[66] | 1 | <html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat Configuration Reference - The Realm Component</title><meta value="Craig R. McClanahan" name="author"><meta value="craigmcc@apache.org" name="email"></head><body vlink="#525D76" alink="#525D76" link="#525D76" text="#000000" bgcolor="#ffffff"><table cellspacing="0" width="100%" border="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img border="0" alt=" |
---|
| 2 | The Apache Tomcat Servlet/JSP Container |
---|
| 3 | " align="right" src="../../images/tomcat.gif"></a></td><td><font face="arial,helvetica,sanserif"><h1>Apache Tomcat 6.0</h1></font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img border="0" alt="Apache Logo" align="right" src="../../images/asf-logo.gif"></a></td></tr></table><table cellspacing="4" width="100%" border="0"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><tr><!--RIGHT SIDE MAIN BODY--><td align="left" valign="top" width="80%"><table cellspacing="4" width="100%" border="0"><tr><td valign="top" align="left"><h1>Apache Tomcat Configuration Reference</h1><h2>The Realm Component</h2></td><td nowrap="true" valign="top" align="right"><img border="0" hspace="0" vspace="0" height="1" width="1" src="../../images/void.gif"></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 4 | |
---|
| 5 | <p>A <strong>Realm</strong> element represents a "database" of usernames, |
---|
| 6 | passwords, and <em>roles</em> (similar to Unix <em>groups</em>) assigned |
---|
| 7 | to those users. Different implementations of Realm allow Catalina to be |
---|
| 8 | integrated into environments where such authentication information is already |
---|
| 9 | being created and maintained, and then utilize that information to implement |
---|
| 10 | <em>Container Managed Security</em> as described in the Servlet |
---|
| 11 | Specification.</p> |
---|
| 12 | |
---|
| 13 | <p>You may nest a Realm inside any Catalina container |
---|
| 14 | <a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or |
---|
| 15 | <a href="context.html">Context</a>). In addition, Realms associated with |
---|
| 16 | an Engine or a Host are automatically inherited by lower-level |
---|
| 17 | containers, unless explicitly overridden.</p> |
---|
| 18 | |
---|
| 19 | <p>For more in-depth information about container managed security in web |
---|
| 20 | applications, as well as more information on configuring and using the |
---|
| 21 | standard realm component implementations, please see the |
---|
| 22 | <a href="../../realm-howto.html">Container-Managed Security Guide</a>. |
---|
| 23 | </p> |
---|
| 24 | |
---|
| 25 | <blockquote><em> |
---|
| 26 | <p>The description below uses the variable name $CATALINA_BASE to refer the |
---|
| 27 | base directory against which most relative paths are resolved. If you have |
---|
| 28 | not configured Tomcat 6 for multiple instances by setting a CATALINA_BASE |
---|
| 29 | directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME, |
---|
| 30 | the directory into which you have installed Tomcat 6.</p> |
---|
| 31 | </em></blockquote> |
---|
| 32 | |
---|
| 33 | </blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Attributes"><strong>Attributes</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 34 | |
---|
| 35 | <table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#828DA6"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Common Attributes"><strong>Common Attributes</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 36 | |
---|
| 37 | <p>All implementations of <strong>Realm</strong> |
---|
| 38 | support the following attributes:</p> |
---|
| 39 | |
---|
| 40 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><strong><code>className</code></strong></td><td valign="center" align="left"> |
---|
| 41 | <p>Java class name of the implementation to use. This class must |
---|
| 42 | implement the <code>org.apache.catalina.Realm</code> interface.</p> |
---|
| 43 | </td></tr></table> |
---|
| 44 | |
---|
| 45 | </blockquote></td></tr></table> |
---|
| 46 | |
---|
| 47 | |
---|
| 48 | <table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#828DA6"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Standard Implementation"><strong>Standard Implementation</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 49 | |
---|
| 50 | <p>Unlike most Catalina components, there are several standard |
---|
| 51 | <strong>Realm</strong> implementations available. As a result, |
---|
| 52 | the <code>className</code> attribute MUST be used to select the |
---|
| 53 | implementation you wish to use.</p> |
---|
| 54 | |
---|
| 55 | <h3>JDBC Database Realm (org.apache.catalina.realm.JDBCRealm)</h3> |
---|
| 56 | |
---|
| 57 | <p>The <strong>JDBC Database Realm</strong> connects Catalina to |
---|
| 58 | a relational database, accessed through an appropriate JDBC driver, |
---|
| 59 | to perform lookups of usernames, passwords, and their associated |
---|
| 60 | roles. Because the lookup is done each time that it is required, |
---|
| 61 | changes to the database will be immediately reflected in the |
---|
| 62 | information used to authenticate new logins.</p> |
---|
| 63 | |
---|
| 64 | <p>A rich set of additional attributes lets you configure the required |
---|
| 65 | connection to the underlying database, as well as the table and |
---|
| 66 | column names used to retrieve the required information:</p> |
---|
| 67 | |
---|
| 68 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><strong><code>connectionName</code></strong></td><td valign="center" align="left"> |
---|
| 69 | <p>The database username to use when establishing the JDBC |
---|
| 70 | connection.</p> |
---|
| 71 | </td></tr><tr><td valign="center" align="left"><strong><code>connectionPassword</code></strong></td><td valign="center" align="left"> |
---|
| 72 | <p>The database password to use when establishing the JDBC |
---|
| 73 | connection.</p> |
---|
| 74 | </td></tr><tr><td valign="center" align="left"><strong><code>connectionURL</code></strong></td><td valign="center" align="left"> |
---|
| 75 | <p>The connection URL to be passed to the JDBC driver when |
---|
| 76 | establishing a database connection.</p> |
---|
| 77 | </td></tr><tr><td valign="center" align="left"><code>digest</code></td><td valign="center" align="left"> |
---|
| 78 | <p>The name of the <code>MessageDigest</code> algorithm used |
---|
| 79 | to encode user passwords stored in the database. If not specified, |
---|
| 80 | user passwords are assumed to be stored in clear-text.</p> |
---|
| 81 | </td></tr><tr><td valign="center" align="left"><code>digestEncoding</code></td><td valign="center" align="left"> |
---|
| 82 | <p>The charset for encoding digests. If not specified, the platform |
---|
| 83 | default will be used.</p> |
---|
| 84 | </td></tr><tr><td valign="center" align="left"><strong><code>driverName</code></strong></td><td valign="center" align="left"> |
---|
| 85 | <p>Fully qualified Java class name of the JDBC driver to be |
---|
| 86 | used to connect to the authentication database.</p> |
---|
| 87 | </td></tr><tr><td valign="center" align="left"><strong><code>roleNameCol</code></strong></td><td valign="center" align="left"> |
---|
| 88 | <p>Name of the column, in the "user roles" table, which contains |
---|
| 89 | a role name assigned to the corresponding user.</p> |
---|
| 90 | </td></tr><tr><td valign="center" align="left"><strong><code>userCredCol</code></strong></td><td valign="center" align="left"> |
---|
| 91 | <p>Name of the column, in the "users" table, which contains |
---|
| 92 | the user's credentials (i.e. password(. If a value for the |
---|
| 93 | <code>digest</code> attribute is specified, this component |
---|
| 94 | will assume that the passwords have been encoded with the |
---|
| 95 | specified algorithm. Otherwise, they will be assumed to be |
---|
| 96 | in clear text.</p> |
---|
| 97 | </td></tr><tr><td valign="center" align="left"><strong><code>userNameCol</code></strong></td><td valign="center" align="left"> |
---|
| 98 | <p>Name of the column, in the "users" and "user roles" table, |
