infinispan-server-ldap-authz.xml
<?xml version="1.0" encoding="UTF-8"?><server xmlns="urn:jboss:domain:5.0"> | |
<extensions>
  <!-- Modules that provide the subsystems configured under <profile> below. -->
  <extension module="org.infinispan.extension"/>
  <extension module="org.infinispan.server.endpoint"/>
  <extension module="org.jboss.as.connector"/>
  <extension module="org.jboss.as.deployment-scanner"/>
  <extension module="org.jboss.as.jdr"/>
  <extension module="org.jboss.as.jmx"/>
  <extension module="org.jboss.as.logging"/>
  <extension module="org.jboss.as.naming"/>
  <extension module="org.jboss.as.remoting"/>
  <extension module="org.jboss.as.security"/>
  <extension module="org.jboss.as.transactions"/>
  <extension module="org.jgroups.extension"/>
  <extension module="org.wildfly.extension.elytron"/>
  <extension module="org.wildfly.extension.io"/>
</extensions>
<system-properties>
  <!-- Kerberos client configuration consumed by the GSSAPI Hot Rod mechanism and
       the "hotrod-service" Kerberos login module further down in this file. -->
  <property name="java.security.krb5.conf" value="${jboss.server.config.dir}/krb5.conf"/>
  <!-- NOTE(review): krb5 debug output is verbose and goes to the server log;
       keep it enabled only while troubleshooting the Kerberos handshake. -->
  <property name="java.security.krb5.debug" value="true"/>
  <property name="jboss.security.disable.secdomain.option" value="true"/>
</system-properties>
<management>
  <outbound-connections>
    <!-- Bind connection used by LdapRealm for group lookups.
         NOTE(review): the bind DN and its credential are stored in clear text
         here; a credential-store / vault reference keeps the secret out of the
         config file and out of any copies of it. -->
    <ldap name="ldap_connection"
          url="ldap://localhost:10389"
          search-dn="uid=admin,ou=People,dc=infinispan,dc=org"
          search-credential="strongPassword"/>
  </outbound-connections>
  <security-realms>
    <!-- Authentication comes from a local properties file; only the
         authorization step (group membership -> roles) is taken from LDAP. -->
    <security-realm name="LdapRealm">
      <authentication>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
      <authorization>
        <ldap connection="ldap_connection">
          <!-- Resolve the authenticated username to its entry DN by searching
               on "uid" under ou=People; force="false" presumably skips the
               lookup when a DN is already known from authentication — verify. -->
          <username-to-dn force="false">
            <username-filter recursive="true"
                             base-dn="ou=People,dc=infinispan,dc=org"
                             attribute="uid"
                             user-dn-attribute="dn"/>
          </username-to-dn>
          <!-- Groups are entries under ou=Roles whose "member" attribute lists
               the user's DN; the group's "cn" becomes the group name. -->
          <group-search group-dn-attribute="dn" group-name-attribute="cn">
            <group-to-principal recursive="true"
                                base-dn="ou=Roles,dc=infinispan,dc=org"
                                search-by="DISTINGUISHED_NAME">
              <membership-filter principal-attribute="member"/>
            </group-to-principal>
          </group-search>
        </ldap>
      </authorization>
    </security-realm>
    <security-realm name="ManagementRealm">
      <authentication>
        <!-- Local (same-host) callers authenticate as "$local" without a password. -->
        <local default-user="$local"/>
        <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
      <authorization map-groups-to-roles="false">
        <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
      </authorization>
    </security-realm>
    <security-realm name="ApplicationRealm">
      <server-identities>
        <ssl>
          <!-- NOTE(review): a self-signed certificate for "localhost" and the
               password "password" on both keystore and key are fine for a local
               test setup only; replace both before exposing the endpoints. -->
          <keystore path="application.keystore"
                    relative-to="jboss.server.config.dir"
                    keystore-password="password"
                    alias="server"
                    key-password="password"
                    generate-self-signed-certificate-host="localhost"/>
        </ssl>
      </server-identities>
      <authentication>
        <!-- allowed-users="*" lets any local OS user use the local mechanism. -->
        <local default-user="$local" allowed-users="*"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
      </authentication>
      <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
      </authorization>
    </security-realm>
  </security-realms>
  <audit-log>
    <formatters>
      <json-formatter name="json-formatter"/>
    </formatters>
    <handlers>
      <file-handler name="file"
                    formatter="json-formatter"
                    relative-to="jboss.server.data.dir"
                    path="audit-log.log"/>
    </handlers>
    <!-- NOTE(review): management-operation audit logging is switched off
         (enabled="false"); the JSON file handler above is defined but unused
         until this is enabled. -->
    <logger log-boot="true" enabled="false">
      <handlers>
        <handler name="file"/>
      </handlers>
    </logger>
  </audit-log>
  <management-interfaces>
    <!-- Plain HTTP management on the "management" interface (127.0.0.1 by
         default, see <interfaces>); no HTTPS socket binding is referenced. -->
    <http-interface security-realm="ManagementRealm">
      <http-upgrade enabled="true"/>
      <socket-binding http="management-http"/>
    </http-interface>
  </management-interfaces>
  <access-control>
    <role-mapping>
      <!-- The local "$local" identity gets unrestricted management access. -->
      <role name="SuperUser">
        <include>
          <user name="$local"/>
        </include>
      </role>
    </role-mapping>
  </access-control>
</management>
<profile> | |
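<subsystem xmlns="urn:jboss:domain:logging:3.0">
  <!-- Console output using the colourised pattern. -->
  <console-handler name="CONSOLE">
    <level name="INFO"/>
    <formatter>
      <named-formatter name="COLOR-PATTERN"/>
    </formatter>
  </console-handler>
  <!-- Main server log, rotated daily (date suffix appended to the file name). -->
  <periodic-rotating-file-handler name="FILE" autoflush="true">
    <formatter>
      <named-formatter name="PATTERN"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="server.log"/>
    <suffix value=".yyyy-MM-dd"/>
    <append value="true"/>
  </periodic-rotating-file-handler>
  <!-- Hot Rod access log: 10M segments, at most 10 backups kept. -->
  <size-rotating-file-handler name="HR-ACCESS-FILE" autoflush="true">
    <formatter>
      <named-formatter name="ACCESS-LOG"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="hotrod-access.log"/>
    <append value="true"/>
    <rotate-size value="10M"/>
    <max-backup-index value="10"/>
  </size-rotating-file-handler>
  <!-- REST access log, same rotation policy as the Hot Rod one. -->
  <size-rotating-file-handler name="REST-ACCESS-FILE" autoflush="true">
    <formatter>
      <named-formatter name="ACCESS-LOG"/>
    </formatter>
    <file relative-to="jboss.server.log.dir" path="rest-access.log"/>
    <append value="true"/>
    <rotate-size value="10M"/>
    <max-backup-index value="10"/>
  </size-rotating-file-handler>
  <logger category="com.arjuna">
    <level name="WARN"/>
  </logger>
  <logger category="org.jboss.as.config">
    <level name="DEBUG"/>
  </logger>
  <logger category="sun.rmi">
    <level name="WARN"/>
  </logger>
  <!-- Access loggers write only to their dedicated file handlers
       (use-parent-handlers="false"), never to the console or server.log. -->
  <logger category="org.infinispan.HOTROD_ACCESS_LOG" use-parent-handlers="false">
    <!-- Set to TRACE to enable access logging for hot rod or use DMR -->
    <level name="INFO"/>
    <handlers>
      <handler name="HR-ACCESS-FILE"/>
    </handlers>
  </logger>
  <logger category="org.infinispan.REST_ACCESS_LOG" use-parent-handlers="false">
    <!-- Set to TRACE to enable access logging for rest or use DMR -->
    <level name="INFO"/>
    <handlers>
      <handler name="REST-ACCESS-FILE"/>
    </handlers>
  </logger>
  <root-logger>
    <level name="INFO"/>
    <handlers>
      <handler name="CONSOLE"/>
      <handler name="FILE"/>
    </handlers>
  </root-logger>
  <formatter name="PATTERN">
    <pattern-formatter pattern="%d{yyyy-MM-dd HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
  </formatter>
  <formatter name="COLOR-PATTERN">
    <pattern-formatter pattern="%K{level}%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%e%n"/>
  </formatter>
  <formatter name="ACCESS-LOG">
    <!-- The quotes around the request line are written as &quot; entities: a
         literal " inside a double-quoted attribute value is not well-formed
         XML and the server would refuse to parse the file. -->
    <pattern-formatter pattern="%X{address} %X{user} [%d{dd/MMM/yyyy:HH:mm:ss z}] &quot;%X{method} %m %X{protocol}&quot; %X{status} %X{requestSize} %X{responseSize} %X{duration}%n"/>
  </formatter>
</subsystem>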
<subsystem xmlns="urn:jboss:domain:deployment-scanner:2.0">
  <!-- Polls the "deployments" directory every 5000 ms; rollback on runtime
       failure is controlled by a system property and defaults to false. -->
  <deployment-scanner path="deployments"
                      relative-to="jboss.server.base.dir"
                      scan-interval="5000"
                      runtime-failure-causes-rollback="${jboss.deployment.scanner.rollback.on.failure:false}"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:datasources:5.0">
  <datasources>
    <!-- Example in-memory H2 datasource. NOTE(review): the "sa"/"sa" credentials
         are stored in clear text; acceptable for an in-memory test database
         only — use a credential reference for any real backend. -->
    <datasource jndi-name="java:jboss/datasources/ExampleDS"
                pool-name="ExampleDS"
                enabled="true"
                use-java-context="true">
      <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1;DB_CLOSE_ON_EXIT=FALSE</connection-url>
      <driver>h2</driver>
      <security>
        <user-name>sa</user-name>
        <password>sa</password>
      </security>
    </datasource>
    <drivers>
      <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
      </driver>
    </drivers>
  </datasources>
</subsystem>
<subsystem xmlns="urn:wildfly:elytron:1.2"
           final-providers="combined-providers"
           disallowed-providers="OracleUcrypto">
  <providers>
    <!-- Elytron's own providers first, OpenSSL second. -->
    <aggregate-providers name="combined-providers">
      <providers name="elytron"/>
      <providers name="openssl"/>
    </aggregate-providers>
    <provider-loader name="elytron" module="org.wildfly.security.elytron"/>
    <provider-loader name="openssl" module="org.wildfly.openssl"/>
  </providers>
  <audit-logging>
    <!-- Elytron security-event audit trail, JSON lines in the log directory. -->
    <file-audit-log name="local-audit" path="audit.log" relative-to="jboss.server.log.dir" format="JSON"/>
  </audit-logging>
  <security-domains>
    <security-domain name="ApplicationDomain"
                     default-realm="ApplicationRealm"
                     permission-mapper="default-permission-mapper">
      <realm name="ApplicationRealm" role-decoder="groups-to-roles"/>
      <realm name="local"/>
    </security-domain>
    <security-domain name="ManagementDomain"
                     default-realm="ManagementRealm"
                     permission-mapper="default-permission-mapper">
      <realm name="ManagementRealm" role-decoder="groups-to-roles"/>
      <!-- Identities from the "local" realm are granted SuperUser unconditionally. -->
      <realm name="local" role-mapper="super-user-mapper"/>
    </security-domain>
  </security-domains>
  <security-realms>
    <identity-realm name="local" identity="$local"/>
    <properties-realm name="ApplicationRealm">
      <users-properties path="application-users.properties"
                        relative-to="jboss.server.config.dir"
                        digest-realm-name="ApplicationRealm"/>
      <groups-properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
    <properties-realm name="ManagementRealm">
      <users-properties path="mgmt-users.properties"
                        relative-to="jboss.server.config.dir"
                        digest-realm-name="ManagementRealm"/>
      <groups-properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
    </properties-realm>
  </security-realms>
  <mappers>
    <!-- First matching mapping wins: "anonymous" matches the first entry, which
         carries no permission, so anonymous callers never obtain LoginPermission;
         every other principal falls through to the match-all entry. -->
    <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
      <permission-mapping>
        <principal name="anonymous"/>
      </permission-mapping>
      <permission-mapping match-all="true">
        <permission class-name="org.wildfly.security.auth.permission.LoginPermission"/>
      </permission-mapping>
    </simple-permission-mapper>
    <constant-realm-mapper name="local" realm-name="local"/>
    <!-- Roles are read from the "groups" attribute of the identity. -->
    <simple-role-decoder name="groups-to-roles" attribute="groups"/>
    <constant-role-mapper name="super-user-mapper">
      <role name="SuperUser"/>
    </constant-role-mapper>
  </mappers>
  <http>
    <http-authentication-factory name="management-http-authentication"
                                 http-server-mechanism-factory="global"
                                 security-domain="ManagementDomain">
      <mechanism-configuration>
        <mechanism mechanism-name="DIGEST">
          <mechanism-realm realm-name="ManagementRealm"/>
        </mechanism>
      </mechanism-configuration>
    </http-authentication-factory>
    <http-authentication-factory name="application-http-authentication"
                                 http-server-mechanism-factory="global"
                                 security-domain="ApplicationDomain">
      <mechanism-configuration>
        <!-- "Application Realm" (with a space) is the realm string presented to
             BASIC clients; it is a display name, not the realm id above. -->
        <mechanism mechanism-name="BASIC">
          <mechanism-realm realm-name="Application Realm"/>
        </mechanism>
        <mechanism mechanism-name="FORM"/>
      </mechanism-configuration>
    </http-authentication-factory>
    <provider-http-server-mechanism-factory name="global"/>
  </http>
  <sasl>
    <sasl-authentication-factory name="management-sasl-authentication"
                                 sasl-server-factory="configured"
                                 security-domain="ManagementDomain">
      <mechanism-configuration>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
        <mechanism mechanism-name="DIGEST-MD5">
          <mechanism-realm realm-name="ManagementRealm"/>
        </mechanism>
      </mechanism-configuration>
    </sasl-authentication-factory>
    <sasl-authentication-factory name="application-sasl-authentication"
                                 sasl-server-factory="configured"
                                 security-domain="ApplicationDomain">
      <mechanism-configuration>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
        <mechanism mechanism-name="DIGEST-MD5">
          <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
      </mechanism-configuration>
    </sasl-authentication-factory>
    <configurable-sasl-server-factory name="configured" sasl-server-factory="elytron">
      <properties>
        <property name="wildfly.sasl.local-user.default-user" value="$local"/>
      </properties>
    </configurable-sasl-server-factory>
    <!-- Only mechanisms from the WildFlyElytron provider are offered. -->
    <mechanism-provider-filtering-sasl-server-factory name="elytron" sasl-server-factory="global">
      <filters>
        <filter provider-name="WildFlyElytron"/>
      </filters>
    </mechanism-provider-filtering-sasl-server-factory>
    <provider-sasl-server-factory name="global"/>
  </sasl>
</subsystem>
<subsystem xmlns="urn:infinispan:server:core:9.2">
  <cache-container name="clustered" default-cache="testcache">
    <security>
      <authorization>
        <!-- identity-role-mapper uses the caller's principal/group names as role
             names unchanged, so the LDAP group "cn" values (ou=Roles) must match
             the role names declared here exactly. -->
        <identity-role-mapper/>
        <role name="AdminIspnRole" permissions="ALL"/>
        <role name="ReaderIspnRole" permissions="READ"/>
        <role name="WriterIspnRole" permissions="WRITE"/>
        <role name="SupervisorIspnRole" permissions="READ WRITE EXEC BULK_READ"/>
      </authorization>
    </security>
    <transport lock-timeout="240000"/>
    <!-- Authorization is enforced on testcache only; the local caches below
         carry no <security> element and are therefore not access-controlled. -->
    <distributed-cache name="testcache" remote-timeout="30000">
      <security>
        <authorization enabled="true"
                       roles="AdminIspnRole ReaderIspnRole WriterIspnRole SupervisorIspnRole"/>
      </security>
    </distributed-cache>
    <!-- to get a memcached module to work, there needs to be a named cache called "memcachedCache" -->
    <local-cache name="memcachedCache" batching="false"/>
    <local-cache name="namedCache"/>
  </cache-container>
  <cache-container name="security"/>
</subsystem>
<subsystem xmlns="urn:infinispan:server:endpoint:9.2">
  <hotrod-connector socket-binding="hotrod" cache-container="clustered">
    <topology-state-transfer lazy-retrieval="false" lock-timeout="1000" replication-timeout="5000"/>
    <!-- Hot Rod clients authenticate with Kerberos (GSSAPI) against LdapRealm;
         the service identity comes from the "hotrod-service" security domain
         in the legacy security subsystem. -->
    <authentication security-realm="LdapRealm">
      <!-- NOTE(review): qop="auth" authenticates the session but does not add
           SASL integrity or confidentiality protection to Hot Rod traffic;
           "strength" including "low" is only relevant once auth-conf is used.
           Pair this with TLS on the hotrod socket if the data must be protected
           on the wire. -->
      <sasl server-context-name="hotrod-service"
            server-name="node0"
            mechanisms="GSSAPI"
            qop="auth"
            strength="high medium low">
        <policy>
          <no-anonymous value="true"/>
        </policy>
      </sasl>
    </authentication>
  </hotrod-connector>
  <!-- NOTE(review): no <authentication> element is configured on the REST
       connector, so REST requests arrive without an authenticated caller; the
       authorization enabled on testcache is expected to reject them, but the
       other caches in the container are not access-controlled — verify the
       intended exposure on port 8080 (plain HTTP). -->
  <rest-connector socket-binding="rest" cache-container="clustered">
  </rest-connector>
</subsystem>
<subsystem xmlns="urn:infinispan:server:jgroups:9.2">
  <channels default="cluster">
    <channel name="cluster"/>
  </channels>
  <!-- NOTE(review): none of the stacks below includes a JGroups AUTH or
       encryption protocol, so cluster membership and replication traffic are
       unauthenticated and in clear text; fine on an isolated test network only. -->
  <stacks default="${jboss.default.jgroups.stack:udp}">
    <!-- Multicast discovery and transport (default). -->
    <stack name="udp">
      <transport type="UDP" socket-binding="jgroups-udp"/>
      <protocol type="PING"/>
      <protocol type="MERGE3"/>
      <protocol type="FD_SOCK" socket-binding="jgroups-udp-fd"/>
      <protocol type="FD_ALL"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2"/>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS"/>
      <protocol type="UFC_NB"/>
      <protocol type="MFC_NB"/>
      <protocol type="FRAG3"/>
    </stack>
    <!-- TCP transport with multicast-based discovery (MPING). -->
    <stack name="tcp">
      <transport type="TCP" socket-binding="jgroups-tcp"/>
      <protocol type="MPING" socket-binding="jgroups-mping"/>
      <protocol type="MERGE3"/>
      <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
      <protocol type="FD_ALL"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2">
        <property name="use_mcast_xmit">false</property>
      </protocol>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS"/>
      <protocol type="MFC_NB"/>
      <protocol type="FRAG3"/>
    </stack>
    <!-- TCP transport with gossip-router discovery; initial hosts come from a
         system property and default to empty. -->
    <stack name="tcp-gossip">
      <transport type="TCP" socket-binding="jgroups-tcp"/>
      <protocol type="TCPGOSSIP">
        <property name="initial_hosts">${jgroups.gossip.initial_hosts:}</property>
      </protocol>
      <protocol type="MERGE3"/>
      <protocol type="FD_SOCK" socket-binding="jgroups-tcp-fd"/>
      <protocol type="FD_ALL"/>
      <protocol type="VERIFY_SUSPECT"/>
      <protocol type="pbcast.NAKACK2">
        <property name="use_mcast_xmit">false</property>
      </protocol>
      <protocol type="UNICAST3"/>
      <protocol type="pbcast.STABLE"/>
      <protocol type="pbcast.GMS"/>
      <protocol type="MFC_NB"/>
      <protocol type="FRAG3"/>
    </stack>
  </stacks>
</subsystem>
<subsystem xmlns="urn:jboss:domain:io:2.0">
  <!-- Default XNIO worker and buffer pool with out-of-the-box sizing. -->
  <worker name="default"/>
  <buffer-pool name="default"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:jca:5.0">
  <!-- Resource-adapter archives are validated on deploy; errors fail the
       deployment, warnings do not. -->
  <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>
  <bean-validation enabled="true"/>
  <!-- Both work-manager pools: 50 core/max threads, queue of 50, 10 s keepalive. -->
  <default-workmanager>
    <short-running-threads>
      <core-threads count="50"/>
      <queue-length count="50"/>
      <max-threads count="50"/>
      <keepalive-time time="10" unit="seconds"/>
    </short-running-threads>
    <long-running-threads>
      <core-threads count="50"/>
      <queue-length count="50"/>
      <max-threads count="50"/>
      <keepalive-time time="10" unit="seconds"/>
    </long-running-threads>
  </default-workmanager>
  <cached-connection-manager/>
</subsystem>
<!-- Diagnostic report subsystem; no settings. -->
<subsystem xmlns="urn:jboss:domain:jdr:1.0"/>
<subsystem xmlns="urn:jboss:domain:jmx:1.3">
  <expose-resolved-model/>
  <expose-expression-model/>
  <!-- Remote JMX is reachable through the remoting connector below, i.e. it is
       protected by the same ApplicationRealm as http-remoting-connector. -->
  <remoting-connector/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:naming:2.0">
  <remote-naming/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
  <endpoint/>
  <http-connector name="http-remoting-connector"
                  connector-ref="default"
                  security-realm="ApplicationRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:2.0">
  <security-domains>
    <!-- Service identity for the Hot Rod GSSAPI mechanism (referenced as
         server-context-name in the endpoint subsystem). The server logs in from
         a keytab, so no interactive prompt is possible (doNotPrompt). -->
    <security-domain name="hotrod-service" cache-type="default">
      <authentication>
        <login-module code="Kerberos" flag="required">
          <module-option name="storeKey" value="true"/>
          <module-option name="useKeyTab" value="true"/>
          <module-option name="refreshKrb5Config" value="true"/>
          <module-option name="principal" value="hotrod/node0@INFINISPAN.ORG"/>
          <!-- NOTE(review): the keytab is a long-term secret; keep it readable
               by the server process user only. -->
          <module-option name="keyTab" value="${jboss.server.config.dir}/hotrod_service.keytab"/>
          <module-option name="doNotPrompt" value="true"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="other" cache-type="default">
      <authentication>
        <!-- Remoting (optional) first, then RealmDirect (required); both share
             the first password via password-stacking. -->
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="RealmDirect" flag="required">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="jboss-web-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
    <security-domain name="jboss-ejb-policy" cache-type="default">
      <authorization>
        <policy-module code="Delegating" flag="required"/>
      </authorization>
    </security-domain>
    <!-- NOTE(review): "Dummy" JASPI modules exist for testing; nothing in this
         file references the "jaspitest" domain, so it can be dropped from a
         production profile. -->
    <security-domain name="jaspitest" cache-type="default">
      <authentication-jaspi>
        <login-module-stack name="dummy">
          <login-module code="Dummy" flag="optional"/>
        </login-module-stack>
        <auth-module code="Dummy"/>
      </authentication-jaspi>
    </security-domain>
  </security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:transactions:4.0">
  <core-environment>
    <!-- Transaction-manager node identity is a generated UUID. -->
    <process-id>
      <uuid/>
    </process-id>
  </core-environment>
  <recovery-environment socket-binding="txn-recovery-environment"
                        status-socket-binding="txn-status-manager"/>
  <object-store path="tx-object-store" relative-to="jboss.server.data.dir"/>
</subsystem>
</profile> | |
<interfaces>
  <!-- Both interfaces default to loopback; nothing is reachable from other
       hosts unless jboss.bind.address / jboss.bind.address.management are set. -->
  <interface name="management">
    <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
  </interface>
  <interface name="public">
    <inet-address value="${jboss.bind.address:127.0.0.1}"/>
  </interface>
</interfaces>
<socket-binding-group name="standard-sockets"
                      default-interface="public"
                      port-offset="${jboss.socket.binding.port-offset:0}">
  <!-- Management: HTTP only is wired up above; the HTTPS binding is declared
       but not referenced by the management interface. -->
  <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
  <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9993}"/>
  <!-- Hot Rod endpoints (only "hotrod" is used by the connector in this file). -->
  <socket-binding name="hotrod" port="11222"/>
  <socket-binding name="hotrod-internal" port="11223"/>
  <socket-binding name="hotrod-multi-tenancy" port="11224"/>
  <!-- JGroups transports and discovery. -->
  <socket-binding name="jgroups-mping"
                  port="0"
                  multicast-address="${jboss.default.multicast.address:234.99.54.14}"
                  multicast-port="45700"/>
  <socket-binding name="jgroups-tcp" port="7600"/>
  <socket-binding name="jgroups-tcp-fd" port="57600"/>
  <socket-binding name="jgroups-udp"
                  port="55200"
                  multicast-address="${jboss.default.multicast.address:234.99.54.14}"
                  multicast-port="45688"/>
  <socket-binding name="jgroups-udp-fd" port="54200"/>
  <socket-binding name="memcached" port="11211"/>
  <!-- REST: the connector above binds "rest" (plain 8080); "rest-ssl" is
       declared but unused here. -->
  <socket-binding name="rest" port="8080"/>
  <socket-binding name="rest-multi-tenancy" port="8081"/>
  <socket-binding name="rest-ssl" port="8443"/>
  <socket-binding name="txn-recovery-environment" port="4712"/>
  <socket-binding name="txn-status-manager" port="4713"/>
  <socket-binding name="websocket" port="8181"/>
  <!-- Outbound targets for remote cache stores; "remote-host" is a placeholder. -->
  <outbound-socket-binding name="remote-store-hotrod-server">
    <remote-destination host="remote-host" port="11222"/>
  </outbound-socket-binding>
  <outbound-socket-binding name="remote-store-rest-server">
    <remote-destination host="remote-host" port="8080"/>
  </outbound-socket-binding>
</socket-binding-group>
</server> |