Chapter 11. Reference

11.1. MicroProfile Config reference

11.1.1. Default MicroProfile Config attributes

The MicroProfile Config specification defines three ConfigSources by default.

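ConfigSources are sorted according to their ordinal number. When the same property is defined in more than one ConfigSource, the value from the ConfigSource with the higher ordinal is used. If a configuration must be overwritten for a later deployment, the lower ordinal ConfigSource is overwritten before a higher ordinal ConfigSource.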

Table 11.1. Default MicroProfile Config attributes

ConfigSource | Ordinal
System properties | 400
Environment variables | 300
Property files META-INF/microprofile-config.properties found on the classpath | 100

11.1.2. MicroProfile Config SmallRye ConfigSources

The microprofile-config-smallrye project defines more ConfigSources you can use in addition to the default MicroProfile Config ConfigSources.

Table 11.2. Additional MicroProfile Config attributes

ConfigSource | Ordinal
config-source in the Subsystem | 100
ConfigSource from the Directory | 100
ConfigSource from Class | 100

An explicit ordinal is not specified for these ConfigSources. They inherit the default ordinal value found in the MicroProfile Config specification.

11.2. MicroProfile Fault Tolerance reference

11.2.1. MicroProfile Fault Tolerance configuration properties

The SmallRye Fault Tolerance specification defines the following properties in addition to the properties defined in the MicroProfile Fault Tolerance specification.

Table 11.3. MicroProfile Fault Tolerance configuration properties

Property | Default value | Description
io.smallrye.faulttolerance.mainThreadPoolSize | 100 | Maximum number of threads in the thread pool.
io.smallrye.faulttolerance.mainThreadPoolQueueSize | -1 (unbounded) | Size of the queue that the thread pool should use.

11.3. MicroProfile JWT reference

11.3.1. MicroProfile Config JWT standard properties

The microprofile-jwt-smallrye subsystem supports the following MicroProfile Config standard properties.

Table 11.4. MicroProfile Config JWT standard properties

Property | Default | Description
mp.jwt.verify.publickey | NONE | String representation of the public key encoded using one of the supported formats. Do not set if you have set mp.jwt.verify.publickey.location.
mp.jwt.verify.publickey.location | NONE | The location of the public key, which may be a relative path or a URL. Do not set if you have set mp.jwt.verify.publickey.
mp.jwt.verify.issuer | NONE | The expected value of any iss claim of any JWT token being validated.

Example microprofile-config.properties configuration:

mp.jwt.verify.publickey.location=META-INF/public.pem
mp.jwt.verify.issuer=jwt-issuer
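
Because a ConfigSource with a higher ordinal takes precedence (section 11.1.1), a system property (400) or an environment variable (300) replaces any mp.jwt.verify.* value packaged in META-INF/microprofile-config.properties (100). The following check is an added example, not part of the original documentation or of JBoss EAP: it uses the standard MicroProfile Config API to report which ConfigSource supplies each JWT verification property without printing the values. The class name JwtConfigSourceAudit and the finding strings are assumptions, and the code needs a MicroProfile Config implementation on the classpath, as in a JBoss EAP XP deployment.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.config.spi.ConfigSource;

/** Added example: reports which ConfigSource supplies each mp.jwt.verify.* property. */
public class JwtConfigSourceAudit {

    // Ordinal of META-INF/microprofile-config.properties, from Table 11.1.
    static final int PACKAGED_ORDINAL = 100;

    // The standard properties from Table 11.4.
    static final List<String> WATCHED = Arrays.asList(
            "mp.jwt.verify.publickey",
            "mp.jwt.verify.publickey.location",
            "mp.jwt.verify.issuer");

    public static List<String> audit(Config config) {
        List<ConfigSource> sources = new ArrayList<>();
        config.getConfigSources().forEach(sources::add);
        // Highest ordinal first, the order in which a lookup is resolved. The sort is
        // stable, so sources with equal ordinals keep the order the implementation gave.
        sources.sort((a, b) -> Integer.compare(b.getOrdinal(), a.getOrdinal()));

        List<String> findings = new ArrayList<>();
        List<String> defined = new ArrayList<>();
        for (String key : WATCHED) {
            ConfigSource winner = null;
            for (ConfigSource source : sources) {
                if (source.getValue(key) == null) {
                    continue; // this source does not define the property
                }
                if (winner == null) {
                    winner = source;
                    defined.add(key);
                    String origin = source.getOrdinal() > PACKAGED_ORDINAL
                            ? "OVERRIDE (set outside the packaged properties file)"
                            : "PACKAGED-LEVEL";
                    findings.add(String.format("%s: %s, supplied by '%s' (ordinal %d)",
                            key, origin, source.getName(), source.getOrdinal()));
                } else {
                    // Defined here as well, but never used: a higher ordinal already won.
                    findings.add(String.format("%s: shadowed definition in '%s' (ordinal %d)",
                            key, source.getName(), source.getOrdinal()));
                }
            }
        }
        // Table 11.4: set either the key or its location, not both.
        if (defined.contains("mp.jwt.verify.publickey")
                && defined.contains("mp.jwt.verify.publickey.location")) {
            findings.add("CONFLICT: mp.jwt.verify.publickey and "
                    + "mp.jwt.verify.publickey.location are both set");
        }
        if (!defined.contains("mp.jwt.verify.issuer")) {
            findings.add("NOT SET: mp.jwt.verify.issuer, no expected iss value is configured");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Property values are never printed, only their names and origins.
        audit(ConfigProvider.getConfig()).forEach(System.out::println);
    }
}
```

An OVERRIDE line for mp.jwt.verify.issuer or the public key properties means the trust anchor for token validation is controlled by the process environment rather than by the deployment archive, so review who can set system properties and environment variables on that host.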

11.4. MicroProfile OpenAPI reference

11.4.1. MicroProfile OpenAPI configuration properties

In addition to the standard MicroProfile OpenAPI configuration properties, JBoss EAP supports the following additional MicroProfile OpenAPI properties. These properties can be applied in both the global and the application scope.

Table 11.5. MicroProfile OpenAPI properties in JBoss EAP

Property | Default value | Description

mp.openapi.extensions.enabled

true

Enables or disables registration of an OpenAPI endpoint.

When set to false, disables generation of OpenAPI documentation. You can set the value globally using the config subsystem, or for each application in a configuration file such as /META-INF/microprofile-config.properties.

You can parameterize this property to selectively enable or disable microprofile-openapi-smallrye in different environments, such as production or development.

You can use this property to control which application associated with a given virtual host should generate a MicroProfile OpenAPI model.

mp.openapi.extensions.path

/openapi

You can use this property for generating OpenAPI documentation for multiple applications associated with a virtual host.

Set a distinct mp.openapi.extensions.path on each application associated with the same virtual host.

mp.openapi.extensions.servers.relative

true

Indicates whether auto-generated server records are absolute or relative to the location of the OpenAPI endpoint.

Server records are necessary to ensure, in the presence of a non-root context path, that consumers of an OpenAPI document can construct valid URLs to REST services relative to the host of the OpenAPI endpoint.

The value true indicates that the server records are relative to the location of the OpenAPI endpoint. The generated record contains the context path of the deployment.

When set to false, JBoss EAP XP generates server records including all the protocols, hosts, and ports at which the deployment is accessible.

11.5. MicroProfile Reactive Messaging reference

11.5.1. MicroProfile reactive messaging connectors for integrating with external messaging systems

The following is a list of reactive messaging property key prefixes required by the MicroProfile Config specification:

  • mp.messaging.incoming.[channel-name].[attribute]=[value]
  • mp.messaging.outgoing.[channel-name].[attribute]=[value]
  • mp.messaging.connector.[connector-name].[attribute]=[value]

Note that channel-name is either the @Incoming.value() or the @Outgoing.value(). For clarification, look at this example of a pair of connector methods:

@Outgoing("to")
public int send() {
   int i = new java.util.Random().nextInt(); // Randomly generated
   return i;
}

@Incoming("from")
public void receive(int i) {
   // Process payload
}

In this example, the required property prefixes are as follows:

  • mp.messaging.incoming.from. This defines the receive() method.
  • mp.messaging.outgoing.to. This defines the send() method.

Remember that this is an example. Because different connectors recognize different properties, the prefixes you indicate depend on the connector you want to configure.

11.5.2. Example of the data exchange between reactive messaging streams and user-initialized code

The following is an example of data exchange between reactive messaging streams and code that a user triggered through the @Channel and Emitter constructs:

@Path("/")
@ApplicationScoped
class MyBean {
    @Inject @Channel("my-stream")
    Emitter<String> emitter; // (1)

    Publisher<String> dest;

    public MyBean() { // (2)
    }

    @Inject
    public MyBean(@Channel("my-stream") Publisher<String> dest) {
        this.dest = subscribeAndAllowMultipleSubscriptions(dest);
    }

    private Publisher<String> subscribeAndAllowMultipleSubscriptions(Publisher<String> delegate) {
        // (3) (4) (5) Body omitted in this example.
    }

    @POST
    public CompletionStage<Void> publish(@FormParam("value") String value) {
        // Emitter.send(T) returns a CompletionStage<Void> that completes when the message is acknowledged.
        return emitter.send(value);
    }

    @GET
    public Publisher<String> poll() {
        return dest;
    }

    @PreDestroy
    public void close() { // (6)
        // Body omitted in this example.
    }
}

In-line details:

(1) Wraps the constructor-injected publisher.
(2) You need this empty constructor to satisfy the Contexts and Dependency Injection (CDI) for Java specification.
(3) Subscribe to the delegate.
(4) Wrap the delegate in a publisher that can handle multiple subscriptions.
(5) The wrapping publisher forwards data from the delegate.
(6) Unsubscribe from the reactive messaging-provided publisher.

In this example, MicroProfile Reactive Messaging is listening to the my-stream memory stream, so messages sent through the Emitter are received on this injected publisher. Note, though, that the following conditions must be true for this data exchange to succeed:

  1. There must be an active subscription on the channel before you call Emitter.send(). In this example, notice that the subscribeAndAllowMultipleSubscriptions() method called by the constructor ensures that there’s an active subscription by the time the bean is available for user code calls.
  2. You can have only one Subscription on the injected Publisher. If you want to expose the receiving publisher with a REST call, where each call to the poll() method results in a new subscription to the dest publisher, you have to implement your own publisher to broadcast data from the injected publisher to each client.

11.5.3. The Apache Kafka user API

You can use the Apache Kafka user API to get more information about messages Kafka received, and to influence how Kafka handles messages. This API is stored in the io/smallrye/reactive/messaging/kafka/api package, and it consists of the following classes:

  • IncomingKafkaRecordMetadata. This metadata contains the following information:

    • The Kafka record key, represented by a Message.
    • The Kafka topic and partition used for the Message, and the offset within those.
    • The Message timestamp and timestampType.
    • The Message headers. These are pieces of information that the application can attach on the producing side, and receive on the consuming side.
  • OutgoingKafkaRecordMetadata. With this metadata, you can specify or override how Kafka handles messages. It contains the following information:

    • The key, which Kafka treats as the message key.
    • The topic you want Kafka to use.
    • The partition.
    • The timestamp, if you don’t want the one that Kafka generates.
    • headers.
  • KafkaMetadataUtil contains utility methods to write OutgoingKafkaRecordMetadata to a Message, and to read IncomingKafkaRecordMetadata from a Message.

Important

If you write OutgoingKafkaRecordMetadata to a Message sent to a channel that’s not mapped to Kafka, the reactive messaging framework ignores it. Conversely, if you read IncomingKafkaRecordMetadata from a Message from a channel that’s not mapped to Kafka, that message returns as null.

Example of how to write and read a message key:

@Inject
@Channel("from-user")
Emitter<Integer> emitter;

@Incoming("from-user")
@Outgoing("to-kafka")
public Message<Integer> send(Message<Integer> msg) {
    // Set the key in the metadata
    OutgoingKafkaRecordMetadata<String> md =
            OutgoingKafkaRecordMetadata.<String>builder()
                .withKey("KEY-" + msg.getPayload())
                .build();
    // Note that Message is immutable so the copy returned by this method
    // call is not the same as the parameter to the method
    return KafkaMetadataUtil.writeOutgoingKafkaMetadata(msg, md);
}

@Incoming("from-kafka")
public CompletionStage<Void> receive(Message<Integer> msg) {
    IncomingKafkaRecordMetadata<String, Integer> metadata =
        KafkaMetadataUtil.readIncomingKafkaMetadata(msg).get();

    // We can now read the Kafka record key
    String key = metadata.getKey();

    // When using the Message wrapper around the payload we need to explicitly ack
    // them
    return msg.ack();
}

Example of Kafka mapping in a microprofile-config.properties file:

kafka.bootstrap.servers=kafka:9092

mp.messaging.outgoing.to-kafka.connector=smallrye-kafka
mp.messaging.outgoing.to-kafka.topic=some-topic
mp.messaging.outgoing.to-kafka.value.serializer=org.apache.kafka.common.serialization.IntegerSerializer
mp.messaging.outgoing.to-kafka.key.serializer=org.apache.kafka.common.serialization.StringSerializer

mp.messaging.incoming.from-kafka.connector=smallrye-kafka
mp.messaging.incoming.from-kafka.topic=some-topic
mp.messaging.incoming.from-kafka.value.deserializer=org.apache.kafka.common.serialization.IntegerDeserializer
mp.messaging.incoming.from-kafka.key.deserializer=org.apache.kafka.common.serialization.StringDeserializer

Note

You must specify the key.serializer for the outgoing channel and the key.deserializer for the incoming channel.

11.5.4. Example MicroProfile Config properties file for the Kafka connector

This is an example of a simple microprofile-config.properties file for a Kafka connector. Its properties correspond to the properties in the example in "MicroProfile reactive messaging connectors for integrating with external messaging systems."

kafka.bootstrap.servers=kafka:9092

mp.messaging.outgoing.to.connector=smallrye-kafka
mp.messaging.outgoing.to.topic=my-topic
mp.messaging.outgoing.to.value.serializer=org.apache.kafka.common.serialization.IntegerSerializer

mp.messaging.incoming.from.connector=smallrye-kafka
mp.messaging.incoming.from.topic=my-topic
mp.messaging.incoming.from.value.deserializer=org.apache.kafka.common.serialization.IntegerDeserializer

Table 11.6. Discussion of entries

Entry | Description

to, from

These are "channels."

send, receive

These are "methods."

Note that the to channel is on the send() method and the from channel is on the receive() method.

kafka.bootstrap.servers=kafka:9092

This specifies the URL of the Kafka broker that the application must connect to. You can also specify a URL at the channel level, like this: mp.messaging.outgoing.to.bootstrap.servers=kafka:9092

mp.messaging.outgoing.to.connector=smallrye-kafka

This indicates that you want the to channel to receive messages from Kafka.

SmallRye reactive messaging is a framework for building applications. Note that the smallrye-kafka value is SmallRye reactive messaging-specific. If you’re provisioning your own server using Galleon, you can enable the Kafka integration by including the microprofile-reactive-messaging-kafka Galleon layer.

mp.messaging.outgoing.to.topic=my-topic

This indicates that you want to send data to a Kafka topic called my-topic.

A Kafka "topic" is a category or feed name that messages are stored on and published to. All Kafka messages are organized into topics. Producer applications write data to topics and consumer applications read data from topics.

mp.messaging.outgoing.to.value.serializer=org.apache.kafka.common.serialization.IntegerSerializer

This tells the connector to use IntegerSerializer to serialize the values that the send() method outputs when it writes to a topic. Kafka provides serializers for standard Java types. You can implement your own serializer by writing a class that implements org.apache.kafka.common.serialization.Serializer, and then include that class in your deployment.

mp.messaging.incoming.from.connector=smallrye-kafka

This indicates that you want to use the from channel to receive messages from Kafka. Again, the smallrye-kafka value is SmallRye reactive messaging-specific.

mp.messaging.incoming.from.topic=my-topic

This indicates that your connector should read data from the Kafka topic called my-topic.

mp.messaging.incoming.from.value.deserializer=org.apache.kafka.common.serialization.IntegerDeserializer

This tells the connector to use IntegerDeserializer to deserialize the values from the topic before calling the receive() method. You can implement your own deserializer by writing a class that implements org.apache.kafka.common.serialization.Deserializer, and then include that class in your deployment.

Note

This list of properties is not comprehensive. See the SmallRye Reactive Messaging Apache Kafka documentation for more information.

Mandatory MicroProfile Reactive Messaging prefixes

The MicroProfile Reactive Messaging specification requires the following method property key prefixes for Kafka:

  • mp.messaging.incoming.[channel-name].[attribute]=[value]
  • mp.messaging.outgoing.[channel-name].[attribute]=[value]
  • mp.messaging.connector.[connector-name].[attribute]=[value]

Note that channel-name is either the @Incoming.value() or the @Outgoing.value().

Now consider the following method pair example:

@Outgoing("to")
public int send() {
    int i = new java.util.Random().nextInt(); // Randomly generated
    return i;
}

@Incoming("from")
public void receive(int i) {
    // Process payload
}

In this method pair example, note the following required property prefixes:

  • mp.messaging.incoming.from. This prefix selects the property as your configuration of the receive() method.
  • mp.messaging.outgoing.to. This prefix selects the property as your configuration of the send() method.

11.6. OpenId Connect reference

11.6.1. elytron-oidc-client subsystem attributes

The elytron-oidc-client subsystem provides attributes to configure its behavior.

Table 11.7. elytron-oidc-client subsystem attributes

Attribute | Description

provider

Configuration for an OpenID Connect provider.

secure-deployment

A deployment secured by an OpenID Connect provider.

realm

Configuration for a Red Hat Single Sign-On realm. This is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the provider is recommended instead.

Important

Do not use the following provider, realm, and secure-deployment attributes in your configuration as they are not supported at present:

  • autodetect-bearer-only
  • bearer-only

Do not use the following secure-deployment attribute in your configuration as it is not supported at present:

  • enable-basic-auth

Use the three elytron-oidc-client attributes for the following purposes:

  • provider: For configuring the OpenID Connect provider. For more information, see provider attributes.
  • secure-deployment: For configuring the deployment secured by an OpenID Connect provider. For more information, see secure-deployment attributes.
  • realm: For configuring Red Hat Single Sign-On. For more information, see realm attributes. The use of realm is not recommended. It is provided for convenience. You can copy the configuration in the keycloak client adapter and use it here. Using the provider attribute is recommended instead.

Table 11.8. provider attributes

Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. If you use this attribute, you must also define the realm attribute.

You can alternatively use the provider-url attribute to provide both base URL and the realm in a single attribute.

client-id

 

The client-id of JBoss EAP registered with the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by the OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If CORS is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a Javascript HTTP invocation, via the URL root/k_query_bearer_token. This is optional. This is specific to Red Hat Single Sign-On.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - All communication happens over HTTPS.
  • external - Only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies if the token contains this client name (resource) as an audience.

Table 11.9. secure-deployment attributes

Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the provider-url attribute.

client-id

 

The client-id of JBoss EAP registered with the OpenID provider.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by OpenID provider.

connection-pool-size

 

Specify the connection pool size to be used when communicating with the OpenID provider.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if `enable-

credential

 

Specify the credential to use to communicate with the OpenID provider.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a Javascript HTTP invocation, via the URL root/k_query_bearer_token. This is optional. This is specific to Red Hat Single Sign-On.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

min-time-between-jwks-requests

 

If the adapter recognizes a token signed by an unknown public key, JBoss EAP tries to download a new public key from the elytron-oidc-client server. However, JBoss EAP doesn’t try to download a new public key if it has already tried within the time, in seconds, that you set for this attribute. The value can be between -1L and 2147483647L.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider

 

Specify the OpenID provider.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

public-client

false

If set to true, no client credentials are sent when communicating with the OpenID provider. This is optional.

realm

 

The realm with which to connect in Red Hat Single Sign-On.

realm-public-key

 

Specify the public key of the realm.

redirect-rewrite-rule

 

Specify the rewrite rule to apply to the redirect URI.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

resource

 

Specify the name of the application you are securing with OIDC. Alternatively, you can specify the client-id.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - All communication happens over HTTPS.
  • external - Only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-minimum-time-to-live

 

The adapter refreshes the token if the current token is expired or is to expire within the amount of time you set in seconds.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for adapter client HTTPS requests.

truststore-password

 

Specify the truststore password.

turn-off-change-session-id-on-login

false

The session id is changed by default on a successful login. Set the value to true to turn this off.

use-resource-role-mappings

false

Use resource-level permissions obtained from token.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies if token contains this client name (resource) as an audience.
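
Several secure-deployment attributes in Table 11.9 switch off a protection when they are moved away from their default, for example allow-any-hostname, disable-trust-manager, ssl-required and turn-off-change-session-id-on-login. The following lint is an added example, not part of the original documentation or of JBoss EAP: it takes one deployment's attributes as a name-to-value map and lists the settings that weaken the OIDC client. The class name SecureDeploymentLint, the map input and the sample values are assumptions constructed for illustration.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Added example: flags secure-deployment attribute values that weaken the OIDC client. */
public class SecureDeploymentLint {

    // Attributes the documentation lists as not supported at present.
    static final List<String> UNSUPPORTED =
            Arrays.asList("autodetect-bearer-only", "bearer-only", "enable-basic-auth");

    static boolean isTrue(Map<String, String> cfg, String name) {
        // An unset attribute is treated as false, the listed default where Table 11.9 gives one.
        return "true".equalsIgnoreCase(cfg.get(name));
    }

    static boolean isSet(Map<String, String> cfg, String name) {
        String value = cfg.get(name);
        return value != null && !value.trim().isEmpty();
    }

    public static List<String> lint(Map<String, String> cfg) {
        List<String> findings = new ArrayList<>();
        for (String name : UNSUPPORTED) {
            if (cfg.containsKey(name)) {
                findings.add(name + ": not supported at present, remove it");
            }
        }
        if (isTrue(cfg, "allow-any-hostname")) {
            findings.add("allow-any-hostname=true: hostname verification is skipped");
        }
        if (isTrue(cfg, "disable-trust-manager")) {
            findings.add("disable-trust-manager=true: no trust manager checks the provider certificate");
        }
        // ssl-required defaults to external when it is not set.
        if ("none".equalsIgnoreCase(cfg.getOrDefault("ssl-required", "external"))) {
            findings.add("ssl-required=none: HTTPS is not used");
        }
        for (String name : Arrays.asList("provider-url", "auth-server-url")) {
            if (isSet(cfg, name) && cfg.get(name).trim().regionMatches(true, 0, "http://", 0, 7)) {
                findings.add(name + ": plain http URL, traffic to the provider is unencrypted");
            }
        }
        if (isTrue(cfg, "expose-token")) {
            findings.add("expose-token=true: browser JavaScript can obtain the signed access token");
        }
        if (isTrue(cfg, "turn-off-change-session-id-on-login")) {
            findings.add("turn-off-change-session-id-on-login=true: session id is not changed on login");
        }
        if (isSet(cfg, "client-keystore") && !isSet(cfg, "client-keystore-password")) {
            findings.add("client-keystore set without client-keystore-password");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample: test-environment settings carried into a deployment.
        Map<String, String> weak = new LinkedHashMap<>();
        weak.put("provider-url", "http://sso.example.test/realms/demo");
        weak.put("client-id", "demo-app");
        weak.put("ssl-required", "none");
        weak.put("allow-any-hostname", "true");
        weak.put("disable-trust-manager", "true");
        weak.put("bearer-only", "true");
        lint(weak).forEach(System.out::println);

        // Constructed sample: the same deployment with the weak settings corrected.
        Map<String, String> corrected = new LinkedHashMap<>();
        corrected.put("provider-url", "https://sso.example.test/realms/demo");
        corrected.put("client-id", "demo-app");
        corrected.put("ssl-required", "all");
        System.out.println("findings after correction: " + lint(corrected).size());
    }
}
```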

Table 11.10. realm attributes

Attribute | Default value | Description

allow-any-hostname

false

If you set the value to true, hostname verification is skipped when communicating with the OpenID provider. This is useful when testing. Do not set this to true in a production environment.

always-refresh-token

 

If set to true, JBoss EAP refreshes tokens on every web request.

auth-server-url

 

The base URL of the Red Hat Single Sign-On realm authorization server. You can alternatively use the provider-url attribute.

client-key-password

 

If you specify client-keystore, specify its password in this attribute.

client-keystore

 

If your application communicates with the OpenID provider over HTTPS, set the path to the client keystore in this attribute.

client-keystore-password

 

If you specify the client keystore, provide the password for accessing it in this attribute.

confidential-port

8443

Specify the confidential port (SSL/TLS) used by Red Hat Single Sign-On.

connection-pool-size

 

Specify the connection pool size to be used when communicating with Red Hat Single Sign-On.

connection-timeout-millis

 

Specify the timeout for establishing a connection with the remote host in milliseconds. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

connection-ttl-millis

 

Specify the amount of time in milliseconds for the connection to be kept alive. The minimum is -1L, and the maximum 2147483647L. -1L indicates that the value is undefined, which is the default.

cors-allowed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-allowed-methods

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Allow-Methods header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-exposed-headers

 

If Cross-Origin Resource Sharing (CORS) is enabled, this sets the value of the Access-Control-Expose-Headers header. This should be a comma-separated string. This is optional. If not set, this header is not returned in CORS responses.

cors-max-age

 

Set the value for Cross-Origin Resource Sharing (CORS) Max-Age header. The value can be between -1L and 2147483647L. This attribute only takes effect if enable-cors is set to true.

disable-trust-manager

 

Specify whether or not to make use of a trust manager when communicating with the OpenID provider over HTTPS.

enable-cors

false

Enable Red Hat Single Sign-On Cross-Origin Resource Sharing (CORS) support.

expose-token

false

If set to true, an authenticated browser client can obtain the signed access token, through a Javascript HTTP invocation, via the URL root/k_query_bearer_token. This is optional.

ignore-oauth-query-parameter

false

Disable query parameter parsing for access_token.

principal-attribute

 

Specify which claim value from the ID token to use as the principal for the identity.

provider-url

 

Specify the OpenID provider URL.

proxy-url

 

Specify the URL for the HTTP proxy if you use one.

realm-public-key

 

Specify the public key of the realm.

register-node-at-startup

false

If set to true, a registration request is sent to Red Hat Single Sign-On. This attribute is useful only when your application is clustered.

register-node-period

 

Specify how often to re-register the node.

socket-timeout-millis

 

Specify the timeout for socket waiting for data in milliseconds.

ssl-required

external

Specify whether communication with the OpenID provider should be over HTTPS. The value can be one of the following:

  • all - All communication happens over HTTPS.
  • external - Only the communication with external clients happens over HTTPS.
  • none - HTTPS is not used.

token-signature-algorithm

RS256

Specify the token signature algorithm used by the OpenID provider. The supported algorithms are:

  • RS256
  • RS384
  • RS512
  • ES256
  • ES384
  • ES512

token-store

 

Specify cookie or session storage for auth-session data.

truststore

 

Specify the truststore used for client HTTPS requests.

truststore-password

 

Specify the truststore password.

verify-token-audience

false

If set to true, then during bearer-only authentication, the adapter verifies if token contains this client name (resource) as an audience.

11.7. OpenTelemetry reference

11.7.1. OpenTelemetry subsystem attributes

You can modify opentelemetry subsystem attributes to configure its behavior. The attributes are grouped by the aspect they configure: exporter, sampler, and span processor.

Table 11.11. Exporter attribute group

Attribute | Description | Default value

endpoint

The URL to which OpenTelemetry pushes traces. Set this to the URL where your exporter listens.

http://localhost:14250/

exporter-type

The exporter to which traces are sent. It can be one of the following:

  • jaeger. The exporter you use is Jaeger.
  • otlp. The exporter you use works with the OpenTelemetry protocol.

jaeger

Table 11.12. Sampler attribute group

Attribute | Description | Default value

ratio

The ratio of traces to export. The value must be between 0.0 and 1.0. For example, to export one trace in every 100 traces created by an application, set the value to 0.01. This attribute takes effect only if you set the attribute sampler-type as ratio.

 

Table 11.13. Span processor attribute group

Attribute | Description | Default value

batch-delay

The interval in milliseconds between two consecutive exports by JBoss EAP. This attribute only takes effect if you set the attribute span-processor-type as batch.

5000

export-timeout

The maximum amount of time in milliseconds to allow for an export to complete before being cancelled.

30000

max-export-batch-size

The maximum number of traces that are published in each batch. This number should be less than or equal to the value of max-queue-size. You can set this attribute only if you set the attribute span-processor-type as batch.

512

max-queue-size

The maximum number of traces to queue before exporting. If an application creates more traces, they are not recorded. This attribute only takes effect if you set the attribute span-processor-type as batch.

2048

span-processor-type

The type of span processor to use. The value can be one of the following:

  • batch: JBoss EAP exports traces in batches that are defined using the following attributes:

    • batch-delay
    • max-export-batch-size
    • max-queue-size
  • simple: JBoss EAP exports traces as soon as they finish.

batch
