Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Administration Reference
auth-realm
Defines a realm for authentication.
Authentication realms require provider-specific properties, which vary
depending on what a particular implementation needs.
For more information about how to define realms, see the Sun Java System Application Server Platform Edition 8.1 2005Q2 Update 2 Developer’s Guide.
Here is an example of the default file realm:
    <auth-realm name="file"
        classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
      <property name="file" value="domain-dir/config/keyfile"/>
      <property name="jaas-context" value="fileRealm"/>
    </auth-realm>
Which properties an auth-realm element uses depends on the value of the auth-realm element’s name attribute. The file realm uses file and jaas-context properties. Other realms use different properties.
Superelements
security-service
Subelements
The following table describes subelements for the auth-realm element.
Table 1–14 auth-realm Subelements

Element  | Required     | Description
property | zero or more | Specifies a property or a variable.
Attributes
The following table describes attributes for the auth-realm element.
Table 1–15 auth-realm Attributes

Attribute | Default | Description
name      | none    | Specifies the name of this realm.
classname | none    | Specifies the Java class that implements this realm.
Properties
The standard realms provided with Application Server have required and optional properties. A custom realm might have different properties.
The following table describes properties for the auth-realm element.
Table 1–16 auth-realm Properties

Property             | Realms              | Description
jaas-context         | file, ldap, solaris | Specifies the JAAS (Java Authentication and Authorization Service) context.
file                 | file                | Specifies the file that stores user names. The default is domain-dir/config/keyfile.
assign-groups        | certificate         | (optional) If this property is set, its value is taken to be a comma-separated list of group names. All clients who present valid certificates are assigned membership to these groups for the purposes of authorization decisions in the web and EJB containers.
directory            | ldap                | Specifies the LDAP URL to your server.
base-dn              | ldap                | Specifies the LDAP base DN for the location of user data. This base DN can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
search-filter        | ldap                | (optional) Specifies the search filter to use to find the user. The default is uid=%s (%s expands to the subject name).
group-base-dn        | ldap                | (optional) Specifies the base DN for the location of groups data. By default, it is the same as the base-dn, but it can be tuned, if necessary.
group-search-filter  | ldap                | (optional) Specifies the search filter to find group memberships for the user. The default is uniquemember=%d (%d expands to the user element DN).
group-target         | ldap                | (optional) Specifies the LDAP attribute name that contains group name entries. The default is CN.
search-bind-dn       | ldap                | (optional) Specifies an optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.
search-bind-password | ldap                | (optional) Specifies the LDAP password for the DN given in search-bind-dn.
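The required and optional properties listed in the tables above, turned into a small configuration checker for auth-realm elements in a domain.xml fragment. This is an added example, not code from the Application Server product; the input fragment is constructed here, and the LDAP realm’s classname is a placeholder, not the product’s real class.

```python
# Added example: check <auth-realm> elements against the property table above.
# Realm requirements are keyed on the name attribute, as the reference describes.
import xml.etree.ElementTree as ET

# (required, optional) property names per standard realm, from Table 1-16.
REALM_PROPS = {
    "file": ({"jaas-context", "file"}, set()),
    "solaris": ({"jaas-context"}, set()),
    "certificate": (set(), {"assign-groups"}),
    "ldap": ({"jaas-context", "directory", "base-dn"},
             {"search-filter", "group-base-dn", "group-search-filter",
              "group-target", "search-bind-dn", "search-bind-password"}),
}

# Constructed sample fragment; the ldap classname is a placeholder.
SAMPLE_XML = """<security-service>
  <auth-realm name="file"
      classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
    <property name="file" value="domain-dir/config/keyfile"/>
    <property name="jaas-context" value="fileRealm"/>
  </auth-realm>
  <auth-realm name="ldap" classname="PLACEHOLDER.LdapRealm">
    <property name="jaas-context" value="ldapRealm"/>
    <property name="directory" value="ldap://ldap.example.test:389"/>
    <property name="search-bind-password" value="example-secret"/>
  </auth-realm>
</security-service>"""


def check_realms(xml_text):
    """Return {realm name: [finding, ...]} for every auth-realm in the fragment."""
    findings = {}
    for realm in ET.fromstring(xml_text).iter("auth-realm"):
        name = realm.get("name")
        props = {p.get("name"): p.get("value") for p in realm.findall("property")}
        issues = []
        if "classname" not in realm.attrib:
            issues.append("missing required attribute classname")
        if name not in REALM_PROPS:
            issues.append("custom realm: properties not checked")
        else:
            required, optional = REALM_PROPS[name]
            for missing in sorted(required - props.keys()):
                issues.append(f"missing required property {missing}")
            for extra in sorted(props.keys() - required - optional):
                issues.append(f"unknown property {extra}")
            # search-bind-password is the password for search-bind-dn, so
            # one without the other is a configuration mistake.
            if "search-bind-password" in props and "search-bind-dn" not in props:
                issues.append("search-bind-password set without search-bind-dn")
        findings[name] = issues
    return findings
```

Running check_realms(SAMPLE_XML) reports the file realm as clean and flags the ldap realm for its missing base-dn and its bind password without a bind DN.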