auth-realm (Sun GlassFish Enterprise Server v2.1.1 Administration Reference)

Sun GlassFish Enterprise Server v2.1.1 Administration Reference

auth-realm

Defines a realm for authentication.

Authentication realms require provider-specific properties, which vary depending on what a particular implementation needs.

For more information about how to define realms, see the Sun GlassFish Enterprise Server v2.1.1 Administration Guide.

Here is an example of the default file realm:

<auth-realm name="file"
     classname="com.sun.enterprise.security.auth.realm.file.FileRealm">
     <property name="file" value="domain-dir/config/keyfile"/>
     <property name="jaas-context" value="fileRealm"/>
 </auth-realm>

Which properties an auth-realm element uses depends on the value of the auth-realm element’s name attribute. The file realm uses file and jaas-context properties. Other realms use different properties.

Superelements

node-agent, security-service

Subelements

The following table describes subelements for the auth-realm element.

Table 1–16 auth-realm Subelements


Element	Required	Description
property	zero or more	Specifies a property or a variable.

Attributes

The following table describes attributes for the auth-realm element.

Table 1–17 auth-realm Attributes


Attribute	Default	Description
`name`	none	Specifies the name of this realm.
`classname`	none	Specifies the Java class that implements this realm.

Properties

The standard realms provided with Enterprise Server have required and optional properties. A custom realm might have different properties.

The following table describes properties for the auth-realm element.

Table 1–18 auth-realm Properties


Property	Realms	Description
`jaas-context`	`file, ldap, jdbc, solaris`	Specifies the JAAS (Java Authentication and Authorization Service) context.
`file`	`file`	Specifies the file that stores user names, passwords, and group names. The default is `domain-dir/config/keyfile`.
`assign-groups`	`certificate, file, jdbc, ldap, solaris`	(optional) If this property is set, its value is taken to be a comma-separated list of group names. All clients who present valid certificates are assigned membership to these groups for the purposes of authorization decisions in the web and EJB containers.
`directory`	`ldap`	Specifies the LDAP URL to your server.
`base-dn`	`ldap`	Specifies the LDAP base DN for the location of user data. This base DN can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
`search-filter`	`ldap`	(optional) Specifies the search filter to use to find the user. The default is `uid=%s` (`%s` expands to the subject name).
`group-base-dn`	`ldap`	(optional) Specifies the base DN for the location of groups data. By default, it is same as the `base-dn`, but it can be tuned, if necessary.
`group-search-filter`	`ldap`	(optional) Specifies the search filter to find group memberships for the user. The default is `uniquemember=%d` (`%d` expands to the user element DN).
`group-target`	`ldap`	(optional) Specifies the LDAP attribute name that contains group name entries. The default is `CN`.
`search-bind-dn`	`ldap`	(optional) Specifies an optional DN used to authenticate to the directory for performing the `search-filter` lookup. Only required for directories that do not allow anonymous search.
`search-bind-password`	`ldap`	(optional) Specifies the LDAP password for the DN given in `search-bind-dn` .
`datasource-jndi`	`jdbc`	Specifies the `jndi-name` of the jdbc-resource for the database.
`user-table`	`jdbc`	Specifies the name of the user table in the database.
`user-name-column`	`jdbc`	Specifies the name of the user name column in the database's user table.
`password-column`	`jdbc`	Specifies the name of the password column in the database's user table.
`group-table`	`jdbc`	Specifies the name of the group table in the database.
`group-name-column`	`jdbc`	Specifies the name of the group name column in the database's group table.
`db-user`	`jdbc`	(optional) Allows you to specify the database user name in the realm instead of the jdbc-connection-pool. This prevents other applications from looking up the database, getting a connection, and browsing the user table. By default, the `jdbc-connection-pool` configuration is used.
`db-password`	`jdbc`	(optional) Allows you to specify the database password in the realm instead of the jdbc-connection-pool. This prevents other applications from looking up the database, getting a connection, and browsing the user table. By default, the `jdbc-connection-pool` configuration is used.
`digest-algorithm`	`jdbc`	(optional) Specifies the digest algorithm. The default is `MD5`. You can use any algorithm supported in the JDK, or `none`.
`encoding`	`jdbc`	(optional) Specifies the encoding. Allowed values are `Hex` and `Base64`. If `digest-algorithm` is specified, the default is `Hex`. If `digest-algorithm` is not specified, by default no encoding is specified.
`charset`	`jdbc`	(optional) Specifies the charset for the digest algorithm.