Documentation : Security Definition Schema
This page last changed on Dec 14, 2005 by hcunico@gmail.com.
The security schema is the main syntax for the security-related definitions of any deployment plan. It is normally imported by the host schema (the schema of the plan that embeds it). The usual namespace prefix for the security schema is security, so an element of this namespace referenced from another namespace is written security:security. Here is the syntactic reference for the security schema. All security schema types are global (in the XML Schema sense). There are only two global security elements: security:security and security:default-principal. Note that although default-principal is declared as a global element, the security schema does not make use of it and instead declares a local default-principal element of the same type wherever it needs one. The following sections describe the syntax and meaning of each security schema type.
Type securityType

security:securityType is the global type that defines the security requirements of an application with respect to the mapping of J2EE roles to Principals.

<xsd:complexType name="securityType">
  <xsd:sequence>
    <xsd:element name="description" type="security:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="default-principal" type="security:default-principalType"/>
    <xsd:element name="role-mappings" type="security:role-mappingsType" minOccurs="0"/>
  </xsd:sequence>
  <xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false"/>
  <xsd:attribute name="use-context-handler" type="xsd:boolean" default="false"/>
  <xsd:attribute name="default-role" type="xsd:string"/>
</xsd:complexType>

@doas-current-caller - set this attribute to true if the work is to be performed as the calling Subject. This attribute is optional; the default value is false.
@use-context-handler - optional boolean attribute; the default value is false.
@default-role - optional string attribute.
description - optional; 0 to many description elements.
default-principal - required; exactly one element of security:default-principalType.
role-mappings - optional; at most one element of security:role-mappingsType.

Type default-principalType

The default principal is used for anonymous access, that is, for callers that have not authenticated. security:default-principalType is a sequence of optional description elements, a choice of exactly one of principal, login-domain-principal or realm-principal, followed by zero or more named-username-password-credential elements.

<xsd:complexType name="default-principalType">
  <xsd:sequence>
    <xsd:element name="description" type="security:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:choice>
      <xsd:element name="principal" type="security:principalType"/>
      <xsd:element name="login-domain-principal" type="security:loginDomainPrincipalType"/>
      <xsd:element name="realm-principal" type="security:realmPrincipalType"/>
    </xsd:choice>
    <xsd:element name="named-username-password-credential" type="security:named-username-password-credentialType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

description - optional; 0 to many description elements.
principal, login-domain-principal, realm-principal - required choice; exactly one of the three.
named-username-password-credential - optional; 0 to many elements.

Type principalType

security:principalType defines an authenticated principal.

<xsd:complexType name="principalType">
  <xsd:sequence>
    <xsd:element name="description" type="security:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
  <xsd:attribute name="class" type="xsd:string" use="required"/>
  <xsd:attribute name="name" type="xsd:string" use="required"/>
  <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false"/>
</xsd:complexType>

@class - required; the fully qualified name of the Principal implementation class.
@name - required; the principal name.
@designated-run-as - optional, default false; set it to true if this principal is to be used as the run-as principal for the role it is mapped to.
description - optional; 0 to many description elements.

Type loginDomainPrincipalType

security:loginDomainPrincipalType associates a Principal with the Login Domain (login module) that authenticated it. If the Security Realm into which the login module (Login Domain) is wired is configured to wrap Principals, every Principal produced by every login module is wrapped into a DomainPrincipal. loginDomainPrincipalType extends security:principalType.

<xsd:complexType name="loginDomainPrincipalType">
  <xsd:complexContent>
    <xsd:extension base="security:principalType">
      <xsd:attribute name="domain-name" type="xsd:string" use="required"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

@domain-name - required; the Login Domain name.

Note that a security:loginDomainPrincipalType element describes a DomainPrincipal that wraps a plain Principal, so its @class attribute must name the implementation class of the wrapped Principal, not the DomainPrincipal wrapper.

Type realmPrincipalType

A realm principal associates a Principal with the realm in which it was authenticated. If the Security Realm is configured to wrap Principals, each DomainPrincipal is in turn wrapped into a RealmPrincipal. realmPrincipalType extends security:loginDomainPrincipalType.

<xsd:complexType name="realmPrincipalType">
  <xsd:complexContent>
    <xsd:extension base="security:loginDomainPrincipalType">
      <xsd:attribute name="realm-name" type="xsd:string" use="required"/>
    </xsd:extension>
  </xsd:complexContent>
</xsd:complexType>

@realm-name - required; the realm name.

Note that a security:realmPrincipalType element describes a RealmPrincipal that wraps a DomainPrincipal, which in turn wraps the Principal. So here too the @class attribute must name the implementation class of the innermost wrapped Principal, and @domain-name must name the Login Domain that produced it.

Type named-username-password-credentialType

This type defines a named username/password credential.

<xsd:complexType name="named-username-password-credentialType">
  <xsd:sequence>
    <xsd:element name="name" type="xsd:string"/>
    <xsd:element name="username" type="xsd:string"/>
    <xsd:element name="password" type="xsd:string"/>
  </xsd:sequence>
</xsd:complexType>

name - required; names this credential set.
username - required; the user name of the credential.
password - required; the password of the credential. Note that it is stored in clear text in the deployment plan, so the plan file must be protected like any other secret.

Type role-mappingsType

security:role-mappingsType defines the mappings of J2EE roles to principals.

<xsd:complexType name="role-mappingsType">
  <xsd:sequence>
    <xsd:element name="role" type="security:roleType" maxOccurs="unbounded"/>
  </xsd:sequence>
</xsd:complexType>

role - required; a sequence of 1 or more elements of security:roleType.

Type roleType

security:roleType defines the mapping of one J2EE role to a set of Principals. Mapped principals can be of any kind: login-domain-principal, realm-principal, principal, or a distinguished name (dn). Ideally roles are mapped to DomainPrincipals or RealmPrincipals, but that type of mapping is not supported in Geronimo M5 or earlier milestones: the only mappings available in M5 and before are principalType mapping and dn mapping.

<xsd:complexType name="roleType">
  <xsd:sequence>
    <xsd:element name="description" type="security:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="realm-principal" type="security:realmPrincipalType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="login-domain-principal" type="security:loginDomainPrincipalType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="principal" type="security:principalType" minOccurs="0" maxOccurs="unbounded"/>
    <xsd:element name="distinguished-name" type="security:distinguishedNameType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
  <xsd:attribute name="role-name" type="xsd:string" use="required"/>
</xsd:complexType>

@role-name - required; the J2EE role name.
description - optional; 0 to many security:description elements.
realm-principal, login-domain-principal, principal, distinguished-name - each optional, 0 to many, and they must appear in that order.

Type distinguishedNameType

<xsd:complexType name="distinguishedNameType">
  <xsd:sequence>
    <xsd:element name="description" type="security:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
  </xsd:sequence>
  <xsd:attribute name="name" type="xsd:string" use="required"/>
  <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false"/>
</xsd:complexType>

@name - required; the distinguished name.
@designated-run-as - set this attribute to true if this principal is to be used as the run-as principal for this role. This attribute is optional; the default value is false.
description - optional; 0 to many elements of security:descriptionType.

Type descriptionType

security:descriptionType allows a description to be inserted in any other element. This type extends the schema string type with a reference to the global xml:lang attribute.

<xsd:complexType name="descriptionType">
  <xsd:simpleContent>
    <xsd:extension base="xsd:string">
      <xsd:attribute ref="xml:lang"/>
    </xsd:extension>
  </xsd:simpleContent>
</xsd:complexType>

@xml:lang - language attribute. This attribute is optional.
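To show how the types above fit together, here is a complete security:security element as it would be embedded in a host deployment plan. It is an added example written for this page, not a fragment from the original page or from the Geronimo distribution. The namespace URI on the xmlns:security declaration, the principal implementation classes, the login domain name, the realm name, the role names and the credential values are all assumptions for illustration; substitute those of the host plan and of the realm actually deployed.

```xml
<!-- Added example: a security:security element inside a host deployment plan.
     The namespace URI, class names, domain/realm names, role names and the
     credential are assumed for illustration; the host plan's root element and
     its other content are omitted. -->
<security:security xmlns:security="http://geronimo.apache.org/xml/ns/security-1.1"
                   doas-current-caller="false">
  <security:description xml:lang="en">Role mapping for an example web application</security:description>

  <!-- default-principal is mandatory: anonymous (unauthenticated) callers run as it. -->
  <security:default-principal>
    <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                        name="anonymous"/>
    <!-- Optional credential set; note that the password is clear text in the plan. -->
    <security:named-username-password-credential>
      <security:name>backend-db</security:name>
      <security:username>app</security:username>
      <security:password>changeit</security:password>
    </security:named-username-password-credential>
  </security:default-principal>

  <security:role-mappings>
    <!-- Plain principalType mapping (the kind supported in M5 and earlier). -->
    <security:role role-name="admin">
      <security:description>Administrators</security:description>
      <security:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                          name="admins"
                          designated-run-as="true"/>
    </security:role>

    <!-- DomainPrincipal mapping: @class names the wrapped Principal's class,
         @domain-name names the Login Domain that produced it. -->
    <security:role role-name="operator">
      <security:login-domain-principal domain-name="properties-login"
                                        class="org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal"
                                        name="operator"/>
    </security:role>

    <!-- RealmPrincipal mapping plus a dn mapping. @class still names the
         innermost Principal class; child elements keep the schema's order
         (realm-principal before distinguished-name). -->
    <security:role role-name="auditor">
      <security:realm-principal realm-name="geronimo-properties-realm"
                                domain-name="properties-login"
                                class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                                name="auditors"/>
      <security:distinguished-name name="CN=Audit Service,OU=Security,O=Example,C=US"/>
    </security:role>
  </security:role-mappings>
</security:security>
```

When checking a plan against the schema, the points that most often go wrong are the ones the example labels: the default-principal element is required even if the application allows no anonymous access; child elements of a role must follow the schema's sequence order (description, realm-principal, login-domain-principal, principal, distinguished-name); and for login-domain-principal and realm-principal the @class attribute names the wrapped Principal class, never the DomainPrincipal or RealmPrincipal wrapper. On Geronimo M5 and earlier only the principal and distinguished-name mappings take effect.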
Document generated by Confluence on Dec 15, 2005 19:14