JAAS login configuration file example

This example shows the format of the JAAS login configuration file and provides information about several file elements and attributes. For more information about the file elements and attributes, see the notes that follow the example.
Figure 1. JAAS login configuration file example
<?xml version="1.0" encoding="UTF-8"?>

<securityDomain xmlns="http://www.teracloud.com/xmlns/prod/streams/security/domain/config/1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <authentication>
    <jaas>
      <jaasConfig name="streams-jaas">
        <loginModule moduleClass="com.teracloud.streams.security.authc.module.X509CertLoginModule" flag="sufficient">
        </loginModule>

        <loginModule moduleClass="com.teracloud.streams.security.authc.module.PAMLoginModule" flag="sufficient">
          <moduleOption name="service" value="login" />
        </loginModule>

        <loginModule moduleClass="com.teracloud.streams.security.authc.module.LDAPLoginModule" flag="sufficient">
          <moduleOption name="serverUrl" value="ldap://bluepages.teracloud.com:389" />
          <moduleOption name="userDnPattern" value="uid=*,c=us,ou=bluepages,o=teracloud.com" />
          <moduleOption name="userSecondaryLookup" value="(&amp;(objectclass=teracloudperson)(notesshortname=*)) uid" />
          <moduleOption name="groupObjectclass" value="groupOfUniqueNames" />
          <moduleOption name="groupSearchBaseDn" value="ou=memberlist,ou=teracloudgroups,o=teracloud.com" />
          <moduleOption name="groupAttributeWithUserNames" value="uniquemember" />
          <moduleOption name="userAttributeStoredInGroupAttribute" value="dn" />
        </loginModule>
      </jaasConfig>
    </jaas>
  </authentication>
</securityDomain>
Notes:
  • You can specify one or more <loginModule> elements under the <jaasConfig> element.
  • Authentication occurs in the order that you list the login modules.
  • The moduleClass attribute specifies the fully qualified implementation class name.
  • The flag attribute controls the behavior as authentication proceeds down the list of modules, which is one of the following values:
    • required: The login module is required to succeed. Whether it succeeds or fails, authentication still proceeds down the login module list.
    • requisite: The login module is required to succeed. If it succeeds, authentication continues down the login module list. If it fails, authentication does not proceed down the login module list and control returns to the application.
    • sufficient: The login module is not required to succeed. If it succeeds, authentication does not proceed down the login module list and control returns to the application. If it fails, authentication continues down the login module list.
    • optional: The login module is not required to succeed. If it succeeds or fails, authentication continues to proceed down the login module list.
  • Overall authentication succeeds if all required and requisite login modules succeed. If a sufficient login module is configured and succeeds, only the required and requisite login modules before that sufficient login module need to succeed for the overall authentication to succeed. If no required or requisite login modules are configured for an application, at least one sufficient or optional login module must succeed.
    Table 1. Login module configuration scenarios

    The login module ID is in column 1, the flag value is in column 2, and columns 3 through 10 indicate whether authentication passed or failed. The last row indicates whether overall authentication passed or failed. A dash means that the login module did not run in that scenario.

    Login module            Flag        Scenario 1  Scenario 2  Scenario 3  Scenario 4  Scenario 5  Scenario 6  Scenario 7  Scenario 8
    A                       required    PASS        PASS        PASS        PASS        FAIL        FAIL        FAIL        -
    B                       sufficient  PASS        FAIL        FAIL        FAIL        PASS        FAIL        FAIL        PASS
    C                       requisite   -           PASS        PASS        FAIL        -           PASS        PASS        -
    D                       optional    -           PASS        FAIL        -           -           PASS        FAIL        -
    Overall authentication              PASS        PASS        PASS        FAIL        FAIL        FAIL        FAIL        PASS
  • Module options are specified as name-value pairs in <moduleOption> elements. You can specify zero or more <moduleOption> elements under the <loginModule> element.
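To check the flag rules and Table 1 end to end, the following Python simulation is added here; it is not part of this documentation or of the product. It parses a constructed configuration in the securityDomain format shown above and walks the login module list for each scenario; the moduleClass values A-D and the per-module pass/fail outcomes are assumptions that stand in for the rows of the table.

```python
import xml.etree.ElementTree as ET

# Constructed config in the page's securityDomain format; moduleClass A-D are placeholders.
CONFIG_XML = """<securityDomain xmlns="http://www.teracloud.com/xmlns/prod/streams/security/domain/config/1.0">
  <authentication><jaas><jaasConfig name="streams-jaas">
    <loginModule moduleClass="A" flag="required"/>
    <loginModule moduleClass="B" flag="sufficient"/>
    <loginModule moduleClass="C" flag="requisite"/>
    <loginModule moduleClass="D" flag="optional"/>
  </jaasConfig></jaas></authentication>
</securityDomain>"""

# Table 1 scenarios (constructed): one letter per module A-D, P = would pass,
# F = would fail, - = not configured (scenario 8 has no required module).
SCENARIOS = {1: "PPPP", 2: "PFPP", 3: "PFPF", 4: "PFFP",
             5: "FPPP", 6: "FFPP", 7: "FFPF", 8: "-PPP"}

def load_stack(xml_text):
    """Return [(moduleClass, flag), ...] in the order listed in the file."""
    root = ET.fromstring(xml_text)
    return [(m.get("moduleClass"), m.get("flag")) for m in root.iterfind(".//{*}loginModule")]

def evaluate(stack, outcomes):
    """Walk the stack applying the flag rules; return (overall_passed, modules_invoked)."""
    invoked, req_ok, any_ok, seen_req = [], True, False, False
    for name, flag in stack:
        ok = outcomes[name] == "P"
        invoked.append(name)
        if flag in ("required", "requisite"):
            seen_req, req_ok = True, req_ok and ok
            if flag == "requisite" and not ok:
                break  # requisite failure: stop, control returns to the application
        elif flag == "sufficient" and ok:
            any_ok = True
            break      # sufficient success: stop; only earlier required/requisite matter
        elif flag == "optional":
            any_ok = any_ok or ok
    # Required/requisite modules decide when any ran; otherwise one sufficient/optional must pass.
    return (req_ok if seen_req else any_ok), invoked

def run_table1():
    """Return {scenario: (overall_passed, modules_invoked)} for every Table 1 column."""
    stack = load_stack(CONFIG_XML)
    results = {}
    for n, letters in SCENARIOS.items():
        outcomes = dict(zip("ABCD", letters))
        configured = [(m, f) for m, f in stack if outcomes[m] != "-"]
        results[n] = evaluate(configured, outcomes)
    return results
```

The modules_invoked list for each scenario matches the non-dash cells of the table's column, and scenario 8 drops module A so that the sufficient module B alone decides the result.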