NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator's Guide
Security Considerations
NonStop Servlets for JavaServer Pages (NSJSP) 6.1 System Administrator’s Guide—596210-006
Realms
Connecting to the Directory
The connectionURL configuration attribute in the JNDIRealm defines the Realm’s
connection to the directory server, and the JNDI provider defines the format of this
URL. Usually, an LDAP URL specifies the domain name of the directory server to
connect to, and optionally the port number and distinguished name (DN) of the required
root naming context.
The alternateURL configuration attribute can be used in case of multiple providers,
so that if a socket connection cannot be established to the provider on the connection
URL, the alternateURL can be used.
When making a connection, the Realm authenticates itself to the directory with the
username and password specified by the connectionName and connectionPassword
properties so that it can search the directory and retrieve user and role information.
If these properties are not specified, the connection is anonymous.
Selecting the Directory Entry for the User
Each user that can be authenticated must be represented in the directory by an
individual entry. This entry corresponds to an element in the initial DirContext
defined by the connectionURL attribute. The user entry must have an attribute
containing the username that is presented for authentication.
Often the distinguished name of the user's entry contains the username presented for
authentication but is otherwise the same for all users. In this case, the userPattern
attribute can be used to specify the DN with a {0} marking where the username must
be substituted.
Otherwise, the JNDIRealm must search the directory to find a unique entry containing
the username. You can configure the following attributes to search for the username:
userBase - Specifies the entry that is the base of the subtree containing users. If
not specified, the search base is the top-level context.
userSubtree - Specifies the search scope. Set this attribute to true to search the
entire subtree rooted at the userBase entry. Set this attribute to false to perform
a single-level search that includes only the top level.
userSearch - Specifies the pattern for the LDAP search filter that is used after the
username is substituted.
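The connection and user-lookup attributes described in the two sections above, combined in an added example (not NSJSP code and not part of the guide): it parses a Tomcat-style Realm element and reports which URLs are tried, whether the directory connection is anonymous, and the DN or search that locates the user. The hosts, DNs, className value, RFC 4514/4515 escaping and the false default for userSubtree are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample realms: hosts, DNs and the password are placeholders.
PATTERN_REALM = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ldap1.example.com:389"
    alternateURL="ldap://ldap2.example.com:389"
    userPattern="uid={0},ou=people,dc=example,dc=com"/>'''
SEARCH_REALM = '''<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ldap1.example.com:389"
    connectionName="cn=realm-reader,dc=example,dc=com"
    connectionPassword="PLACEHOLDER"
    userBase="ou=people,dc=example,dc=com"
    userSubtree="true"
    userSearch="(mail={0})"/>'''

def escape_filter_value(v):
    """Escape a value for an LDAP search filter (RFC 4515; example's choice)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in v)

def escape_dn_value(v):
    """Escape a value placed inside a DN (RFC 4514; example's choice)."""
    out = []
    for i, c in enumerate(v):
        edge = (i == 0 and c in " #") or (i == len(v) - 1 and c == " ")
        out.append("\\" + c if c in ',+"\\<>;=' or edge else c)
    return "".join(out)

def plan_lookup(realm_xml, username):
    """Describe how the configured realm connects and locates the user entry."""
    a = ET.fromstring(realm_xml).attrib
    plan = {
        # alternateURL is only tried when connectionURL cannot be reached.
        "urls": [u for u in (a.get("connectionURL"), a.get("alternateURL")) if u],
        # No connectionName means the realm connects anonymously.
        "bind": a.get("connectionName", "anonymous"),
    }
    if "userPattern" in a:
        # Fixed DN layout: the entry is named directly, no search is needed.
        dn = a["userPattern"].replace("{0}", escape_dn_value(username))
        plan["lookup"] = ("pattern", dn)
    else:
        plan["lookup"] = (
            "search",
            a.get("userBase", ""),  # empty base = top-level context
            # Assumed default when userSubtree is absent: single-level search.
            "subtree" if a.get("userSubtree", "false") == "true" else "onelevel",
            a["userSearch"].replace("{0}", escape_filter_value(username)),
        )
    return plan
```

Running plan_lookup over each Realm element in a deployed configuration gives a quick inventory of realms that connect anonymously or search from the top-level context.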
Authenticating the User in a JNDIRealm Configuration
The user can be authenticated using the following methods depending on the
JNDIRealm configuration:
Bind Mode










