Gitiles
Code Review Sign In
source.supwisdom.com / UniIdentify / tomcat / 7189829bb2c240044551576d8e7a5404b9798f64 / . / tomcat-cas / webapps / docs / config / realm.html
blob: 64ca7672ae2e54aea157e5490ccb5f359e9c9bf1 [file] [log] [blame]
Hongqing Liu71898292014-10-15 13:31:32 +0800[diff] [blame^]1<html><head><META http-equiv="Content-Type" content="text/html; charset=iso-8859-1"><title>Apache Tomcat Configuration Reference (6.0.41) - The Realm Component</title><meta name="author" content="Craig R. McClanahan"><style type="text/css" media="print">
Hongqing Liufd5ee812014-05-10 16:32:51 +0800[diff] [blame]2 .noPrint {display: none;}
3 td#mainBody {width: 100%;}
4 </style></head><body bgcolor="#ffffff" text="#000000" link="#525D76" alink="#525D76" vlink="#525D76"><table border="0" width="100%" cellspacing="0"><!--PAGE HEADER--><tr><td><!--PROJECT LOGO--><a href="http://tomcat.apache.org/"><img src="../images/tomcat.gif" align="right" alt="
5 The Apache Tomcat Servlet/JSP Container
Hongqing Liu71898292014-10-15 13:31:32 +0800[diff] [blame^]6 " border="0"></a></td><td><h1><font face="arial,helvetica,sanserif">Apache Tomcat 6.0</font></h1><font face="arial,helvetica,sanserif">Version 6.0.41, May 19 2014</font></td><td><!--APACHE LOGO--><a href="http://www.apache.org/"><img src="../images/asf-logo.gif" align="right" alt="Apache Logo" border="0"></a></td></tr></table><table border="0" width="100%" cellspacing="4"><!--HEADER SEPARATOR--><tr><td colspan="2"><hr noshade="noshade" size="1"></td></tr><tr><!--LEFT SIDE NAVIGATION--><td width="20%" valign="top" nowrap="nowrap" class="noPrint"><p><strong>Links</strong></p><ul><li><a href="../index.html">Docs Home</a></li><li><a href="index.html">Config Ref. Home</a></li></ul><p><strong>Top Level Elements</strong></p><ul><li><a href="server.html">Server</a></li><li><a href="service.html">Service</a></li></ul><p><strong>Executors</strong></p><ul><li><a href="executor.html">Executor</a></li></ul><p><strong>Connectors</strong></p><ul><li><a href="http.html">HTTP</a></li><li><a href="ajp.html">AJP</a></li></ul><p><strong>Containers</strong></p><ul><li><a href="context.html">Context</a></li><li><a href="engine.html">Engine</a></li><li><a href="host.html">Host</a></li><li><a href="cluster.html">Cluster</a></li></ul><p><strong>Nested Components</strong></p><ul><li><a href="globalresources.html">Global Resources</a></li><li><a href="listeners.html">Listeners</a></li><li><a href="loader.html">Loader</a></li><li><a href="manager.html">Manager</a></li><li><a href="realm.html">Realm</a></li><li><a href="resources.html">Resources</a></li><li><a href="valve.html">Valve</a></li></ul><p><strong>Cluster Elements</strong></p><ul><li><a href="cluster.html">Cluster</a></li><li><a href="cluster-manager.html">Manager</a></li><li><a href="cluster-channel.html">Channel</a></li><li><a href="cluster-membership.html">Channel/Membership</a></li><li><a href="cluster-sender.html">Channel/Sender</a></li><li><a href="cluster-receiver.html">Channel/Receiver</a></li><li><a href="cluster-interceptor.html">Channel/Interceptor</a></li><li><a href="cluster-valve.html">Valve</a></li><li><a href="cluster-deployer.html">Deployer</a></li><li><a href="cluster-listener.html">ClusterListener</a></li></ul><p><strong>web.xml</strong></p><ul><li><a href="filter.html">Filter</a></li></ul><p><strong>Other</strong></p><ul><li><a href="systemprops.html">System properties</a></li></ul></td><!--RIGHT SIDE MAIN BODY--><td width="80%" valign="top" align="left" id="mainBody"><h1>Apache Tomcat Configuration Reference</h1><h2>The Realm Component</h2><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Table of Contents"><!--()--></a><a name="Table_of_Contents"><strong>Table of Contents</strong></a></font></td></tr><tr><td><blockquote>
Hongqing Liufd5ee812014-05-10 16:32:51 +0800[diff] [blame]7<ul><li><a href="#Introduction">Introduction</a></li><li><a href="#Attributes">Attributes</a><ol><li><a href="#Common_Attributes">Common Attributes</a></li><li><a href="#JDBC_Database_Realm_-_org.apache.catalina.realm.JDBCRealm">JDBC Database Realm - org.apache.catalina.realm.JDBCRealm</a></li><li><a href="#DataSource_Database_Realm_-_org.apache.catalina.realm.DataSourceRealm">DataSource Database Realm - org.apache.catalina.realm.DataSourceRealm</a></li><li><a href="#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm">JNDI Directory Realm - org.apache.catalina.realm.JNDIRealm</a></li><li><a href="#UserDatabase_Realm_-_org.apache.catalina.realm.UserDatabaseRealm">UserDatabase Realm - org.apache.catalina.realm.UserDatabaseRealm</a></li><li><a href="#Memory_Based_Realm_-_org.apache.catalina.realm.MemoryRealm">Memory Based Realm - org.apache.catalina.realm.MemoryRealm</a></li><li><a href="#JAAS_Realm_-_org.apache.catalina.realm.JAASRealm">JAAS Realm - org.apache.catalina.realm.JAASRealm</a></li><li><a href="#Combined_Realm_-_org.apache.catalina.realm.CombinedRealm">Combined Realm - org.apache.catalina.realm.CombinedRealm</a></li><li><a href="#LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm">LockOut Realm - org.apache.catalina.realm.LockOutRealm</a></li></ol></li><li><a href="#Nested_Components">Nested Components</a></li><li><a href="#Special_Features">Special Features</a></li></ul>
8</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Introduction"><strong>Introduction</strong></a></font></td></tr><tr><td><blockquote>
9
10 <p>A <strong>Realm</strong> element represents a "database" of usernames,
11 passwords, and <em>roles</em> (similar to Unix <em>groups</em>) assigned
12 to those users. Different implementations of Realm allow Catalina to be
13 integrated into environments where such authentication information is already
14 being created and maintained, and then utilize that information to implement
15 <em>Container Managed Security</em> as described in the Servlet
16 Specification.</p>
17
18 <p>You may nest a Realm inside any Catalina container
19 <a href="engine.html">Engine</a>, <a href="host.html">Host</a>, or
20 <a href="context.html">Context</a>). In addition, Realms associated with
21 an Engine or a Host are automatically inherited by lower-level
22 containers, unless explicitly overridden.</p>
23
24 <p>For more in-depth information about container managed security in web
25 applications, as well as more information on configuring and using the
26 standard realm component implementations, please see the
27 <a href="../realm-howto.html">Container-Managed Security Guide</a>.
28 </p>
29
30 <blockquote><em>
31 <p>The description below uses the variable name $CATALINA_BASE to refer the
32 base directory against which most relative paths are resolved. If you have
33 not configured Tomcat 6 for multiple instances by setting a CATALINA_BASE
34 directory, then $CATALINA_BASE will be set to the value of $CATALINA_HOME,
35 the directory into which you have installed Tomcat 6.</p>
36 </em></blockquote>
37
38</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Attributes"><strong>Attributes</strong></a></font></td></tr><tr><td><blockquote>
39
40 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Common Attributes"><!--()--></a><a name="Common_Attributes"><strong>Common Attributes</strong></a></font></td></tr><tr><td><blockquote>
41
42 <p>All implementations of <strong>Realm</strong>
43 support the following attributes:</p>
44
45 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><strong><code>className</code></strong></td><td align="left" valign="center">
46 <p>Java class name of the implementation to use. This class must
47 implement the <code>org.apache.catalina.Realm</code> interface.</p>
48 </td></tr></table>
49
50 <p>Unlike most Catalina components, there are several standard
51 <strong>Realm</strong> implementations available. As a result,
52 the <code>className</code> attribute MUST be used to select the
53 implementation you wish to use.</p>
54
55 </blockquote></td></tr></table>
56
57
58 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="JDBC Database Realm - org.apache.catalina.realm.JDBCRealm"><!--()--></a><a name="JDBC_Database_Realm_-_org.apache.catalina.realm.JDBCRealm"><strong>JDBC Database Realm - org.apache.catalina.realm.JDBCRealm</strong></a></font></td></tr><tr><td><blockquote>
59
60 <p>The <strong>JDBC Database Realm</strong> connects Catalina to
61 a relational database, accessed through an appropriate JDBC driver,
62 to perform lookups of usernames, passwords, and their associated
63 roles. Because the lookup is done each time that it is required,
64 changes to the database will be immediately reflected in the
65 information used to authenticate new logins.</p>
66
67 <p>A rich set of additional attributes lets you configure the required
68 connection to the underlying database, as well as the table and
69 column names used to retrieve the required information:</p>
70
71 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
