Chapter 4. Reference
4.1. custom-realm attributes
You can configure your custom-realm by setting its attributes.
Attribute | Description |
---|---|
| Fully qualified class name of the implementation of the custom realm. |
| The optional |
| Name of the module to use to load the custom realm. |
4.2. filesystem-realm attributes
You can configure filesystem-realm by setting its attributes.
Attribute | Description |
---|---|
credential-store | Reference to the credential store that contains the secret key to encrypt and decrypt the clear passwords, hashed passwords, and attributes in the realm. When you use this attribute, you must also specify the secret key to use by defining it in the |
encoded | Whether identity names are stored encoded (Base32) in file names. The default value is |
hash-charset | The character set to use when converting the password string to a byte array. The default is UTF-8. |
hash-encoding | The string format for the password if it is not stored in plain text. It can be one of the supported encodings. The default is base64. |
key-store | Reference to the key store that contains the key pair to use to verify integrity. When you define this attribute, you must also specify the key store alias in the |
key-store-alias | The alias that identifies the private key entry within the key store to use to verify integrity. Use this attribute if you have added a reference to a key store by defining the |
levels | The number of levels of directory hashing to apply. The default value is |
path | The path to the directory containing the realm. |
relative-to | The predefined relative path to use with |
secret-key | The alias of the secret key to encrypt and decrypt the clear passwords, hashed passwords, and attributes in the realm. Use this attribute if you have added a reference to a credential store by defining the |
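The encoded and levels attributes decide how an identity name becomes a file path inside the realm directory. The following Python example is added here to illustrate that point; it is not the project's code. It shows why Base32 encoding matters for a file-backed realm: an encoded name can only contain A-Z and 2-7, so it can never carry a path separator or a `..` component, whereas an unencoded name must be checked before it is used as a path. The `.xml` suffix, the stripped Base32 padding and the layout in which the first `levels` characters of the file name become nested directories are assumptions; the page does not specify the realm's actual on-disk layout.

```python
import base64
from pathlib import PurePosixPath


def encode_identity_name(name: str) -> str:
    """Base32-encode an identity name so it is safe to use as a file name.

    The Base32 alphabet is A-Z and 2-7 only, so the result can never contain
    a path separator, a dot, or a character whose case a file system folds.
    Padding is stripped (an assumption about the realm's encoding).
    """
    return base64.b32encode(name.encode("utf-8")).decode("ascii").rstrip("=")


def is_inside_realm(root: str, candidate: PurePosixPath) -> bool:
    """Defender check: the path must stay under `root` and contain no '..'.

    PurePosixPath does not normalise '..', so it stays visible in parts(),
    and an absolute component inside a raw name discards the root entirely;
    both cases are caught by comparing the leading parts with the root.
    """
    root_parts = PurePosixPath(root).parts
    return ".." not in candidate.parts and candidate.parts[: len(root_parts)] == root_parts


def identity_file(root: str, name: str, levels: int = 2, encoded: bool = True) -> str:
    """Return the path an identity file would have under the realm directory.

    Assumed layout (not taken from the page): the first `levels` characters of
    the file name become nested directories and the file gets a `.xml` suffix.
    Raises ValueError when a raw (unencoded) name would leave the realm.
    """
    leaf = encode_identity_name(name) if encoded else name
    nested = [leaf[i] for i in range(min(levels, len(leaf)))]
    candidate = PurePosixPath(root, *nested, leaf + ".xml")
    if not is_inside_realm(root, candidate):
        raise ValueError(f"identity name {name!r} would resolve outside the realm directory")
    return str(candidate)


def accepts_identity_name(root: str, name: str, levels: int = 2, encoded: bool = True) -> bool:
    """True if the realm would store this name, False if the path check rejects it."""
    try:
        identity_file(root, name, levels, encoded)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a realm rooted at /var/realm with two hashing levels.
    print(identity_file("/var/realm", "alice"))
```

With encoded=true every name, including one containing `../` or `/`, maps to a single safe file name under the realm root; with encoded=false the same names are only safe because of the explicit containment check, which is the reason to keep encoding enabled unless the identity names are known to be plain.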
4.3. http-authentication-factory attributes
You can configure http-authentication-factory by setting its attributes.
Attribute | Description |
---|---|
http-server-mechanism-factory | The |
mechanism-configurations | The list of mechanism-specific configurations. |
security-domain | The security domain to associate with the resource. |
You can configure mechanism-configurations by setting its attributes.
Attribute | Description |
---|---|
credential-security-factory | The security factory to use to obtain a credential as required by the mechanism. |
final-principal-transformer | A final principal transformer to apply for this mechanism realm. |
host-name | The host name this configuration applies to. |
mechanism-name | This configuration applies only where a mechanism with the specified name is used. If this attribute is omitted, the configuration matches any mechanism name. |
mechanism-realm-configurations | The list of definitions of the realm names as understood by the mechanism. |
pre-realm-principal-transformer | A principal transformer to apply before the realm is selected. |
post-realm-principal-transformer | A principal transformer to apply after the realm is selected. |
protocol | The protocol this configuration applies to. |
realm-mapper | The realm mapper to be used by the mechanism. |
You can configure mechanism-realm-configurations by setting its attributes.
Attribute | Description |
---|---|
final-principal-transformer | A final principal transformer to apply for this mechanism realm. |
post-realm-principal-transformer | A principal transformer to apply after the realm is selected. |
pre-realm-principal-transformer | A principal transformer to apply before the realm is selected. |
realm-mapper | The realm mapper to be used by the mechanism. |
realm-name | The name of the realm to be presented by the mechanism. |
4.4. identity-realm attributes
You can configure your identity-realm by setting its attributes.
Attribute | Description |
---|---|
| The name of the attribute associated with this identity. |
| The list of values associated with the identity’s attribute. |
| The identity available from the security realm. |
4.5. jdbc-realm attributes
You can configure jdbc-realm by setting its attributes.
Attribute | Description |
---|---|
hash-charset | The character set to use when converting the password string to a byte array. The default is UTF-8. |
principal-query | The list of authentication queries used to authenticate users based on specific key types. |
You can configure principal-query by setting its attributes.
Attribute | Description |
---|---|
attribute-mapping | The list of attribute mappings defined for this resource. |
bcrypt-mapper | A key mapper that maps a column returned from a SQL query to a |
clear-password-mapper | A key mapper that maps a column returned from a SQL query to a clear password key type. This has a |
data-source | The name of the data source used to connect to the database. |
salted-simple-digest-mapper | A key mapper that maps a column returned from a SQL query to a |
scram-mapper | A key mapper that maps a column returned from a SQL query to a |
simple-digest-mapper | A key mapper that maps a column returned from a SQL query to a |
sql | The SQL statement used to obtain the keys as table columns for a specific user and map them accordingly with their type. |
You can configure attribute-mapping by setting its attributes.
Attribute | Description |
---|---|
index | The column index from the SQL query that represents the mapped attribute. |
to | The name of the identity attribute mapped from a column returned from the SQL query. |
4.6. ldap-realm attributes
You can configure ldap-realm by setting its attributes.
Attribute | Description |
---|---|
allow-blank-password | Whether this realm supports blank password direct verification. If this attribute is not set, a blank password attempt is rejected. |
dir-context | The name of the |
direct-verification | If this attribute is set to |
hash-charset | The character set to use when converting the password string to a byte array. The default is UTF-8. |
hash-encoding | The string format for the password if it is not stored in plain text. It can be one of the supported encodings. The default is base64. |
identity-mapping | The configuration options that define how principals are mapped to their corresponding entries in the underlying LDAP server. |
You can configure identity-mapping by setting its attributes.
Attribute | Description |
---|---|
attribute-mapping | List of attribute mappings defined for this resource. |
filter-name | The LDAP filter for getting identity by name. |
iterator-filter | The LDAP filter for iterating over identities of the realm. |
new-identity-attributes | The list of attributes of newly created identities. It is required for the modifiability of the realm. This is a list of |
new-identity-parent-dn | The DN of the parent of newly created identities. Required for modifiability of the realm. |
otp-credential-mapper | The credential mapping for OTP credential. |
rdn-identifier | The RDN part of the principal’s DN to be used to obtain the principal’s name from an LDAP entry. This is also used when creating new identities. |
search-base-dn | The base DN to search for identities. |
use-recursive-search | If this attribute is set to |
user-password-mapper | The credential mapping for a credential, similar to userPassword. |
x509-credential-mapper | The configuration that enables using LDAP as storage of X509 credentials. If none of the |
You can configure attribute-mapping by setting its attributes.
Attribute | Description |
---|---|
extract-rdn | The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format. |
filter | The filter to use to obtain the values for a specific attribute. The string |
filter-base-dn | The name of the context where the filter should be performed. |
from | The name of the LDAP attribute to map to an identity attribute. If not defined, the DN of the entry is used. |
reference | The name of the LDAP attribute containing the DN of the entry to obtain the value from. |
role-recursion | Maximum depth for recursive role assignment. Use |
role-recursion-name | Determines the LDAP attribute of the role entry which will be a substitute for "{0}" in |
search-recursive | If |
to | The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as defined in |
You can configure user-password-mapper by setting its attributes.
Attribute | Description |
---|---|
from | The name of the LDAP attribute to map to an identity attribute. If not defined, the DN of the entry is used. |
verifiable | If |
writable | If |
You can configure otp-credential-mapper by setting its attributes.
Attribute | Description |
---|---|
algorithm-from | The name of the LDAP attribute of the OTP algorithm. |
hash-from | The name of the LDAP attribute of the OTP hash function. |
seed-from | The name of the LDAP attribute of the OTP seed. |
sequence-from | The name of the LDAP attribute of the OTP sequence number. |
You can configure x509-credential-mapper by setting its attributes.
Attribute | Description |
---|---|
certificate-from | The name of the LDAP attribute to map to an encoded user certificate. If not defined, the encoded certificate will not be checked. |
digest-algorithm | The digest algorithm, which is the hash function, that is used to compute the digest of the user certificate. It will be used only if |
digest-from | The name of the LDAP attribute to map to a user certificate digest. If not defined, the certificate digest will not be checked. |
serial-number-from | The name of the LDAP attribute to map to the serial number of the user certificate. If not defined, the serial number will not be checked. |
subject-dn-from | The name of the LDAP attribute to map to the subject DN of the user certificate. If not defined, the subject DN will not be checked. |
4.7. Password mapper attributes
A password mapper constructs a password from multiple fields in a database using one of the following algorithm types:
- Clear text
- Simple digest
- Salted simple digest
- bcrypt
- SCRAM
- Modular crypt
A password mapper has the following attributes. The index of the first column is 1 for all the mappers.
Mapper name | Attributes | Encryption method |
---|---|---|
| | No encryption. |
| | A simple hashing mechanism is used. |
| | A simple hashing mechanism is used with a salt. |
| | The Blowfish-based bcrypt algorithm is used for hashing. |
| | The Salted Challenge Response Authentication Mechanism (SCRAM) is used for hashing. |
| | The modular-crypt encoding supports multiple pieces of information to be encoded in a single string. The information can include the following: |
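The mapper table above and the jdbc-realm principal-query attributes in section 4.5 describe one mechanism: a single SQL statement returns a row for the principal, and each mapper picks its columns by 1-based index. The Python example below is added here to show that flow end to end; it is not Elytron's code. It builds an in-memory SQLite users table (constructed sample data), models a salted-simple-digest-mapper together with an attribute-mapping, and verifies a candidate password against the mapped columns. The mapper keys `algorithm`, `password-index` and `salt-index`, and the password-then-salt hashing order, are assumptions, since the page lists neither.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed sample identities (not from the page): username, password, email.
SAMPLE_USERS = [
    ("alice", "correct horse battery staple", "alice@example.test"),
    ("bob", "hunter2", "bob@example.test"),
]

# Principal query modelled on the jdbc-realm attributes: a parameterised `sql`
# statement plus mappers that select columns by 1-based index.  The mapper key
# names and the hashing order are assumptions; the page does not list them.
PRINCIPAL_QUERY = {
    "sql": "SELECT password, salt, email FROM users WHERE username = ?",
    "salted-simple-digest-mapper": {
        "algorithm": "sha256",
        "password-index": 1,
        "salt-index": 2,
    },
    "attribute-mapping": [{"index": 3, "to": "email"}],
}


def salted_digest(password: bytes, salt: bytes, algorithm: str) -> bytes:
    """Salted simple digest: hash(password || salt), password first (assumed order)."""
    return hashlib.new(algorithm, password + salt).digest()


def build_database() -> sqlite3.Connection:
    """Create an in-memory users table whose password column holds base64 salted digests."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt TEXT, email TEXT)"
    )
    algorithm = PRINCIPAL_QUERY["salted-simple-digest-mapper"]["algorithm"]
    for username, password, email in SAMPLE_USERS:
        salt = os.urandom(16)  # a fresh random salt per identity
        digest = salted_digest(password.encode("utf-8"), salt, algorithm)
        conn.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (
                username,
                base64.b64encode(digest).decode("ascii"),
                base64.b64encode(salt).decode("ascii"),
                email,
            ),
        )
    conn.commit()
    return conn


def load_identity(conn: sqlite3.Connection, query: dict, username: str):
    """Run the principal query with the name bound as a parameter and apply the mappers."""
    row = conn.execute(query["sql"], (username,)).fetchone()
    if row is None:
        return None
    mapper = query["salted-simple-digest-mapper"]
    # Column indices are 1-based, as the reference states, so subtract one.
    digest = base64.b64decode(row[mapper["password-index"] - 1])
    salt = base64.b64decode(row[mapper["salt-index"] - 1])
    attributes = {m["to"]: row[m["index"] - 1] for m in query["attribute-mapping"]}
    return {
        "algorithm": mapper["algorithm"],
        "digest": digest,
        "salt": salt,
        "attributes": attributes,
    }


def verify_password(conn: sqlite3.Connection, query: dict, username: str, candidate: str) -> bool:
    """Recompute the salted digest for the candidate and compare it in constant time."""
    identity = load_identity(conn, query, username)
    if identity is None:
        return False
    expected = salted_digest(candidate.encode("utf-8"), identity["salt"], identity["algorithm"])
    return hmac.compare_digest(expected, identity["digest"])


if __name__ == "__main__":
    db = build_database()
    print(verify_password(db, PRINCIPAL_QUERY, "alice", "correct horse battery staple"))
```

Two details carry the security weight: the principal name is bound to the `?` placeholder rather than concatenated into the `sql` string, so a name such as `' OR 1=1 --` is just a string that matches no user, and the digest comparison uses `hmac.compare_digest` so a mismatch position is not leaked through timing.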
4.8. properties-realm attributes
You can configure properties-realm by setting its attributes.
Attribute | Description |
---|---|
| The name of the attribute in the returned |
| The properties file containing the users and their groups. |
| Specifies the name of the character set to use when converting the client-provided password string to a byte array for hashing calculations. Set to |
| Specifies the string format for the hashed password if the password is not being stored in plain text. It may specify one of two: |
| The properties file containing the users and their passwords. |
The properties file for users and their passwords has the following attributes.
Attribute | Description |
---|---|
| The default realm name to use for digested passwords if one is not discovered in the properties file. |
| The path to the file containing the users and their passwords. The file should contain a realm name declaration. |
| If |
| The predefined path that the path is relative to. |
The properties file for users and their groups has the following attributes.
Attribute | Description |
---|---|
| The path to the file containing the users and their groups. |
| The predefined path that the path is relative to. |
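The users properties file carries a realm name declaration, and the default realm name attribute above is only consulted when that declaration is missing. The reason this matters is that the stored digest is bound to the realm name: these files hold HEX(MD5(username ':' realm ':' password)), so a password verified against the wrong realm name fails even when the password is right. The Python example below is added here to show that behaviour; it is not the project's code. The parser, the regular expression for the `#$REALM_NAME=...$` declaration line, and the sample file contents are mine, and the sample digests are computed inside the block so it runs offline.

```python
import base64
import hashlib
import hmac
import re

# Declaration line as written at the top of a users properties file.  The
# regular expression is mine; it tolerates trailing comment text on the line.
REALM_DECLARATION = re.compile(r"^#\$REALM_NAME=(?P<realm>[^$]+)\$")


def digest_password(username: str, realm: str, password: str, encoding: str = "hex") -> str:
    """HEX(MD5(username ':' realm ':' password)), the legacy digest stored in the users file.

    `encoding` selects hex or base64 output for the stored string.
    """
    raw = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    return raw.hex() if encoding == "hex" else base64.b64encode(raw).decode("ascii")


def parse_properties(text: str, default_realm=None):
    """Return (realm, {key: value}) for a properties file.

    The realm comes from the declaration line when present, otherwise from
    `default_realm`, mirroring the default realm name attribute.
    """
    realm = default_realm
    entries = {}
    for line in text.splitlines():
        match = REALM_DECLARATION.match(line)
        if match:
            realm = match.group("realm")
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        entries[key.strip()] = value.strip()
    return realm, entries


# Constructed sample files (not from the page).  Digests are computed here so
# the example is self-contained; real files are produced by the add-user tooling.
USERS_PROPERTIES = "\n".join([
    "# users and their hashed passwords (constructed sample)",
    "#$REALM_NAME=ApplicationRealm$ This line is used by the add-user utility",
    f"alice={digest_password('alice', 'ApplicationRealm', 'correct horse')}",
    f"bob={digest_password('bob', 'ApplicationRealm', 'hunter2')}",
])
GROUPS_PROPERTIES = "\n".join([
    "# users and their groups (constructed sample)",
    "alice=admin,auditor",
    "bob=",
])


def verify_password(users_text: str, username: str, password: str,
                    default_realm=None, encoding: str = "hex") -> bool:
    """Verify a password against the users file, binding the realm name into the digest."""
    realm, users = parse_properties(users_text, default_realm)
    stored = users.get(username)
    if stored is None or realm is None:
        return False
    candidate = digest_password(username, realm, password, encoding)
    # Constant-time comparison of the two digest strings.
    return hmac.compare_digest(candidate.encode("ascii"), stored.encode("ascii"))


def groups_for(groups_text: str, username: str) -> list:
    """Return the comma-separated group list for a user from the groups file."""
    _, groups = parse_properties(groups_text)
    return [g.strip() for g in groups.get(username, "").split(",") if g.strip()]


if __name__ == "__main__":
    print(verify_password(USERS_PROPERTIES, "alice", "correct horse"))
    print(groups_for(GROUPS_PROPERTIES, "alice"))
```

The practical consequence for operators: if the realm name in the file and the realm name the server uses diverge, every login fails closed rather than open, and the same effect appears when a users file with no declaration is deployed without the default realm name being set.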
4.9. sasl-authentication-factory attributes
You can configure sasl-authentication-factory by setting its attributes.
Attribute | Description |
---|---|
mechanism-configurations | The list of mechanism-specific configurations. |
sasl-server-factory | The SASL server factory to associate with this resource. |
security-domain | The security domain to associate with this resource. |
You can configure mechanism-configurations by setting its attributes.
Attribute | Description |
---|---|
credential-security-factory | The security factory to use to obtain a credential as required by the mechanism. |
final-principal-transformer | A final principal transformer to apply for this mechanism realm. |
host-name | The host name this configuration applies to. |
mechanism-name | This configuration applies only where a mechanism with the specified name is used. If this attribute is omitted, the configuration matches any mechanism name. |
mechanism-realm-configurations | The list of definitions of the realm names as understood by the mechanism. |
protocol | The protocol this configuration applies to. |
post-realm-principal-transformer | A principal transformer to apply after the realm is selected. |
pre-realm-principal-transformer | A principal transformer to apply before the realm is selected. |
realm-mapper | The realm mapper to be used by the mechanism. |
You can configure mechanism-realm-configurations by setting its attributes.
Attribute | Description |
---|---|
final-principal-transformer | A final principal transformer to apply for this mechanism realm. |
post-realm-principal-transformer | A principal transformer to apply after the realm is selected. |
pre-realm-principal-transformer | A principal transformer to apply before the realm is selected. |
realm-mapper | The realm mapper to be used by the mechanism. |
realm-name | The name of the realm to be presented by the mechanism. |
4.10. secret-key-credential-store attributes
You can configure secret-key-credential-store by setting its attributes.
Attribute | Description |
---|---|
create | Set the value to |
default-alias | The alias name for a key generated by default. The default value is |
key-size | The size of a generated key. The default size is 256 bits. You can set the value to one of the following: |
path | The path to the credential store. |
populate | If a credential store does not contain a |
relative-to | A reference to a previously defined path that the attribute |
4.11. security-domain attributes
You can configure security-domain by setting its attributes.
Attribute | Description |
---|---|
default-realm | The default realm contained by this security domain. |
evidence-decoder | A reference to an EvidenceDecoder to be used by this domain. |
outflow-anonymous | This attribute specifies whether the anonymous identity should be used if outflow to a security domain is not possible. Outflowing anonymous identity has the effect of clearing any identity already established for that domain. |
outflow-security-domains | The list of security domains that the security identity from this domain should automatically outflow to. |
permission-mapper | A reference to a PermissionMapper to be used by this domain. |
post-realm-principal-transformer | A reference to a principal transformer to be applied after the realm has operated on the supplied identity name. |
pre-realm-principal-transformer | A reference to a principal transformer to be applied before the realm is selected. |
principal-decoder | A reference to a PrincipalDecoder to be used by this domain. |
realm-mapper | Reference to the RealmMapper to be used by this domain. |
realms | The list of realms contained by this security domain. |
role-decoder | Reference to the RoleDecoder to be used by this domain. |
role-mapper | Reference to the RoleMapper to be used by this domain. |
security-event-listener | Reference to a listener for security events. |
trusted-security-domains | The list of security domains that are trusted by this security domain. |
4.12. simple-role-decoder attributes
You can configure simple-role-decoder by setting its attribute.
Attribute | Description |
---|---|
attribute | The name of the attribute from the identity to map directly to roles. |