9.2. About the Structure of the Security Subsystem

The security subsystem is configured in the managed domain or standalone configuration file. Most of the configuration elements can be configured using the web-based management console or the console-based management CLI. The following is the XML representing an example security subsystem.

Example 9.1. Example Security Subsystsem Configuration

<subsystem xmlns="urn:jboss:domain:security:1.1">
	<security-management>
		...
	</security-management>
	<subject-factory>
		...
	</subject-factory>
    <security-domains>
        <security-domain name="other" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="RealmUsersRoles" flag="required">
                    <module-option name="usersProperties" value="${jboss.domain.config.dir}/application-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.domain.config.dir}/application-roles.properties"/>
                    <module-option name="realm" value="ApplicationRealm"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="jboss-web-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
        <security-domain name="jboss-ejb-policy" cache-type="default">
            <authorization>
                <policy-module code="Delegating" flag="required"/>
            </authorization>
        </security-domain>
    </security-domains>
	<security-properties>
		...
	</security-properties>
</subsystem>		

The <security-management>, <subject-factory>, and <security-properties> elements are empty in the default configuration.
Each top-level element within the security subsystem contains information about a different aspect of the security configuration.
<security-management>
This section overrides high-level behaviors of the security subsystem. Each setting is optional. It is unusual to change any of these settings except for deep copy subject mode.
Option Description
deep-copy-subject-mode
Specifies whether to copy or link to security tokens, for additional thread safety.
authentication-manager-class-name
Specifies an alternate AuthenticationManager implementation class name to use.
default-callback-handler-class-name
Specifies a global class name for the CallbackHandler implementation to be used with login modules.
authorization-manager-class-name
Specifies an alternate AuthorizationManager implementation class name to use.
audit-manager-class-name
Specifies an alternate AuditManager implementation class name to use.
identity-trust-manager-class-name
Specifies an alternate IdentityTrustManager implementation class name to use.
mapping-manager-class-name
Specifies the MappingManager implementation class name to use.
<subject-factory>
The subject factory controls creation of subject instances. It may use the authentication manager to verify the caller. The main use of the subject factory is for JCA components to establish a subject.It is unusual to need to modify the subject factory.
<security-domains>
A container element which holds multiple security domains. A security domain may contain information about authentication, authorization, mapping, and auditing modules, as well as JASPI authentication and JSSE configuration. Your application would specify a security domain to manage its security information.
<security-properties>
Contains names and values of properties which are set on the java.security.Security class.