---|
| 99 | that contains the user's username.</p> |
---|
| 100 | </td></tr><tr><td valign="center" align="left"><strong><code>userRoleTable</code></strong></td><td valign="center" align="left"> |
---|
| 101 | <p>Name of the "user roles" table, which must contain columns |
---|
| 102 | named by the <code>userNameCol</code> and <code>roleNameCol</code> |
---|
| 103 | attributes.</p> |
---|
| 104 | </td></tr><tr><td valign="center" align="left"><strong><code>userTable</code></strong></td><td valign="center" align="left"> |
---|
| 105 | <p>Name of the "users" table, which must contain columns named |
---|
| 106 | by the <code>userNameCol</code> and <code>userCredCol</code> |
---|
| 107 | attributes.</p> |
---|
| 108 | </td></tr></table> |
---|
| 109 | |
---|
| 110 | <p>See the <a href="../../realm-howto.html">Container-Managed Security Guide</a> for more |
---|
| 111 | information on setting up container managed security using the |
---|
| 112 | JDBC Database Realm component.</p> |
---|
| 113 | |
---|
| 114 | |
---|
| 115 | <h3> |
---|
| 116 | DataSource Database Realm (org.apache.catalina.realm.DataSourceRealm) |
---|
| 117 | </h3> |
---|
| 118 | |
---|
| 119 | <p>The <strong>DataSource Database Realm</strong> connects Catalina to |
---|
| 120 | a relational database, accessed through a JNDI named JDBC DataSource |
---|
| 121 | to perform lookups of usernames, passwords, and their associated |
---|
| 122 | roles. Because the lookup is done each time that it is required, |
---|
| 123 | changes to the database will be immediately reflected in the |
---|
| 124 | information used to authenticate new logins.</p> |
---|
| 125 | |
---|
| 126 | <p>The JDBC Realm uses a single db connection. This requires that |
---|
| 127 | realm based authentication be synchronized, i.e. only one authentication |
---|
| 128 | can be done at a time. This could be a bottleneck for applications |
---|
| 129 | with high volumes of realm based authentications.</p> |
---|
| 130 | |
---|
| 131 | <p>The DataSource Database Realm supports simultaneous realm based |
---|
| 132 | authentications and allows the underlying JDBC DataSource to |
---|
| 133 | handle optimizations like database connection pooling.</p> |
---|
| 134 | |
---|
| 135 | <p>A rich set of additional attributes lets you configure the name |
---|
| 136 | of the JNDI JDBC DataSource, as well as the table and |
---|
| 137 | column names used to retrieve the required information:</p> |
---|
| 138 | |
---|
| 139 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><strong><code>dataSourceName</code></strong></td><td valign="center" align="left"> |
---|
| 140 | <p>The name of the JNDI JDBC DataSource for this Realm.</p> |
---|
| 141 | </td></tr><tr><td valign="center" align="left"><code>digest</code></td><td valign="center" align="left"> |
---|
| 142 | <p>The name of the <code>MessageDigest</code> algorithm used |
---|
| 143 | to encode user passwords stored in the database. If not specified, |
---|
| 144 | user passwords are assumed to be stored in clear-text.</p> |
---|
| 145 | </td></tr><tr><td valign="center" align="left"><code>localDataSource</code></td><td valign="center" align="left"> |
---|
| 146 | <p>When the realm is nested inside a Context element, this allows the |
---|
| 147 | realm to use a DataSource defined for the Context rather than a global |
---|
| 148 | DataSource. If not specified, the default is <code>false</code>: use a |
---|
| 149 | global DataSource.</p> |
---|
| 150 | </td></tr><tr><td valign="center" align="left"><strong><code>roleNameCol</code></strong></td><td valign="center" align="left"> |
---|
| 151 | <p>Name of the column, in the "user roles" table, which contains |
---|
| 152 | a role name assigned to the corresponding user.</p> |
---|
| 153 | </td></tr><tr><td valign="center" align="left"><strong><code>userCredCol</code></strong></td><td valign="center" align="left"> |
---|
| 154 | <p>Name of the column, in the "users" table, which contains |
---|
| 155 | the user's credentials (i.e. password(. If a value for the |
