2.8. Aggregate security realms


Aggregate realms combine multiple realms: the first one performs the authentication steps, and the others load the identity (for example, group or role membership) that the authorization steps use. For example, you can authenticate users with a client certificate and then retrieve their identity from a properties or LDAP realm.

Aggregate realm configuration

XML

<server xmlns="urn:infinispan:server:16.0">
   <security>
      <security-realms>
         <security-realm name="default" default-realm="aggregate">
            <server-identities>
               <ssl>
                  <keystore path="server.pfx" password="secret" alias="server"/>
                  <truststore path="trust.pfx" password="secret"/>
               </ssl>
            </server-identities>
            <properties-realm name="properties" groups-attribute="Roles">
               <user-properties path="users.properties" relative-to="infinispan.server.config.path"/>
               <group-properties path="groups.properties" relative-to="infinispan.server.config.path"/>
            </properties-realm>
            <truststore-realm name="trust"/>
            <aggregate-realm authentication-realm="trust" authorization-realms="properties">
               <name-rewriter>
                  <common-name-principal-transformer/>
               </name-rewriter>
            </aggregate-realm>
         </security-realm>
      </security-realms>
   </security>
</server>

JSON

{
  "server": {
    "security": {
      "security-realms": [
        {
          "name": "aggregate-realm",
          "default-realm": "aggregate",
          "server-identities": {
            "ssl": {
              "keystore": {
                "path": "server.p12",
                "relative-to": "infinispan.server.config.path",
                "keystore-password": "secret",
                "alias": "server"
              },
              "truststore": {
                "path": "trust.p12",
                "relative-to": "infinispan.server.config.path",
                "password": "secret"
              }
            }
          },
          "properties-realm": {
            "name": "properties",
            "groups-attribute": "Roles",
            "user-properties": {
              "digest-realm-name": "distributed-realm",
              "path": "users.properties"
            },
            "group-properties": {
              "path": "groups.properties"
            }
          },
          "truststore-realm": {
            "name": "trust"
          },
          "aggregate-realm": {
            "authentication-realm": "trust",
            "authorization-realms": ["properties"],
            "name-rewriter": {
              "common-name-principal-transformer": {}
            }
          }
        }
      ]
    }
  }
}

YAML

server:
  security:
    securityRealms:
      - name: "aggregate-realm"
        defaultRealm: "aggregate"
        serverIdentities:
          ssl:
            keystore:
              path: "server.p12"
              relative-to: "infinispan.server.config.path"
              keystore-password: "secret"
              alias: "server"
            truststore:
              path: "trust.p12"
              relative-to: "infinispan.server.config.path"
              password: "secret"
        truststoreRealm:
          name: "trust"
        propertiesRealm:
          name: "properties"
          groupsAttribute: "Roles"
          userProperties:
            digestRealmName: "distributed-realm"
            path: "users.properties"
          groupProperties:
            path: "groups.properties"
        aggregateRealm:
          authenticationRealm: "trust"
          authorizationRealms:
            - "properties"
          nameRewriter:
            common-name-principal-transformer: ~

2.8.1. Name rewriters

Principal names may have different forms, depending on the security realm type:

  • Properties and Token realms may return simple strings
  • Trust and LDAP realms may return X.500-style distinguished names
  • Kerberos realms may return user@domain-style names

When you use an aggregate realm, the name returned by the authentication realm must be normalized to the form that the authorization realms expect, using one of the following transformers.

2.8.1.1. Case Principal Transformer

The case-principal-transformer transforms a name to all uppercase or all lowercase letters.

XML

<aggregate-realm authentication-realm="trust" authorization-realms="properties">
   <name-rewriter>
      <case-principal-transformer uppercase="false"/>
   </name-rewriter>
</aggregate-realm>

JSON

{
  "aggregate-realm": {
    "authentication-realm": "trust",
    "authorization-realms": [
      "properties"
    ],
    "name-rewriter": {
      "case-principal-transformer": {
        "uppercase": "false"
      }
    }
  }
}

YAML

aggregateRealm:
  authenticationRealm: "trust"
  authorizationRealms:
    - "properties"
  nameRewriter:
    casePrincipalTransformer:
      uppercase: false

2.8.1.2. Common Name Principal Transformer

The common-name-principal-transformer extracts the first CN element from a distinguished name (DN), as returned by LDAP and certificate-based realms. For example, given a principal of the form CN=app1,CN=serviceA,OU=applications,DC=infinispan,DC=org, the following configuration extracts app1 as the principal.

XML

<aggregate-realm authentication-realm="trust" authorization-realms="properties">
   <name-rewriter>
      <common-name-principal-transformer/>
   </name-rewriter>
</aggregate-realm>

JSON

{
  "aggregate-realm": {
    "authentication-realm": "trust",
    "authorization-realms": [
      "properties"
    ],
    "name-rewriter": {
      "common-name-principal-transformer": {}
    }
  }
}

YAML

aggregateRealm:
  authenticationRealm: "trust"
  authorizationRealms:
    - "properties"
  nameRewriter:
    commonNamePrincipalTransformer: ~

2.8.1.3. Regex Principal Transformer

The regex-principal-transformer performs a find-and-replace on the name using a regular expression; with replace-all set to false, only the first match is replaced. The following example extracts the local part from a user@domain.com identifier.

XML

<aggregate-realm authentication-realm="trust" authorization-realms="properties">
   <name-rewriter>
      <regex-principal-transformer pattern="([^@]+)@.*" replacement="$1" replace-all="false"/>
   </name-rewriter>
</aggregate-realm>

JSON

{
  "aggregate-realm": {
    "authentication-realm": "trust",
    "authorization-realms": [
      "properties"
    ],
    "name-rewriter": {
      "regex-principal-transformer": {
        "pattern": "([^@]+)@.*",
        "replacement": "$1",
        "replace-all": false
      }
    }
  }
}

YAML

aggregateRealm:
  authenticationRealm: "trust"
  authorizationRealms:
    - "properties"
  nameRewriter:
    regexPrincipalTransformer:
      pattern: "([^@]+)@.*"
      replacement: "$1"
      replaceAll: false
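The rewriting flow that the aggregate realm applies, as an added example that is not part of the Infinispan documentation or code base: it models the three transformers above (case, common-name and regex) and the lookup of the rewritten name in a properties authorization realm, using a constructed groups.properties. The escaped-comma handling in the DN parser and the `authorize` helper are assumptions made for this illustration, not documented Infinispan behaviour.

```python
import re

# Constructed groups.properties content in the user=role1,role2 form that the
# properties authorization realm loads; sample data, not from the docs.
GROUPS_PROPERTIES = """\
app1=admin,deployer
alice=observer
"""

def load_groups(text):
    """Parse groups.properties lines of the form user=role1,role2."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, roles = line.partition("=")
        groups[user.strip()] = [r.strip() for r in roles.split(",") if r.strip()]
    return groups

def case_transform(name, uppercase=False):
    """case-principal-transformer: fold the whole name to one case."""
    return name.upper() if uppercase else name.lower()

def common_name_transform(name):
    """common-name-principal-transformer: value of the first CN in a DN.
    Splits only on unescaped commas, so a CN containing '\\,' survives (assumed)."""
    for rdn in re.split(r"(?<!\\),", name):
        attr, _, value = rdn.strip().partition("=")
        if attr.strip().upper() == "CN":
            return value.replace("\\,", ",")
    return name  # no CN attribute: leave the principal unchanged

def regex_transform(name, pattern, replacement, replace_all=False):
    """regex-principal-transformer: Java-style $1 groups are mapped to \\1;
    replace-all=false replaces only the first match."""
    py_repl = re.sub(r"\$(\d+)", r"\\\1", replacement)
    return re.sub(pattern, py_repl, name, count=0 if replace_all else 1)

def authorize(principal, rewriter, groups):
    """Aggregate-realm flow (hypothetical helper): rewrite the authenticated name,
    then look the rewritten name up in the authorization realm. No entry, no roles."""
    rewritten = rewriter(principal)
    return rewritten, groups.get(rewritten, [])

GROUPS = load_groups(GROUPS_PROPERTIES)

if __name__ == "__main__":
    print(authorize("CN=app1,CN=serviceA,OU=applications,DC=infinispan,DC=org",
                    common_name_transform, GROUPS))
```

A certificate subject whose CN has no entry in groups.properties authenticates but ends up with an empty role list, which is the usual symptom of a missing or mismatched name rewriter.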
