The Application Server comes preconfigured with three realms: file, certificate, and admin-realm. It is also possible to create ldap, solaris, and custom realms. Generally, you will have one realm of each type on a server, but on the Application Server there are two file realms: file and admin-realm. These are two realms of the same type used for two different purposes. It is also possible to have a different certificate database for each virtual server on your system.
To create a security realm, follow these steps.
The Create Realm page is displayed.
To add a property:
For file realm properties, see "Editing the file and admin-realm Realms".
For certificate realm properties, see "Editing the certificate Realm".
For ldap realm properties, see "Creating an ldap Realm".
For solaris realm properties, see "Creating the solaris Realm".
Equivalent asadmin command: create-auth-realm
The ldap realm performs authentication using information from an LDAP server. User information includes user name, password, and the groups to which the user belongs. To use an LDAP realm, the users and groups must already be defined in your LDAP directory.
To create an LDAP realm, follow the steps in "Creating a Realm" for adding a new realm, then add the properties as shown in Table 0-36.
Optional properties for the ldap realm are shown in Table 0-37:
For example, suppose an LDAP user, Joe Java, is defined in the LDAP directory as follows:
uid=jjava,ou=People,dc=acme,dc=com
uid=jjava
givenName=joe
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
sn=java
cn=Joe Java
Using the example entry above, when creating or editing the ldap realm, you can enter the values as shown in Table 0-38.
The solaris realm gets user and group information from the underlying Solaris user database, as determined by the system's configuration. The solaris realm invokes the underlying PAM infrastructure for authenticating. If the configured PAM modules require root privileges, the domain must run as root to use this realm. For details, see the Solaris documentation for security services.
The solaris realm has one required property, jaas-context, that specifies the type of login module to use. The property value must be solarisRealm.
Note: The solaris realm is supported only for Solaris 9 or later.
In addition to the four built-in realms, you can also create custom realms that store user data in some other way, such as in a relational database. Development of a custom realm is outside the scope of this document. For more information, see the Application Server Developer's Guide chapter titled Securing Applications.
As an administrator, the main thing you need to know is that a custom realm is implemented by a class (called the LoginModule) derived from the Java Authentication and Authorization Service (JAAS) package.
To configure the Application Server to use a custom realm:
LoginModule class. Any unique name can be used for the custom realm, for example myCustomRealm.
/domains/domain_name/config/login.conf, and add the fully-qualified class name of the JAAS LoginModule at the end of the file, as follows:
realmName {
fully-qualified-LoginModule-classname required;
};
For example,
myCustomRealm {
com.foo.bar.security.customrealm.simpleCustomLoginModule required;
};
LoginModule class and all dependent classes into the directory install_dir/domains/domain_name/lib/classes.
Check install_dir/domains/domain_name/logs/server.log to make sure the server loaded the realm. The server should invoke the realm's init() method.
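As an added pre-check that is not part of the original guide, the following Python snippet parses a login.conf entry written in the JAAS login configuration syntax shown above and reports the mistakes that would stop the realm from loading (a class name that is not fully qualified, a misspelled control flag) or weaken the module stack. The sample entry is the myCustomRealm one from this page; the checks themselves are assumptions about what is worth verifying before restarting the domain, not the server's own loader.

```python
import re

# Control flags that JAAS accepts for a LoginModule in a login.conf entry.
VALID_FLAGS = {"required", "requisite", "sufficient", "optional"}

# One entry:  realmName { module.Class flag [option=value ...]; ... };
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.DOTALL)
MODULE_RE = re.compile(r'([\w.$]+)\s+(\w+)((?:\s+\w+=(?:"[^"]*"|\S+))*)\s*;')

# Constructed sample: the myCustomRealm entry from the guide.
SAMPLE_LOGIN_CONF = """
myCustomRealm {
com.foo.bar.security.customrealm.simpleCustomLoginModule required;
};
"""

def parse_login_conf(text):
    """Return {realmName: [(class, flag, {option: value}), ...]} per entry."""
    realms = {}
    for name, body in ENTRY_RE.findall(text):
        modules = []
        for cls, flag, opts in MODULE_RE.findall(body):
            options = {k: v.strip('"')
                       for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', opts)}
            modules.append((cls, flag.lower(), options))
        realms[name] = modules
    return realms

def check_realm_entry(realms, realm_name):
    """Return a list of problems for one realm's module stack (empty = OK)."""
    modules = realms.get(realm_name)
    if not modules:
        return [f"no entry named {realm_name!r}: the server cannot load the realm"]
    problems = []
    for cls, flag, _ in modules:
        if "." not in cls:
            problems.append(f"{cls}: LoginModule class name is not fully qualified")
        if flag not in VALID_FLAGS:
            problems.append(f"{cls}: unknown control flag {flag!r}")
    # With several modules and no required/requisite one, a single succeeding
    # module carries the login even when the others fail.
    if len(modules) > 1 and not any(f in ("required", "requisite") for _, f, _ in modules):
        problems.append("no required/requisite module: one success is enough to log in")
    return problems

if __name__ == "__main__":
    found = check_realm_entry(parse_login_conf(SAMPLE_LOGIN_CONF), "myCustomRealm")
    print("\n".join(found) if found else "myCustomRealm entry looks well formed")
```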