root / gss / jboss / deploy / jbossweb.sar / server.xml @ 8270b533
History | View | Annotate | Download (7.8 kB)
| 1 |
<Server>
|
|---|---|
| 2 |
|
| 3 |
<!-- Optional listener which ensures correct init and shutdown of APR,
|
| 4 |
and provides information if it is not installed -->
|
| 5 |
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> |
| 6 |
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
|
| 7 |
<Listener className="org.apache.catalina.core.JasperListener" /> |
| 8 |
|
| 9 |
<Service name="jboss.web"> |
| 10 |
|
| 11 |
<!-- A HTTP/1.1 Connector on port 8080 -->
|
| 12 |
<Connector protocol="HTTP/1.1" port="8080" address="${jboss.bind.address}" |
| 13 |
connectionTimeout="20000" redirectPort="8443" URIEncoding="UTF-8"/> |
| 14 |
|
| 15 |
<!-- Add this option to the connector to avoid problems with
|
| 16 |
.NET clients that don't implement HTTP/1.1 correctly
|
| 17 |
restrictedUserAgents="^.*MS Web Services Client Protocol 1.1.4322.*$"
|
| 18 |
-->
|
| 19 |
|
| 20 |
<!-- A AJP 1.3 Connector on port 8009 -->
|
| 21 |
<!-- The recommended value of maxThreads is 200 per CPU -->
|
| 22 |
<Connector protocol="AJP/1.3" port="8009" address="${jboss.bind.address}" |
| 23 |
maxThreads="200" connectionTimeout="600000" redirectPort="8443" URIEncoding="UTF-8"/> |
| 24 |
|
| 25 |
<!-- SSL/TLS Connector configuration using the admin devl guide keystore
|
| 26 |
<Connector protocol="HTTP/1.1" SSLEnabled="true"
|
| 27 |
port="8443" address="${jboss.bind.address}"
|
| 28 |
scheme="https" secure="true" clientAuth="false"
|
| 29 |
keystoreFile="${jboss.server.home.dir}/conf/chap8.keystore"
|
| 30 |
keystorePass="rmi+ssl" sslProtocol = "TLS" />
|
| 31 |
-->
|
| 32 |
|
| 33 |
<Engine name="jboss.web" defaultHost="localhost"> |
| 34 |
|
| 35 |
<!-- The JAAS based authentication and authorization realm implementation
|
| 36 |
that is compatible with the jboss 3.2.x realm implementation.
|
| 37 |
- certificatePrincipal : the class name of the
|
| 38 |
org.jboss.security.auth.certs.CertificatePrincipal impl
|
| 39 |
used for mapping X509[] cert chains to a Princpal.
|
| 40 |
- allRolesMode : how to handle an auth-constraint with a role-name=*,
|
| 41 |
one of strict, authOnly, strictAuthOnly
|
| 42 |
+ strict = Use the strict servlet spec interpretation which requires
|
| 43 |
that the user have one of the web-app/security-role/role-name
|
| 44 |
+ authOnly = Allow any authenticated user
|
| 45 |
+ strictAuthOnly = Allow any authenticated user only if there are no
|
| 46 |
web-app/security-roles
|
| 47 |
-->
|
| 48 |
<Realm className="org.jboss.web.tomcat.security.JBossWebRealm" |
| 49 |
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping" |
| 50 |
allRolesMode="authOnly" |
| 51 |
/>
|
| 52 |
<!-- A subclass of JBossSecurityMgrRealm that uses the authentication
|
| 53 |
behavior of JBossSecurityMgrRealm, but overrides the authorization
|
| 54 |
checks to use JACC permissions with the current java.security.Policy
|
| 55 |
to determine authorized access.
|
| 56 |
- allRolesMode : how to handle an auth-constraint with a role-name=*,
|
| 57 |
one of strict, authOnly, strictAuthOnly
|
| 58 |
+ strict = Use the strict servlet spec interpretation which requires
|
| 59 |
that the user have one of the web-app/security-role/role-name
|
| 60 |
+ authOnly = Allow any authenticated user
|
| 61 |
+ strictAuthOnly = Allow any authenticated user only if there are no
|
| 62 |
web-app/security-roles
|
| 63 |
<Realm className="org.jboss.web.tomcat.security.JaccAuthorizationRealm"
|
| 64 |
certificatePrincipal="org.jboss.security.auth.certs.SubjectDNMapping"
|
| 65 |
allRolesMode="authOnly"
|
| 66 |
/>
|
| 67 |
-->
|
| 68 |
|
| 69 |
<Host name="localhost"> |
| 70 |
|
| 71 |
<!-- Uncomment to enable request dumper. This Valve "logs interesting
|
| 72 |
contents from the specified Request (before processing) and the
|
| 73 |
corresponding Response (after processing). It is especially useful
|
| 74 |
in debugging problems related to headers and cookies."
