interfaces
interface*
Name | Type | Default | Description |
---|---|---|---|
name | string |
inet-address?
Name | Type | Default | Description |
---|---|---|---|
value | string |
global?
link-local?
loopback?
non-loopback?
site-local?
match-interface?
Name | Type | Default | Description |
---|---|---|---|
value | FIXME |
match-address?
Name | Type | Default | Description |
---|---|---|---|
value | FIXME |
socket-bindings
Name | Type | Default | Description |
---|---|---|---|
default-interface | string | ||
port-offset | string |
socket-binding*
security
security-realms
security-realm+
Name | Type | Default | Description |
---|---|---|---|
name | string |
server-identities?
ssl?
keystore
Name | Type | Default | Description |
---|---|---|---|
path | string | ||
relative-to | string | ||
keystore-password | string | ||
alias | string | ||
key-password | string | ||
generate-self-signed-certificate-host | string |
engine?
Name | Type | Default | Description |
---|---|---|---|
enabled-protocols | |||
enabled-ciphersuites | string |
kerberos*
Name | Type | Default | Description |
---|---|---|---|
principal | string | | Specifies the principal that the KeyTab represents. |
keytab-path | string | | Sets the path to the KeyTab for retrieving credentials. |
relative-to | string | | Specifies the name of a named path or a standard path that the system provides. If set, the value of the "path" attribute becomes relative to this path. |
minimum-remaining-lifetime | int | 0 | Specifies, in seconds, how long a cached credential can remain before it is recreated. |
request-lifetime | int | | Specifies, in seconds, how much lifetime to request for newly created credentials. |
fail-cache | int | | Specifies the amount of time, in seconds, to wait before attempting to obtain server credential if the previous attempt failed. Prevents long waiting periods on every authentication attempt if the KDC is unavailable. |
server | boolean | true | Specifies if the realm is server-side (default) or client-side. |
obtain-kerberos-ticket | boolean | false | Controls if a KerberosTicket is also obtained and associated with the credential. The value must be true if credentials are delegated to the server. |
debug | boolean | false | Defines if the JAAS step to obtain the credential has debug logging enabled. |
wrap-gss-credential | boolean | false | Specifies if generated GSS credentials are wrapped to prevent improper disposal. |
required | boolean | false | Specifies if the keytab file with adequate principal must exist when the service starts. |
mechanism-names | | KRB5 SPNEGO | Defines the mechanism names with which the credential can be used. Names are converted to OIDs and used together with OIDs from the mechanism-oids attribute. |
mechanism-oids | | | Defines the mechanism OIDs with which the credential can be used. Used with OIDs derived from names from the mechanism-names attribute. |
filesystem-realm?
Name | Type | Default | Description |
---|---|---|---|
name | string | filesystem | |
path | string | ||
relative-to | string | infinispan.server.data.path | |
levels | int | 0 | |
encoded | boolean | true |
ldap-realm?
Name | Type | Default | Description |
---|---|---|---|
name | string | | Names the security realm to logically separate multiple realms of the same type. |
url | string | | Specifies the URL for LDAP server connections in the format ldap[s]://{hostname}:{port}. |
principal | string | | Specifies the user principal for LDAP server connections. |
credential | string | | Specifies the user credential for LDAP server connections. |
direct-verification | boolean | | Configures the realm to verify credentials by connecting to LDAP servers with the account. Values are true / false (default). |
page-size | int | 50 | Sets the page size for realm iteration. The default value is 50. |
search-dn | string | | Names the context for query execution. This option provides a useful method to authenticate users based on names that do not use X.500 format, such as "plainUser". In this case, you must also specify the rdn-identifier. If names to authenticate users are based on the X.500 format, you can suppress this configuration. You should also note that this option lets realms authenticate users based on simple, or X.500, names. |
rdn-identifier | string | | Specifies an LDAP attribute that contains the user name and appears in the path of new entries. |
enable-connection-pooling | boolean | false | Enables connection pooling. |
referral-mode | | follow | Specifies if LDAP server referrals are followed and corresponds to the REFERRAL ("java.naming.referral") environment property. Values are "ignore", "follow" (default), and "throw". |
connection-timeout | integer | 5000 | Sets the timeout, in milliseconds, for LDAP server connections. The default value is 5 seconds. |
read-timeout | integer | 60000 | Sets the read timeout, in milliseconds, for LDAP server operations. The default value is 1 minute. |
name-rewriter?