72 <p>This attribute controls how the special role name <code>*</code> is
73 handled when processing authorization constraints in web.xml. By
74 default, the specification compliant value of <code>strict</code> is
75 used which means that the user must be assigned one of the roles defined
76 in web.xml. The alternative values are <code>authOnly</code> which means
77 that the user must be authenticated but no check is made for assigned
78 roles and <code>strictAuthOnly</code> which means that the user must be
79 authenticated and no check will be made for assigned roles unless roles
80 are defined in web.xml in which case the user must be assigned at least
81 one of those roles.</p>
82 <p>When this attribute has the value of <code>authOnly</code> or
83 <code>strictAuthOnly</code>, the <strong>roleNameCol</strong> and
84 <strong>userRoleTable</strong> attributes become optional. If those two
85 attributes are omitted, the user's roles will not be loaded by this
86 Realm.</p>
87 </td></tr><tr><td align="left" valign="center"><strong><code>connectionName</code></strong></td><td align="left" valign="center">
88 <p>The database username to use when establishing the JDBC
89 connection.</p>
90 </td></tr><tr><td align="left" valign="center"><strong><code>connectionPassword</code></strong></td><td align="left" valign="center">
91 <p>The database password to use when establishing the JDBC
92 connection.</p>
93 </td></tr><tr><td align="left" valign="center"><strong><code>connectionURL</code></strong></td><td align="left" valign="center">
94 <p>The connection URL to be passed to the JDBC driver when
95 establishing a database connection.</p>
96 </td></tr><tr><td align="left" valign="center"><code>digest</code></td><td align="left" valign="center">
97 <p>The name of the <code>MessageDigest</code> algorithm used
98 to encode user passwords stored in the database. If not specified,
99 user passwords are assumed to be stored in clear-text.</p>
100 </td></tr><tr><td align="left" valign="center"><code>digestEncoding</code></td><td align="left" valign="center">
101 <p>The charset for encoding digests. If not specified, the platform
102 default will be used.</p>
103 </td></tr><tr><td align="left" valign="center"><strong><code>driverName</code></strong></td><td align="left" valign="center">
104 <p>Fully qualified Java class name of the JDBC driver to be
105 used to connect to the authentication database.</p>
106 </td></tr><tr><td align="left" valign="center"><code>roleNameCol</code></td><td align="left" valign="center">
107 <p>Name of the column, in the "user roles" table, which contains
108 a role name assigned to the corresponding user.</p>
109 <p>This attribute is <strong>required</strong> in majority of
110 configurations. See <strong>allRolesMode</strong> attribute for
111 a rare case when it can be omitted.</p>
112 </td></tr><tr><td align="left" valign="center"><strong><code>userCredCol</code></strong></td><td align="left" valign="center">
113 <p>Name of the column, in the "users" table, which contains
114 the user's credentials (i.e. password(. If a value for the
115 <code>digest</code> attribute is specified, this component
116 will assume that the passwords have been encoded with the
117 specified algorithm. Otherwise, they will be assumed to be
118 in clear text.</p>
119 </td></tr><tr><td align="left" valign="center"><strong><code>userNameCol</code></strong></td><td align="left" valign="center">
120 <p>Name of the column, in the "users" and "user roles" table,
121 that contains the user's username.</p>
122 </td></tr><tr><td align="left" valign="center"><code>userRoleTable</code></td><td align="left" valign="center">
123 <p>Name of the "user roles" table, which must contain columns
124 named by the <code>userNameCol</code> and <code>roleNameCol</code>
125 attributes.</p>
126 <p>This attribute is <strong>required</strong> in majority of
127 configurations. See <strong>allRolesMode</strong> attribute for
128 a rare case when it can be omitted.</p>
129 </td></tr><tr><td align="left" valign="center"><strong><code>userTable</code></strong></td><td align="left" valign="center">
130 <p>Name of the "users" table, which must contain columns named
131 by the <code>userNameCol</code> and <code>userCredCol</code>
132 attributes.</p>
133 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
134 <p>When using X509 client certificates, this specifies the class name
135 that will be used to retrieve the user name from the certificate.