|
| 75 |
-->
|
| 76 |
<!--
|
| 77 |
<Valve className="org.apache.catalina.valves.RequestDumperValve" />
|
| 78 |
-->
|
| 79 |
|
| 80 |
<!-- Access logger -->
|
| 81 |
<!--
|
| 82 |
<Valve className="org.apache.catalina.valves.AccessLogValve"
|
| 83 |
prefix="localhost_access_log." suffix=".log"
|
| 84 |
pattern="common" directory="${jboss.server.log.dir}"
|
| 85 |
resolveHosts="false" />
|
| 86 |
-->
|
| 87 |
|
| 88 |
<!-- Uncomment to enable single sign-on across web apps
|
| 89 |
deployed to this host. Does not provide SSO across a cluster.
|
| 90 |
|
| 91 |
If this valve is used, do not use the JBoss ClusteredSingleSignOn
|
| 92 |
valve shown below.
|
| 93 |
|
| 94 |
A new configuration attribute is available beginning with
|
| 95 |
release 4.0.4:
|
| 96 |
|
| 97 |
cookieDomain configures the domain to which the SSO cookie
|
| 98 |
will be scoped (i.e. the set of hosts to
|
| 99 |
which the cookie will be presented). By default
|
| 100 |
the cookie is scoped to "/", meaning the host
|
| 101 |
that presented it. Set cookieDomain to a
|
| 102 |
wider domain (e.g. "xyz.com") to allow an SSO
|
| 103 |
to span more than one hostname.
|
| 104 |
-->
|
| 105 |
<!--
|
| 106 |
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
| 107 |
-->
|
| 108 |
|
| 109 |
<!-- Uncomment to enable single sign-on across web apps
|
| 110 |
deployed to this host AND to all other hosts in the cluster.
|
| 111 |
|
| 112 |
If this valve is used, do not use the standard Tomcat SingleSignOn
|
| 113 |
valve shown above.
|
| 114 |
|
| 115 |
Valve uses a JBossCache instance to support SSO credential
|
| 116 |
caching and replication across the cluster. The JBossCache
|
| 117 |
instance must be configured separately. See the
|
| 118 |
"jboss-web-clusteredsso-beans.xml" file in the
|
| 119 |
server/all/deploy directory for cache configuration details.
|
| 120 |
|
| 121 |
Besides the attributes supported by the standard Tomcat
|
| 122 |
SingleSignOn valve (see the Tomcat docs), this version also
|
| 123 |
supports the following attributes:
|
| 124 |
|
| 125 |
cookieDomain see above
|
| 126 |
|
| 127 |
treeCacheName JMX ObjectName of the JBossCache MBean used to
|
| 128 |
support credential caching and replication across
|
| 129 |
the cluster. If not set, the default value is
|
| 130 |
"jboss.cache:service=ClusteredSSOCache"
|
| 131 |
|
| 132 |
maxEmptyLife The maximum number of seconds an SSO with no
|
| 133 |
active sessions will be usable by a request
|
| 134 |
|
| 135 |
processExpiresInterval The minimum number of seconds between
|
| 136 |
efforts by the valve to find and invalidate
|
| 137 |
SSO's that have exceeded their 'maxEmptyLife'.
|
| 138 |
Does not imply effort will be spent on such
|
| 139 |
cleanup every 'processExpiresInterval'.
|
| 140 |
-->
|
| 141 |
<!--
|
| 142 |
<Valve className="org.jboss.web.tomcat.service.sso.ClusteredSingleSignOn" />
|
| 143 |
-->
|
| 144 |
|
| 145 |
<!-- Check for unclosed connections and transaction terminated checks
|
| 146 |
in servlets/jsps.
|
| 147 |
|
| 148 |
Important: The dependency on the CachedConnectionManager
|
| 149 |
in META-INF/jboss-service.xml must be uncommented, too
|
| 150 |
-->
|
| 151 |
|
| 152 |
<Valve className="org.jboss.web.tomcat.service.jca.CachedConnectionValve" |
| 153 |
cachedConnectionManagerObjectName="jboss.jca:service=CachedConnectionManager" |
| 154 |
transactionManagerObjectName="jboss:service=TransactionManager" /> |
| 155 |
|
| 156 |
</Host>
|
| 157 |
|
| 158 |
</Engine>
|
| 159 |
|
| 160 |
</Service>
|
| 161 |
|
| 162 |
</Server>
|