regex-principal-transformer
Name | Type | Default | Description |
---|---|---|---|
pattern | string | | Specifies the regular expression for this PrincipalTransformer. |
replacement | string | | Specifies the replacement string for the PrincipalTransformer. |
replace-all | boolean | false | Replaces all occurrences instead of the first occurrence. |
Name | Type | Default | Description |
---|---|---|---|
name | string | | Specifies the unique name for the PrincipalTransformer. PrincipalTransformer names must be unique across the entire context. |
identity-mapping*
Name | Type | Default | Description |
---|---|---|---|
rdn-identifier | string | | Specifies the RDN for the principal DN to retrieve the principal name from an LDAP entry. |
search-dn | string | | Sets the base DN for query execution. |
attribute-mapping?
attribute
Name | Type | Default | Description |
---|---|---|---|
filter | string | | The filter to use to obtain the values for a specific attribute. String "{0}" will be replaced by username, "{1}" by user identity DN. |
Name | Type | Default | Description |
---|---|---|---|
filter-dn | string | | The name of the context where the filter should be performed. |
from | string | | The name of the LDAP attribute to map to an identity attribute. If not defined, the DN of the whole entry is used as the value. |
to | string | | The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as defined in 'from'. If 'from' is not defined either, the value 'dn' is used. |
search-recursive | boolean | true | Indicates if attribute LDAP search queries are recursive. |
role-recursion | int | 0 | Sets recursive role assignment. The value determines the maximum depth of recursion (0 for no recursion). |
role-recursion-name | string | cn | Determines the LDAP attribute of the role entry that is substituted for "{0}" in filter-name when searching for the roles of a role. Used only when role-recursion is set. |
extract-rdn | string | | The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format. |
attribute-reference
Name | Type | Default | Description |
---|---|---|---|
reference | string | | The name of an LDAP attribute containing the DN of the entry to obtain the value from. |
Name | Type | Default | Description |
---|---|---|---|
filter-dn | string | | The name of the context where the filter should be performed. |
from | string | | The name of the LDAP attribute to map to an identity attribute. If not defined, the DN of the whole entry is used as the value. |
to | string | | The name of the identity attribute mapped from a specific LDAP attribute. If not provided, the name of the attribute is the same as defined in 'from'. If 'from' is not defined either, the value 'dn' is used. |
search-recursive | boolean | true | Indicates if attribute LDAP search queries are recursive. |
role-recursion | int | 0 | Sets recursive role assignment. The value determines the maximum depth of recursion (0 for no recursion). |
role-recursion-name | string | cn | Determines the LDAP attribute of the role entry that is substituted for "{0}" in filter-name when searching for the roles of a role. Used only when role-recursion is set. |
extract-rdn | string | | The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format. |
user-password-mapper?
Name | Type | Default | Description |
---|---|---|---|
from | string | | The name of the LDAP attribute to map to an identity user password credential. |
verifiable | boolean | | If the password credential is verifiable. |
writable | boolean | | If the password credential is writable. |
local-realm?
Name | Type | Default | Description |
---|---|---|---|
name | string | local |
properties-realm?
Name | Type | Default | Description |
---|---|---|---|
groups-attribute | string |
user-properties
Name | Type | Default | Description |
---|---|---|---|
path | string | ||
relative-to | string | ||
digest-realm-name | string | ||
plain-text | boolean | false |
group-properties
Name | Type | Default | Description |
---|---|---|---|
path | string | ||
relative-to | string |
token-realm?
Name | Type | Default | Description |
---|---|---|---|
name | string | ||
auth-server-url | string | ||
client-id | string | ||
principal-claim | string | username |
jwt
Name | Type | Default | Description |
---|---|---|---|
issuer | |||
audience | |||
public-key | string | ||
jku-timeout | long | ||
client-ssl-context | string |
oauth2-introspection
Name | Type | Default | Description |
---|---|---|---|
client-id | string | ||
client-secret | string | ||
introspection-url | string | ||
client-ssl-context | string | ||
host-name-verification-policy | string |
truststore-realm?
Name | Type | Default | Description |
---|---|---|---|
path | string | ||
provider | string | ||
keystore-password | string | ||
relative-to | string | infinispan.server.data.path |
data-sources?
data-source*
Name | Type | Default | Description |
---|---|---|---|
name | token | | Name for the datasource (used for management) |
jndi-name | token | | JNDI name for the datasource |
statistics | boolean | false | Enable statistics for this datasource |
connection-factory
Configuration for the connection factory
Name | Type | Default | Description |
---|---|---|---|
driver | token | | Unique reference to the JDBC driver |
url | token | | JDBC driver connection URL (e.g. "jdbc:h2:tcp://localhost:1234") |
transaction-isolation | | READ_COMMITTED | Set the java.sql.Connection transaction isolation level to use. Defaults to READ_COMMITTED |
new-connection-sql | token | | SQL statement to be executed on a connection after creation |
username | token | | Username to use for basic authentication with the database |
password | token | | Password to use for basic authentication with the database |
connection-property?
