A user is an individual (or application program) identity that is defined in GlassFish Server. A user who has been authenticated is sometimes called a principal.
As the administrator, you are responsible for integrating users into the GlassFish Server environment so that their credentials are securely established and they are provided with access to the applications and services that they are entitled to use.
The following topics are addressed here:
Use the create-file-user subcommand in remote mode to create a new user by adding a new entry to the keyfile. The entry includes the user name, password, and any groups for the user. Multiple groups can be specified by separating the groups with colons (:).
Creating a new file realm user is a dynamic event and does not require server restart.
Remote subcommands require a running server.
Example 2-5 Creating a User
This example creates user Jennifer on the default realm file (no groups are specified).
The asadmin --passwordfile option specifies the name of a file that contains the password entries in a specific format. The entry for a password must have the AS_ADMIN_ prefix followed by the password name in uppercase letters, an equals sign, and the password. See asadmin(1M) for more information.
asadmin> create-file-user --user admin --passwordfile=c:\tmp\asadminpassword.txt Jennifer
Command create-file-user executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help create-file-user at the command line.
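The password file format described above, as an added example that is not part of the original guide: a Python sketch that writes the file with owner-only permissions and audits an existing file for malformed entries and loose permissions. The entry names AS_ADMIN_PASSWORD and AS_ADMIN_USERPASSWORD come from the asadmin reference rather than from this page; the function names, file names and password values are constructed, and the permission check assumes a POSIX host.

```python
import os
import re
import stat
import tempfile

# Page's rule: AS_ADMIN_ prefix, password name in uppercase, '=', password.
ENTRY_RE = re.compile(r"^AS_ADMIN_([A-Z][A-Z0-9_]*)=(.*)$")


def write_password_file(path, entries):
    """Create the file as 0600 from the start, so it is never world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        for name, secret in entries.items():
            fh.write(f"AS_ADMIN_{name.upper()}={secret}\n")


def audit_password_file(path):
    """Return findings for a password file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit (POSIX assumption)
        findings.append(f"mode {mode:04o}: accessible to group or other")
    with open(path) as fh:
        for lineno, line in enumerate(fh, 1):
            line = line.rstrip("\r\n")
            if not line.strip():
                continue
            m = ENTRY_RE.match(line)
            if not m:  # never echo the line: it may contain a password
                findings.append(f"line {lineno}: not AS_ADMIN_<NAME>=<password>")
            elif not m.group(2):
                findings.append(f"line {lineno}: empty value for AS_ADMIN_{m.group(1)}")
    return findings


def demo():
    """Audit one well-formed and one deliberately bad file (constructed data)."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.txt"), os.path.join(d, "bad.txt")
        write_password_file(good, {"PASSWORD": "constructed-admin-pw",
                                   "USERPASSWORD": "constructed-user-pw"})
        with open(bad, "w") as fh:
            fh.write("as_admin_userpassword=constructed-pw\nAS_ADMIN_PASSWORD=\n")
        os.chmod(bad, 0o644)
        return audit_password_file(good), audit_password_file(bad)


if __name__ == "__main__":
    print(demo())
```

The audit reports line numbers only, so its output can be logged without exposing the passwords it inspects.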
Use the list-file-users subcommand in remote mode to list the users that are in the keyfile.
Remote subcommands require a running server.
Example 2-6 Listing File Users
This example lists file users on the default file realm, file.
asadmin> list-file-users
Jennifer
Command list-file-users executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help list-file-users at the command line.
A group is a category of users classified by common traits, such as job title or customer profile. For example, users of an e-commerce application might belong to the customer group, and the big spenders might also belong to the preferred group. Categorizing users into groups makes it easier to control the access of large numbers of users. A group is defined for an entire server and realm. A user can be associated with multiple groups of users.
A group is different from a role in that a role defines a function in an application, while a group is a set of users who are related in some way. For example, in the personnel application there might be groups such as full-time, part-time, and on-leave. Users in these groups are all employees (the employee role). In addition, each user has its own designation that defines an additional level of employment.
Use the list-file-groups subcommand in remote mode to list groups for a file user, or all file groups if the --name option is not specified.
Remote subcommands require a running server.
Example 2-7 Listing Groups for a User
This example lists the groups for user joesmith.
asadmin> list-file-groups --name joesmith
staff
manager
Command list-file-groups executed successfully
Use the update-file-user subcommand in remote mode to modify the information in the keyfile for a specified user.
Remote subcommands require a running server.
See To Restart a Domain in Oracle GlassFish Server 3.1 Administration Guide.
Example 2-8 Updating a User
The following subcommand updates the groups for user Jennifer.
asadmin> update-file-user --passwordfile c:\tmp\asadminpassword.txt --groups staff:manager:engineer Jennifer
Command update-file-user executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help update-file-user at the command line.
Use the delete-file-user subcommand in remote mode to remove a user entry from the keyfile by specifying the user name. You cannot delete yourself, that is, the user you are logged in as cannot be deleted during your session.
Remote subcommands require a running server.
Example 2-9 Deleting a User
This example deletes user Jennifer from the default file realm.
asadmin> delete-file-user Jennifer
Command delete-file-user executed successfully.
See Also
You can also view the full syntax and options of the subcommand by typing asadmin help delete-file-user at the command line.