Administering Authentication Realms
An authentication realm, also called a security policy domain or security domain, is a scope over which the Enterprise Server defines and enforces a common security policy. Enterprise Server is preconfigured with the file, certificate, and administration realms. In addition, you can set up LDAP, JDBC, digest, Solaris, or custom realms. An application can specify which realm to use in its deployment descriptor. If the application does not specify a realm, Enterprise Server uses its default realm (file).
file realm: Enterprise Server stores user credentials locally in a file named keyfile. The file realm is the initial default realm.
admin-realm: The administration realm is also a file realm and stores administrator user credentials locally in a file named admin-keyfile.
certificate realm: Enterprise Server stores user credentials in a certificate database. When using the certificate realm, the server uses certificates with the HTTPS protocol to authenticate web clients.
ldap realm: Enterprise Server gets user credentials from a Lightweight Directory Access Protocol (LDAP) server such as the Directory Server. LDAP is a protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. Consult your LDAP server documentation for information about managing users and groups in the LDAP realm.
jdbc realm: Enterprise Server gets user credentials from a database. The server uses the database information and the enabled JDBC realm option in the configuration file.
digest realm: Digest authentication authenticates a user based on a user name and a password. However, the password itself is not sent as clear text; a digest computed from it is transmitted instead.
solaris realm: Enterprise Server gets user credentials from the Solaris operating system. This realm is supported on the Solaris 9 and Solaris 10 operating systems. Consult your Solaris documentation for information about managing users and groups in the Solaris realm.
custom realm: You can create other repositories for user credentials, such as a relational database or third-party components. For more information about custom realms, see the Administration Console online help. For instructions on creating a custom realm, see Creating a Custom Realm in Sun GlassFish Enterprise Server v3 Application Development Guide.
The Enterprise Server authentication service can govern users in multiple realms.
The following tasks are used to administer authentication realms:
To Create an Authentication Realm
To List Authentication Realms
To Update an Authentication Realm
To Delete an Authentication Realm
To Configure a JDBC or Digest Authentication Realm

To Create an Authentication Realm
Use the create-auth-realm subcommand in remote mode to create an authentication realm.
1. Ensure that the server is running.
Remote subcommands require a running server.
2. Create a realm by using the create-auth-realm(1) subcommand.
Information about properties for this subcommand is included in this help page.
Example: Creating a Realm
This example creates a realm named db.
asadmin> create-auth-realm --classname com.iplanet.ias.security.auth.realm.DB.Database --property defaultuser=admin:Password=admin db
Command create-auth-realm executed successfully.
You can also view the full syntax and options of the subcommand by typing asadmin help create-auth-realm at the command line.
For information on creating a custom realm, see Creating a Custom Realm in Sun GlassFish Enterprise Server v3 Application Development Guide.
To List Authentication Realms
Use the list-auth-realms subcommand in remote mode to list the existing authentication realms.
1. Ensure that the server is running.
Remote subcommands require a running server.
2. List realms by using the list-auth-realms(1) subcommand.
Example: Listing Realms
This example lists the authentication realms on localhost.
asadmin> list-auth-realms
db
certificate
file
admin-realm
Command list-auth-realms executed successfully.
You can also view the full syntax and options of the subcommand by typing asadmin help list-auth-realms at the command line.
To Update an Authentication Realm
Use the set subcommand to modify an existing authentication realm.
Note - A custom realm does not require a server restart.
1. List realms by using the list-auth-realms(1) subcommand.
2. Modify the values for the specified realm by using the set(1) subcommand.
The realm is identified by its dotted name.
3. To apply your changes, restart Enterprise Server. See To Restart a Domain.
To Delete an Authentication Realm
Use the delete-auth-realm subcommand in remote mode to delete an existing authentication realm.
1. Ensure that the server is running.
Remote subcommands require a running server.
2. List realms by using the list-auth-realms(1) subcommand.
3. If necessary, notify users that the realm is being deleted.
4. Delete the realm by using the delete-auth-realm(1) subcommand.
5. To apply your changes, restart Enterprise Server. See To Restart a Domain.
Example: Deleting a Realm
This example deletes an authentication realm named db.
asadmin> delete-auth-realm db
Command delete-auth-realm executed successfully.
You can also view the full syntax and options of the subcommand by typing asadmin help delete-auth-realm at the command line.
To Configure a JDBC or Digest Authentication Realm
Enterprise Server enables you to specify a user's credentials (user name and password) in the JDBC realm instead of in the connection pool. Using the jdbc type realm instead of the connection pool prevents other applications from browsing the database tables for user credentials.
Note - By default, storage of passwords as clear text is not supported in the JDBC realm. Under normal circumstances, passwords should not be stored as clear text.
1. Create the database tables in which to store user credentials for the realm.
How you create the database tables depends on the database that you are using.
2. Add user credentials to the database tables that you created.
How you add user credentials to the database tables depends on the database that you are using.
3. Create a JDBC connection pool for the database.
4. Create a JDBC resource for the database.
5. Create a realm.
For instructions, see To Create an Authentication Realm.
Note - The JAAS context should be jdbcDigestRealm for digest authentication or jdbcRealm for other authentication types.
6. Modify the deployment descriptor to specify the jdbc realm.
Modify the deployment descriptor that is associated with your application:
- For an enterprise application in an Enterprise Archive (EAR) file, modify the sun-application.xml file.
- For a web application in a Web Application Archive (WAR) file, modify the web.xml file.
- For an enterprise bean in an EJB JAR file, modify the sun-ejb-jar.xml file.
For more information about how to specify a realm, see How to Configure a Realm in Sun GlassFish Enterprise Server v3 Application Development Guide.
7. Assign security roles to users in the realm.
To assign a security role to a user, add a security-role-mapping element to the deployment descriptor that you modified.
8. Verify that the database is running.
If needed, see To Start the Database.
9. To apply the authentication, restart the server. See To Restart a Domain.
Example: Assigning a Security Role
This example shows a security-role-mapping element that assigns the security role Employee to user Calvin.
<security-role-mapping>
  <role-name>Employee</role-name>
  <principal-name>Calvin</principal-name>
</security-role-mapping>
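The following script is an added example that is not part of the Sun GlassFish documentation. It walks through steps 1 to 5 of the JDBC realm procedure above (and the create-auth-realm step it refers to) as shell functions: the credential tables, the SHA-256 digest that goes into the password column so that no clear-text password is ever stored (the note above), and the asadmin commands that create the pool, the resource and the realm with the realm's own db-user and db-password properties so that the connection pool carries no credentials. Everything not on the page is an assumption: the table and column names, the realm, pool and JNDI names, the Derby datasource class, and the GlassFish v3 JDBCRealm class name and its property names (jaas-context, datasource-jndi, user-table, user-name-column, password-column, group-table, group-name-column, digest-algorithm, encoding, charset, db-user, db-password). The user "calvin" with the throwaway password "abc" is constructed sample input.

```shell
#!/bin/sh
# Added example: provisioning a jdbc realm for GlassFish Enterprise Server v3.
# Names, schema and realm properties below are assumptions, not taken from the page.
set -eu

ASADMIN="${ASADMIN:-asadmin}"   # path to the asadmin CLI; override if not on PATH
REALM_NAME="jdbcRealmDemo"      # assumed realm name
POOL_NAME="realmPool"           # assumed connection pool name
JNDI_NAME="jdbc/realmdb"        # assumed JDBC resource name

# Step 1: tables for user credentials and group membership (constructed schema).
realm_schema_sql() {
  cat <<'SQL'
CREATE TABLE realm_users (
  username VARCHAR(64) NOT NULL PRIMARY KEY,
  passwd   VARCHAR(64) NOT NULL   -- hex SHA-256 digest of the password, never clear text
);
CREATE TABLE realm_groups (
  username  VARCHAR(64) NOT NULL REFERENCES realm_users(username),
  groupname VARCHAR(64) NOT NULL,
  PRIMARY KEY (username, groupname)
);
SQL
}

# Hex-encoded SHA-256 of the password, matching the realm properties
# digest-algorithm=SHA-256 encoding=Hex charset=UTF-8 set in realm_properties.
hash_password() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s' "$1" | sha256sum | awk '{print $1}'
  else
    printf '%s' "$1" | openssl dgst -sha256 | awk '{print $NF}'
  fi
}

# Step 2: INSERT statements for one user; only the digest reaches the database.
user_insert_sql() {
  ru_user="$1"; ru_pass="$2"; ru_group="$3"
  # Accept plain identifiers only, so the quoted SQL literals cannot be broken out of.
  if [ -z "$ru_user" ] || [ -z "$ru_group" ]; then
    echo "user and group names must not be empty" >&2; return 1
  fi
  case "$ru_user$ru_group" in
    *[!A-Za-z0-9_]*) echo "refusing non-alphanumeric user or group name" >&2; return 1 ;;
  esac
  ru_digest="$(hash_password "$ru_pass")"
  printf "INSERT INTO realm_users (username, passwd) VALUES ('%s', '%s');\n" "$ru_user" "$ru_digest"
  printf "INSERT INTO realm_groups (username, groupname) VALUES ('%s', '%s');\n" "$ru_user" "$ru_group"
}

# Step 5: the --property string for create-auth-realm (':'-separated, as in the
# page's own example). jaas-context is jdbcRealm, per the note in the procedure;
# the realm queries its tables with db-user/db-password, so the pool has none.
realm_properties() {
  rp_jndi="$1"; rp_dbuser="$2"; rp_dbpass="$3"
  printf '%s' "jaas-context=jdbcRealm:datasource-jndi=$rp_jndi"
  printf '%s' ":user-table=realm_users:user-name-column=username:password-column=passwd"
  printf '%s' ":group-table=realm_groups:group-name-column=groupname"
  printf '%s' ":digest-algorithm=SHA-256:encoding=Hex:charset=UTF-8"
  printf '%s' ":db-user=$rp_dbuser:db-password=$rp_dbpass"
}

# Steps 3 to 5 via asadmin in remote mode (the server must be running).
provision_realm() {
  "$ASADMIN" create-jdbc-connection-pool \
    --datasourceclassname org.apache.derby.jdbc.ClientDataSource \
    --restype javax.sql.DataSource \
    --property "serverName=localhost:portNumber=1527:databaseName=realmdb" \
    "$POOL_NAME"
  "$ASADMIN" create-jdbc-resource --connectionpoolid "$POOL_NAME" "$JNDI_NAME"
  "$ASADMIN" create-auth-realm \
    --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm \
    --property "$(realm_properties "$JNDI_NAME" "$1" "$2")" \
    "$REALM_NAME"
  # Read the stored configuration back through the same dotted name that set uses.
  "$ASADMIN" get "server.security-service.auth-realm.$REALM_NAME.property.*"
}

# The asadmin calls run only on request; the helper functions work without a server.
if [ "${PROVISION_REALM:-0}" = "1" ]; then
  realm_schema_sql
  user_insert_sql calvin 'abc' Employee          # constructed sample user and password
  provision_realm "${REALM_DB_USER:?}" "${REALM_DB_PASSWORD:?}"
fi
```

Run the SQL the first two functions print against the realm database before creating the realm, then invoke the script with PROVISION_REALM=1 and the database account in REALM_DB_USER and REALM_DB_PASSWORD. Passing db-password on the asadmin command line exposes it to process listings and shell history; a password alias created with asadmin create-password-alias and referenced as ${ALIAS=name} in the property value keeps it out of both.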