
Chapter 4. Reference


4.1. aggregate-realm attributes

You can configure aggregate-realm by setting its attributes.

Table 4.1. aggregate-realm attributes
Attribute | Description

authentication-realm

Reference to the security realm to use for authentication steps. This is used for obtaining or validating credentials.

authorization-realm

Reference to the security realm to use for loading the identity for authorization steps.

authorization-realms

Reference to the security realms to aggregate for loading the identity for authorization steps. If an attribute is defined in more than one authorization realm, the value of the first occurrence of the attribute is used.

principal-transformer

Reference to a principal transformer to apply between loading the identity for authentication and loading the identity for authorization.

Note

The authorization-realm and authorization-realms attributes are mutually exclusive. Define only one of the two attributes in a realm.
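The following script is an added example and is not code from this Red Hat page or from JBoss EAP itself. It writes a management CLI batch that creates an aggregate-realm in which credentials are checked against one realm while authorization attributes are merged from two, and it lints the batch for the mutually exclusive attribute pair from the note above before anything is applied. The realm names corp-ldap and local-attrs, the transformer strip-domain, the login name format and the EAP_HOME variable are assumptions.

```shell
#!/bin/sh
# Added example: writes a JBoss EAP management CLI script for an aggregate-realm
# and lints it. Realm names, the transformer and EAP_HOME are assumptions.

write_aggregate_realm_cli() {
  cat > "$1" <<'EOF'
# Assumed to exist already: ldap-realm=corp-ldap (validates passwords) and
# filesystem-realm=local-attrs (application attributes kept on disk).
batch
# Users log in as user@corp.example (assumption) while both authorization
# realms are keyed by the bare user name, so the suffix is stripped between
# the authentication step and the authorization lookups.
/subsystem=elytron/regex-principal-transformer=strip-domain:add(pattern="^([^@]+)@.*$",replacement="$1")
# Credentials are validated only against corp-ldap. Attributes used for
# authorization are collected from both realms; where both define the same
# attribute, the value from corp-ldap (listed first) is the one kept.
/subsystem=elytron/aggregate-realm=corp-aggregate:add(authentication-realm=corp-ldap,authorization-realms=[corp-ldap,local-attrs],principal-transformer=strip-domain)
run-batch
# Rejected by the server: authorization-realm and authorization-realms are mutually exclusive.
# /subsystem=elytron/aggregate-realm=broken:add(authentication-realm=corp-ldap,authorization-realm=corp-ldap,authorization-realms=[local-attrs])
EOF
}

# Returns 1 if any active (non-comment) command sets both authorization-realm
# and authorization-realms on the same resource.
check_aggregate_realm_cli() {
  ! grep -v '^[[:space:]]*#' "$1" | grep 'authorization-realm=' | grep -q 'authorization-realms='
}

out="${TMPDIR:-/tmp}/aggregate-realm.cli"
write_aggregate_realm_cli "$out"
check_aggregate_realm_cli "$out" || { echo "lint failed: $out" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

Because the principal transformer runs before every authorization lookup, it changes the name used against all realms in authorization-realms, not only the last one; keep that in mind when the realms are keyed differently.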

4.2. caching-realm attributes

You can configure caching-realm by setting its attributes.

Table 4.2. caching-realm Attributes
Attribute | Description

maximum-age

The time in milliseconds that an item can stay in the cache. A value of -1 keeps items indefinitely. This defaults to -1.

maximum-entries

The maximum number of entries to keep in the cache. This defaults to 16.

realm

A reference to a cacheable security realm such as jdbc-realm, ldap-realm, filesystem-realm or a custom security realm.
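The following script is an added example, not code from this page or from JBoss EAP. It creates a caching-realm in front of an LDAP realm with a bounded entry lifetime, shows the weaker default for contrast, and lints the batch so that a cache whose entries never expire is refused. The realm names, the limits and EAP_HOME are assumptions.

```shell
#!/bin/sh
# Added example: a caching-realm with bounded entry age in front of an LDAP
# realm, plus a lint that rejects caches whose entries never expire.
# Realm names, the limits and EAP_HOME are assumptions.

write_caching_realm_cli() {
  cat > "$1" <<'EOF'
batch
# Assumed to exist: ldap-realm=corp-ldap. The cache keeps at most 1000
# identities, each for at most 5 minutes (300000 ms). Until an entry expires,
# a password change, lockout or disable in the directory is not seen here.
/subsystem=elytron/caching-realm=corp-ldap-cached:add(realm=corp-ldap,maximum-age=300000,maximum-entries=1000)
run-batch
# Weak form, for contrast: the default maximum-age of -1 keeps an identity
# cached until the server restarts, so a deprovisioned account keeps working.
# /subsystem=elytron/caching-realm=corp-ldap-forever:add(realm=corp-ldap)
EOF
}

# Returns 1 if an active caching-realm omits maximum-age or sets it to -1.
check_caching_realm_bounded() {
  active=$(grep -v '^[[:space:]]*#' "$1" | grep 'caching-realm=.*:add(')
  printf '%s\n' "$active" | grep -v 'maximum-age=' | grep -q 'caching-realm=' && return 1
  printf '%s\n' "$active" | grep -q 'maximum-age=-1' && return 1
  return 0
}

out="${TMPDIR:-/tmp}/caching-realm.cli"
write_caching_realm_cli "$out"
check_caching_realm_bounded "$out" || { echo "unbounded cache in $out" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

The cache is a deliberate blind spot: maximum-age is the longest a revoked identity can keep authenticating on this server. When deprovisioning must take effect immediately, the caching-realm resource also exposes a clear-cache operation (not part of the table above) that drops every cached entry at once.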

4.3. distributed-realm attributes

You can configure distributed-realm by setting its attributes.

Table 4.3. distributed-realm attributes
Attribute | Description

emit-events

Whether a SecurityEvent signifying realm unavailability should be emitted. Applicable only when the ignore-unavailable-realms attribute is set to true. The default value is true.

ignore-unavailable-realms

Whether the remaining realms should still be searched when the connection to one identity store fails. With the default value of false, an unavailable realm makes the whole lookup fail (the realm fails closed). Set the value to true to skip the unavailable realm and continue with the next one.

When the value is set to true, a SecurityEvent is emitted for each failed connection unless emit-events is set to false.

realms

A list of the security realms to search. The security realms are invoked sequentially in the order they are provided in this attribute.

4.4. failover-realm attributes

You can configure failover-realm by setting its attributes.

Table 4.4. failover-realm attributes
Attribute | Description

delegate-realm

The security realm to use by default.

emit-events

Specifies whether a security event of the type SecurityEvent that signifies the unavailability of the delegate-realm should be emitted. When enabled, you can capture these events in the audit log. The default value is true.

failover-realm

The security realm to use in case the delegate-realm is unavailable.
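The following script is an added example that serves both the distributed-realm table (4.3) and the failover-realm table (4.4); it is not code from this page or from JBoss EAP. It creates one realm of each kind so the two ways of handling an unreachable identity store sit side by side, and it lints the batch so that a distributed-realm which skips unavailable realms cannot do so silently. The realm names and EAP_HOME are assumptions.

```shell
#!/bin/sh
# Added example: a failover-realm and a distributed-realm that both deal with an
# unreachable identity store, plus a lint that insists the "skip it" path is
# audited. Realm names and EAP_HOME are assumptions.

write_unavailable_realm_cli() {
  cat > "$1" <<'EOF'
# Assumed to exist: ldap-realm=corp-ldap, ldap-realm=partner-ldap,
# filesystem-realm=local-users and filesystem-realm=break-glass.
batch
# failover-realm: every lookup goes to corp-ldap; only while the directory is
# unreachable does break-glass answer instead. emit-events=true (the default)
# writes a SecurityEvent for each such switch, so the audit log shows when the
# server was running on its fallback accounts.
/subsystem=elytron/failover-realm=corp-or-break-glass:add(delegate-realm=corp-ldap,failover-realm=break-glass,emit-events=true)
# distributed-realm: realms are searched in the order listed and the first one
# that knows the identity answers. ignore-unavailable-realms=false (the default)
# fails closed: an unreachable store fails the whole lookup. true trades that
# for availability, and emit-events=true records every store that was skipped.
/subsystem=elytron/distributed-realm=all-stores:add(realms=[corp-ldap,partner-ldap,local-users],ignore-unavailable-realms=true,emit-events=true)
run-batch
EOF
}

# Returns 1 if an active distributed-realm skips unavailable realms without
# emitting the SecurityEvent that would make the degradation visible.
check_skipped_realms_audited() {
  ! grep -v '^[[:space:]]*#' "$1" | grep 'distributed-realm=' \
      | grep 'ignore-unavailable-realms=true' | grep -q 'emit-events=false'
}

out="${TMPDIR:-/tmp}/unavailable-realms.cli"
write_unavailable_realm_cli "$out"
check_skipped_realms_audited "$out" || { echo "unaudited realm skipping in $out" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

A fallback realm is only as strong as its weakest account: if break-glass holds the same user names with locally stored passwords, anyone who can make the directory unreachable can downgrade authentication to those passwords. Keep the fallback realm small and alert on the events it emits.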

4.5. file-audit-log attributes

Table 4.5. file-audit-log attributes
Attribute | Description

autoflush

Specifies whether the output stream is flushed after every audit event. If you do not define the attribute, it takes the value of the synchronized attribute.

encoding

Specifies the audit file encoding. The default is UTF-8. The possible values are the following:

  • UTF-8
  • UTF-16BE
  • UTF-16LE
  • UTF-16
  • US-ASCII
  • ISO-8859-1

format

Default value is SIMPLE. Use SIMPLE for human readable text format or JSON for storing individual events in JSON.

path

Defines the location of the log files.

relative-to

Optional attribute. If provided, the value of the path attribute is treated as relative to the path specified by this attribute (for example, jboss.server.log.dir).

synchronized

Specifies whether the file descriptor is synchronized with the storage device after every audit event. Default value is true.

4.6. http-authentication-factory attributes

You can configure http-authentication-factory by setting its attributes.

Table 4.6. http-authentication-factory attributes
Attribute | Description

http-server-mechanism-factory

The HttpServerAuthenticationMechanismFactory to associate with this resource.

mechanism-configurations

The list of mechanism-specific configurations.

security-domain

The security domain to associate with the resource.

Table 4.7. http-authentication-factory mechanism-configurations attributes
Attribute | Description

credential-security-factory

The security factory to use to obtain a credential as required by the mechanism.

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

host-name

The host name this configuration applies to.

mechanism-name

This configuration will only apply where a mechanism with the name specified is used. If this attribute is omitted then this will match any mechanism name.

mechanism-realm-configurations

The list of definitions of the realm names as understood by the mechanism.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

protocol

The protocol this configuration applies to.

realm-mapper

The realm mapper to be used by the mechanism.

Table 4.8. http-authentication-factory mechanism-configurations mechanism-realm-configurations attributes
Attribute | Description

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

realm-name

The name of the realm to be presented by the mechanism.

4.7. jaas-realm attributes

You can configure jaas-realm by setting its attributes. All the attributes except entry are optional.

Table 4.9. jaas-realm attributes
Attribute | Description

callback-handler

Callback handler to use with the Login Context. Security property auth.login.defaultCallbackHandler can be used instead. The default callback handler of the realm is used if none of these are defined.

entry

The entry name to use to initialize LoginContext.

module

The module with custom LoginModules and CallbackHandler classes.

path

The optional path to the JAAS configuration file. You can also specify the location with the Java system property java.security.auth.login.config or with the Java security property login.config.url.N (for example login.config.url.1).

relative-to

If you provide relative-to, the value of the path attribute is treated as relative to the path specified by this attribute.
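The following script is an added example, not code from this page or from JBoss EAP. It writes a constructed JAAS login configuration file together with the CLI batch that registers it as a jaas-realm, and it checks that the entry named in the realm actually exists in the file. The stanza name LegacyApp, the module com.example.legacy with its LoginModule class, and EAP_HOME are all assumptions.

```shell
#!/bin/sh
# Added example: a jaas-realm backed by a constructed JAAS configuration file,
# plus a check that the realm's entry attribute matches a stanza in that file.
# Stanza name, module and class names and EAP_HOME are assumptions.

write_jaas_files() {
  dir=$1
  # Constructed JAAS login configuration; the LoginModule class is hypothetical.
  # In a real deployment this file lives in jboss.server.config.dir.
  cat > "$dir/legacy-jaas.conf" <<'EOF'
LegacyApp {
    com.example.legacy.LegacyLoginModule required debug=false;
};
EOF
  cat > "$dir/jaas-realm.cli" <<'EOF'
batch
# entry must match a stanza name in the file; path is resolved against the
# jboss.server.config.dir path; module names the JBoss module that packages
# the LoginModule (and any custom CallbackHandler) classes.
/subsystem=elytron/jaas-realm=legacy:add(entry=LegacyApp,path=legacy-jaas.conf,relative-to=jboss.server.config.dir,module=com.example.legacy)
run-batch
EOF
}

# $1 = CLI script, $2 = JAAS configuration file. Returns 1 when the entry the
# realm references has no stanza in the file.
check_jaas_realm_entry() {
  entry=$(grep -v '^[[:space:]]*#' "$1" | sed -n 's/.*jaas-realm=[^:]*:add(.*entry=\([^,)]*\).*/\1/p')
  [ -n "$entry" ] && grep -q "^[[:space:]]*$entry[[:space:]]*{" "$2"
}

out_dir="${TMPDIR:-/tmp}/jaas-example"
mkdir -p "$out_dir"
write_jaas_files "$out_dir"
check_jaas_realm_entry "$out_dir/jaas-realm.cli" "$out_dir/legacy-jaas.conf" \
  || { echo "entry in jaas-realm.cli has no stanza in legacy-jaas.conf" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out_dir/jaas-realm.cli"
fi
```

A LoginModule runs inside the server process with the server's privileges, so the module it is loaded from is part of your software supply chain: pin it and verify it the same way you would a JDBC driver jar.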

4.8. module command arguments

You can use different arguments with the module command.

Table 4.10. module command arguments
Argument | Description

--absolute-resources

Use this argument to specify a list of absolute file system paths to reference from its module.xml file. The files specified are not copied to the module directory.

See --resource-delimiter for delimiter details.

--allow-nonexistent-resources

Use this argument to create empty directories for resources specified by --resources that do not exist. The module add command will fail if there are resources that do not exist and this argument is not used.

--dependencies

Use this argument to provide a comma-separated list of module names that this module depends on.

--export-dependencies

Use this argument to specify exported dependencies.

module add --name=com.mysql --resources=/path/to/{MySQLDriverJarName} --export-dependencies=wildflyee.api,java.se

--main-class

Use this argument to specify the fully qualified class name that declares the module’s main method.

--module-root-dir

Use this argument if you have defined an external JBoss EAP module directory to use instead of the default EAP_HOME/modules/ directory.

module add --module-root-dir=/path/to/my-external-modules/ --name=com.mysql --resources=/path/to/{MySQLDriverJarName} --dependencies=wildflyee.api,java.se

--module-xml

Use this argument to provide a file system path to a module.xml to use for this new module. This file is copied to the module directory. If this argument is not specified, a module.xml file is generated in the module directory.

--name

Use this argument to provide the name of the module to add. This argument is required.

--properties

Use this argument to provide a comma-separated list of PROPERTY_NAME=PROPERTY_VALUE pairs that define module properties.

--resource-delimiter

Use this argument to set a user-defined file path separator for the list of resources provided to the --resources or --absolute-resources argument. If not set, the file path separator is a colon (:) on Linux and a semicolon (;) on Windows.

--resources

Use this argument to specify the resources for this module by providing a list of file system paths. The files are copied to the module directory and referenced from its module.xml file. If you provide a path to a directory, the directory and its contents are copied to the module directory. Symbolic links are not preserved; linked resources are copied to the module directory. This argument is required unless --absolute-resources or --module-xml is provided.

See --resource-delimiter for delimiter details.

--slot

Use this argument to add the module to a slot other than the default main slot.

module add --name=com.mysql --slot=8.0 --resources=/path/to/{MySQLDriverJarName} --dependencies=wildflyee.api,java.se
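The following script is an added example, not code from this page or from JBoss EAP. The module command copies whatever jar it is given into the server's module tree, where it runs with the server's privileges, so the example pins the jar's SHA-256 and refuses to register it on a mismatch; it then builds the command with an explicit --resource-delimiter. The jar path, the pinned digest and the module name are assumptions to be replaced with real values.

```shell
#!/bin/sh
# Added example: verify a driver jar against a pinned SHA-256 before registering
# it as a JBoss EAP module, then build the "module add" command with an explicit
# resource delimiter. Jar path, digest, module name and EAP_HOME are assumptions.

# Prints the hex SHA-256 of a file using whichever tool is available.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# Builds the CLI command. "|" is chosen as the delimiter so that a resource
# path containing ":" (a Windows drive letter, for instance) is not split.
module_add_command() {
  printf 'module add --name=%s --resource-delimiter="|" --resources="%s" --dependencies=wildflyee.api,java.se\n' "$1" "$2"
}

# Set DRIVER_JAR and DRIVER_SHA256 to real values before use (assumed names).
DRIVER_JAR=${DRIVER_JAR:-}
DRIVER_SHA256=${DRIVER_SHA256:-}
if [ -n "$DRIVER_JAR" ]; then
  if verify_sha256 "$DRIVER_JAR" "$DRIVER_SHA256"; then
    cmd=$(module_add_command com.mysql "$DRIVER_JAR")
    # The module command is local to the CLI; no --connect is needed.
    if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
      "$EAP_HOME/bin/jboss-cli.sh" --command="$cmd"
    fi
  else
    echo "refusing to register $DRIVER_JAR: SHA-256 mismatch" >&2
    exit 1
  fi
fi
```

Take the pinned digest from the vendor's published checksum or from your own artifact repository, not from the same download that delivered the jar.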

4.9. periodic-rotating-file-audit-log attributes

Table 4.11. periodic-rotating-file-audit-log attributes
Attribute | Description

autoflush

Specifies whether the output stream is flushed after every audit event. If you do not define the attribute, it takes the value of the synchronized attribute.

encoding

Specifies the audit file encoding. The default is UTF-8. The possible values are the following:

  • UTF-8
  • UTF-16BE
  • UTF-16LE
  • UTF-16
  • US-ASCII
  • ISO-8859-1

format

Default value is SIMPLE. Use SIMPLE for human readable text format or JSON for storing individual events in JSON.

path

Defines the location of the log files.

relative-to

Optional attribute. If provided, the value of the path attribute is treated as relative to the path specified by this attribute (for example, jboss.server.log.dir).

suffix

Optional attribute. Adds a date suffix to a rotated log. You must use the java.time.format.DateTimeFormatter format. For example .yyyy-MM-dd.

synchronized

Specifies whether the file descriptor is synchronized with the storage device after every audit event. Default value is true.

4.10. sasl-authentication-factory attributes

You can configure sasl-authentication-factory by setting its attributes.

Table 4.12. sasl-authentication-factory attributes
Attribute | Description

mechanism-configurations

The list of mechanism specific configurations.

sasl-server-factory

The SASL server factory to associate with this resource.

security-domain

The security domain to associate with this resource.

Table 4.13. sasl-authentication-factory mechanism-configurations attributes
Attribute | Description

credential-security-factory

The security factory to use to obtain a credential as required by the mechanism.

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

host-name

The host name this configuration applies to.

mechanism-name

This configuration will only apply where a mechanism with the name specified is used. If this attribute is omitted then this will match any mechanism name.

mechanism-realm-configurations

The list of definitions of the realm names as understood by the mechanism.

protocol

The protocol this configuration applies to.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

Table 4.14. sasl-authentication-factory mechanism-configurations mechanism-realm-configurations attributes
Attribute | Description

final-principal-transformer

A final principal transformer to apply for this mechanism realm.

post-realm-principal-transformer

A principal transformer to apply after the realm is selected.

pre-realm-principal-transformer

A principal transformer to apply before the realm is selected.

realm-mapper

The realm mapper to be used by the mechanism.

realm-name

The name of the realm to be presented by the mechanism.
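The following script is an added example that serves both the http-authentication-factory tables (4.6) and the sasl-authentication-factory tables (4.10); it is not code from this page or from JBoss EAP. It binds one factory of each kind to the same security domain, giving each mechanism its own mechanism-configurations entry with a mechanism-realm-configurations realm name where that matters, and it lists the mechanisms a script configures so the exposed set can be reviewed. The domain and realm names, the factory names taken from the stock configuration, and EAP_HOME are assumptions.

```shell
#!/bin/sh
# Added example: one http-authentication-factory for the web tier and one
# sasl-authentication-factory for remoting, both bound to the same security
# domain, plus a helper that lists the mechanisms a script configures.
# Domain, realm and factory names and EAP_HOME are assumptions.

write_auth_factories_cli() {
  cat > "$1" <<'EOF'
# Assumed to exist: security-domain=app-domain containing realms "users" and
# "local", plus provider-http-server-mechanism-factory=global,
# configurable-sasl-server-factory=configured and constant-realm-mapper=local
# as found in the stock configuration.
batch
# HTTP: BASIC presents a fixed realm name to clients, FORM takes the domain
# defaults. Both carry the password itself, so the listener in front of this
# factory must terminate TLS.
/subsystem=elytron/http-authentication-factory=app-http-auth:add(http-server-mechanism-factory=global,security-domain=app-domain,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name="Application"}]},{mechanism-name=FORM}])
# SASL: JBOSS-LOCAL-USER for same-host callers, routed to the "local" realm by
# the constant realm mapper; SCRAM-SHA-256 for remote callers, which never
# sends the password in clear. Each entry names its mechanism; an entry
# without a mechanism name would apply to every mechanism the factory offers.
/subsystem=elytron/sasl-authentication-factory=app-sasl-auth:add(sasl-server-factory=configured,security-domain=app-domain,mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=SCRAM-SHA-256,mechanism-realm-configurations=[{realm-name=users}]}])
run-batch
EOF
}

# Prints the mechanism names configured in a script, one per line, so the set
# that is actually exposed can be reviewed or diffed against a baseline.
list_mechanisms() {
  grep -v '^[[:space:]]*#' "$1" | grep -o 'mechanism-name=[A-Z0-9_-]*' | cut -d= -f2
}

out="${TMPDIR:-/tmp}/auth-factories.cli"
write_auth_factories_cli "$out"
echo "mechanisms configured in $out:"
list_mechanisms "$out"
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

The factories only become effective once they are referenced from the web or remoting configuration; that wiring is outside the tables above.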

4.11. security-domain attributes

You can configure security-domain by setting its attributes.

Attribute | Description

default-realm

The default realm contained by this security domain.

evidence-decoder

A reference to an EvidenceDecoder to be used by this domain.

outflow-anonymous

This attribute specifies whether the anonymous identity should be used if outflow to a security domain is not possible, which happens in the following scenarios:

  • The domain to outflow to does not trust this domain.
  • The identity being outflowed to a domain does not exist in that domain.

Outflowing anonymous identity clears any previously established identity for that domain.

outflow-security-domains

The list of security domains that the security identity from this domain should automatically outflow to.

permission-mapper

A reference to a PermissionMapper to be used by this domain.

post-realm-principal-transformer

A reference to a principal transformer to be applied after the realm has operated on the supplied identity name.

pre-realm-principal-transformer

A reference to a principal transformer to be applied before the realm is selected.

principal-decoder

A reference to a PrincipalDecoder to be used by this domain.

realm-mapper

Reference to the RealmMapper to be used by this domain.

realms

The list of realms contained by this security domain.

role-decoder

Reference to the RoleDecoder to be used by this domain.

role-mapper

Reference to the RoleMapper to be used by this domain.

security-event-listener

Reference to a listener for security events.

trusted-security-domains

The list of security domains that are trusted by this security domain.

trusted-virtual-security-domains

The list of virtual security domains that are trusted by this security domain.

4.12. simple-role-decoder attributes

You can configure simple-role-decoder by setting its attribute.

Table 4.15. simple-role-decoder attributes
Attribute | Description

attribute

The name of the attribute from the identity to map directly to roles.
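The following script is an added example that serves both the security-domain attributes (4.11) and the simple-role-decoder attribute (4.12); it is not code from this page or from JBoss EAP. It builds a web-tier domain that outflows its identities to an EJB-tier domain, with roles decoded from an identity attribute, and it checks the batch for the trust relationship that outflow depends on: every domain named in outflow-security-domains must list the source in its trusted-security-domains. The realm, domain and permission-mapper names, the "groups" attribute and EAP_HOME are assumptions.

```shell
#!/bin/sh
# Added example: two security domains with outflow between them, roles decoded
# from an identity attribute, and a lint for the trust relationship that
# outflow requires. Names and EAP_HOME are assumptions.

write_security_domains_cli() {
  cat > "$1" <<'EOF'
# Assumed to exist: realms corp-ldap-cached and local-users, and the stock
# simple-permission-mapper=default-permission-mapper.
batch
# Roles are read straight from the identity attribute "groups" (assumption).
/subsystem=elytron/simple-role-decoder=from-groups:add(attribute=groups)
# EJB-tier domain. It accepts identities outflowed from app-domain only because
# app-domain is listed in trusted-security-domains; without that the outflow
# is refused.
/subsystem=elytron/security-domain=ejb-domain:add(default-realm=local-users,realms=[{realm=local-users,role-decoder=from-groups}],permission-mapper=default-permission-mapper,trusted-security-domains=[app-domain])
# Web-tier domain. Identities established here are pushed into ejb-domain.
# outflow-anonymous is left at its default of false: a refused outflow then
# leaves any identity already established in ejb-domain untouched instead of
# replacing it with the anonymous identity.
/subsystem=elytron/security-domain=app-domain:add(default-realm=corp-ldap-cached,realms=[{realm=corp-ldap-cached,role-decoder=from-groups},{realm=local-users,role-decoder=from-groups}],permission-mapper=default-permission-mapper,outflow-security-domains=[ejb-domain])
run-batch
EOF
}

# Returns 1 if a domain named in some outflow-security-domains list does not
# name the outflowing domain in its own trusted-security-domains list.
# Assumes one command per line with no spaces in the command itself.
check_outflow_trust() {
  rc=0
  for line in $(grep -v '^[[:space:]]*#' "$1" | grep 'outflow-security-domains='); do
    src=$(printf '%s\n' "$line" | sed 's|^/subsystem=elytron/security-domain=\([^:]*\):.*|\1|')
    targets=$(printf '%s\n' "$line" | sed 's|.*outflow-security-domains=\[\([^]]*\)].*|\1|' | tr ',' ' ')
    for t in $targets; do
      grep -v '^[[:space:]]*#' "$1" | grep "security-domain=$t:" \
        | grep -q "trusted-security-domains=\[\([^]]*,\)*$src[],]" \
        || { echo "$t does not list $src in trusted-security-domains" >&2; rc=1; }
    done
  done
  return $rc
}

out="${TMPDIR:-/tmp}/security-domains.cli"
write_security_domains_cli "$out"
check_outflow_trust "$out" || { echo "outflow without trust in $out" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

Trust is declared on the receiving domain, so adding a new outflow target always means editing two resources; the lint exists because forgetting the second edit does not produce an error at configuration time.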

4.13. size-rotating-file-audit-log attributes

Table 4.16. size-rotating-file-audit-log attributes
Attribute | Description

autoflush

Specifies whether the output stream is flushed after every audit event. If you do not define the attribute, it takes the value of the synchronized attribute.

encoding

Specifies the audit file encoding. The default is UTF-8. The possible values are the following:

  • UTF-8
  • UTF-16BE
  • UTF-16LE
  • UTF-16
  • US-ASCII
  • ISO-8859-1

format

Default value is SIMPLE. Use SIMPLE for human readable text format or JSON for storing individual events in JSON.

max-backup-index

The maximum number of files to back up when rotating. The default value is 1.

path

Defines the location of the log files.

relative-to

Optional attribute. If provided, the value of the path attribute is treated as relative to the path specified by this attribute (for example, jboss.server.log.dir).

rotate-on-boot

By default, Elytron does not create a new log file when you restart a server. Set this attribute to true to rotate the log on server restart.

rotate-size

The maximum size that the log file can reach before Elytron rotates the log. The default is 10m for 10 megabytes. You can also define the maximum size of the log with k, g, b, or t units. You can specify units in either uppercase or lowercase characters.

suffix

Optional attribute. Adds a date suffix to a rotated log. You must use the java.time.format.DateTimeFormatter format. For example .yyyy-MM-dd-HH.

synchronized

Specifies whether the file descriptor is synchronized with the storage device after every audit event. Default value is true.
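The following script is an added example that serves the file-audit-log (4.5), periodic-rotating-file-audit-log (4.9) and size-rotating-file-audit-log (4.13) tables; it is not code from this page or from JBoss EAP. It creates one log of each kind in JSON format, fans events out to them through an aggregate listener, and includes a helper that turns rotate-size and max-backup-index into the number of bytes of audit history that actually remains on disk, which is the figure that matters when sizing retention for an investigation. The log names, sizes, the domain name and EAP_HOME are assumptions, and the helper assumes that the k, m, g and t units are powers of 1024, as in the logging subsystem.

```shell
#!/bin/sh
# Added example: three file-based audit logs wired into a security domain, plus
# a helper that computes the bytes of audit history a size-rotating log keeps.
# Names, sizes, the domain and EAP_HOME are assumptions.

write_audit_log_cli() {
  cat > "$1" <<'EOF'
batch
# JSON events are easier for a SIEM to parse than SIMPLE text. synchronized=true
# (the default) syncs the file descriptor after every event, so an event that
# was written survives a crash, at the cost of one sync per authentication.
/subsystem=elytron/file-audit-log=audit-json:add(path=audit.json,relative-to=jboss.server.log.dir,format=JSON,synchronized=true)
# Size-based rotation bounds disk usage: 50 MB per file and 10 backups. The
# default max-backup-index of 1 would keep only about 20 MB of history in total.
/subsystem=elytron/size-rotating-file-audit-log=audit-rotating:add(path=audit-rotating.json,relative-to=jboss.server.log.dir,format=JSON,rotate-size=50m,max-backup-index=10,rotate-on-boot=true,suffix=.yyyy-MM-dd-HH)
# Time-based rotation: one file per day, named by the DateTimeFormatter suffix.
/subsystem=elytron/periodic-rotating-file-audit-log=audit-daily:add(path=audit-daily.json,relative-to=jboss.server.log.dir,format=JSON,suffix=.yyyy-MM-dd)
# A domain takes one security-event-listener; fan out to several via an aggregate.
/subsystem=elytron/aggregate-security-event-listener=audit-all:add(security-event-listeners=[audit-json,audit-rotating,audit-daily])
/subsystem=elytron/security-domain=app-domain:write-attribute(name=security-event-listener,value=audit-all)
run-batch
EOF
}

# Bytes kept on disk for a size-rotating log: (max-backup-index + 1) files of
# rotate-size. $1 = rotate-size such as 50m, $2 = max-backup-index.
# k, m, g and t are treated as powers of 1024 (assumption); b or no unit is bytes.
retention_bytes() {
  size=$1; idx=$2
  num=${size%[kKmMgGtTbB]}
  unit=${size#"$num"}
  case "$unit" in
    [kK]) mult=1024 ;;
    [mM]) mult=1048576 ;;
    [gG]) mult=1073741824 ;;
    [tT]) mult=1099511627776 ;;
    *) mult=1 ;;
  esac
  echo $(( num * mult * (idx + 1) ))
}

out="${TMPDIR:-/tmp}/audit-logs.cli"
write_audit_log_cli "$out"
echo "audit-rotating retains $(retention_bytes 50m 10) bytes; the defaults would retain $(retention_bytes 10m 1)"
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

Rotation only bounds local disk use; it does not protect the files from an attacker who has already gained write access to the server, which is the case for shipping events off the host as well (see the syslog-audit-log table).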

4.14. syslog-audit-log attributes

Table 4.17. syslog-audit-log attributes
Attribute | Description

format

The format in which audit events are recorded.

Supported values:

  • JSON
  • SIMPLE

Default value:

  • SIMPLE

host-name

The host name to be embedded into all events sent to the syslog server.

port

The listening port on the syslog server.

reconnect-attempts

The maximum number of times that Elytron attempts to send successive messages to a syslog server before closing the connection. This attribute applies only when the transport is UDP.

Supported values:

  • Any positive integer value.
  • -1 indicates infinite reconnect attempts.

Default value:

  • 0

server-address

IP address of the syslog server or a name that can be resolved by Java’s InetAddress.getByName() method.

ssl-context

The SSL context to use when connecting to the syslog server. This attribute is only required if transport is set to SSL_TCP.

syslog-format

The RFC format to be used for describing the audit event.

Supported values:

  • RFC3164
  • RFC5424

Default value:

  • RFC5424

transport

The transport layer protocol to use to connect to the syslog server.

Supported values:

  • SSL_TCP
  • TCP
  • UDP

Default value:

  • TCP
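The following script is an added example, not code from this page or from JBoss EAP. It sends RFC 5424 events in JSON over TLS to a collector, keeps the plaintext UDP variant only as a commented contrast, and lints the batch so that any syslog-audit-log that would send in clear, or that names SSL_TCP without an ssl-context, is refused. The collector address, the client-ssl-context name syslog-tls, the host name, the domain and EAP_HOME are assumptions.

```shell
#!/bin/sh
# Added example: a syslog-audit-log over TLS, a plaintext variant for contrast,
# and a lint that refuses clear-text syslog transports.
# Collector, ssl-context, host and domain names and EAP_HOME are assumptions.

write_syslog_cli() {
  cat > "$1" <<'EOF'
# Assumed to exist: client-ssl-context=syslog-tls whose trust store holds the
# collector's CA, and security-domain=app-domain.
batch
# RFC 5424 over TLS on the IANA syslog-over-TLS port (6514). host-name is what
# the collector attributes the events to, so use the node's canonical name.
/subsystem=elytron/syslog-audit-log=audit-syslog:add(server-address=siem.example.internal,port=6514,transport=SSL_TCP,ssl-context=syslog-tls,host-name=eap-node-1,format=JSON,syslog-format=RFC5424)
/subsystem=elytron/security-domain=app-domain:write-attribute(name=security-event-listener,value=audit-syslog)
run-batch
# Weak form, for contrast: UDP is neither authenticated nor encrypted and
# drops events silently; reconnect-attempts (honoured only for UDP) does not
# change that.
# /subsystem=elytron/syslog-audit-log=audit-udp:add(server-address=siem.example.internal,port=514,transport=UDP,host-name=eap-node-1,reconnect-attempts=3)
EOF
}

# Returns 1 if any active syslog-audit-log sends in clear (TCP, UDP, or the
# TCP default when transport is omitted) or uses SSL_TCP without an ssl-context.
check_syslog_tls() {
  active=$(grep -v '^[[:space:]]*#' "$1" | grep 'syslog-audit-log=')
  printf '%s\n' "$active" | grep -v 'transport=SSL_TCP' | grep -q 'syslog-audit-log=' && return 1
  printf '%s\n' "$active" | grep 'transport=SSL_TCP' | grep -v 'ssl-context=' | grep -q 'syslog-audit-log=' && return 1
  return 0
}

out="${TMPDIR:-/tmp}/syslog-audit.cli"
write_syslog_cli "$out"
check_syslog_tls "$out" || { echo "clear-text syslog transport in $out" >&2; exit 1; }
# Apply to a running server only when EAP_HOME points at an installation.
if [ -x "${EAP_HOME:-/nonexistent}/bin/jboss-cli.sh" ]; then
  "$EAP_HOME/bin/jboss-cli.sh" --connect --file="$out"
fi
```

Shipping events off the host is what makes the audit trail survive a compromise of the server itself; TLS to the collector is what keeps an on-path attacker from reading or replacing the events in transit.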
© 2024 Red Hat, Inc.