136 The class must implement the
137 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
138 interface. The default is to use the certificate's SubjectDN
139 as the username.</p>
140 </td></tr></table>
141
142 <p>See the <a href="../realm-howto.html">Container-Managed Security Guide</a> for more
143 information on setting up container managed security using the
144 JDBC Database Realm component.</p>
145
146 </blockquote></td></tr></table>
147
148
149 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="DataSource Database Realm - org.apache.catalina.realm.DataSourceRealm"><!--()--></a><a name="DataSource_Database_Realm_-_org.apache.catalina.realm.DataSourceRealm"><strong>DataSource Database Realm - org.apache.catalina.realm.DataSourceRealm</strong></a></font></td></tr><tr><td><blockquote>
150
151 <p>The <strong>DataSource Database Realm</strong> connects Catalina to
152 a relational database, accessed through a JNDI named JDBC DataSource
153 to perform lookups of usernames, passwords, and their associated
154 roles. Because the lookup is done each time that it is required,
155 changes to the database will be immediately reflected in the
156 information used to authenticate new logins.</p>
157
158 <p>The JDBC Realm uses a single db connection. This requires that
159 realm based authentication be synchronized, i.e. only one authentication
160 can be done at a time. This could be a bottleneck for applications
161 with high volumes of realm based authentications.</p>
162
163 <p>The DataSource Database Realm supports simultaneous realm based
164 authentications and allows the underlying JDBC DataSource to
165 handle optimizations like database connection pooling.</p>
166
167 <p>A rich set of additional attributes lets you configure the name
168 of the JNDI JDBC DataSource, as well as the table and
169 column names used to retrieve the required information:</p>
170
171 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
172 <p>This attribute controls how the special role name <code>*</code> is
173 handled when processing authorization constraints in web.xml. By
174 default, the specification compliant value of <code>strict</code> is
175 used which means that the user must be assigned one of the roles defined
176 in web.xml. The alternative values are <code>authOnly</code> which means
177 that the user must be authenticated but no check is made for assigned
178 roles and <code>strictAuthOnly</code> which means that the user must be
179 authenticated and no check will be made for assigned roles unless roles
180 are defined in web.xml in which case the user must be assigned at least
181 one of those roles.</p>
182 <p>When this attribute has the value of <code>authOnly</code> or
183 <code>strictAuthOnly</code>, the <strong>roleNameCol</strong> and
184 <strong>userRoleTable</strong> attributes become optional. If those two
185 attributes are omitted, the user's roles will not be loaded by this
186 Realm.</p>
187 </td></tr><tr><td align="left" valign="center"><strong><code>dataSourceName</code></strong></td><td align="left" valign="center">
188 <p>The name of the JNDI JDBC DataSource for this Realm.</p>
189 </td></tr><tr><td align="left" valign="center"><code>digest</code></td><td align="left" valign="center">
190 <p>The name of the <code>MessageDigest</code> algorithm used
191 to encode user passwords stored in the database. If not specified,
192 user passwords are assumed to be stored in clear-text.</p>
193 </td></tr><tr><td align="left" valign="center"><code>localDataSource</code></td><td align="left" valign="center">
194 <p>When the realm is nested inside a Context element, this allows the
195 realm to use a DataSource defined for the Context rather than a global
196 DataSource. If not specified, the default is <code>false</code>: use a
197 global DataSource.</p>
198 </td></tr><tr><td align="left" valign="center"><code>roleNameCol</code></td><td align="left" valign="center">
199 <p>Name of the column, in the "user roles" table, which contains
200 a role name assigned to the corresponding user.</p>
201 <p>This attribute is <strong>required</strong> in majority of
202 configurations. See <strong>allRolesMode</strong> attribute for
203 a rare case when it can be omitted.</p>
204 </td></tr><tr><td align="left" valign="center"><strong><code>userCredCol</code></strong></td><td align="left" valign="center">
205 <p>Name of the column, in the "users" table, which contains
206 the user's credentials (i.e. password(. If a value for the
207 <code>digest</code> attribute is specified, this component
208 will assume that the passwords have been encoded with the
209 specified algorithm. Otherwise, they will be assumed to be
210 in clear text.</p>
211 </td></tr><tr><td align="left" valign="center"><strong><code>userNameCol</code></strong></td><td align="left" valign="center">
212 <p>Name of the column, in the "users" and "user roles" table,
213 that contains the user's username.</p>
214 </td></tr><tr><td align="left" valign="center"><code>userRoleTable</code></td><td align="left" valign="center">
215 <p>Name of the "user roles" table, which must contain columns
216 named by the <code>userNameCol</code> and <code>roleNameCol</code>
217 attributes.</p>
218 <p>This attribute is <strong>required</strong> in majority of
219 configurations. See <strong>allRolesMode</strong> attribute for
220 a rare case when it can be omitted.</p>
221 </td></tr><tr><td align="left" valign="center"><strong><code>userTable</code></strong></td><td align="left" valign="center">
222 <p>Name of the "users" table, which must contain columns named
223 by the <code>userNameCol</code> and <code>userCredCol</code>
224 attributes.</p>
225 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
226 <p>When using X509 client certificates, this specifies the class name
227 that will be used to retrieve the user name from the certificate.
