root / gss / jboss / deploy / jbossweb.sar / server.xml @ 8270b533
<Server>

  <!-- Optional listener that takes care of APR initialisation and shutdown,
       and reports when the native library is not installed. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />

  <!-- Initialise Jasper before any web application is loaded.
       Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />

  <Service name="jboss.web">

    <!-- An HTTP/1.1 connector on port 8080. This listener is cleartext.
         The listen address is taken from ${jboss.bind.address}, so which
         interfaces are exposed is decided by that property, not by this file.
         redirectPort is the port a request is sent to when a web application
         requires a confidential transport; the only connector for 8443 in
         this file is the commented-out sample further down, so that redirect
         has no listener here until a TLS connector is enabled.
         connectionTimeout is in milliseconds. -->
    <Connector protocol="HTTP/1.1"
               port="8080"
               address="${jboss.bind.address}"
               connectionTimeout="20000"
               redirectPort="8443"
               URIEncoding="UTF-8" />

    <!-- Add this option to the connector to avoid problems with
         .NET clients that don't implement HTTP/1.1 correctly
         restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
    -->

    <!-- An AJP 1.3 connector on port 8009.
         The recommended value of maxThreads is 200 per CPU.
         connectionTimeout is in milliseconds (600000 = 10 minutes).
         NOTE(review): no authentication attribute is set on this connector,
         and AJP is meant to be spoken only by a trusted front-end web server.
         Check that ${jboss.bind.address} and the network filtering leave
         port 8009 reachable from that front end only. If nothing in front of
         this server uses AJP, the connector can be commented out. -->
    <Connector protocol="AJP/1.3"
               port="8009"
               address="${jboss.bind.address}"
               maxThreads="200"
               connectionTimeout="600000"
               redirectPort="8443"
               URIEncoding="UTF-8" />

    <!-- SSL/TLS Connector configuration using the admin devl guide keystore.
         NOTE(review): chap8.keystore and the keystorePass value below are
         sample material from that guide. Before enabling this connector,
         replace both with a keystore and password generated for this
         deployment, and restrict read access to this file because the
         password is stored in it in clear. clientAuth="false" means client
         certificates are not requested.
    <Connector protocol="HTTP/1.1" SSLEnabled="true"
               port="8443" address="${jboss.bind.address}"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
               keystorePass="rmi+ssl" sslProtocol="TLS" />
    -->

    <Engine name="jboss.web" defaultHost="localhost">

      <!-- The JAAS based authentication and authorization realm
           implementation that is compatible with the jboss 3.2.x realm
           implementation.
           - certificatePrincipal : the class name of the
             org.jboss.security.auth.certs.CertificatePrincipal impl
             used for mapping X509[] cert chains to a Principal.
           - allRolesMode : how to handle an auth-constraint with a
             role-name=*, one of strict, authOnly, strictAuthOnly
             + strict = Use the strict servlet spec interpretation which
               requires that the user have one of the
               web-app/security-role/role-name
             + authOnly = Allow any authenticated user
             + strictAuthOnly = Allow any authenticated user only if there
               are no web-app/security-roles
           NOTE(review): the value configured below is authOnly, so a
           constraint written with role-name=* is satisfied by any
           authenticated user regardless of the roles that user holds.
           Use strict where applications expect role-name=* to mean
           "one of the declared roles".
      -->
      <Realm className="org.jboss.web.tomcat.security.JBossWebRealm"
             certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
             allRolesMode="authOnly"
             />

      <!-- A subclass of JBossSecurityMgrRealm that uses the authentication
           behavior of JBossSecurityMgrRealm, but overrides the authorization
           checks to use JACC permissions with the current
           java.security.Policy to determine authorized access.
           - allRolesMode : how to handle an auth-constraint with a
             role-name=*, one of strict, authOnly, strictAuthOnly
             + strict = Use the strict servlet spec interpretation which
               requires that the user have one of the
               web-app/security-role/role-name
             + authOnly = Allow any authenticated user
             + strictAuthOnly = Allow any authenticated user only if there
               are no web-app/security-roles
      <Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
             certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
             allRolesMode="authOnly"
             />
      -->

      <Host name="localhost">

        <!-- Uncomment to enable request dumper. This Valve "logs interesting
             contents from the specified Request (before processing) and the
             corresponding Response (after processing). It is especially
             useful in debugging problems related to headers and cookies."
             NOTE(review): because headers and cookies are written to the
             log, session identifiers and credentials sent in headers end up
             there as well. Enable it only for a debugging session and treat
             the resulting log as sensitive.
        -->
        <!--
        <Valve className="org.apache.catalina.valves.RequestDumperValve" />
        -->

        <!-- Access logger. It is disabled here; unless requests are recorded
             elsewhere (for example at a front-end proxy), this host keeps no
             per-request HTTP log to consult during incident review. -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               prefix="localhost_access_log." suffix=".log"
               pattern="common" directory="${jboss.server.log.dir}"
               resolveHosts="false" />
        -->

        <!-- Uncomment to enable single sign-on across web apps
             deployed to this host. Does not provide SSO across a cluster.

             If this valve is used, do not use the JBoss ClusteredSingleSignOn
             valve shown below.

             A new configuration attribute is available beginning with
             release 4.0.4:

             cookieDomain  configures the domain to which the SSO cookie
                           will be scoped (i.e. the set of hosts to
                           which the cookie will be presented). By default
                           the cookie is scoped to "/", meaning the host
                           that presented it. Set cookieDomain to a
                           wider domain (e.g. "xyz.com") to allow an SSO
                           to span more than one hostname.
                           NOTE(review): a wider cookieDomain presents the
                           SSO cookie to every host under that domain, so
                           all of those hosts have to be trusted with it.
        -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Uncomment to enable single sign-on across web apps
             deployed to this host AND to all other hosts in the cluster.

             If this valve is used, do not use the standard Tomcat
             SingleSignOn valve shown above.

             Valve uses a JBossCache instance to support SSO credential
             caching and replication across the cluster. The JBossCache
             instance must be configured separately. See the
             "jboss-web-clusteredsso-beans.xml" file in the
             server/all/deploy directory for cache configuration details.
             NOTE(review): since credentials are cached and replicated,
             review how that cache's replication traffic is protected when
             configuring it.

             Besides the attributes supported by the standard Tomcat
             SingleSignOn valve (see the Tomcat docs), this version also
             supports the following attributes:

             cookieDomain   see above

             treeCacheName  JMX ObjectName of the JBossCache MBean used to
                            support credential caching and replication across
                            the cluster. If not set, the default value is
                            "jboss.cache:service=ClusteredSSOCache"

             maxEmptyLife   The maximum number of seconds an SSO with no
                            active sessions will be usable by a request

             processExpiresInterval  The minimum number of seconds between
                            efforts by the valve to find and invalidate
                            SSO's that have exceeded their 'maxEmptyLife'.
                            Does not imply effort will be spent on such
                            cleanup every 'processExpiresInterval'.
        -->
        <!--
        <Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
        -->

        <!-- Check for unclosed connections and transaction terminated checks
             in servlets/jsps.

             Important: The dependency on the CachedConnectionManager
             in META-INF/jboss-service.xml must be uncommented, too
        -->

        <Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve"
               cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager"
               transactionManagerObjectName="jboss:service=TransactionManager" />

      </Host>

    </Engine>

  </Service>

</Server>