security-service (Sun GlassFish Communications Server 1.5 Administration Reference)

Sun GlassFish Communications Server 1.5 Administration Reference

security-service

Defines parameters and configuration information needed by the Java EE security service. For SSL configuration, see ssl. For connector module security, see security-map.

Superelements

config

Subelements

The following table describes subelements for the security-service element.

Table 1–173 security-service Subelements


Element	Required	Description
auth-realm	one or more	Defines a realm for authentication.
jacc-provider	one or more	Specifies a Java Authorization Contract for Containers (JACC) provider for pluggable authorization.
audit-module	zero or more	Specifies an optional plug-in module that implements audit capabilities.
message-security-config	zero or more	Specifies configurations for message security providers.
identity-assertion-trust	zero or more	Specifies identity assertion trust domain configuration information.
property	zero or more	Specifies a property or a variable.

Attributes

The following table describes attributes for the security-service element.

Table 1–174 security-service Attributes


Attribute	Default	Description
`default-realm`	`file`	(optional) Specifies the active authentication realm (an `auth-realm` `name` attribute) for this server instance.
`default-principal`	none	(optional) Used as the identity of the default security context when necessary and when no principal is provided. This attribute need not be set for normal server operation.
`default-principal-password`	none	(optional) The password of the default principal. This attribute need not be set for normal server operation.
`anonymous-role`	`attribute is deprecated`	(optional) Deprecated. Do not use.
`audit-enabled`	`false`	(optional) If `true`, additional access logging is performed to provide audit information. Audit information consists of: Authentication success and failure events Servlet and EJB access grants and denials
`jacc`	`default`	(optional) Specifies the name of the jacc-provider element to use for setting up the JACC infrastructure. Do not change the default value unless you are adding a custom JACC provider.
`audit-modules`	`default`	(optional) Specifies a space-separated list of audit provider modules used by the audit subsystem. The default value refers to the internal log-based audit module.
`activate-default-principal-to-role-mapping`	`false`	(optional) Applies a default principal for role mapping to any application that does not have an application-specific mapping defined. Every role is mapped to an instance of a `java.security.Principal` implementation class defined by `mapped-principal-class`. This class has the same name as the role.
`mapped-principal-class`	`com.sun.enterprise.deployment.Group`	(optional) Customizes the `java.security.Principal` implementation class used when `activate-default-principal-to-role-mapping` is set to `true`.

Properties

The following table describes properties for the security-service element.

Table 1–175 security-service Properties


Property	Default	Description
`IdentityValidatorConfiguration`	none	Specifies a comma-separated list of `parameter=value` pairs that configure the identity authentication module (RFC 4474). Parameters are as follows: `maxClockSkew` — Specifies the maximum difference in milliseconds allowed between the system clocks of the sender and recipient. The default is `0` (zero). `timestampFreshnessLimit` — Specifies the maximum duration of time in milliseconds after which the timestamp becomes stale. The default is `600000` (600 seconds or 10 minutes). `enableRevocationCheck` — If set to `true`, uses the default revocation checking mechanism of the underlying `PKIX` service provider. The default is `false`. `certificateValidator` — Specifies the class name of a custom certificate validator implementation. This class must implement the `org.glassfish.comms.api.security.auth.CertificateValidator` interface.
`PrincipalMapper`	none	Specifies the name of a custom class that converts user names to a format understood by the SIP container. The class must implement the `com.sun.enterprise.security.auth.PrincipalMapper` interface. The Communications Server provides a default `PrincipalMapper` implementation. Each application using P-asserted identity authentication creates its own instance of the `PrincipalMapper` implementation class.
`NonceManager`	none	Specifies the Nonce Manager configuration. Identity authentication and SIP digest authentication modules need the Nonce Manager to cache `nonce` and `call-id` values respectively. The syntax for the property's `value` attribute is as follows: id=identity-nonce-config,maxNonceAge=`millis`;id=sip-nonce-config,maxNonceAge=`millis` You can specify `identity-nonce-config`, `sip-nonce-config`, or both. The `maxNonceAge` parameter units are milliseconds. The default for the `identity-nonce-config` `maxNonceAge` is `3600000` (1 hour). The default for the `sip-nonce-config` `maxNonceAge` is `600000` (10 minutes).