Chapter 10. Security Mapping Modules

rolesProperties

String

roles.properties

Properties formatted file name. Expansion of JBoss EAP variables can be used in form of ${jboss.variable}.

dsJndiName

String

JNDI name of data source used to map roles to the user.

rolesQuery

String

This option should be a prepared statement equivalent to select RoleName from Roles where User=?. ? is substituted with current principal name.

suspendResume

boolean

true

If true, will suspend and later resume transaction associated with current thread while performing search for roles.

transactionManagerJndiName

String

java:/TransactionManager

JNDI name of transaction manager.

bindDN

String

The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.

bindCredential

String

The password for the bindDN. This can be encrypted via the vault mechanism.

rolesCtxDN

String

The fixed DN of the context to search for user roles. This is not the DN where the actual roles are, but the DN where the objects containing the user roles are. For example, in a Microsoft Active Directory server, this is the DN where the user account is.

roleAttributeID

String

role

The LDAP attribute which contains the names of authorization roles.

roleAttributeIsDN

boolean

false

Whether or not the roleAttributeID contains the fully qualified DN of a role object. If false, the role name is taken from the value of the roleNameAttributeId attribute of the context name. Certain directory schemas, such as Microsoft Active Directory, require this attribute to be set to true.

roleNameAttributeID

String

name

Name of the attribute within the roleCtxDN context which contains the role name. If the roleAttributeIsDN property is set to true, this property is used to find the role object’s name attribute.

parseRoleNameFromDN

boolean

false

A flag indicating if the DN returned by a query contains the roleNameAttributeID. If set to true, the DN is checked for the roleNameATtributeID. If set to false, the DN is not checked for the roleNameAttributeID. This flag can improve the performance of LDAP queries.

roleFilter

String

A search filter used to locate the roles associated with the authenticated user. The input username or userDN obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. An example search filter that matches on the input username is (member={0}).

roleRecursion

number

0

The numbers of levels of recursion the role search will go below a matching context. Disable recursion by setting this to 0.

searchTimeLimit

number

10000

The timeout in milliseconds for the user/role searches.

searchScope

String

SUBTREE_SCOPE

The search scope to use.

bindDN

String

The DN used to bind against the LDAP server for the user and roles queries. This DN needs read and search permissions on the baseCtxDN and rolesCtxDN values.

bindCredential

String

The password for the bindDN. This can be encrypted if the jaasSecurityDomain is specified.

baseCtxDN

String

The fixed DN of the context to start the user search from.

baseFilter

String

A search filter used to locate the context of the user to authenticate. The input username or userDN as obtained from the login module callback is substituted into the filter anywhere a {0} expression is used. This substitution behavior comes from the standard DirContext.search(Name, String, Object[], SearchControls cons) method. A common example search filter is (uid={0}).

searchTimeLimit

number

10000

The timeout in milliseconds for the user/role searches.

attributeList

String

A comma-separated list of attributes for the user. For example, mail,cn,sn,employeeType,employeeNumber.

jaasSecurityDomain

String

The JaasSecurityDomain to use to decrypt the java.naming.security.credentials. The encrypted form of the password is that returned by the JaasSecurityDomain#decode64(String) method. The org.jboss.security.plugins.PBEUtils can also be used to generate the encrypted form.