228 The class must implement the
229 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
230 interface. The default is to use the certificate's SubjectDN
231 as the username.</p>
232 </td></tr></table>
233
234 <p>See the <a href="../realm-howto.html#DataSourceRealm">
235 DataSource Realm HOW-TO</a> for more information on setting up container
236 managed security using the DataSource Database Realm component.</p>
237
238 </blockquote></td></tr></table>
239
240
241 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="JNDI Directory Realm - org.apache.catalina.realm.JNDIRealm"><!--()--></a><a name="JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm"><strong>JNDI Directory Realm - org.apache.catalina.realm.JNDIRealm</strong></a></font></td></tr><tr><td><blockquote>
242
243 <p>The <strong>JNDI Directory Realm</strong> connects Catalina to
244 an LDAP Directory, accessed through an appropriate JNDI driver,
245 that stores usernames, passwords, and their associated
246 roles. Changes to the directory are immediately reflected in the
247 information used to authenticate new logins.</p>
248
249
250 <p>The directory realm supports a variety of approaches to using
251 LDAP for authentication:</p>
252
253 <ul>
254 <li>The realm can either use a pattern to determine the
255 distinguished name (DN) of the user's directory entry, or search
256 the directory to locate that entry.
257 </li>
258
259 <li>The realm can authenticate the user either by binding to the
260 directory with the DN of the user's entry and the password
261 presented by the user, or by retrieving the password from the
262 user's entry and performing a comparison locally.
263 </li>
264
265 <li>Roles may be represented in the directory as explicit entries
266 found by a directory search (e.g. group entries of which the user
267 is a member), as the values of an attribute in the user's entry,
268 or both.
269 </li>
270 </ul>
271
272 <p> A rich set of additional attributes lets you configure the
273 required behaviour as well as the connection to the underlying
274 directory and the element and attribute names used to retrieve
275 information from the directory:</p>
276
277 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>adCompat</code></td><td align="left" valign="center">
278 <p>Microsoft Active Directory often returns referrals.
279 When iterating over NamingEnumerations these lead to
280 PartialResultExceptions. If you want us to ignore those exceptions,
281 set this attribute to "true". Unfortunately there's no stable way
282 to detect, if the Exceptions really come from an AD referral.
283 The default value is "false".</p>
284 </td></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
285 <p>This attribute controls how the special role name <code>*</code> is
286 handled when processing authorization constraints in web.xml. By
287 default, the specification compliant value of <code>strict</code> is
288 used which means that the user must be assigned one of the roles defined
289 in web.xml. The alternative values are <code>authOnly</code> which means
290 that the user must be authenticated but no check is made for assigned
291 roles and <code>strictAuthOnly</code> which means that the user must be
292 authenticated and no check will be made for assigned roles unless roles
293 are defined in web.xml in which case the user must be assigned at least
294 one of those roles.</p>
295 </td></tr><tr><td align="left" valign="center"><code>alternateURL</code></td><td align="left" valign="center">
296 <p>If a socket connection can not be made to the provider at
297 the <code>connectionURL</code> an attempt will be made to use the
298 <code>alternateURL</code>.</p>
299 </td></tr><tr><td align="left" valign="center"><code>authentication</code></td><td align="left" valign="center">
300 <p>A string specifying the type of authentication to use.
