Supported Realm Types
The following realms are supported:
file
The file realm is the default realm when you first install the Application Server. It has the following configuration characteristics:
- Name – file
- Classname – com.sun.enterprise.security.auth.realm.file.FileRealm
Required properties are as follows:
- file – The name of the file that stores user information. By default this file is named keyfile and is located in the domain's config directory, typically install_dir/domains/domain_dir/config.
- jaas-context – The value must be fileRealm.
The user information file is initially empty, so you must add users before you can use the file realm.
ldap
The ldap realm allows you to use an LDAP database for user security information. It has the following configuration characteristics:
- Name – ldap
- Classname – com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
Required properties are as follows:
- directory – The LDAP URL to your server.
- base-dn – The base DN for the location of user data. This base DN can be at any level above the user data, since a tree scope search is performed. The smaller the search tree, the better the performance.
- jaas-context – The value must be ldapRealm.
You can add the following optional properties to tailor the LDAP realm behavior.
- search-filter – The search filter to use to find the user. The default is uid=%s (%s expands to the subject name).
- group-base-dn – The base DN for the location of groups data. By default it is same as the base-dn, but it can be tuned if necessary.
- group-search-filter – The search filter to find group memberships for the user. The default is uniquemember=%d (%d expands to the user element DN).
- group-target – The LDAP attribute name that contains group name entries. The default is CN.
- search-bind-dn – An optional DN used to authenticate to the directory for performing the search-filter lookup. Only required for directories that do not allow anonymous search.
- search-bind-password – The LDAP password for the DN given in search-bind-dn.
You must create the desired user(s) in your LDAP directory. You can do this from the Directory Server console in the Users & Groups main tab, or through any other administration tool which supports LDAP and your directory’s schema.
The principal-name used in the deployment descriptors must correspond to your LDAP user information.
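The following is an added illustration, not Application Server code, of how the ldap realm's properties drive the two lookups described above: search-filter with %s replaced by the subject name under base-dn, then group-search-filter with %d replaced by the user's DN under group-base-dn, collecting the group-target attribute. The directory contents, the passwords, and the equality-only filter evaluator are constructed stand-ins for a real LDAP server; the RFC 4515 escaping helper is the practitioner's safeguard for the %s expansion and is not a claim about what LDAPRealm itself does.

```python
import re

# Constructed in-memory stand-in for the directory (no real server is contacted).
DIRECTORY = {
    "uid=jdoe,ou=People,dc=example,dc=com":
        {"uid": ["jdoe"], "cn": ["Jane Doe"], "userPassword": ["s3cret"]},
    "uid=asmith,ou=People,dc=example,dc=com":
        {"uid": ["asmith"], "cn": ["Al Smith"], "userPassword": ["hunter2"]},
    "cn=admins,ou=Groups,dc=example,dc=com":
        {"cn": ["admins"],
         "uniquemember": ["uid=jdoe,ou=People,dc=example,dc=com"]},
    "cn=staff,ou=Groups,dc=example,dc=com":
        {"cn": ["staff"],
         "uniquemember": ["uid=jdoe,ou=People,dc=example,dc=com",
                          "uid=asmith,ou=People,dc=example,dc=com"]},
}

# Realm properties as documented; optional ones carry their documented defaults,
# except group-base-dn, which is set because the sample groups live elsewhere.
REALM = {
    "directory": "ldap://ldap.example.com:389",   # assumed URL, never opened here
    "base-dn": "ou=People,dc=example,dc=com",
    "jaas-context": "ldapRealm",
    "search-filter": "uid=%s",
    "group-base-dn": "ou=Groups,dc=example,dc=com",
    "group-search-filter": "uniquemember=%d",
    "group-target": "CN",
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter.  Without it a subject
    name such as '*)(uid=*' would rewrite the filter built from uid=%s."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _in_subtree(dn, base_dn):
    # Tree-scope search covers the base entry and everything beneath it.
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def search(base_dn, filt):
    """Equality-only subset of LDAP filter evaluation over DIRECTORY.
    Returns the DNs under base_dn whose attribute equals the filter value."""
    m = re.fullmatch(r"\(?([A-Za-z][\w-]*)=([^()]*)\)?", filt)
    if not m:
        raise ValueError("unsupported or malformed filter: %r" % filt)
    attr, want = m.group(1).lower(), unescape_filter_value(m.group(2))
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not _in_subtree(dn, base_dn):
            continue
        for k, vs in attrs.items():
            if k.lower() == attr and want in vs:
                hits.append(dn)
                break
    return hits


def resolve_user(realm, subject, password):
    """Find the unique user entry for subject, check the password (stand-in for
    the bind the realm performs as that DN), then collect its group names.
    Returns (user_dn, sorted group names) or None when authentication fails."""
    base = realm["base-dn"]
    user_filter = realm["search-filter"].replace("%s", escape_filter_value(subject))
    matches = search(base, user_filter)
    if len(matches) != 1:          # unknown subject, or an ambiguous filter: refuse
        return None
    user_dn = matches[0]
    if password not in DIRECTORY[user_dn].get("userPassword", []):
        return None
    group_filter = realm["group-search-filter"].replace("%d", escape_filter_value(user_dn))
    group_base = realm.get("group-base-dn", base)        # default: same as base-dn
    target = realm.get("group-target", "CN").lower()     # default: CN
    groups = []
    for gdn in search(group_base, group_filter):
        for k, vs in DIRECTORY[gdn].items():
            if k.lower() == target:
                groups.extend(vs)
    return user_dn, sorted(groups)


if __name__ == "__main__":
    print(resolve_user(REALM, "jdoe", "s3cret"))
    print(resolve_user(REALM, "*)(uid=*", "anything"))
```

Two points the walk-through makes concrete: the realm refuses when the user lookup is not unique, so a search-filter that matches several entries under a too-wide base-dn is a configuration error rather than a way to log in as someone else; and with group-base-dn omitted the group search runs under base-dn, so groups stored in a separate subtree are silently missed unless group-base-dn is set.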
certificate
The certificate realm supports SSL client-certificate authentication. This realm sets up the user identity in the Application Server’s security context and populates it with user data obtained from cryptographically verified client certificates, using the truststore.jks and keystore.jks files, which are located in domain_dir/config by default. (See Changing the Location of the cacerts.jks and keystore.jks Files.) The J2EE containers then handle authorization processing based on each user’s DN from his or her certificate.
This realm has the following configuration characteristics:
- Name – certificate
- Classname – com.sun.enterprise.security.auth.realm.certificate.CertificateRealm
You can add the following optional property to tailor the certificate realm behavior.
- assign-groups – If this property is set, its value is taken to be a comma-separated list of group names. All clients who present valid certificates are assigned membership to these groups for the purposes of authorization decisions in the Web and EJB containers.
solaris
The solaris realm allows authentication using Solaris user name and password data. This realm is only supported on Solaris 9. It has the following configuration characteristics:
- Name – solaris
- Classname – com.sun.enterprise.security.auth.realm.solaris.SolarisRealm
Required properties are as follows:
- jaas-context – The value must be solarisRealm.