Content Server Manual / Version 2107
The jaas.conf file contains the following default configuration for login
modules:
JaasCap {
  hox.corem.server.CapLoginModule sufficient
    /* System builtin users are not allowed to use the
       editor service */
    predicate.1.class="hox.corem.login.NameLoginPredicate"
    predicate.1.args="negative=true,editor.regex=(publisher|studio|watchdog|workflow|webserver|importer|feeder)"
    /* only a specific system user is allowed for the respective
       service */
    predicate.2.class="hox.corem.login.NameLoginPredicate"
    predicate.2.args="webserver.regex=webserver,publisher.regex=publisher,replicator.regex=replicator,workflow.regex=workflow,feeder.regex=feeder,studio.regex=studio"
    /* if not forbidden by other rules, other services are
       accessible for all users */
    predicate.3.class="hox.corem.login.NameLoginPredicate"
    predicate.3.args="editor.regex=.*,debug.regex=.*,importer.regex=.*,system.regex=.*"
  ;
  /*
  hox.corem.login.LdapLoginModule sufficient
    host="@ldap.host@" port="@ldap.port@" domain="@ldap.domain@"
    predicate.1.class="hox.corem.login.NameLoginPredicate"
    predicate.1.args="editor.regex=.*,debug.regex=.*,importer.regex=.*,system.regex=.*"
  ;
  */
};
Example 3.8. The jaas.conf file
Note
You have to replace the placeholders @ldap.host@, @ldap.port@
and @ldap.domain@ for the
LdapLoginModule with your actual settings.
The syntax conforms to the default configuration syntax in JAAS:
Application {
ModuleClass Flag ModuleOptions;
ModuleClass Flag ModuleOptions;
ModuleClass Flag ModuleOptions;
};
Example 3.9. JAAS syntax
The syntax is defined in detail in the Javadoc for the Java class
javax.security.auth.login.Configuration. The application name in jaas.conf is
JaasCap. This value is fixed and must not be changed. The ModuleClass value in
jaas.conf is one of hox.corem.server.CapLoginModule, hox.corem.login.LdapLoginModule,
or another user-defined LoginModule.
The value of Flag is always set to sufficient. ModuleOptions is a space-separated
list of login module-related arguments, each terminated only by the final semicolon of
the entry. For each domain, including each subdomain, you have to configure a dedicated
LdapLoginModule block whose domain option holds that domain, together with the host and
port of the directory server that serves it.
The following table contains the module options of CapLoginModule:

| CapLoginModule Options | Description |
|---|---|
| predicate.<n>.class | Java class name of a login predicate |
| predicate.<n>.args | Arguments to the login predicate. Use a single space " " as the value for no arguments. |

Table 3.5. Options of CapLoginModule
The two login predicate module options are optional; <n> is an integer value. If a login
predicate is configured, both options must be set: it is not allowed to omit predicate.<n>.args
and keep only predicate.<n>.class, for instance. Login predicates are described in
Section 3.12.1.2, “License Management and Login Predicates”. The following table contains
the module options for LdapLoginModule.
| LdapLoginModule Options | Description |
|---|---|
| predicate.<n>.class | Java class name of a login predicate |
| predicate.<n>.args | Arguments for the login predicate. Use a single space " " as the value for no arguments. |
| host | LDAP server host name |
| port | LDAP server port number. If you want to use LDAP over SSL, switch to 636, the default port for SSL connections. |
| domain | Domain to serve |
| protocol | The protocol to use. Change to "ssl" if you want to use LDAP over SSL. |

Table 3.6. Options of the LdapLoginModule
For further LDAP over SSL configuration see Section 3.12.5, “Connecting LDAP Over SSL”.
The meaning of the two predicate options for the LdapLoginModule is the same as in the
CapLoginModule. The host, port and domain options are mandatory; protocol only needs to
be set when you switch to LDAP over SSL.
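The rules stated in this section (the application name is JaasCap, every Flag is sufficient, predicate.<n>.class and predicate.<n>.args always come in pairs, the @ldap.host@, @ldap.port@ and @ldap.domain@ placeholders are replaced, and every LdapLoginModule sets host, port and domain) are easy to violate by hand-editing, and a wrong jaas.conf only fails when the Content Server starts. The following Python script is an added example, not part of this manual or of the product: it tokenizes a jaas.conf in the JAAS Configuration syntax shown in Example 3.9 and lints the active (uncommented) entries against those rules. DEFAULT_JAAS_CONF is Example 3.8 with the wrapped regex lines rejoined; BROKEN_JAAS_CONF is a constructed counter-example with made-up host names.

```python
"""Parse a jaas.conf (JAAS Configuration syntax) and lint it against this manual's rules."""
import re

# Example 3.8 from the manual, regex lines rejoined; the LDAP block stays commented out.
DEFAULT_JAAS_CONF = r'''
JaasCap {
  hox.corem.server.CapLoginModule sufficient
    predicate.1.class="hox.corem.login.NameLoginPredicate"
    predicate.1.args="negative=true,editor.regex=(publisher|studio|watchdog|workflow|webserver|importer|feeder)"
    predicate.2.class="hox.corem.login.NameLoginPredicate"
    predicate.2.args="webserver.regex=webserver,publisher.regex=publisher,replicator.regex=replicator,workflow.regex=workflow,feeder.regex=feeder,studio.regex=studio"
    predicate.3.class="hox.corem.login.NameLoginPredicate"
    predicate.3.args="editor.regex=.*,debug.regex=.*,importer.regex=.*,system.regex=.*"
  ;
  /*
  hox.corem.login.LdapLoginModule sufficient
    host="@ldap.host@" port="@ldap.port@" domain="@ldap.domain@"
    predicate.1.class="hox.corem.login.NameLoginPredicate"
    predicate.1.args="editor.regex=.*,debug.regex=.*,importer.regex=.*,system.regex=.*"
  ;
  */
};
'''

# Constructed counter-example (not from the manual, host names made up): LDAP block half-finished.
BROKEN_JAAS_CONF = r'''
JaasCap {
  hox.corem.login.LdapLoginModule sufficient
    host="@ldap.host@" port="389" domain="corp.example"
    predicate.1.class="hox.corem.login.NameLoginPredicate"
  ;
  hox.corem.login.LdapLoginModule required
    host="ldap2.corp.example" port="636" protocol="ssl"
  ;
};
'''

# Token priority: /* */ and // comments, "quoted strings", the { } ; punctuation, bare words.
TOKEN_RE = re.compile(r'/\*.*?\*/|//[^\n]*|"(?:[^"\\]|\\.)*"|[{};]|[^\s{};"]+', re.S)
PREDICATE_RE = re.compile(r'^predicate\.(\d+)\.(class|args)$')
LDAP_MANDATORY = ('host', 'port', 'domain')

def parse(text):
    """Return {application: [{'module', 'flag', 'options'}, ...]} for the active entries."""
    tokens = [t for t in TOKEN_RE.findall(text) if not t.startswith(('/*', '//'))]
    apps, i = {}, 0
    while i < len(tokens):
        name = tokens[i]
        if tokens[i + 1] != '{':
            raise ValueError(f"expected '{{' after application name {name!r}")
        i, entries = i + 2, []
        while tokens[i] != '}':
            module, flag = tokens[i], tokens[i + 1].lower()
            i, options = i + 2, {}
            while tokens[i] != ';':
                key, eq, value = tokens[i].partition('=')
                i += 1
                if not eq:
                    raise ValueError(f"option {key!r} in {module} has no '='")
                # key="quoted value" tokenizes as 'key=' followed by the quoted string
                if value == '' and tokens[i].startswith('"'):
                    value, i = tokens[i], i + 1
                options[key] = value.strip('"')
            i += 1  # the ';' that terminates this module entry
            entries.append({'module': module, 'flag': flag, 'options': options})
        i += 1  # '}'
        if i < len(tokens) and tokens[i] == ';':
            i += 1
        apps[name] = entries
    return apps

def lint(config):
    """Return human-readable problems; an empty list means the file passes."""
    problems = []
    if list(config) != ['JaasCap']:
        problems.append(f"application name must be JaasCap, got {list(config)}")
    for app, entries in config.items():
        for n, entry in enumerate(entries, 1):
            where = f"{app} entry {n} ({entry['module']})"
            if entry['flag'] != 'sufficient':
                problems.append(f"{where}: flag must be sufficient, got {entry['flag']}")
            predicates = {}
            for key, value in entry['options'].items():
                if re.search(r'@[\w.-]+@', value):  # @ldap.host@ and friends were not replaced
                    problems.append(f"{where}: unresolved placeholder {key}={value!r}")
                if (m := PREDICATE_RE.match(key)):
                    predicates.setdefault(int(m.group(1)), set()).add(m.group(2))
            for idx, parts in sorted(predicates.items()):
                if parts != {'class', 'args'}:
                    problems.append(f"{where}: predicate.{idx} needs both .class and .args")
            if entry['module'].endswith('LdapLoginModule'):
                missing = [k for k in LDAP_MANDATORY if k not in entry['options']]
                if missing:
                    problems.append(f"{where}: missing mandatory option(s) {missing}")
    return problems
```

Running lint(parse(DEFAULT_JAAS_CONF)) returns an empty list because the commented-out LDAP block is dropped by the tokenizer, while the broken sample yields four findings: the unreplaced @ldap.host@, a predicate.1 with a class but no args, a Flag of required instead of sufficient, and a second LdapLoginModule without a domain. Point the script at your own file with lint(parse(open("jaas.conf").read())) before restarting the Content Server.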