---|
| 156 | <code>digest</code> attribute is specified, this component |
---|
| 157 | will assume that the passwords have been encoded with the |
---|
| 158 | specified algorithm. Otherwise, they will be assumed to be |
---|
| 159 | in clear text.</p> |
---|
| 160 | </td></tr><tr><td valign="center" align="left"><strong><code>userNameCol</code></strong></td><td valign="center" align="left"> |
---|
| 161 | <p>Name of the column, in the "users" and "user roles" table, |
---|
| 162 | that contains the user's username.</p> |
---|
| 163 | </td></tr><tr><td valign="center" align="left"><strong><code>userRoleTable</code></strong></td><td valign="center" align="left"> |
---|
| 164 | <p>Name of the "user roles" table, which must contain columns |
---|
| 165 | named by the <code>userNameCol</code> and <code>roleNameCol</code> |
---|
| 166 | attributes.</p> |
---|
| 167 | </td></tr><tr><td valign="center" align="left"><strong><code>userTable</code></strong></td><td valign="center" align="left"> |
---|
| 168 | <p>Name of the "users" table, which must contain columns named |
---|
| 169 | by the <code>userNameCol</code> and <code>userCredCol</code> |
---|
| 170 | attributes.</p> |
---|
| 171 | </td></tr></table> |
---|
| 172 | |
---|
| 173 | <p>See the <a href="../../realm-howto.html#DataSourceRealm"> |
---|
| 174 | DataSource Realm HOW-TO</a> for more information on setting up container |
---|
| 175 | managed security using the DataSource Database Realm component.</p> |
---|
| 176 | |
---|
| 177 | |
---|
| 178 | <h3>JNDI Directory Realm (org.apache.catalina.realm.JNDIRealm)</h3> |
---|
| 179 | |
---|
| 180 | |
---|
| 181 | <p>The <strong>JNDI Directory Realm</strong> connects Catalina to |
---|
| 182 | an LDAP Directory, accessed through an appropriate JNDI driver, |
---|
| 183 | that stores usernames, passwords, and their associated |
---|
| 184 | roles. Changes to the directory are immediately reflected in the |
---|
| 185 | information used to authenticate new logins.</p> |
---|
| 186 | |
---|
| 187 | |
---|
| 188 | <p>The directory realm supports a variety of approaches to using |
---|
| 189 | LDAP for authentication:</p> |
---|
| 190 | |
---|
| 191 | <ul> |
---|
| 192 | <li>The realm can either use a pattern to determine the |
---|
| 193 | distinguished name (DN) of the user's directory entry, or search |
---|
| 194 | the directory to locate that entry. |
---|
| 195 | </li> |
---|
| 196 | |
---|
| 197 | <li>The realm can authenticate the user either by binding to the |
---|
| 198 | directory with the DN of the user's entry and the password |
---|
| 199 | presented by the user, or by retrieving the password from the |
---|
| 200 | user's entry and performing a comparison locally. |
---|
| 201 | </li> |
---|
| 202 | |
---|
| 203 | <li>Roles may be represented in the directory as explicit entries |
---|
| 204 | found by a directory search (e.g. group entries of which the user |
---|
| 205 | is a member), as the values of an attribute in the user's entry, |
---|
| 206 | or both. |
---|
| 207 | </li> |
---|
| 208 | </ul> |
---|
| 209 | |
---|
| 210 | <p> A rich set of additional attributes lets you configure the |
---|
| 211 | required behaviour as well as the connection to the underlying |
---|
| 212 | directory and the element and attribute names used to retrieve |
---|
| 213 | information from the directory:</p> |
---|
| 214 | |
---|
| 215 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><code>alternateURL</code></td><td valign="center" align="left"> |
---|
| 216 | <p>If a socket connection can not be made to the provider at |
---|
| 217 | the <code>connectionURL</code> an attempt will be made to use the |
---|
| 218 | <code>alternateURL</code>.</p> |
---|
| 219 | </td></tr><tr><td valign="center" align="left"><code>authentication</code></td><td valign="center" align="left"> |
---|
| 220 | <p>A string specifying the type of authentication to use. |
---|
| 221 | "none", "simple", "strong" or a provider specific definition |
---|
| 222 | can be used. If no value is given the providers default is used.</p> |
