in the SECURITY element in the server.xml file. The SECURITY configuration looks like this:

<SECURITY defaultrealm="file" anonymousrole="ANYJava System"
   <AUTHREALM name="file"
       <property name="file" value="instance_dir/config/keyfile">
       <property name="jaas-context" value="fileRealm">

The defaultrealm attribute points to the realm the server is using by default. The default realm will be used by all web applications that do not provide a valid realm in their web.xml. It must point to one of the configured AUTHREALM names. The default is the file realm.

The audit flag determines whether auditing information is logged. If set to true, the server logs audit messages for all authentication and authorization events.

If you change the realm configuration, you must restart the server for the change to take effect.

For more information about the server.xml file, see the Sun Java System Web Server 6.1 SP11 Administrator’s Configuration File Reference.

Configuring the Native Realm

As with all realms, you can configure the Native realm using the AUTHREALM element within the SECURITY element in server.xml. Example:

<AUTHREALM name="native" 
    <PROPERTY name="auth-db" value="mykeyfile">
    <PROPERTY name="jaas-context" value="nativeRealm">

The auth-db property points to the core authentication database to which the Native realm instance delegates all authentication requests. In this example, an authentication database named “mykeyfile”. This property is optional. If not specified, the core authentication engine will use the default auth-db to process all requests from this Native realm. As in the case of most realms, the jaas-context property is a pointer to the JAAS login context to be used (defined in login.conf).

No other configuration is needed by the Native realm. However, since requests are being delegated to a core authentication database, that particular authentication database must also be property configured. The rest of this section provides an example of configuring a core authentication database.

To configure a core (native) authentication database, in server.xml, the VS element must contain a USERDB element which maps the auth-db name to a database name. For example:

<VS id=""  ....
    <USERDB id="mykeyfile" database="myalt">

Note that if the auth-db property is not given (in which case "default" is used) you could have a USERDB entry mapping id="default" to some database name. If no mapping is present, the mapping is to default.

Next, the file install-root/userdb/dbswitch.conf must contain the configuration for the myalt database. The following example defines myalt to be a file-based authentication database.

directory myalt file
myalt:syntax keyfile
myalt:keyfile /local/ws61/

The above configuration is not specific to the Native realm. Any valid authentication directory configuration can be used as the destination authentication database by the Native realm. This means the Native realm can be configured to delegate to native LDAP authentication databases or even to custom native authentication databases.

Note –

In Sun Java System web Server 6.1, web applications have two distinct mechanisms for using LDAP as the authentication engine: