diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
index 2c7a1f35e04..8266ce5d18c 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronExtension.java
@@ -76,8 +76,9 @@ public class ElytronExtension implements Extension {
 static final ModelVersion ELYTRON_17_0_0 = ModelVersion.create(17);
 static final ModelVersion ELYTRON_18_0_0 = ModelVersion.create(18);
 static final ModelVersion ELYTRON_19_0_0 = ModelVersion.create(19);
+ static final ModelVersion ELYTRON_20_0_0 = ModelVersion.create(20);
- private static final ModelVersion ELYTRON_CURRENT = ELYTRON_19_0_0;
+ private static final ModelVersion ELYTRON_CURRENT = ELYTRON_20_0_0;
 static final String ISO_8601_FORMAT = "yyyy-MM-dd'T'HH:mm:ss.SSSZ";
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
index bf7e1f567dc..af518cc5178 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemSchema.java
@@ -54,8 +54,9 @@ public enum ElytronSubsystemSchema implements PersistentSubsystemSchema CURRENT = Feature.map(EnumSet.of(VERSION_18_0, VERSION_18_0_COMMUNITY));
+ static final Map CURRENT = Feature.map(EnumSet.of(VERSION_18_0, VERSION_18_0_COMMUNITY, VERSION_18_0_PREVIEW));
 private final VersionedNamespace namespace;
@@ -192,7 +193,9 @@ private void addCredentialStoreParser(PersistentResourceXMLDescription.Persisten
 private void addTlsParser(PersistentResourceXMLDescription.PersistentResourceXMLBuilder builder) {
 TlsParser tlsParser = new TlsParser();
- if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) {
+ if (this.since(ElytronSubsystemSchema.VERSION_18_0_PREVIEW) && this.enables(SSLDefinitions.OCSP_STAPLING)) {
+ builder.addChild(tlsParser.tlsParserPreview_18_0);
+ } else if (this.since(ElytronSubsystemSchema.VERSION_18_0_COMMUNITY) && this.enables(getDynamicClientSSLContextDefinition())) {
 builder.addChild(tlsParser.tlsParserCommunity_18_0);
 } else if (this.since(ElytronSubsystemSchema.VERSION_14_0)) {
 builder.addChild(tlsParser.tlsParser_14_0);
diff --git a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
index 3adf72a7804..a5838ced758 100644
--- a/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
+++ b/elytron/src/main/java/org/wildfly/extension/elytron/ElytronSubsystemTransformers.java
@@ -106,6 +106,8 @@ public String getSubsystemName() {
 public void registerTransformers(SubsystemTransformerRegistration registration) {
 ChainedTransformationDescriptionBuilder chainedBuilder = TransformationDescriptionBuilder.Factory.createChainedSubystemInstance(registration.getCurrentSubsystemVersion());
+ // 20.0.0 (WildFly 34) to 19.0.0 (WildFly 32)
+ from20(chainedBuilder);
 // 19.0.0 (WildFly 32) to 18.0.0 (WildFly 29)
 from19(chainedBuilder);
 // 18.0.0 (WildFly 29) to 17.0.0 (WildFly 28)
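Review bot: The new preview branch in `addTlsParser` keys only on `SSLDefinitions.OCSP_STAPLING`, so once it is taken the community-level `getDynamicClientSSLContextDefinition()` check is never evaluated and those elements must be carried by `tlsParserPreview_18_0` itself; nothing in the hunk shows that parser is a superset of `tlsParserCommunity_18_0`, so it is worth confirming, otherwise a preview-stability server could fail to parse dynamic-client-ssl-context configuration that a community-stability server accepts. A one-line comment above the chain would pin the intended invariant: `// highest enabled stability first; each parser must accept everything the lower-stability parsers do`. The rest of `addTlsParser` continues outside the hunk.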
@@ -145,10 +147,15 @@ public void registerTransformers(SubsystemTransformerRegistration registration)
 // 2.0.0 (WildFly 12) to 1.2.0, (WildFly 11 and EAP 7.1.0)
 from2(chainedBuilder);
- chainedBuilder.buildAndRegister(registration, new ModelVersion[] { ELYTRON_18_0_0, ELYTRON_17_0_0, ELYTRON_16_0_0, ELYTRON_15_1_0, ELYTRON_15_0_0, ELYTRON_14_0_0, ELYTRON_13_0_0, ELYTRON_12_0_0, ELYTRON_11_0_0, ELYTRON_10_0_0, ELYTRON_9_0_0,
+ chainedBuilder.buildAndRegister(registration, new ModelVersion[] { ELYTRON_19_0_0, ELYTRON_18_0_0, ELYTRON_17_0_0, ELYTRON_16_0_0, ELYTRON_15_1_0, ELYTRON_15_0_0, ELYTRON_14_0_0, ELYTRON_13_0_0, ELYTRON_12_0_0, ELYTRON_11_0_0, ELYTRON_10_0_0, ELYTRON_9_0_0,
 ELYTRON_8_0_0, ELYTRON_7_0_0, ELYTRON_6_0_0, ELYTRON_5_0_0, ELYTRON_4_0_0, ELYTRON_3_0_0, ELYTRON_2_0_0, ELYTRON_1_2_0 });
 }
+ private static void from20(ChainedTransformationDescriptionBuilder chainedBuilder) {
+ ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0);
+
+ }
+
 private static void from19(ChainedTransformationDescriptionBuilder chainedBuilder) {
 ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0);
diff --git a/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
new file mode 100644
index 00000000000..10545bd6ff8
--- /dev/null
+++ b/elytron/src/main/resources/schema/wildfly-elytron_preview_18_0.xsd
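Review bot: `from20` creates its builder with `chainedBuilder.createBuilder(ELYTRON_19_0_0, ELYTRON_18_0_0)`, the exact pair `from19` uses, so the 20.0.0→19.0.0 step that the new `from20(chainedBuilder)` call registers describes the wrong version hop; it should read `ResourceTransformationDescriptionBuilder builder = chainedBuilder.createBuilder(ELYTRON_20_0_0, ELYTRON_19_0_0);`. The `builder` local is also never used, so nothing introduced at model version 20 — presumably the preview-only OCSP stapling attributes gated by `SSLDefinitions.OCSP_STAPLING` in the parser hunk — is discarded or rejected when the model is pushed to a 19.0.0 host controller, and in a mixed-version domain that TLS configuration could be silently dropped or mis-applied on legacy hosts rather than failing loudly. Either add the discard/reject rules for the new attributes, or, if the 20→19 hop really has no transformable change yet, replace the unused local with a comment such as `// no model changes between 20.0.0 and 19.0.0 require transformation yet` so the empty method is clearly intentional.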
@@ -0,0 +1,6441 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Reference to the default authentication context to be associated with all deployments. + + + + + + + Reference to a capability providing a Provider[] which will be registered globally ahead of all existing Provider registrations. + + + + + + + Reference to a capability providing a Provider[] which will be registered globally after all existing Provider registrations. + + + + + + + A list of providers that are disallowed, and will be removed from the providers list. + + + + + + + Should the WildFly Elytron AuthConfigFactory implementation be automatically registered. + + + + + + + Reference to an SSLContext which should be globally registered as the default. + + + + + + + + + + + Type to contain a list of security properties to be set. + + + + + + + + + + + Representation of a key/value property pair. + + + + + + The key for this property. + + + + + + + The value for this property. + + + + + + + + + + + + Definition of a Web Services configuration. + + + + + + HTTP mechanism web services client will use when connecting to the server. + + + + + + + WS-security method web services client will use when connecting to the server. + + + + + + + + + Container for the authentication client definitions. + + + + + + + + + + + + Authentication configuration definition. + + + + + + + An ordered list of properties to be used to configure all of the providers. + + + + + + + + + + + + Credential to be used by the configuration. + + + + + + + Web Services client configuration definition. + + + + + + + + The unique name for the authentication-configuration, note names used for authentication-configurations must be unique across the whole context. + + + + + + + Reference to a previously defined authentication configuration to extend. + + + + + + + Enables anonymous authentication. + + + + + + + The name to use for authentication. + + + + + + + The name to use for authorization. 
+ + + + + + + The name of the host to use. + + + + + + + The protocol to use. + + + + + + + The port to use. + + + + + + + The realm to use. + + + + + + + Reference to a security domain to use for a forwarded identity. + + + + + + + + The type of identity forwarding to use when security-domain is specified. The value "authenticaiton" forwards + the identity of the currently authenticated user, including credentials. The value "authorization" forwards + the underlying authorization identity, which allows for a different identity to be used for authentication. + + + + + + + + + + + + The SASL mechanism selector string. Allows to specify allowed/forbidden SASL mechanisms. + + + + + + + Reference to a kerberos security factory used to obtain a GSS kerberos credential. + + + + + + + + + Authentication context definition. + + + + + + + An ordered list of match-rules to be defined on this authentication context. + + + + + + + Match based on abstract type. + + + + + + + Match based on abstract type authority. + + + + + + + Match based on host. + + + + + + + Match based on local security domain. + + + + + + + Match based on no user. + + + + + + + Match based on path. + + + + + + + Match based on port. + + + + + + + Match based on protocol. + + + + + + + Match based on urn. + + + + + + + Match based on user. + + + + + + + The AuthenticationConfiguration to use with this match. + + + + + + + The SSLContext to use with this match. + + + + + + + + + + The unique name for the authentication-context, note names used for authentication-contexts must be unique across the whole context. + + + + + + + Reference to a previously defined authentication context to extend. + + match-rules defined here are added after the rules of the parent. + + + + + + + + + + + Container of Provider configuration. + + + + + + + + + + + + A PrincipalDecoder definition that is actually an aggregation of other PrincipalDecoders. 
+ + + + + + + + + The name to use to represent this provider loader in the management model. + + + + + + + + + A reference to a Provider[] resource. + + + + + + + + + Definition of a single provider loader. + + + + + + + + + + + + + + + The name to use to represent this provider loader in the management model. + + + + + + + The name of the module to use to load the providers. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + The fully qualified class names of the providers to load. + + If this attribute is not specified then service loader based discovery will be used instead. + + + + + + + The path to the configuration to use to initialise the provider. + + + + + + + A reference to a previously defined path that the path of the configuration is + relative to. + + + + + + + Argument to pass into the constructor as the Provider is instantiated. + + Can only be used where the class names to load are specified. + + + + + + + + + + + Container for the security domain definitions. + + + + + + + + + + + + + + + + The format type. + + + + + + + + + + + + The syslog transport method type. + + + + + + + + + + + + + Base type for all audit log types. + + + + + + The unique name for the audit log. + + + + + + + + + A security event listener definition that is actually an aggregation of other security event listeners. + + + + + + + + + + + + + + + A reference to a security event listener. + + + + + + + + + An audit log definition for persisting an audit log to a local file. + + + + + + + + The path to write the audit log to. + + + + + + + A reference to a previously defined path that the path of the audit log is + relative to. + + + + + + + Whether every event should be immediately synchronised to disk. + + + + + + + Whether every event should be immediately flushed to output stream. + When not specified, "synchronized" value is used. + + + + + + + The format to use to log the event. 
+ + + + + + + The file encoding to use. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file rotating the log after a time period + derived from the given suffix string, which should be in a format understood by java.time.format.DateTimeFormatter. + + + + + + + + The suffix string in a format which can be understood by java.time.format.DateTimeFormatter. + The period of the rotation is automatically calculated based on the suffix. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file rotating the log after the + size of the file grows beyond a certain point and keeping a fixed number of backups. + + + + + + + + The maximum number of files to backup when rotating. + + + + + + + Whether the file should be rotated before the a new file is set. + + + + + + + The log file size the file should rotate at. + + + + + + + Format of date used as suffix of log file names in java.time.format.DateTimeFormatter. + The suffix does not play a role in determining when the file should be rotated. + + + + + + + + + + + An audit log definition for persisting an audit log to a local file. + + + + + + + + Address of the server to send syslog messages to. + + + + + + + The port number the remote syslog server is listening on. + + + + + + + The transport to use to communicate with the syslog server. + + + + + + + The format to use to log the event. + + + + + + + The host name to send within all events sent to the syslog server. + + + + + + + The name of ssl-context used to secure connection to the syslog server. + Applies only when SSL_TCP transport is used. + + + + + + + The RFC format to be used for formatting the log entry, default value of RFC5424. + + + + + + + The maximum amount of failed reconnect attempts that should be made for sending messages to a syslog server before the endpoint is closed, default value of 0 (no reconnect attempts). 
+ + + + + + + + + + + A security event listener definition for a custom security event listener implementation. + + + + + + + + + The configuration to apply to the security event listener implementation. + + Note: If configuration is supplied the listener MUST implement a void initialize(Map<String, String>) method. + + + + + + + + + + + + + + + Container for the security domain definitions. + + + + + + + + + + + + Complex type for the definition of a single security domain. + + + + + + + + + + Which of the listed realms should be the default? + + + + + + + Reference to the PrincipalTransformer to be applied before the realm is selected. + + + + + + + Reference to the PrincipalTransformer to be applied after the realm is selected. + + + + + + + Reference to the PrincipalDecoder to be used by this domain. + + + + + + + Reference to an EvidenceDecoder to be used by the domain. + + + + + + + Reference to a RoleDecoder to be used by the domain. + + + + + + + Reference to a RealmMapper to be used by this security domain. + + + + + + + Reference to a RoleMapper to be used by the domain. + + + + + + + Reference to the PermissionMapper to be used by the domain. + + + + + + + A list of references to security domains that are trusted by this security domain. + + + + + + + A list of references to virtual security domains that are trusted by this security domain. + + + + + + + Where automatic outflow to a security domain is configured, if outflowing + the current identity is not authorized should the + anonymous identity of that domain be used instead? + + Outflowing an identity replaces any previously + established identity for the outflow domain for the + ongoing call, outflowing anonymous has the effect of + clearing the identity. + + + + + + + A list of references to security domains that any identity established for this + domain should automatically outflow to. 
+ + + + + + + Reference to a security event listener to be notified of security events + emitted from this domain. + + + + + + + + + A reference to a security realm. + + + + + + + The PrincipalTransformer to be associated with this realm. + + + + + + + The RoleDecoder to be associated with this realm. + + + + + + + The RoleMapper to be associated with this realm. + + + + + + + + + Container for the security realm definitions. + + + + + + + + Custom realm definitions can implement either the SecurityRealm interface or the ModifiableSecurityRealm interface. + + Regardless of which interface is implemented management operations will not be exposed to manage the realm. However other + services that depend on the realm will still be able to perform a type check and cast to gain access to the modification API. + + + + + + + Custom realm configured as being modifiable will be expected to implement the ModifiableSecurityRealm interface. + + By configuring a realm as being modifiable management operations will be made available to manipulate the realm. + + + + + + + + + + + + + + + + + + + + + Base type for all realm definitions. + + + + + + The unique name for the realm, note names used for realms must be unique across the whole context. + + + + + + + + + A realm definition that is an aggregation of two realms, one for the authentication steps + and one for loading the identity for the authorization steps. + + + + + + + + The name of the realm to use for the authentication steps (obtaining or validating credentials). + + + + + + + The name of the realm to use for the authorization steps (loading of the identity). + + Exactly one of 'authorization-realm' and 'authorization-realms' must be specified. + + + + + + + A list of security realms that should be used for the authorizations steps resulting in an + aggregation of attributes if the identity is contained in multiple realms. + + Exactly one of 'authorization-realm' and 'authorization-realms' must be specified. 
+ + + + + + + A principal transformer to be applied after the authentication steps but before the authorization + steps. + + + + + + + + + + + A realm definition that enables caching to another security realm. Caching strategy is LRU (Least Recently Used) where least accessed entries are discarded when maximum number of entries is reached. + + + + + + + + A reference to a cacheable security realm. + + + + + + + The maximum number of entries to keep in the cache. + + + + + + + The time in milliseconds that an item can stay in the cache. + + + + + + + + + + + Realm definition for a custom realm implementation. + + Generally subsystems that provide security realms should make them available + using the capabilities and requirements features of the application + server, this custom mechanism is provided for truly isolated realm implementations. + + + + + + + + + The configuration to apply to the SecurityRealm implementation. + + Note: If configuration is supplied the realm MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A realm definition for authentication and authorization of identities distributed between multiple realms. + + + + + + + + A list of security realms that should be used for authentication until one succeeds. + At least one realm must be specified. + + + + + + + Whether subsequent realms should be checked after an unavailable realm is reached. + If set to false or not set, when the unavailable realm is reached org.wildfly.security.auth.server.RealmUnavailableException is thrown and the search stops. + + + + + + + Whether a SecurityEvent signifying realm unavailability should be emitted. + + + + + + + + + + + A realm definition which wraps one realm and delegates to another in case the first is unavailable. + + + + + + + + The name of the realm to use as a default. + + + + + + + The name of the realm to use in case the default realm is unavailable. 
+ + + + + + + Whenever security events should be emitted when failover takes place. + + + + + + + + + + + Realm definition for a realm which contains a single pre-defined identity. + + + + + + + + The name of the identity available from the security realm. + + + + + + + The name of the attribute associated with this identity. + + + + + + + The values associated with the identity attributes. + + + + + + + + + + + A security realm definition backed by database using JDBC. + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + A realm definition which uses JAAS Login Context to verify user's credentials. + + + + + + + + + The location of the file with JAAS Login Context configuration. + + + + + + + + The name of the entry defined in JAAS configuration file that should be used. + + + + + + + The module with custom login module classes and optional custom callback handler class. + + + + + + + The class name of the callback handler to pass to JAAS Login Context. + + + + + + + + + + + The authentication query used to authenticate users based on specific key types. + + + + + + + + + + + + + + + The SQL statement used to obtain the keys(as table columns) for a specific user and map them accordingly with their type. + + + + + + + The name of the datasource used to connect to the database. + + + + + + + + + + + + + + + The configuration used to map a specific column in a table as an identity attribute. + + + + + + The column index from a query that representing the mapped attribute. + + + + + + + + + + + + The name of the identity attribute mapped from a column returned from a SQL query. + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Clear Password key type. + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Bcrypt key type. 
+ + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The column index from an authentication query that represents the password's iteration count, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Salted Simple Digest key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Simple Digest key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Scram key type. + + + + + + The encryption algorithm name to use. + + + + + + + + + + + + + + + The column index from an authentication query that represents the user's password. + + + + + + + + + + + + The column index from an authentication query that represents the password's salt, if supported. + + + + + + + + + + + + The column index from an authentication query that represents the password's iteration count, if supported. + + + + + + + + + + + + The encoding of the password hash. + + + + + + + + + + + + + The encoding of the password salt. 
+ + + + + + + + + + + + + + + A key mapper that maps a column returned from a SQL query to a Modular Crypt key type. + + + + + + The column index from an authentication query that represents the user password in Modular Crypt Format. + + + + + + + + + + + + + + + + + Reference to the KeyStore to be used by this realm. + + + + + + + + + + + Realm definition for a realm backed by a properties file. + + + + + + + + + The location of the properties file containing the users and their passwords. + The file should contain realm name declaration. + + + + + + + + + Are the passwords in properties file stored in plain text or pre-hashed? + (Pre-hashed form: HEX( MD5( username ":" realm ":" password ) ) ) + + + + + + + The realm name to use for digested passwords if one is not discovered in the properties file. + + + + + + + + + + + The location of the properties file containing the users and their groups. + + + + + + + + The name of the attribute in the returned AuthorizationIdentity that should contain the group membership information for the identity. + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + + + A security realm definition backed by LDAP. + + + + + + + + + + + The name of dir-context used to connect to the LDAP server. + + + + + + + Should this realm instance support verification of credentials by directly connecting to LDAP as the account being authenticated? + + + + + + + Should direct verification in this realm to allow login attempt with blank password? + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + + + + + + A simple security realm definition backed by the filesystem. 
+ + + + + + + + + The location of the file to use to handle the security realm. + + + + + + + + The number of levels of directory hashing to apply + + + + + + + Whether the identity names should be stored encoded (Base32) in file names. + + + + + + + The string format for the password in the properties file if they are not + stored in plain text. + + + + + + + + + + + + + The character set to use when converting the password string + to a byte array. + + + + + + + A reference to the credential store that contains the secret key used to encrypt and decrypt the filesystem-realm. + + + + + + + An alias to the secret key used to encrypt and decrypt the filesystem-realm. + + + + + + + A reference to the key store that contains the key pair to perform filesystem integrity checks. + + + + + + + The alias within the key-store that identifies the PrivateKeyEntry to use to perform filesystem integrity checks + + + + + + + + + + + + Realm definition for a token realm where authentication and authorization are handled by + a given token validator. + + + + + + + + + + + + The name of the claim that should be used to obtain the principal's name. Defaults to 'username'. + + + + + + + + + + + A token validator to be used in conjunction with a token-based realm that handles security tokens based on the JWT/JWS standard. + + + + + + + + + The JWK kid. Tokens with the same kid will use this public key for signature verification. + + + + + + + RSA public key in PEM format. + + + + + + + + + + A list of strings representing the issuers supported by this configuration. During validation JWT tokens must have an "iss" claim that contains one of the values defined here. + + + + + + + A list of strings representing the audiences supported by this configuration. During validation JWT tokens must have an "aud" claim that contains one of the values defined here. + + + + + + + A public key in PEM Format. 
During validation, if a public key is provided, signature will be verified based on the key you provided here. + + + + + + + A key store from where the certificate with a public key should be loaded from. + + + + + + + The name of the certificate with a public key to load from the key store. + + + + + + + A predefined client-ssl-context that will be used to connect to the jwks endpoint specified in the jku token claim. This configuration is mandatory if you want to use remote keys with jku. + + + + + + + A policy that defines how host names should be verified when using HTTPS for fetching jwks. + + + + + + + + + A token validator to be used in conjunction with a token-based realm that handles OAuth2 Access Tokens and validate them based on RFC-7662 (OAuth2 Token Introspection). + + + + + + The identifier of a client registered within the OAuth2 Authorization Server that will be used to authenticate this server in order to validate bearer tokens arriving to this server. + + + + + + + The secret of the client identified by the given client-id. + + + + + + + An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint. + + + + + + + A predefined client-ssl-context that will be used to connect to the token introspection endpoint when using SSL/TLS. This configuration is mandatory if the given token introspection url is using SSL/TLS. + + + + + + + A policy that defines how host names should be verified when using HTTPS. Allowed values: "ANY". + + + + + + + + + The configuration options that define how to connect to the LDAP server. + + + + + + + + + + + The configuration options that define how to connect to the LDAP server. + + + + + + + + + + + + + + The credential reference to credential store or clear text (password) + to use to authenticate and connect to the LDAP server. + Can be omitted if authentication-level is "none" (anonymous). + + + + + + + + Name of the connection. Allows to refer the DirContext. + + + + + + + The connection url. 
+ + + + + + + The authentication level (security level/authentication mechanism) to use. + Corresponds to SECURITY_AUTHENTICATION ("java.naming.security.authentication") environment property. + Allowed values: "none", "simple", sasl_mech, where sasl_mech is a space-separated list of SASL mechanism names. + + + + + + + The principal to authenticate and connect to the LDAP server. + Can be omitted if authentication-level is "none" (anonymous). + + + + + + + Indicates if connection pooling is enabled. + + + + + + + If LDAP referrals should be followed. + Corresponds to REFERRAL ("java.naming.referral") environment property. + Allowed values: "ignore", "follow", "throw". + + + + + + + The name of ssl-context used to secure connection to the LDAP server. + + + + + + + The name of authentication-context used to secure connection and to authenticate to the LDAP server. + + + + + + + The timeout for connecting to the LDAP server in milliseconds. + + + + + + + The read timeout for an LDAP operation in milliseconds. + + + + + + + Name of module that will be used to load custom context. + + + + + + + + + The configuration options that define how principals are mapped to their corresponding entries in the underlying LDAP server. + + + + + + + The attribute mappings defined for this resource. + + + + + + + The user password credential mapping defined for this resource. + + + + + + + The user password credential mapping defined for this resource. + + + + + + + The X509 user certificate credential mapping defined for this resource. + + + + + + + The attributes of newly created identities. Required for modifiability. + + + + + + + + The RDN part of the principal's DN to be used to obtain the principal's name from an LDAP entry. + + + + + + + The base DN to be used when executing queries. + + + + + + + Indicates if queries are recursive. + + + + + + + The LDAP filter for getting identity by name. 
+ The string "{0}" will be replaced by searched identity name and the "rdn_identifier" will be the value of the attribute "rdn-identifier". + + + + + + + The LDAP filter for iterating over identities of the realm. Optional, but required for modifiability. + + + + + + + The DN of parent of newly created identities. Optional, but required for modifiability. + + + + + + + + + + + + + + + The configuration used to map a specific LDAP attribute as an identity attribute. + + + + + + The name of the LDAP attribute to map to an identity attribute. + If not defined, DN of the whole entry is used as value. + + + + + + + The name of the identity attribute mapped from a specific LDAP attribute. + If not provided, the name of the attribute is the same as define in 'from'. + If the 'from' is not defined too, value 'dn' is used. + + + + + + + The name of LDAP attribute containing DN of entry to obtain value from. + + + + + + + The filter to use to obtain the values for a specific attribute. + String "{0}" will be replaced by username, "{1}" by user identity DN. + + + + + + + The name of the context where the filter should be performed. + + + + + + + Indicates if attribute LDAP search queries are recursive. + + + + + + + Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion) + + + + + + + Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role. + Used only when role-recursion is set. + + + + + + + The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format. + + + + + + + + + The configuration used to map a specific LDAP attribute (userPassword usually) as an identity password credential. + + + + + + The name of the LDAP attribute to map to an identity user password credential. + + + + + + + If the password credential is writable. + + + + + + + If the password credential is verifiable. 
+ + + + + + + + + The configuration allowing to use the LDAP as storage of one time password (OTP) credentials. + + + + + + The name of the LDAP attribute to map to an OTP credential algorithm. + + + + + + + The name of the LDAP attribute to map to a Base64 encoded OTP credential hash. + + + + + + + The name of the LDAP attribute to map to an OTP credential seed. + + + + + + + The name of the LDAP attribute to map to an OTP credential sequence number. + + + + + + + + + The configuration allowing to use LDAP as storage of X509 credentials. + X509 credential is user certificate or information allowing to identify it. + (serial number, subject DN, digest of certificate) + At least one *-from attribute should be specified. This definition will be ignored otherwise. + If more *-from attributes is defined, user certificate must match all defined criteria. + + + + + + The name of the LDAP attribute to map to a user certificate digest. + If not defined, certificate digest will not be checked. + + + + + + + The digest algorithm (hash function) used to compute digest of the user certificate. + Will be used only if digest-from have been defined. + + + + + + + The name of the LDAP attribute to map to an encoded user certificate. + If not defined, encoded certificate will not be checked. + + + + + + + The name of the LDAP attribute to map to a serial number of user certificate. + If not defined, serial number will not be checked. + + + + + + + The name of the LDAP attribute to map to a subject DN of user certificate. + If not defined, subject DN will not be checked. + + + + + + + + + + + + + + + Attribute of newly created LDAP identity. + + + + + + The name of the LDAP attribute. + + + + + + + The value(s) of LDAP attribute delimited by space. + + + + + + + + + A container type to hold SecurityFactory definitions to obtain Credential instances. + + + + + + + + + + + + Base type for all SecurityFactory definitions which return a Credential. 
+ + + + + + The unique name for the SecurityFactory, note names used for SecurityFactories must be unique + across the whole context. + + + + + + + + + Generic definition for a custom credential SecurityFactory implementation. + + + + + + + + + The configuration to apply to the SecurityFactory implementation. + + Note: If configuration is supplied the SecurityFactory MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + + + + + The Krb5LoginModule additional option. + + + + + + + The key of the option. + + + + + + + The value of the option. + + + + + + + + + + The principal represented by the KeyTab + + + + + + + The path to the KeyTab to use to obtain the credential. + + + + + + + The name of another previously named path, or of one of the standard paths provided by the system. + If 'relative-to' is provided, the value of the 'path' attribute is treated as relative + to the path specified by this attribute. + + + + + + + How much lifetime (in seconds) should a cached credential have remaining before it is recreated. + + + + + + + How much lifetime (in seconds) should be requested for newly created credentials. + + + + + + + Amount of seconds before new try to obtain server credential should be done if it has failed last time. + Allows to prevent long waiting to unavailable KDC on every authentication. + + + + + + + If this for use server side or client side? + + + + + + + Should the KerberosTicket also be obtained and associated with the credential. + + This is required to be true where credentials are delegated to the server. + + + + + + + Should the JAAS step of obtaining the credential have debug logging enabled. + + + + + + + Should generated GSS credentials be wrapped to prevent improper disposal or not? + + + + + + + Is the keytab file with adequate principal required to exist at the time the service starts? + + + + + + + The mechanism names the credential should be usable with. 
+ Names will be converted to OIDs and used together with OIDs from mechanism-oids attribute. + + + + + + + The mechanism OIDs the credential should be usable with. + Will be used together with OIDs derived from names from mechanism-names attribute. + + + + + + + + + + + + + A general container type to hold the various name rewriter and mapper definitions + as used within the subsystem. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Base type for all PermissionMapper definitions. + + + + + + The unique name for the PermissionMapper, note names used for PermissionMappers must be unique + across the whole context. + + + + + + + + + Generic definition for a custom PermissionMapper implementation. + + + + + + + + + The configuration to apply to the PermissionMapper implementation. + + Note: If configuration is supplied the PermissionMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PermissionMapper definition for a PermissionMapper that performs a logical operation using two referenced PermissionMappers. + + + + + + + + The logical operation to perform using the two referenced PermissionMappers. + + + + + + + Reference to the PermissionMapper to use to the left of the operation. + + + + + + + Reference to the PermissionMapper to use to the right of the operation. + + + + + + + + + + + The supported set of logical operations. + "and" assigns permissions which was assigned by both mappers + "or" assigns permissions which was assigned by at least one of mappers + "xor" assigns permissions which was assigned by exactly one of mappers + "unless" assigns permissions which was assigned by left mapper but not by right mapper + + + + + + + + + + + + + + A simple permission mapper that maps from defined principal and role names to predefined permissions. + + + + + + + + + + + + + + The name of the principal. + + + + + + + + + + + The name of the role. + + + + + + + + + + Deprecated. 
Use a reference to a 'permission-set' instead. + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + + + + + + + + + + + A RoleMapper definition that always returns a pre-defined set of permissions. + + + + + + + + + + Deprecated. Use a reference to a 'permission-set' instead. + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + + + + + + A reference to a permission set. + + + + + + + + + How multiple matching permission mappings will be combined. + + + + + + + + + + + + + + + + Base type for all PrincipalDecoder definitions. + + + + + + The unique name for the PrincipalDecoder, note names used for PrincipalDecoders must be unique + across the whole context. + + + + + + + + + Generic definition for a custom PrincipalDecoder implementation. + + + + + + + + + The configuration to apply to the PrincipalDecoder implementation. + + Note: If configuration is supplied the PrincipalDecoder MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PrincipalDecoder definition that is actually an aggregation of other PrincipalDecoders. + + + + + + + + + + + + + + + A reference to a PrincipalDecoder + + + + + + + + + A PrincipalDecoder definition that is actually a concatenation of other PrincipalDecoders. + + + + + + + + + + + The string to use to join the results of the other PrincipalDecoders. + + + + + + + + + + + A PrincipalDecoder that always returns the same constant. + + + + + + + + The constant value that will always be returned by this PrincipalDecoder. 
+ + + + + + + + + + + A PrincipalDecoder definition based on a X500 attribute. + + + + + + + + The oid of the attribute to map. + + + + + + + The oid of the attribute to map. + + + + + + + + + The joining string. + + + + + + + The 0-based starting occurrence of the attribute to map. + + + + + + + The maximum number of occurrences of the attribute to map. + + + + + + + When set to true, the attribute values will be processed and returned in reverse order. + + + + + + + If the Principal is not already an X500Principal should conversion be attempted? + + + + + + + The OIDs of the attributes that must be present in the principal. + + + + + + + The attribute names of the attributes that must be present in the principal. + + + + + + + + + + + Base type for all PrincipalTransformer definitions. + + + + + + The unique name for the PrincipalTransformer, note names used for PrincipalTransformer must be unique + across the whole context. + + + + + + + + + A PrincipalTransformer definition using regular expressions and Matcher based + replacement. + + + + + + + + The regular expression to use for this PrincipalTransformer. + + + + + + + The replacement string for this PrincipalTransformer. + + + + + + + Should all occurrences be replaced or just the first? + + + + + + + + + + + A PrincipalTransformer that instead of rewriting the name validates that it is + correct according to the supplied regular expression. + + + + + + + + The regular expression to use for this PrincipalTransformer. + + + + + + + If set to true, the name must match the given pattern to make validation successful. + If set to false, the name must not match the given pattern to make validation successful. + + + + + + + + + + + A PrincipalTransformer that always returns the same constant. + + + + + + + + The constant value that will always be returned by this PrincipalTransformer. + + + + + + + + + + + Generic definition for a custom PrincipalTransformer implementation. 
+ + + + + + + + + The configuration to apply to the PrincipalTransformer implementation. + + Note: If configuration is supplied the PrincipalTransformer MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A PrincipalTransformer aggregating more PrincipalTransformers - original principal is tried to be transformed + by individual transformers in given order until some of them return non-null principal - that is returned. + + Typically can be used with chained principal transformers beginning with validating principal + transformer - to transform principals in different forms differently. + + + + + + + + + + + + + + + A PrincipalTransformer definition that is actually a chain of other PrincipalTransformers. + + + + + + + + + + + + + + + A PrincipalTransformer that adjusts a principal to upper or lower case. + + + + + + + + If set to true, principal is adjusted to upper case. If set to false, principal is adjusted + to lower case. + + + + + + + + + + + A reference to a PrincipalTransformer. + + + + + + + + + Base type for all RealmMapper definitions. + + + + + + The unique name for the RealmMapper, note names used for RealmMappers must be unique + across the whole context. + + + + + + + + + Generic definition for a custom RealmMapper implementation. + + + + + + + + + The configuration to apply to the RealmMapper implementation. + + Note: If configuration is supplied the RealmMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RealmMapper that always returns the same constant. + + + + + + + + The constant value that will always be returned by this RealmMapper. + + + + + + + + + + + A simple RealmMapper definition that attempts to extract the realm name using the capture group from the regular expression, if that does not provide a + match then the delegate RealmMapper is used instead. + + + + + + + + The regular expression which must contain at least one capture group to extract the realm from the name. 
+ If the regular expression matches more than one capture group, the first capture group is used. + + + + + + + The RealmMapper to delegate to if the pattern does not match. If no delegate is specified then the default realm on + the domain will be used instead. + + + + + + + + + + + A RealmMapper implementation that first uses a regular expression to extract the realm name, this is then converted using the configured mapping of realm names. + + + + + + + + + + + The realm name to map from. + + + + + + + The realm name to map to. + + + + + + + + + + The regular expression which must contain at least one capture group to extract the realm from the name. + If the regular expression matches more than one capture group, the first capture group is used. + + + + + + + The RealmMapper to delegate to if the pattern does not match. If no delegate is specified then the default realm on + the domain will be used instead. + If the username does not match the pattern and a delegate realm-mapper is present, the result of delegate-realm-mapper is mapped via the realm-map. + + + + + + + + + + + Base type for all RoleDecoder definitions. + + + + + + The unique name for the RoleDecoder, note names used for RoleDecoders must be unique + across the whole context. + + + + + + + + + Generic definition for a custom RoleDecoder implementation. + + + + + + + + + The configuration to apply to the RoleDecoder implementation. + + Note: If configuration is supplied the RoleDecoder MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RoleDecoder definition that maps a single attribute to roles. + + + + + + + + The attribute to take from the identity and map directly to roles. + + + + + + + + + + + A RoleDecoder definition that maps roles based on the IP address of a remote client. + + + + + + + + The IP address to match. + + Exactly one of 'source-address' and 'pattern' must be specified. + + + + + + + A regular expression that specifies the IP address to match. 
+ + Exactly one of 'source-address' and 'pattern' must be specified. + + + + + + + The list of roles to assign if the IP address of the remote client matches. + + + + + + + + + + + A RoleDecoder definition that is actually an aggregation of other RoleDecoders. + + + + + + + + + + + + + + + A reference to a RoleDecoder. + + + + + + The name of the referenced RoleDecoder. + + + + + + + + + Base type for all RoleMapper definitions. + + + + + + The unique name for the RoleMapper, note names used for RoleMappers must be unique + across the whole context. + + + + + + + + + A RoleMapper definition that adds a specified prefix to every role. + + + + + + + + The prefix to add to each role. + + + + + + + + + + + A RoleMapper definition that adds a specified suffix to every role. + + + + + + + + The suffix to add to each role. + + + + + + + + + + + A RoleMapper definition that is actually an aggregation of other RoleMappers. + + + + + + + + + + + + + + + Generic definition for a custom RoleMapper implementation. + + + + + + + + + The configuration to apply to the RoleMapper implementation. + + Note: If configuration is supplied the RoleMapper MUST implement initialize(Map<String, String>) method. + + + + + + + + + + + + + A RoleMapper definition that always returns a pre-defined set of roles. + + + + + + + + + + + The role to be returned by the RoleMapper. + + + + + + + + + + + + + + The supported set of logical operations. + + + + + + + + + + + + + + A RoleMapper definition for a RoleMapper that performs a logical operation using two refereced RoleMappers. + + + + + + + + The logicial operation to perform using the two referenced RoleMappers. + + Allowed values: "and", "minus", "or", "xor". + + + + + + + Reference to the RoleMapper to use to the left of the operation. + + If not set the identity role mapper will be used instead. + + + + + + + Reference to the RoleMapper to use to the right of the operation. + + If not set the identity role mapper will be used instead. 
+ + + + + + + + + + + A RoleMapper implementation that uses the configured mapping of role names. + + + + + + + + + + + The role name to map from. + + + + + + + Space separated list of roles to map to. + + + + + + + + + + When set to 'true' the mapped roles will retain all roles, that have defined mappings. + + + + + + + When set to 'true' the mapped roles will retain all roles, that have no defined mappings. + + + + + + + + + + + A RoleMapper definition that uses pattern to find matching roles and then replaces these roles with replacement pattern. + Role matches the pattern in given pattern can be found in any substring of the role name. + + + + + + + + The pattern used for matching. Can capture groups. + + + + + + + The replacement string. Can make use of captured groups. + + + + + + + If true, keep roles that did not match the provided pattern. + + + + + + + If true, replace all occurrences of pattern and not only the first one. + + + + + + + + + + + A reference to a RoleMapper + + + + + + The name of the referenced RoleMapper. + + + + + + + + + An EvidenceDecoder that derives the principal associated with the given evidence from the subject from + the first certificate in the certificate chain. + + + + + + + + + + + An EvidenceDecoder that derives the principal associated with the given evidence from an X.509 subject + alternative name from the first certificate in the given evidence. + + + + + + + + The subject alternative name type to decode from the given evidence. + + + + + + + + + + + + + + + + + The 0-based occurrence of the subject alternative name to map. This attribute is optional and only + used when there is more than one subject alternative name of the given alt-name-type + + + + + + + + + + + An EvidenceDecoder definition that is an aggregation of other EvidenceDecoders. + + + + + + + + + + + + + + + Generic definition for a custom EvidenceDecoder implementation. + + + + + + + + + The configuration to apply to the EvidenceDecoder implementation. 
+ + Note: If configuration is supplied the EvidenceDecoder MUST implement the initialize(Map<String, String>) method. + + + + + + + + + + + + + A reference to an EvidenceDecoder + + + + + + + + + Base type for all EvidenceDecoder definitions. + + + + + + The unique name for the EvidenceDecoder, note names used for EvidenceDecoder must be unique + across the whole context. + + + + + + + + + + + Wrapper type to contain the configuration of the authentication mechanisms. + + + + + + + An ordered list of mechanism configurations, at the time of authentication the mechanism name, + host name, and protocol as specified by the mechanism will be compared against this list + for a first match. + + To configure a default configuration provide a definition with no mechanism-name, host-name, or + protocol and place it at the end of the list. Any definitions after a default definition will + never match. + + + + + + + + + + Definition of configuration to be used by authentication mechanisms. + + + + + + + + + This configuration will only apply where a mechanism with the name specified is used. + + If this attribute is omitted then this will match any mechanism name. + + + + + + + This configuration will only apply when the host name specified is provided by the mechanism. + + If this attribute is omitted then this will match any host name. + + + + + + + This configuration will only apply when the protocol specified is provided by the mechanism. + + If this attributed is omitted then this will match any protocol. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism. + + + + + + + A reference to the security factory to obtain the credential for this mechanism. + + + + + + + + + + Definition of a realm name specific to the mechanism. 
+ + This is the realm name that a mechanism may present to the remote client being authenticated, if a mechanism + only supports a single realm then only the first will be used and the remainder ignored. + + If a mechanism does not support realm names then the entire list will be ignored. + + + + + + The name of the realm. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism realm. + + + + + + + + + Container for the permission set definitions. + + + + + + + + + + + Definition of a permission set. + + + + + + + + + The fully qualified class name of the permission. + + + + + + + The module to use to load the permission class. + + + + + + + The target-name to pass to the constructor of the permission. + + + + + + + The action to pass to the constructor of the permission. + + + + + + + + + + The unique name for the permission set, note names used for permission sets must be unique across the whole context. + + + + + + + + + + + Complex type definition to hold the various HTTP definitions within the subsystem. + + + + + + + + + + + + + + + Complex type for the definition of the server side HTTP authentication policy. + + + + + + + + + + The security-domain referenced by this resource. + + + + + + + The http-server-mechanism-factory referenced by this resource. + + + + + + + + + Base type for all http server factory definitions. + + + + + + The unique name for the http server factory, note names used for http server factories must be unique across the whole context. + + + + + + + + + A HTTP server factory definition that is actually an aggregation of other HTTP server factories. 
+ + + + + + + + + + + + + + + A HTTP server factory definition that wraps another HTTP server factory and applies the specified configuration and filtering. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + A regular expression that filters mechanism names using a regular expression pattern. + + + + + + + When set to true all mechanisms are disabled unless enabled by matching one of the defined filters. + + When set to false all mechanisms are enabled unless disabled by matching one of the defined filters. + + + + + + + + + + + + Additional properties that should be passed to the factory for HTTP mechanism detection and creation. + + + + + + + + + + + + + Reference to the HTTP server factory to be wrapped by this configuration. + + + + + + + + + + + A HTTP server factory definition that searches an array of Provider instances for all available HTTP server factories. + + + + + + + + Reference to the Provider[] capability to obtain the array of Providers to use. + + If not specified the system registered Providers are used instead. + + + + + + + + + + + A HTTP server factory definition that uses a ServiceLoader to search for HTTP server factory implementations. + + + + + + + + The name of the module to use. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + + + + + A reference to a HTTP server mechanism factory. + + + + + + + + + + + Complex type definition type to hold the various SASL definitions within the subsystem. + + + + + + + + + + + + + + + + The SASL authentication policy for the server side. + + + + + + + + + + The security-domain referenced by this resource. + + + + + + + The sasl-server-factory referenced by this resource. + + + + + + + + + Base type for all sasl server factory definitions. + + + + + + The unique name for the sasl server factory, note names used for sasl server factories must be unique across the whole context. 
+ + + + + + + + + A SASL server factory definition that is actually an aggregation of other SASL server factories. + + + + + + + + + + + + + + + A SaslServerFactory definition that wraps another SaslServerFactory and applies the specified configuration and filtering. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + When set to true all mechanisms are disabled unless enabled by matching one of the defined filters. + When set to false all mechanisms are enabled unless disabled by matching one of the defined filters. + + + + + + + A regular expression filter that filters mechanism names using a regular expression pattern. + + + + + + + A predefined filter to filter mechanisms. + + + + + + + + + + + + Additional properties that should be passed to the factory for SASL mechanism detection and creation. + + + + + + + + + + + + + Reference to the SaslServerFactory to be wrapped by this configuration. + + + + + + + Override the protocol specified when creating a SASL mechanism. + + + + + + + Override the server name specified when creating a SASL mechanism. + + + + + + + + + + + The supported set of predefined filters. + + + + + + + + + + + + + + + + + + + + + + + A SaslServerFactory definition that wraps another SaslServerFactory and enables filtering of mechanisms based on the mechanism name and Provider name and version. + + Any mechanisms loaded by factories not located using a Provider will not be filtered by this definition. + + + + + + + + + Filters to be applied to the available mechanisms by name. + + + + + + + + + + This configuration will only apply where a mechanism with the name specified is used. + + If this attribute is omitted then this will match any mechanism name. + + + + + + + The name of the provider to match against. + + + + + + + Version to compare against the version reported by the provider. 
+ + + + + + + When set to 'less-than' a Provider will match against the filter if the Provider's version is less-than the version specified here. + + Setting to 'greater-than' has the opposite effect. + + Has no effect if a provider-version has not been specified in the filter. + + + + + + + + + + + + + Reference to the SaslServerFactory to be wrapped by this configuration. + + + + + + + When set to true all provider loaded mechanisms are disabled unless macthed by one of the filters defined here. + + When set to false all provider loaded mechanisms are enabled unless matched. + + Any mechanisms from a factory not loaded by a Provider are unaffected. + + + + + + + + + + + The type of equality check to use in a comparison. + + + + + + + + + + + + A SaslServerFactory definition that searches an array of Provider instances for all available SaslServerFactories. + + + + + + + + Reference to the Provider[] capability to obtain the array of Providers to use. + + If not specified the system registered Providers are used instead. + + + + + + + + + + + A SaslServerFactory definition that uses a ServiceLoader to search for SaslServerFactory implementations. + + + + + + + + The name of the module to use. + + If this is not specified the ClassLoader used to load the service will be used instead. + + + + + + + + + + + A reference to a SaslServerFactory + + + + + + + + + + + Complex type to contain the definitions of the various components needed + for SSL, the end result being that these components can be combined together to + create a fully defined SSLContext. + + + + + + + + + + + + + + + + + + + Container for KeyManager definitions. + + + + + + + + + + + Definition of a single KeyManager. + + + + + + + Credential to be used by the underlying KeyManager when accessing the entries in the underlying KeyStore. + + + + + + + + The unique name of this KeyManager. + + + + + + + The algorithm name to use to initialise the KeyManagerFactory. 
+ + + + + + + Reference to the KeyStore to use with the KeyManager. + + + + + + + A filter to apply to the aliases provided by KeyStore to choose key to use from keys in KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + The name of the provider to use to + instantiate the KeyManagerFactory, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required KeyManagerFactory type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + If this attribute is set and if the file that backs the KeyStore does not exist, then + a self-signed certificate will be generated on first use and it will be persisted to + the file that backs the KeyStore. The value of this attribute will be used for the + Common Name value in the self-signed certificate. + + The use of this attribute is intended for testing purposes only. This attribute is not + intended for production use. + + + + + + + + + Container for TrustManager definitions. + + + + + + + + + + + Definition of a single TrustManager. + + + + + + + + + + + The unique name of this TrustManager. + + + + + + + The algorithm name to use to initialise the TrustManagerFactory. + + + + + + + Reference to the KeyStore to use with the TrustManager. + + + + + + + A filter to apply to the aliases provided by KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + The name of the provider to use to + instantiate the TrustManagerFactory, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. 
+ + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required TrustManagerFactory type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + The maximum number of non-self-issued intermediate certificates that may exist in a certification path for OCSP and CRL checks. If neither OCSP and CRL is configured, this attribute has no effect. + + + + + + + Check revocation status only of leaf certificates. + + + + + + + Accept certificate if revocation status is unknown. + + + + + + + + + Enables certificate revocation list checks to a trust manager. + + + + + + The path to the configuration to use to initialise the provider. + + + + + + + The base path of the certificate revocation list file. + + + + + + + The maximum number of non-self-issued intermediate certificates that may exist in a certification path. + + + + + + + + + The presence of this element enables checking the peer's certificate against multiple certificate revocation lists. + + + + + + + + + + + The presence of this element enables checking the peer's certificate against a certificate revocation list. + + + + + + Path to the certificate revocation list. + + + + + + + The base path of the certificate revocation list file. + + + + + + + + + Enables online certificate status protocol checks to a trust manager. + + + + + + OCSP responder URI to override those extracted from certificate. + + + + + + + Prefer certificate revocation list revocation over OCSP if certificate-revocation-list is defined. + + + + + + + The alias for OCSP Responder certificate. Keep undefined to use the issuer of certificate being validated. + + + + + + + The keystore for responder-certificate. Keep undefined to use trust-manager keystore. Requires responder-certificate to be defined. + + + + + + + + + Container for Server SNI SSLContext definitions. 
+ + + + + + + + + + + Definitions of a single server side SNI SSLContext. + + + + + + + + + The unique name of this Server side SNI SSLContext. + + + + + + + The SSLContext to use if SNI is not in use + + + + + + + + + Definitions of a single server side SNI SSLContext. + + + + + + + The host name that this element matches. If it begins with a '*' it is considered a wildcard match. + + + + + + + The SSLContext to use if the name matches. + + + + + + + + + Container for Server SSLContext definitions. + + + + + + + + + + + Definitions of a single server side SSLContext. + + + + + + The unique name of this Server side SSLContext. + + + + + + + Reference to the SecurityDomain to use for authentication during SSL session establishment. + + + + + + + The filter to be applied to the cipher suites made available by this SSLContext. + + + + + + + The filter to be applied to the TLSv1.3 cipher suites made available by this SSLContext. + + + + + + + List of protocols supported by this SSLContext. + + + + + + + To request (but not to require) a client certificate on SSL handshake. + If a security domain is referenced and supports X509 evidence, this will be set to true automatically. + Ignored when need-client-auth is set. + + + + + + + To require a client certificate on SSL handshake. + Connection without trusted client certificate (see trust-manager) will be rejected. + + + + + + + Rejecting of the client certificate by the security domain will not prevent the connection. + Allows a fall through to use other authentication mechanisms (like form login) when the client certificate is rejected by security domain. + Has an effect only when the security domain is set. + This does not bypass the underlying trust manager check - see need-client-auth to allow connection without client certificate. + + + + + + + Configure the SSLContext to honor local cipher suites preference. + + + + + + + The maximum number of SSL sessions in the cache. 
The default value -1 means use the JVM default value. Value zero means there is no limit. + + + + + + + The timeout for SSL sessions, in seconds. The default value -1 means use the JVM default value. Value zero means there is no limit. + + + + + + + Should the resulting SSLEngine, SSLSocketFactory, and SSLSocket instances returned by this SSLContext + be wrapped to prevent further configuration changes. + + Note: The WildFly HTTP2 support requires raw access to these objects so if HTTP2 is being used this + should be set to false. + + + + + + + Reference to the KeyManager to be used by this SSLContext. + + + + + + + Reference to the TrustManager to be used by this SSLContext. + + + + + + + A principal transformer to apply before the realm is selected. + + + + + + + A principal transformer to apply after the realm is selected. + + + + + + + A final principal transformer to apply for this mechanism realm. + + + + + + + Reference to a RealmMapper to be used by this mechanism. + + + + + + + The name of the provider to use. + If not specified, all providers from providers will be passed to the SSLContext. + + + + + + + The name of the providers to obtain the Provider[] to use to load the SSLContext. + + + + + + + + + Container for client SSLContext definitions. + + + + + + + + + + + Definitions of a single client side SSLContext. + + + + + + The unique name of this client side SSLContext. + + + + + + + The filter to be applied to the cipher suites made available by this SSLContext. + + + + + + + The filter to be applied to the TLSv1.3 cipher suites made available by this SSLContext. + + + + + + + List of protocols supported by this SSLContext. + + + + + + + Reference to the KeyManager to be used by this SSLContext. + + + + + + + Reference to the TrustManagers to be used by this SSLContext. + + + + + + + The name of the provider to use. + If not specified, all providers from providers will be passed to the SSLContext. 
+ + + + + + + The name of the providers to obtain the Provider[] to use to load the SSLContext. + + + + + + + + + Container for the KeyStore definitions. + + + + + + + + + + + + + + + keystore implementation details + + + + + + The KeyStore type, e.g. jks, pkcs#12. + + + + + + + The name of the provider to use to + instantiate the KeyStore, if the provider is not + specified then the first provider found that can + create an instance of the specified 'type' will be + used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required KeyStore type. + + If this is not specified then the global list of Providers is used instead. + + + + + + + + + + An individual names KeyStore definition. + + + + + + + The credential reference to credential store or clear text (password) + to use to initialize or load the KeyStore. + + + + + + + Implementation details + + + + + + + The location of the file to use to initialise the KeyStore instance. + + + + + + + + + A filter to apply to the aliases made available by this KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + + + An individual names LdapKeyStore definition. + + + + + + + Configuration for item creation. Define how will look LDAP entry of newly created keystore item. + + + + + + + + Attribute of newly created entry. At least objectClass attribute and required + attributes (which are not part of keystore item) should be defined here. + + + + + + + The LDAP attribute name. + + + + + + + The default value(s) of LDAP attribute delimited by space. + + + + + + + + + + The LDAP path, where will be newly created keystore items created. + + + + + + + The LDAP attribute name, which will be part of new entry path. + Into value of this attribute will be passed alias of the keystore item. 
+ (Can be independent on alias-attribute - alias is used here only as initial entry name, + as it is only identification of item, which keystore has.) + + + + + + + + + Search LDAP configuration + + + + + + + The LDAP path, where will be keystore items searched. + + + + + + + If the search in search-path should be recursive. + + + + + + + The time limit for LDAP search in milliseconds. + + + + + + + The LDAP filter, which will be used to obtain keystore item by alias. + The string "{0}" will be replaced by the searched alias and the "alias_attribute" value will be the value of the attribute "alias-attribute". + + + + + + + The LDAP filter, which will be used to obtain keystore item by certificate. + The string "{0}" will be replaced by searched encoded certificate and the "certificate_attribute" will be the value of the attribute "certificate-attribute". + + + + + + + The LDAP filter, which will be used to obtain keystore item by certificate. + The "alias_attribute" will be the value of the attribute "alias-attribute". + + + + + + + + + Mapping of keystore item parts to LDAP attributes. + + + + + + + The LDAP attribute, where is item alias expected. + + + + + + + The LDAP attribute, where is encoded certificate expected. + + + + + + + The type of certificate. Used for decoding of byte array from certificate-attribute. + For possible certificate types see Java documentation of CertificateFactory. + + + + + + + The LDAP attribute, where is encoded certificate expected. + + + + + + + The encoding of CertPath, which is used to store certificate chain into certificate-chain-attribute. + For possible chain encodings see Java documentation of CertPath. + + + + + + + + The LDAP attribute, where is encoded key expected. + + + + + + + The type of key. Used for decoding of byte array from key-attribute. + For possible KeyStore types see Java documentation of KeyStore. + + + + + + + + + + The name of ldap-key-store used to referencing it. 
+ + + + + + + The name of dir-context used to connect to the LDAP server. + + + + + + + + + An individual names filtering KeyStore definition. + + + + + + + The name of key-store, which will be used as source of data. + + + + + + + A filter to apply to the aliases made available by this KeyStore. + + Can either be a comma separated list of aliases to return or one of the following formats ALL:-alias1:-alias2, NONE:+alias1:+alias2 + + + + + + + + + Container for certificate authority account definitions. + + + + + + + + + + + Definition of a single certificate authority account. + + + + + + + + + The unique name of this certificate authority account. + + + + + + + The reference to certificate authority to use. + + + + + + + A list of URLs that the certificate authority can contact about any issues related to this account. + + + + + + + + + Container for certificate authority definitions. + + + + + + + + + + + Definition of a single certificate authority. + + + + + + The unique name of this certificate authority. + + + + + + + URL of the certificate authority. + + + + + + + URL of the certificate authority to use in pre-production. + + + + + + + + + Definition of a certificate authority account key. + + + + + + + Credential to be used when accessing the certificate authority account key. + + + + + + + + Reference to the KeyStore that contains the certificate authority account key. + + + + + + + The alias of the certificate authority account key in the KeyStore. + + + + + + + + + + + Complex type to contain the definitions of the credential stores. + + + + + + + + + + + + An individual credential store definition. + + + + + + + Map of credentials store implementation specific properties. + + + + + + + + + + + + Credential to be used by as protection parameter for the Credential Store. + + + + + + + + + The credential store type, e.g. KeyStoreCredentialStore. + + + + + + + The name of the provider to use to instantiate the CredentialStoreSpi. 
+ If the provider is not specified then the first provider found that can + create an instance of the specified 'type' will be used. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required CredentialStore type. + If this is not specified then the global list of Providers is used instead. + + + + + + + The name of the providers defined within the subsystem to obtain the Providers + to search for the one that can create the required JCA objects within credential store. + This is valid only for key-store based CredentialStore. + If this is not specified then the global list of Providers is used instead. + + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + File name of credential store storage. + + Deprecated: Use "path" attribute instead. + + + + + + + File name of credential store storage. + + + + + + + Specifies whether credential store is modifiable. + + + + + + + Specifies whether credential store should create storage when it doesn't exist. + + + + + + + + + A simple credential store which stores SecretKeyCredential instances in a properties file. + + This credential store does not encrypt the stored keys, the purpose of this credential store is + to provide initial access to keys used to protect other configuration values. + + + + + + The unique name of this credential store definition. + + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The path to the credential store file. + + + + + + + Specifies whether credential store should create storage when it doesn't exist. + + + + + + + If an entry with the default-alias does not exist should one be dynamically added using the + configured key-size? + + + + + + + The default key size when generating secret keys. + + + + + + + The default alias to use if dynamically adding an entry. 
+ + + + + + + + + + + An expression resolver backed by a list of sub-expression resolvers which can be used to decrypt encrypted expressions. + + + + + + + + + The default resolver to use for expressions which do not specify the name of the resolver. + + + + + + + The prefix for expressions that should be resolved using this expression resolver. + + + + + + + + + Definition of a single expression resolver. + + + + + + The unique name of this expression resolver. + + + + + + + Reference to the credential store which contains the secret key to be used by this resolver. + + + + + + + The alias of the secret key contained within the credential store. + + + + + + + + + + + Minimal attributes required to specify the location to a file. + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The remaining path to the file referenced. + + + + + + + + + Minimal attributes required to specify the location to a file. + + + + + + A reference to a previously defined path that the file name is + relative to. + + + + + + + The remaining path to the file referenced. + + + + + + + + + A reference to a file. + + + + + + + + It is possible that a KeyStore definition can be created to a + non-existent file and the file be automatically created when the store is saved, however + no error will be reported where the file does not exist to begin with. + + If the intent is that the store will always exist in advance set + this to 'true' so that an error will be reported if the file is missing. + + + + + + + + + + The attributes required for a custom component. + + + + + + The module to use to load the custom component. + + + + + + + The fully qualified class name of the custom component implementation to + load. + + The specified class must have a public no-args constructor. + + + + + + + + + The optional configuration for a custom component. + + + + + + + + + + A list of String. + + + + + + + + A definition that sets up a policy provider. 
+ + + + + + + + + + The name of the policy provider definition. + + + + + + + + + A policy provider definition that sets up JACC and related services. + + + + + + The name of a java.security.Policy implementation referencing a policy provider. + + + + + + + The name of a javax.security.jacc.PolicyConfigurationFactory implementation referencing a policy configuration factory provider. + + + + + + + The name of the module to load the provider from. + + + + + + + + + A custom policy provider definition. + + + + + + The name of a java.security.Policy implementation referencing a policy provider. + + + + + + + The name of the module to load the provider from. + + + + + + + + + JASPI Configurations. + + + + + + + + + + + An individual JASPI configuration. + + + + + + + + + + + + + + + The name of this JASPI configuration. + + + + + + + The layer this configuration should be associated with. + + If set to '*' this configuration will be associated with all layers and resolved according the the + resolution rules defined within the JSR-196 specification. + + + + + + + The application context this configuration should be associated with. + + If set to '*' this configuration will be associated with all application contexts and resolved according the the + resolution rules defined within the JSR-196 specification. + + + + + + + Descrption for this JASPI configuration. + + + + + + + + + + + Configuration options to be passed into the ServerAuthModule during initialisation. + + + + + + + + + + + + + The fully qualified class name of the class implementing the ServerAuthModule interface. + + + + + + + The name of the module to use to load the ServerAuthModule. + + + + + + + The control flag to control how the response from this module is interpreted. + + + + + + + + + The control flag for JASPI modules. + + + + + + + + + + + + + + Allowed key sizes. + + + + + + + + + + + + + A host name verification policy. 
+ + + + + + + + + + + + Complex type for the definition of a single virtual security domain. + + + + + + + Where automatic outflow to a security domain is configured, if outflowing + the current identity is not authorized should the + anonymous identity of that domain be used instead? + + Outflowing an identity replaces any previously + established identity for the outflow domain for the + ongoing call, outflowing anonymous has the effect of + clearing the identity. + + + + + + + A list of references to security domains that any identity established for this + virtual domain should automatically outflow to. + + + + + + + The authentication mechanism that will be used with the virtual security domain. + Allowed values: 'OIDC', 'MP-JWT'. + The default value is 'OIDC'. + + + + + + + + + + Container for client dynamic SSL context definitions. + + + + + + + + + + + Definitions of a single client side dynamic SSL context. This context chooses SSL context based on peer's host and port information. + + + + + + The unique name of this client side dynamic SSL context. + + + + + + + The authentication context that will be used to query for rules when deciding which ssl context to use when connecting to a peer. + + + + + +