14.4. JAAS Configuration
Each JAAS implementation will be configured differently. In the case of the PicketBox implementation, configuration is done via a jaas.conf.xml file on the classpath. There are quite a few modules to choose from, including LDAP, database, XACML, and even a simple file-based option. Here is an example of a jaas.conf.xml file that uses the users and roles defined in local files:
<?xml version='1.0'?>
<policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:jboss:security-config:5.0"
        xmlns="urn:jboss:security-config:5.0">
  <application-policy name="modeshape-jcr">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">security/users.properties</module-option>
        <module-option name="rolesProperties">security/roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
This file sets up a JAAS policy named modeshape-jcr that uses the User-Roles Login Module, and defines the users and passwords in the security/users.properties file and the roles in the security/roles.properties file.
The users file contains a line for each user, of the form username=password. The roles file also contains a line for each user, but this format is a little more complicated:
<username>=<role>[,<role>,...]
where:
<username> is the name of the user,
<role> is an expression describing a role for the user and which adheres to the format <role>=<roleName>[.<workspaceName>], where:
<roleName> is one of admin, readonly, readwrite, or (for WebDAV and RESTful access) connect
<workspaceName> is the name of the repository workspace to which the role is granted; if absent, the role will be granted for all workspaces in the repository
For example, the following line provides all roles to user 'jsmith' for all workspaces in the configured repository:
jsmith=admin,connect,readonly,readwrite
while
jsmith=connect,readonly,readwrite.ws1
provides connect and read access to all workspaces, but only write access to the ws1 workspace.
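The roles file format above is easy to get subtly wrong (a misspelled role name, or a workspace suffix left off a readwrite grant, silently widens access). The following added example, not part of the Red Hat documentation or of PicketBox, parses a constructed roles.properties, answers "does user X hold role Y on workspace Z" with the repository-wide-versus-workspace rule described above, and lists the write-capable grants an administrator would review; the usernames and workspaces in the sample are invented.

```python
from collections import defaultdict

# Constructed sample roles.properties content (hypothetical users, not from the page).
SAMPLE_ROLES = """\
# roles.properties: <username>=<role>[,<role>,...]   role = <roleName>[.<workspaceName>]
jsmith=admin,connect,readonly,readwrite
jdoe=connect,readonly,readwrite.ws1
guest=connect,readonly.public
"""

# Role names the documentation defines; anything else is treated as a configuration error.
VALID_ROLE_NAMES = {"admin", "readonly", "readwrite", "connect"}

def parse_roles(text):
    """Parse roles.properties into {user: [(roleName, workspace or None), ...]}.

    A role without a '.workspace' suffix applies to every workspace in the repository,
    so it is stored with workspace=None. Unknown role names raise ValueError so a typo
    is caught before the file is deployed.
    """
    grants = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, roles = line.partition("=")
        if not sep or not user.strip():
            raise ValueError(f"line {lineno}: expected <username>=<role>[,<role>,...]")
        for role in roles.split(","):
            role = role.strip()
            if not role:
                continue
            name, _, workspace = role.partition(".")
            if name not in VALID_ROLE_NAMES:
                raise ValueError(f"line {lineno}: unknown role name {name!r}")
            grants[user.strip()].append((name, workspace or None))
    return dict(grants)

def has_role(grants, user, role_name, workspace):
    """True if user holds role_name on workspace, via a repository-wide or workspace-specific grant."""
    return any(name == role_name and ws in (None, workspace)
               for name, ws in grants.get(user, []))

def audit_write_access(grants):
    """Sorted (user, workspace or '*') pairs holding admin or readwrite: the grants worth reviewing."""
    found = {(user, ws or "*") for user, roles in grants.items()
             for name, ws in roles if name in ("admin", "readwrite")}
    return sorted(found)
```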