Properties for the JDBC driver
connection-pool
Configuration for the connection pool
Name | Type | Default | Description |
---|---|---|---|
max-size | nonNegativeInteger | | Maximum number of connections in the pool |
min-size | nonNegativeInteger | | Minimum number of connections the pool should hold |
initial-size | nonNegativeInteger | | Initial number of connections the pool should hold |
blocking-timeout | nonNegativeInteger | 0 | Maximum time in milliseconds to block while waiting for a connection before throwing an exception. This will never throw an exception if creating a new connection takes an inordinately long period of time. Default is 0, meaning that a call will wait indefinitely. |
background-validation | nonNegativeInteger | | Time in milliseconds between background validation runs |
leak-detection | nonNegativeInteger | | Time in milliseconds a connection has to be held before a leak warning |
idle-removal | nonNegativeInteger | | Time in minutes a connection has to be idle before it can be removed |
endpoints+
Name | Type | Default | Description |
---|---|---|---|
socket-binding | string | | Specifies the socket the endpoint connector binds to. |
security-realm | string | | Names the security realm to use for authentication, cache authorization, and encryption. |
metrics | boolean | true | Enable/disable metrics authentication on this endpoint. Defaults to true. |
hotrod-connector*
Name | Type | Default | Description |
---|---|---|---|
external-host | string | | Sets an external address for this node to accept client connections. Defaults to the server socket binding address. |
external-port | int | | Sets an external port for this node. Defaults to the server socket binding port. |
topology-state-transfer?
Name | Type | Default | Description |
---|---|---|---|
lock-timeout | int | | Configures lock acquisition timeouts, in seconds, for topology caches. Defaults to 10. |
replication-timeout | int | | Configures replication timeouts, in seconds, for topology caches. Defaults to 10. |
lazy-retrieval | boolean | false | Enables lazy retrieval of cluster topology from nodes via a ClusterCacheLoader. Values are true / false (default). |
await-initial-retrieval | boolean | true | Configures whether initial state retrieval should happen immediately at startup. Applies only when lazy-retrieval is false. Values are true (default) / false. |
authentication?
Name | Type | Default | Description |
---|---|---|---|
security-realm | string | | Names the security realm to use for authentication and authorization. |
sasl?
Name | Type | Default | Description |
---|---|---|---|
server-principal | string | | The principal to use as the server identity. The principal must be present in the security realm. This is required for Kerberos-based SASL mechs (e.g. GSSAPI, GS2_KRB5). |
server-name | string | | Names the server that is exposed to clients. |
mechanisms | |||
qop | |||
strength |
policy?
forward-secrecy?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
no-active?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
no-anonymous?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
no-dictionary?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
no-plain-text?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
pass-credentials?
Name | Type | Default | Description |
---|---|---|---|
value | boolean |
property*
encryption?
Name | Type | Default | Description |
---|---|---|---|
require-ssl-client-auth | boolean | false | Requires clients to use certificates for authentication. |
security-realm | string | | Names the security realm that contains the SSL keystore. |
sni*
Name | Type | Default | Description |
---|---|---|---|
host-name | string | | TLS SNI host name |
security-realm | string | | A corresponding security realm. If none is specified, the default will be used. |
Name | Type | Default | Description |
---|---|---|---|
name | string | | Logically names this connector. Use this attribute to separate multiple connector declarations for the same endpoint. |
Name | Type | Default | Description |
---|---|---|---|
socket-binding | string | | Specifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections. |
cache-container | string | | Names the cache container this connector exposes. |
io-threads | int | | Sets the number of I/O threads. Defaults to 2 * cpu cores. |
worker-threads | int | | Sets the number of worker threads. Defaults to 160. |
idle-timeout | int | | Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). |
tcp-nodelay | boolean | | Enables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled. |
tcp-keepalive | boolean | | Enables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default). |
send-buffer-size | int | | Sets the size of the send buffer. |
receive-buffer-size | int | | Sets the size of the receive buffer. |
require-ssl-client-auth | boolean | | Requires clients to use certificates for authentication. |
rest-connector+
Name | Type | Default | Description |
---|---|---|---|
context-path | string | | Sets the context path for REST connectors and defaults to the root context. The command line interface (CLI) and other internal components use the root context. For this reason, you should not change the default value or set a custom context path. |
extended-headers | | ON_DEMAND | Enables extended headers. Values are NEVER / ON_DEMAND (default). |
max-content-length | int | | Sets the maximum allowed content length. |
compression-level | int | | Sets the level for compressed requests and responses. |
authentication?
