In addition to the four built-in realms, you can also create custom realms that store user data in some other way, such as in a relational database. Development of a custom realm is outside the scope of this document. For more information, see Chapter 5, "Securing Applications," in Sun Java System Application Server Platform Edition 9 Developer's Guide.
As an administrator, the main thing you need to know is that a custom realm is implemented by a LoginModule: a class written against the Java Authentication and Authorization Service (JAAS) API, which the server locates by name through the domain's login configuration file.
Follow the procedure in To create a realm, entering the name of the custom realm and the name of the LoginModule class.
Use any unique name for the custom realm, for example myCustomRealm.
Add the properties for a custom realm shown in the following table.
| Property Name | Property Value |
|---|---|
| jaas-context | Name of the JAAS login configuration entry for this realm. The server passes this value to JAAS, so it must match the entry name you add to login.conf later in this procedure, for example myCustomRealm. |
| auth-type | Description of the realm, for example "A simple example custom realm". |
Click OK.
Edit the domain's login configuration file, domain-dir/config/login.conf, and add an entry at the end of the file. The entry name is the realm's jaas-context value and the body names the fully-qualified class of the JAAS LoginModule, as follows:
realmName { fully-qualified-LoginModule-classname required; };
For example:
myCustomRealm { com.foo.bar.security.customrealm.simpleCustomLoginModule required; };
Copy the LoginModule class and all dependent classes into the directory domain-dir/lib/classes.
Restart the Server if Restart Required displays in the console.
Make sure that the realm loaded properly. Check domain-dir/logs/server.log: the server calls the realm's init() method when it loads the realm, and any exception thrown from init() (for example, because a required property is missing) is logged there.
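The procedure above tells you where the LoginModule class name goes, but not what the server expects of that class. The following is an added example, not code from the Application Server documentation or its sources. It assumes the Sun Java System Application Server 9 / GlassFish v2 realm SPI as I know it: com.sun.appserv.security.AppservRealm for the realm class, and com.sun.appserv.security.AppservPasswordLoginModule for the LoginModule, with its protected fields _username, _password and _currentRealm and its commitUserAuthentication method. The class SimpleCustomRealm and the in-memory user table are assumptions and constructed fixtures; a real custom realm would query its database where the fixture is filled in. The LoginModule class keeps the name from the login.conf example above.

```java
// Added example; assumes the Sun AS 9 / GlassFish v2 realm SPI named in the lead-in.
// The user table is a constructed fixture standing in for a database query.

// ---- File: SimpleCustomRealm.java (class name entered when creating the realm) ----
package com.foo.bar.security.customrealm;

import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.*;
import java.util.logging.Logger;
import com.sun.appserv.security.AppservRealm;
import com.sun.enterprise.security.auth.realm.BadRealmException;
import com.sun.enterprise.security.auth.realm.InvalidOperationException;
import com.sun.enterprise.security.auth.realm.NoSuchRealmException;
import com.sun.enterprise.security.auth.realm.NoSuchUserException;

public class SimpleCustomRealm extends AppservRealm {
    private static final Logger LOG = Logger.getLogger(SimpleCustomRealm.class.getName());
    static final String JAAS_CONTEXT = "jaas-context";   // property names from the table above
    static final String AUTH_TYPE = "auth-type";

    private static final class Record { byte[] salt, hash; String[] groups; }
    private final Map<String, Record> users = new HashMap<String, Record>();
    private Record dummy;   // hashed like a real user so unknown names cost the same time

    public void init(Properties props) throws BadRealmException, NoSuchRealmException {
        String ctx = props.getProperty(JAAS_CONTEXT);
        if (ctx == null || ctx.trim().length() == 0) {
            throw new BadRealmException("jaas-context is required");  // fail closed; logged in server.log
        }
        setProperty(JAAS_CONTEXT, ctx);   // the server uses this value to select the login.conf entry
        setProperty(AUTH_TYPE, props.getProperty(AUTH_TYPE, "simple custom realm"));
        // Constructed fixture: a real realm loads salt, hash and groups from its database instead.
        users.put("alice", record("correct horse", "employee", "manager"));
        users.put("bob", record("battery staple", "employee"));
        dummy = record("");
        LOG.info("SimpleCustomRealm initialised, jaas-context=" + ctx);
    }

    public String getAuthType() { return getProperty(AUTH_TYPE); }

    public Enumeration getGroupNames(String username) throws InvalidOperationException, NoSuchUserException {
        Record r = users.get(username);
        if (r == null) throw new NoSuchUserException(username);
        return Collections.enumeration(Arrays.asList(r.groups));
    }

    /** Constant-time password check with the same cost for unknown and known users. */
    boolean authenticate(String username, String password) {
        if (username == null || password == null) return false;
        Record r = users.containsKey(username) ? users.get(username) : dummy;
        boolean match = MessageDigest.isEqual(r.hash, digest(r.salt, password));
        return match && r != dummy;
    }

    private static Record record(String password, String... groups) {
        Record r = new Record();
        r.salt = new byte[16];
        new SecureRandom().nextBytes(r.salt);
        r.hash = digest(r.salt, password);
        r.groups = groups;
        return r;
    }

    // Salted SHA-256 keeps the example short; a real password store should use a slow KDF such as PBKDF2.
    private static byte[] digest(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes("UTF-8"));
        } catch (Exception e) {   // NoSuchAlgorithmException or UnsupportedEncodingException
            throw new IllegalStateException(e);
        }
    }
}

// ---- File: simpleCustomLoginModule.java (the fully-qualified name that goes into login.conf) ----
package com.foo.bar.security.customrealm;

import java.util.*;
import javax.security.auth.login.LoginException;
import com.sun.appserv.security.AppservPasswordLoginModule;

public class simpleCustomLoginModule extends AppservPasswordLoginModule {
    protected void authenticateUser() throws LoginException {
        if (!(_currentRealm instanceof SimpleCustomRealm)) {
            throw new LoginException("realm is not a SimpleCustomRealm");
        }
        SimpleCustomRealm realm = (SimpleCustomRealm) _currentRealm;
        if (!realm.authenticate(_username, _password)) {
            // One message for unknown user and bad password; never include _password in it.
            throw new LoginException("login failed for " + _username);
        }
        List<String> groups = new ArrayList<String>();
        try {
            for (Enumeration e = realm.getGroupNames(_username); e.hasMoreElements();) {
                groups.add((String) e.nextElement());
            }
        } catch (Exception e) {   // InvalidOperationException or NoSuchUserException
            throw new LoginException("cannot resolve groups for " + _username);
        }
        commitUserAuthentication(groups.toArray(new String[groups.size()]));
    }
}
```

Both classes go under domain-dir/lib/classes in their package directory, com/foo/bar/security/customrealm. With the jaas-context property set to myCustomRealm and the login.conf entry from the procedure in place, a login against this realm runs simpleCustomLoginModule, which delegates the password check to the realm and hands the resulting group list to the server through commitUserAuthentication.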
The certificate realm supports SSL client-certificate authentication. It sets up the user identity in the Application Server's security context from the client certificate that was cryptographically verified during the SSL handshake. Verification is against the certificates in the server's truststore (the issuing CA's certificate, or the client certificate itself if it is self-signed); the server's own certificate and private key live in the keystore. Manage both files with keytool. For more information, see the Java EE 5 Tutorial section on security.
With the certificate realm, Java containers handle authorization processing based on each user's Distinguished Name (DN) from the user's certificate. The DN is the name of the entity whose public key the certificate identifies. This name uses the X.500 standard, so it is intended to be unique across the Internet. A DN is only as trustworthy as the CA that issued the certificate: any CA in the truststore can issue a certificate carrying any DN, so keep the truststore limited to the CAs whose users you intend to accept. For more information on key stores and trust stores, refer to the keytool documentation.
The following table lists the optional properties for the certificate realm.
Table 3 Optional properties for certificate realm
| Property | Description |
|---|---|
| assign-groups | A comma-separated list of group names. All clients who present valid certificates are assigned to these groups, for example employee,manager, where these are the names of user groups. Because every client with a certificate from a trusted CA receives these groups, grant through assign-groups only what every such client should have. |
| jaas-context | Type of login module to use for this realm. For the certificate realm, the value must be certificateRealm. |
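What the application sees once the certificate realm has authenticated a client is easiest to show in a servlet. The following is an added example, not code from the Application Server documentation: it assumes a web application whose web.xml login-config uses auth-method CLIENT-CERT with realm-name certificate, an assign-groups value of employee,manager on the realm, security-role-mapping entries in the application's deployment descriptor that map the roles employee and manager to the groups of the same name, and a hypothetical CA name in EXPECTED_ISSUER standing for the CA certificate imported into the truststore with keytool. The servlet class name is also an assumption.

```java
// Added example (not from the Application Server documentation); assumptions are listed in the lead-in.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class WhoAmIServlet extends HttpServlet {
    // Assumed: the CA whose certificate was imported into the truststore with keytool.
    private static final X500Principal EXPECTED_ISSUER =
            new X500Principal("CN=Example Client CA,O=Example Corp,C=US");

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Principal user = req.getUserPrincipal();
        if (user == null) {                       // the container did not authenticate the client
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The chain the SSL layer verified; chain[0] is the client's own certificate.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        X509Certificate leaf = chain[0];
        // Defence in depth: every CA in the truststore can issue any DN, so this
        // application accepts only certificates from the one CA it expects.
        if (!EXPECTED_ISSUER.equals(leaf.getIssuerX500Principal())) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The principal name is the subject DN. Compare DNs as X500Principal objects,
        // not as strings: RFC 2253 and RFC 1779 string forms of the same DN differ.
        boolean sameSubject;
        try {
            sameSubject = leaf.getSubjectX500Principal().equals(new X500Principal(user.getName()));
        } catch (IllegalArgumentException e) {   // principal name is not a parsable DN
            sameSubject = false;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("principal : " + user.getName());
        out.println("subject DN: " + leaf.getSubjectX500Principal().getName(X500Principal.RFC2253));
        out.println("same DN   : " + sameSubject);
        out.println("employee  : " + req.isUserInRole("employee"));   // true via assign-groups
        out.println("manager   : " + req.isUserInRole("manager"));
    }
}
```

The role checks succeed for every client the realm accepted, because assign-groups applies to all of them; per-user authorization has to come from the DN, either through principal-name entries in security-role-mapping or through checks like the issuer comparison above.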
The server maintains all user, group, and password information in a file named keyfile for the file realm and admin-keyfile for the admin-realm. For both, the file property specifies the location of the keyfile. The following table shows required properties for a file realm.
Table 4 Required properties for file realms
| Property name | Description | Default Value |
|---|---|---|
| file | Full path and name of the keyfile. | domain-dir/config/keyfile |
| jaas-context | Type of login module to use for this realm; fileRealm is the only valid value. | fileRealm |
The keyfile is initially empty, so users must be added before the file realm is used. For instructions, see Managing file Realm Users.
The admin-keyfile initially contains the admin user name, the admin password in an encrypted format, and the group to which this user belongs, which is asadmin by default. For more information on adding users to the admin-realm, read To grant access to administration tools.
Note - Users in the group asadmin in the admin-realm are authorized to use the Admin Console and asadmin tools. Add to this group only users who should have server administrative privileges.
Manage file realm users with the Admin Console. Users and groups in the file realm are listed in the keyfile, whose location is specified by the file property.
Note - It is also possible to use these steps to add users to any file realm, including the admin-realm. Simply substitute the name of the target realm in place of the file realm referenced in this section.
A user in the file realm can belong to a group, a category of users classified by common traits. For example, customers of an e-commerce application might belong to the CUSTOMER group, while the big spenders would belong to the PREFERRED group. Categorizing users into groups makes it easier to control the access of large numbers of users.
Initially after installation of the Application Server, the only user is the administrator entered during installation. By default, this user belongs to the group asadmin, in the realm admin-realm, which gives rights to modify the Application Server. Any users assigned to this group will have administrator privileges, that is, they will have access to the asadmin tool and the Admin Console.
To manage file realm users, perform these tasks: