Content Server Manual / Version 2010
Table Of Contents
The jaas.conf
file contains the following default configuration for login
modules:
JaasCap { hox.corem.server.CapLoginModule sufficient /* System builtin users are not allowed to use the editor service */ predicate.1.class="hox.corem.login.NameLoginPredicate" predicate.1.args="negative=true,editor.regex= (publisher|studio|watchdog|workflow |webserver|importer|feeder)" /* only specific system user is allowed for the respective service */ predicate.2.class="hox.corem.login.NameLoginPredicate" predicate.2.args="webserver.regex=webserver, publisher.regex=publisher,replicator.regex=replicator, workflow.regex=workflow,feeder.regex=feeder,studio.regex=studio" /* if not forbidden by other rules, other services are accessible for all users */ predicate.3.class="hox.corem.login.NameLoginPredicate" predicate.3.args="editor.regex=.*,debug.regex=.*, importer.regex=.*,system.regex=.*" ; /* hox.corem.login.LdapLoginModule sufficient host="@ldap.host@" port="@ldap.port@" domain="@ldap.domain@"; predicate.1.class="hox.corem.login.NameLoginPredicate" predicate.1.args="editor.regex=.*,debug.regex=.*, importer.regex=.*,system.regex=.*" ; */ };
Example 3.8. The jaas.conf file
Note
You have to replace the placeholders @ldap.host@
, @ldap.port@
and @ldap.domain@
for the
LdapLoginModule
with your actual settings.
The syntax conforms to the default configuration syntax in JAAS:
Application { ModuleClass Flag ModuleOptions; ModuleClass Flag ModuleOptions; ModuleClass Flag ModuleOptions; };
Example 3.9. JAAS syntax
The syntax is defined in detail in the Javadoc for the Java class
javax.security.auth.login.Configuration
. The application name in jaas.conf
is
JaasCap
. This value is fix and must not be changed. The ModuleClass
values in
jaas.conf
can be one of:
hox.corem.server.CapLoginModule
,hox.corem.login.LdapLoginModule
or another user-defined
LoginModule
.
The value of Flag
is always set to sufficient. The ModuleOptions
is a space
separated list of login module-related arguments. For each domain especially sub domains you have to configure
a dedicated LdapLoginModule
block containing the corresponding domain in the 'domain' attribute
of the key 'host'.
The following table contains the module options of CapLoginModule
:
CapLoginModule Options |
Description |
---|---|
|
Java class name of a login predicate |
|
Arguments to the login predicate. Use space value “ “ for no arguments. |
Table 3.5. Options of CapLoginModule
The two login predicate module options are optional. <n>
is an integer value. If a login
predicate is configured, both options must be set. It is not allowed to omit the second option in the table,
for instance. Login predicates are described in Section 3.12.1.2, “License Management and Login Predicates”. The
following table contains the module options for LdapLoginModule
.
LdapLoginModule Options |
Description |
---|---|
|
Java class name of a login predicate |
|
Arguments for the login predicate. Use space value “ “ for no arguments. |
host |
LDAP server host name |
|
LDAP server port number. If you want to use LDAP over SSL switch to 636, which is the default port for SSL connection. |
|
Domain to serve |
protocol | The protocol to use. Change to "ssl" if you want to use LDAP over SSL. |
Table 3.6. Options of the LdapLoginModule
For further LDAP over SSL configuration see Section 3.12.5, “Connecting LDAP Over SSL”.
The meaning of the first two predicate options for the LdapLoginModule
is the same as in the
CapLoginModule
. The last three options are mandatory.