---|
| 223 | </td></tr><tr><td valign="center" align="left"><code>connectionName</code></td><td valign="center" align="left"> |
---|
| 224 | <p>The directory username to use when establishing a |
---|
| 225 | connection to the directory for LDAP search operations. If not |
---|
| 226 | specified an anonymous connection is made, which is often |
---|
| 227 | sufficient unless you specify the <code>userPassword</code> |
---|
| 228 | property.</p> |
---|
| 229 | </td></tr><tr><td valign="center" align="left"><code>connectionPassword</code></td><td valign="center" align="left"> |
---|
| 230 | <p>The directory password to use when establishing a |
---|
| 231 | connection to the directory for LDAP search operations. If not |
---|
| 232 | specified an anonymous connection is made, which is often |
---|
| 233 | sufficient unless you specify the <code>userPassword</code> |
---|
| 234 | property.</p> |
---|
| 235 | </td></tr><tr><td valign="center" align="left"><strong><code>connectionURL</code></strong></td><td valign="center" align="left"> |
---|
| 236 | <p>The connection URL to be passed to the JNDI driver when |
---|
| 237 | establishing a connection to the directory.</p> |
---|
| 238 | </td></tr><tr><td valign="center" align="left"><code>contextFactory</code></td><td valign="center" align="left"> |
---|
| 239 | <p>Fully qualified Java class name of the factory class used |
---|
| 240 | to acquire our JNDI <code>InitialContext</code>. By default, |
---|
| 241 | assumes that the standard JNDI LDAP provider will be utilized.</p> |
---|
| 242 | </td></tr><tr><td valign="center" align="left"><code>derefAliases</code></td><td valign="center" align="left"> |
---|
| 243 | <p>A string specifying how aliases are to be dereferenced during |
---|
| 244 | search operations. The allowed values are "always", "never", |
---|
| 245 | "finding" and "searching". If not specified, "always" is used.</p> |
---|
| 246 | </td></tr><tr><td valign="center" align="left"><code>digest</code></td><td valign="center" align="left"> |
---|
| 247 | <p>The digest algorithm to apply to the plaintext password offered |
---|
| 248 | by the user before comparing it with the value retrieved from the |
---|
| 249 | directory. Valid values are those accepted for the algorithm name |
---|
| 250 | by the <code>java.security.MessageDigest</code> class. If not |
---|
| 251 | specified the plaintext password is assumed to be retrieved. Not |
---|
| 252 | required unless <code>userPassword</code> is specified</p> |
---|
| 253 | </td></tr><tr><td valign="center" align="left"><code>protocol</code></td><td valign="center" align="left"> |
---|
| 254 | <p>A string specifying the security protocol to use. If not given |
---|
| 255 | the providers default is used.</p> |
---|
| 256 | </td></tr><tr><td valign="center" align="left"><code>roleBase</code></td><td valign="center" align="left"> |
---|
| 257 | <p>The base directory entry for performing role searches. If |
---|
| 258 | not specified the top-level element in the directory context |
---|
| 259 | will be used.</p> |
---|
| 260 | </td></tr><tr><td valign="center" align="left"><code>roleName</code></td><td valign="center" align="left"> |
---|
| 261 | <p>The name of the attribute that contains role names in the |
---|
| 262 | directory entries found by a role search. In addition you can |
---|
| 263 | use the <code>userRoleName</code> property to specify the name |
---|
| 264 | of an attribute, in the user's entry, containing additional |
---|
| 265 | role names. If <code>roleName</code> is not specified a role |
---|
| 266 | search does not take place, and roles are taken only from the |
---|
| 267 | user's entry.</p> |
---|
| 268 | </td></tr><tr><td valign="center" align="left"><code>roleSearch</code></td><td valign="center" align="left"> |
---|
| 269 | <p>The LDAP filter expression used for performing role |
---|
| 270 | searches. Use <code>{0}</code> to substitute the |
---|
| 271 | distinguished name (DN) of the user, and/or <code>{1}</code> to |
---|
