3.13.1.1. LoginModule Configuration in jaas.conf

The properties/corem/jaas.conf file contains the following default configuration for login modules:

JaasCap {
   hox.corem.server.CapLoginModule sufficient

     /* System builtin users are not allowed to use the
        editor service */
     predicate.1.class="hox.corem.login.NameLoginPredicate"
     predicate.1.args="negative=true,editor.regex=(serverdump|publisher|watchdog|workflow|webserver|importer|feeder)"

     /* only the specific system user is allowed for the respective
        service */
     predicate.2.class="hox.corem.login.NameLoginPredicate"
     predicate.2.args="webserver.regex=webserver,publisher.regex=publisher,replicator.regex=replicator,workflow.regex=workflow,feeder.regex=feeder"

     /* if not forbidden by other rules, other services are
        accessible for all users */
     predicate.3.class="hox.corem.login.NameLoginPredicate"
     predicate.3.args="editor.regex=.*,debug.regex=.*,filesystem.regex=.*,importer.regex=.*,system.regex=.*,dotnetappbridge.regex=.*"
   ;
   /*
   hox.corem.login.LdapLoginModule sufficient
   host="@ldap.host@"  port="@ldap.port@"
   domain="@ldap.domain@"

     /* the predicate options belong to the same entry, so the
        entry is terminated only once, after the last option */
     predicate.1.class="hox.corem.login.NameLoginPredicate"
     predicate.1.args="editor.regex=.*,debug.regex=.*,filesystem.regex=.*,importer.regex=.*,system.regex=.*,dotnetappbridge.regex=.*"
   ;
   */
};

Example 3.6. The jaas.conf file


Note

You have to replace the placeholders @ldap.host@, @ldap.port@ and @ldap.domain@ for the LdapLoginModule with your actual settings.

The syntax conforms to the default configuration syntax in JAAS:

Application {
   ModuleClass  Flag    ModuleOptions;
   ModuleClass  Flag    ModuleOptions;
   ModuleClass  Flag    ModuleOptions;
};

Example 3.7. JAAS syntax


The syntax is defined in detail in the Javadoc for the Java class javax.security.auth.login.Configuration. The application name in jaas.conf is JaasCap. This value is fixed and must not be changed. The ModuleClass values in jaas.conf can be one of:

  • hox.corem.server.CapLoginModule

  • hox.corem.login.LdapLoginModule

  • another user-defined LoginModule

The value of Flag is always set to sufficient. The ModuleOptions is a space-separated list of login module-related arguments. For each domain, and especially for each subdomain, you have to configure a dedicated LdapLoginModule block whose 'domain' option contains the corresponding domain.

The following table contains the module options of CapLoginModule:

CapLoginModule Options   Description
-----------------------  --------------------------------------------------------------
predicate.<n>.class      Java class name of a login predicate
predicate.<n>.args       Arguments to the login predicate. Use space value " " for no arguments.

Table 3.5. Options of CapLoginModule


The two login predicate module options are optional. <n> is an integer value. If a login predicate is configured, both options must be set; for instance, it is not allowed to omit the second option in the table. Login predicates are described in Section 3.13.1.2, “License Management and Login Predicates”. The following table contains the module options for LdapLoginModule.

LdapLoginModule Options   Description
------------------------  --------------------------------------------------------------
predicate.<n>.class       Java class name of a login predicate
predicate.<n>.args        Arguments for the login predicate. Use space value " " for no arguments.
host                      LDAP server host name
port                      LDAP server port number. If you want to use LDAP over SSL switch to 636, which is the default port for SSL connection.
domain                    Domain to serve
protocol                  The protocol to use. Change to "ssl" if you want to use LDAP over SSL.

Table 3.6. Options of the LdapLoginModule


The meaning of the first two predicate options for the LdapLoginModule is the same as in the CapLoginModule. The last three options are mandatory.
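The rules stated in this section (fixed application name JaasCap, flag sufficient, predicate.<n>.class and predicate.<n>.args always set together, placeholders replaced, host/port/domain present for the LdapLoginModule) can be checked before a server start. The following checker is an added example and not part of CoreMedia's own code; it parses the plain JAAS syntax shown above with a small regex-based parser, the sample configuration is constructed for the example, and treating host, port and domain as the mandatory LdapLoginModule options is an assumption based on the note above.

```python
import re

# Constructed sample in the syntax shown above: it deliberately omits
# predicate.2.args and leaves the LDAP placeholders unreplaced.
SAMPLE_CONF = '''JaasCap {
   hox.corem.server.CapLoginModule sufficient
     predicate.1.class="hox.corem.login.NameLoginPredicate"
     predicate.1.args="negative=true,editor.regex=(serverdump|publisher)"
     predicate.2.class="hox.corem.login.NameLoginPredicate"
   ;
   hox.corem.login.LdapLoginModule sufficient
   host="@ldap.host@" port="@ldap.port@" domain="@ldap.domain@"
   ;
};'''

def parse_jaas(text):
    # Returns (application name, [(module class, flag, {option: value}), ...]).
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)       # strip /* comments */
    m = re.search(r'(\S+)\s*\{(.*)\}\s*;', text, flags=re.S)
    if not m:
        raise ValueError("no 'Application { ... };' block found")
    entries = []
    for chunk in filter(str.strip, m.group(2).split(';')):  # one entry per ';'
        cls, flag, rest = (chunk.split(None, 2) + ['', ''])[:3]
        opts = {k: v.strip('"') for k, v in
                re.findall(r'([\w.]+)=("[^"]*"|\S+)', rest)}
        entries.append((cls, flag, opts))
    return m.group(1), entries

def check_jaas(text, required_ldap=("host", "port", "domain")):
    problems = []
    app, entries = parse_jaas(text)
    if app != "JaasCap":
        problems.append(f"application name must be JaasCap, found {app!r}")
    for cls, flag, opts in entries:
        if flag != "sufficient":
            problems.append(f"{cls}: flag must be sufficient, found {flag!r}")
        # predicate.<n>.class and predicate.<n>.args must be set together
        nums = {k.split('.')[1] for k in opts if k.startswith("predicate.")}
        for n in sorted(nums, key=int):
            for part in ("class", "args"):
                if f"predicate.{n}.{part}" not in opts:
                    problems.append(f"{cls}: predicate.{n}.{part} is missing")
        if cls.endswith("LdapLoginModule"):
            for key in required_ldap:
                if key not in opts:
                    problems.append(f"{cls}: mandatory option {key} is missing")
        for key, value in opts.items():                     # unreplaced @...@
            if re.fullmatch(r'@[^@]*@', value):
                problems.append(f"{cls}: placeholder {value} in {key} not replaced")
    return problems
```

Running `check_jaas(open("properties/corem/jaas.conf").read())` on a real file returns an empty list when the configuration follows the rules above.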