Name | Type | Default | Description |
---|---|---|---|
security-realm | string | | The security realm to use for authentication/authorization purposes. Defaults to none (no authentication). |
mechanisms | | NONE | The authentication method to require. Can be NONE, BASIC, DIGEST, CLIENT_CERT, SPNEGO. Defaults to NONE. Setting it to a different value requires enabling a security-realm. |
server-principal | string | | The principal to use as the server identity. The principal must be present in the security realm. This is required for Kerberos-based SASL mechs (e.g. SPNEGO). |
cors-rules?
cors-rule+
Name | Type | Default | Description |
---|---|---|---|
name | string | | Defines a name for a CORS rule. |
allow-credentials | boolean | false | Configures if CORS requests use credentials and sets the CORS 'Access-Control-Allow-Credentials' response header. |
max-age-seconds | int | 0 | Configures how long CORS preflight request headers can be cached and sets the CORS 'Access-Control-Max-Age' response header. |
allowed-origins
Specifies a comma-separated list that sets the CORS 'Access-Control-Allow-Origin' header that controls which origins can access resources.
allowed-methods
Specifies a comma-separated list that sets the CORS 'Access-Control-Allow-Methods' header in the preflight response. Controls the methods that origins can access.
allowed-headers?
Specifies a comma-separated list that sets the CORS 'Access-Control-Allow-Headers' header in the preflight response. Controls the headers that origins can access.
expose-headers?
Specifies a comma-separated list that sets the CORS 'Access-Control-Expose-Headers' header in the preflight response. Controls the headers that are exposed to origins.
encryption?
Name | Type | Default | Description |
---|---|---|---|
require-ssl-client-auth | boolean | false | Requires clients to use certificates for authentication. |
security-realm | string | | Names the security realm that contains the SSL keystore. |
sni*
Name | Type | Default | Description |
---|---|---|---|
host-name | string | | TLS SNI host name |
security-realm | string | | A corresponding security realm. If none is specified, the default will be used. |
Name | Type | Default | Description |
---|---|---|---|
name | string | | Logically names this connector. Use this attribute to separate multiple connector declarations for the same endpoint. |
Name | Type | Default | Description |
---|---|---|---|
socket-binding | string | | Specifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections. |
cache-container | string | | Names the cache container this connector exposes. |
io-threads | int | | Sets the number of I/O threads. Defaults to 2 * cpu cores. |
worker-threads | int | | Sets the number of worker threads. Defaults to 160. |
idle-timeout | int | | Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). |
tcp-nodelay | boolean | | Enables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled. |
tcp-keepalive | boolean | | Enables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default). |
send-buffer-size | int | | Sets the size of the send buffer. |
receive-buffer-size | int | | Sets the size of the receive buffer. |
require-ssl-client-auth | boolean | | Requires clients to use certificates for authentication. |
memcached-connector*
Name | Type | Default | Description |
---|---|---|---|
cache | string | | Names the cache that the Memcached connector exposes. Defaults to memcachedCache. |
client-encoding | string | | Sets client encoding for values. Applies to memcached text protocol only. |
Name | Type | Default | Description |
---|---|---|---|
name | string | | Logically names this connector. Use this attribute to separate multiple connector declarations for the same endpoint. |
Name | Type | Default | Description |
---|---|---|---|
socket-binding | string | | Specifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections. |
cache-container | string | | Names the cache container this connector exposes. |
io-threads | int | | Sets the number of I/O threads. Defaults to 2 * cpu cores. |
worker-threads | int | | Sets the number of worker threads. Defaults to 160. |
idle-timeout | int | | Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). |
tcp-nodelay | boolean | | Enables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled. |
tcp-keepalive | boolean | | Enables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default). |
send-buffer-size | int | | Sets the size of the send buffer. |
receive-buffer-size | int | | Sets the size of the receive buffer. |
require-ssl-client-auth | boolean | | Requires clients to use certificates for authentication. |
Name | Type | Default | Description |
---|---|---|---|
socket-binding | string | | Specifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections. |
cache-container | string | | Names the cache container this connector exposes. |
io-threads | int | | Sets the number of I/O threads. Defaults to 2 * cpu cores. |
worker-threads | int | | Sets the number of worker threads. Defaults to 160. |
idle-timeout | int | | Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout). |
tcp-nodelay | boolean | | Enables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled. |
tcp-keepalive | boolean | | Enables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default). |
send-buffer-size | int | | Sets the size of the send buffer. |
receive-buffer-size | int | | Sets the size of the receive buffer. |
require-ssl-client-auth | boolean | | Requires clients to use certificates for authentication. |