| 272 | substitute the username. If not specified a role search does |
---|
| 273 | not take place and roles are taken only from the attribute in |
---|
| 274 | the user's entry specified by the <code>userRoleName</code> |
---|
| 275 | property.</p> |
---|
| 276 | </td></tr><tr><td valign="center" align="left"><code>roleSubtree</code></td><td valign="center" align="left"> |
---|
| 277 | <p>Set to <code>true</code> if you want to search the entire |
---|
| 278 | subtree of the element specified by the <code>roleBase</code> |
---|
| 279 | property for role entries associated with the user. The |
---|
| 280 | default value of <code>false</code> causes only the top level |
---|
| 281 | to be searched.</p> |
---|
| 282 | </td></tr><tr><td valign="center" align="left"><code>userBase</code></td><td valign="center" align="left"> |
---|
| 283 | <p>The base element for user searches performed using the |
---|
| 284 | <code>userSearch</code> expression. Not used if you are using |
---|
| 285 | the <code>userPattern</code> expression.</p> |
---|
| 286 | </td></tr><tr><td valign="center" align="left"><code>userPassword</code></td><td valign="center" align="left"> |
---|
| 287 | <p>Name of the attribute in the user's entry containing the |
---|
| 288 | user's password. If you specify this value, JNDIRealm will |
---|
| 289 | bind to the directory using the values specified by |
---|
| 290 | <code>connectionName</code> and |
---|
| 291 | <code>connectionPassword</code> properties, and retrieve the |
---|
| 292 | corresponding attribute for comparison to the value specified |
---|
| 293 | by the user being authenticated. If you do |
---|
| 294 | <strong>not</strong> specify this value, JNDIRealm will |
---|
| 295 | attempt a simple bind to the directory using the DN of the |
---|
| 296 | user's entry and the password presented by the user, with a |
---|
| 297 | successful bind being interpreted as an authenticated |
---|
| 298 | user.</p> |
---|
| 299 | </td></tr><tr><td valign="center" align="left"><code>userPattern</code></td><td valign="center" align="left"> |
---|
| 300 | <p>Pattern for the distinguished name (DN) of the user's |
---|
| 301 | directory entry, with <code>{0}</code> marking where the |
---|
| 302 | actual username should be inserted. You can use this property |
---|
| 303 | instead of <code>userSearch</code>, <code>userSubtree</code> |
---|
| 304 | and <code>userBase</code> when the distinguished name contains |
---|
| 305 | the username and is otherwise the same for all users.</p> |
---|
| 306 | </td></tr><tr><td valign="center" align="left"><code>userRoleName</code></td><td valign="center" align="left"> |
---|
| 307 | <p>The name of an attribute in the user's directory entry |
---|
| 308 | containing zero or more values for the names of roles assigned |
---|
| 309 | to this user. In addition you can use the |
---|
| 310 | <code>roleName</code> property to specify the name of an |
---|
| 311 | attribute to be retrieved from individual role entries found |
---|
| 312 | by searching the directory. If <code>userRoleName</code> is |
---|
| 313 | not specified all the roles for a user derive from the role |
---|
| 314 | search.</p> |
---|
| 315 | </td></tr><tr><td valign="center" align="left"><code>userSearch</code></td><td valign="center" align="left"> |
---|
| 316 | <p>The LDAP filter expression to use when searching for a |
---|
| 317 | user's directory entry, with <code>{0}</code> marking where |
---|
| 318 | the actual username should be inserted. Use this property |
---|
| 319 | (along with the <code>userBase</code> and |
---|
| 320 | <code>userSubtree</code> properties) instead of |
---|
| 321 | <code>userPattern</code> to search the directory for the |
---|
| 322 | user's entry.</p> |
---|
| 323 | </td></tr><tr><td valign="center" align="left"><code>userSubtree</code></td><td valign="center" align="left"> |
---|
| 324 | <p>Set to <code>true</code> if you want to search the entire |
---|
| 325 | subtree of the element specified by the <code>userBase</code> |
---|
| 326 | property for the user's entry. The default value of |
---|
| 327 | <code>false</code> causes only the top level to be searched. |
---|
| 328 | Not used if you are using the <code>userPattern</code> |
---|
| 329 | expression.</p> |
---|
| 330 | </td></tr></table> |
---|
| 331 | |
---|
| 332 | <p>See the <a href="../../realm-howto.html">Container-Managed Security Guide</a> for more |
---|
| 333 | information on setting up container managed security using the |
---|
| 334 | JNDI Directory Realm component.</p> |
---|
| 335 | |
---|
| 336 | |
---|
| 337 | <h3>Memory Based Realm (org.apache.catalina.realm.MemoryRealm)</h3> |
---|
| 338 | |
---|
| 339 | <p>The <strong>Memory Based Realm</strong> is a simple Realm implementation |
---|
| 340 | that reads user information from an XML format, and represents it as a |
---|
| 341 | collection of Java objects in memory. This implementation is intended |
---|
| 342 | solely to get up and running with container managed security - it is NOT |
---|
| 343 | intended for production use. As such, there are no mechanisms for |
---|
| 344 | updating the in-memory collection of users when the content of the |
---|
| 345 | underlying data file is changed.</p> |
---|
| 346 | |
---|
| 347 | <p>The Memory Based Realm implementation supports the following |
---|
| 348 | additional attributes:</p> |
---|
| 349 | |
---|
| 350 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><code>digest</code></td><td valign="center" align="left"> |
---|
| 351 | <p>The digest algorithm used to store passwords in non-plaintext |
---|
| 352 | formats. Valid values are those accepted for the algorithm name by the |
---|
| 353 | <code>java.security.MessageDigest</code> class. If not specified, |
---|
| 354 | passwords are stored in clear text.</p> |
---|
| 355 | </td></tr><tr><td valign="center" align="left"><code>pathname</code></td><td valign="center" align="left"> |
---|
| 356 | <p>Absolute or relative (to $CATALINA_BASE) pathname to the XML file |
---|
| 357 | containing our user information. See below for details on the |
---|
| 358 | XML element format required. If no pathname is specified, the |
---|
| 359 | default value is <code>conf/tomcat-users.xml</code>.</p> |
---|
| 360 | </td></tr></table> |
---|
| 361 | |
---|
| 362 | <p>The XML document referenced by the <code>pathname</code> attribute must |
---|
| 363 | conform to the following requirements:</p> |
---|
| 364 | <ul> |
---|
| 365 | <li>The root (outer) element must be <code><tomcat-users></code>. |
---|
| 366 | </li> |
---|
| 367 | <li>Each authorized user must be represented by a single XML element |
---|
| 368 | <code><user></code>, nested inside the root element.</li> |
---|
| 369 | <li>Each <code><user></code> element must have the following |
---|
| 370 | attributes: |
---|
| 371 | <ul> |
---|
| 372 | <li><strong>name</strong> - Username of this user (must be unique |
---|
| 373 | within this file).</li> |
---|
| 374 | <li><strong>password</strong> - Password of this user (in |
---|
| 375 | clear text).</li> |
---|
| 376 | <li><strong>roles</strong> - Comma-delimited list of the role names |
---|
| 377 | assigned to this user.</li> |
---|
| 378 | </ul></li> |
---|
| 379 | </ul> |
---|
| 380 | |
---|
| 381 | <p>See the <a href="../../realm-howto.html">Container-Managed Security Guide</a> for more |
---|
| 382 | information on setting up container managed security using the |
---|
| 383 | Memory Based Realm component.</p> |
---|
| 384 | |
---|
| 385 | <h3>JAAS Realm (org.apache.catalina.realm.JAASRealm)</h3> |
---|
| 386 | |
---|
| 387 | <p><strong>JAASRealm</strong> is an implementation of the Tomcat 6 |
---|
| 388 | <code>Realm</code> interface that authenticates users through the Java |
---|
| 389 | Authentication & Authorization Service (JAAS) framework which is now |
---|
| 390 | provided as part of the standard J2SE API.</p> |
---|
| 391 | |
---|
| 392 | <p>Using JAASRealm gives the developer the ability to combine practically |
---|
| 393 | any conceivable security realm with Tomcat's CMA.</p> |
---|
| 394 | |
---|
| 395 | <p>JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication |
---|
| 396 | framework for J2EE v1.4, based on the <a href="http://www.jcp.org/en/jsr/detail?id=196">JCP Specification Request |
---|
| 397 | 196</a> to enhance container-managed security and promote 'pluggable' |
---|
| 398 | authentication mechanisms whose implementations would be |
---|
| 399 | container-independent.</p> |
---|
| 400 | |
---|
| 401 | <p>Based on the JAAS login module and principal |
---|
| 402 | (see <code>javax.security.auth.spi.LoginModule</code> and |
---|
| 403 | <code>javax.security.Principal</code>), you can develop your own security |
---|
| 404 | mechanism or wrap another third-party mechanism for integration with the CMA |
---|
| 405 | as implemented by Tomcat.</p> |
---|
| 406 | |
---|
| 407 | <p>The JAAS Realm implementation supports the following additional |
---|
| 408 | attributes:</p> |
---|
| 409 | |
---|
| 410 | <table cellpadding="5" border="1"><tr><th bgcolor="#023264" width="15%"><font color="#ffffff">Attribute</font></th><th bgcolor="#023264" width="85%"><font color="#ffffff">Description</font></th></tr><tr><td valign="center" align="left"><strong><code>appName</code></strong></td><td valign="center" align="left"> |
---|
| 411 | <p>The name of the application as configured in your login configuration |
---|
| 412 | file |
---|
| 413 | (<a href="http://java.sun.com/j2se/1.4.1/docs/guide/security/jaas/tutorials/LoginConfigFile.html">JAAS LoginConfig</a>).</p> |
---|
| 414 | </td></tr><tr><td valign="center" align="left"><strong><code>userClassNames</code></strong></td><td valign="center" align="left"> |
---|
| 415 | <p>A comma-seperated list of the names of the classes that you have made |
---|
| 416 | for your user <code>Principals</code>.</p> |
---|
| 417 | </td></tr><tr><td valign="center" align="left"><code>roleClassNames</code></td><td valign="center" align="left"> |
---|
| 418 | <p>A comma-seperated list of the names of the classes that you have made |
---|
| 419 | for your role <code>Principals</code>.</p> |
---|
| 420 | </td></tr><tr><td valign="center" align="left"><code>useContextClassLoader</code></td><td valign="center" align="left"> |
---|
| 421 | <p>Instructs JAASRealm to use the context class loader for loading the |
---|
| 422 | user-specified <code>LoginModule</code> class and associated |
---|
| 423 | <code>Principal</code> classes. The default value is <code>true</code>, |
---|
| 424 | which is backwards-compatible with the way Tomcat 5 works. To load |
---|
| 425 | classes using the container's classloader, specify |
---|
| 426 | <code>false</code>.</p> |
---|
| 427 | </td></tr></table> |
---|
| 428 | |
---|
| 429 | <p>See the <a href="../../realm-howto.html">Container-Managed Security |
---|
| 430 | Guide</a> for more information on setting up container managed security |
---|
| 431 | using the JAAS Realm component.</p> |
---|
| 432 | |
---|
| 433 | </blockquote></td></tr></table> |
---|
| 434 | |
---|
| 435 | |
---|
| 436 | </blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Nested Components"><strong>Nested Components</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 437 | |
---|
| 438 | <p>No components may be nested inside a <strong>Realm</strong> element.</p> |
---|
| 439 | |
---|
| 440 | </blockquote></td></tr></table><table cellpadding="2" cellspacing="0" border="0"><tr><td bgcolor="#525D76"><font face="arial,helvetica.sanserif" color="#ffffff"><a name="Special Features"><strong>Special Features</strong></a></font></td></tr><tr><td><blockquote> |
---|
| 441 | |
---|
| 442 | <p>See <a href="host.html">Single Sign On</a> for information about |
---|
| 443 | configuring Single Sign On support for a virtual host.</p> |
---|
| 444 | |
---|
| 445 | </blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr size="1" noshade></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font size="-1" color="#525D76"><em> |
---|
| 446 | Copyright © 1999-2008, Apache Software Foundation |
---|
| 447 | </em></font></div></td></tr></table></body></html> |
---|