301 "none", "simple", "strong" or a provider specific definition
302 can be used. If no value is given the providers default is used.</p>
303 </td></tr><tr><td align="left" valign="center"><code>commonRole</code></td><td align="left" valign="center">
304 <p>A role name assigned to each successfully authenticated user in
305 addition to the roles retrieved from LDAP. If not specified, only
306 the roles retrieved via LDAP are used.</p>
307 </td></tr><tr><td align="left" valign="center"><code>connectionName</code></td><td align="left" valign="center">
308 <p>The directory username to use when establishing a
309 connection to the directory for LDAP search operations. If not
310 specified an anonymous connection is made, which is often
311 sufficient unless you specify the <code>userPassword</code>
312 property.</p>
313 </td></tr><tr><td align="left" valign="center"><code>connectionPassword</code></td><td align="left" valign="center">
314 <p>The directory password to use when establishing a
315 connection to the directory for LDAP search operations. If not
316 specified an anonymous connection is made, which is often
317 sufficient unless you specify the <code>userPassword</code>
318 property.</p>
319 </td></tr><tr><td align="left" valign="center"><code>connectionTimeout</code></td><td align="left" valign="center">
320 <p>The timeout in milliseconds to use when establishing the connection
321 to the LDAP directory. If not specified, a value of 5000 (5 seconds) is
322 used.</p>
323 </td></tr><tr><td align="left" valign="center"><strong><code>connectionURL</code></strong></td><td align="left" valign="center">
324 <p>The connection URL to be passed to the JNDI driver when
325 establishing a connection to the directory.</p>
326 </td></tr><tr><td align="left" valign="center"><code>contextFactory</code></td><td align="left" valign="center">
327 <p>Fully qualified Java class name of the factory class used
328 to acquire our JNDI <code>InitialContext</code>. By default,
329 assumes that the standard JNDI LDAP provider will be utilized.</p>
330 </td></tr><tr><td align="left" valign="center"><code>derefAliases</code></td><td align="left" valign="center">
331 <p>A string specifying how aliases are to be dereferenced during
332 search operations. The allowed values are "always", "never",
333 "finding" and "searching". If not specified, "always" is used.</p>
334 </td></tr><tr><td align="left" valign="center"><code>digest</code></td><td align="left" valign="center">
335 <p>The digest algorithm to apply to the plaintext password offered
336 by the user before comparing it with the value retrieved from the
337 directory. Valid values are those accepted for the algorithm name
338 by the <code>java.security.MessageDigest</code> class. If not
339 specified the plaintext password is assumed to be retrieved. Not
340 required unless <code>userPassword</code> is specified</p>
341 </td></tr><tr><td align="left" valign="center"><code>protocol</code></td><td align="left" valign="center">
342 <p>A string specifying the security protocol to use. If not given
343 the providers default is used.</p>
344 </td></tr><tr><td align="left" valign="center"><code>referrals</code></td><td align="left" valign="center">
345 <p>How do we handle JNDI referrals? Allowed values are
346 "ignore", "follow", or "throw" (see javax.naming.Context.REFERRAL
347 for more information).
348 Microsoft Active Directory often returns referrals.
349 If you need to follow them set referrals to "follow".
350 Caution: if your DNS is not part of AD, the LDAP client lib might try
351 to resolve your domain name in DNS to find another LDAP server.</p>
352 </td></tr><tr><td align="left" valign="center"><code>roleBase</code></td><td align="left" valign="center">
353 <p>The base directory entry for performing role searches. If
354 not specified the top-level element in the directory context
355 will be used.</p>
356 </td></tr><tr><td align="left" valign="center"><code>roleName</code></td><td align="left" valign="center">
357 <p>The name of the attribute that contains role names in the
358 directory entries found by a role search. In addition you can
359 use the <code>userRoleName</code> property to specify the name
360 of an attribute, in the user's entry, containing additional
361 role names. If <code>roleName</code> is not specified a role
362 search does not take place, and roles are taken only from the
363 user's entry.</p>
364 </td></tr><tr><td align="left" valign="center"><code>roleSearch</code></td><td align="left" valign="center">
365 <p>The LDAP filter expression used for performing role
366 searches. Use <code>{0}</code> to substitute the
367 distinguished name (DN) of the user, and/or <code>{1}</code> to
368 substitute the username. If not specified a role search does
369 not take place and roles are taken only from the attribute in
370 the user's entry specified by the <code>userRoleName</code>
371 property.</p>
372 </td></tr><tr><td align="left" valign="center"><code>roleSubtree</code></td><td align="left" valign="center">
373 <p>Set to <code>true</code> if you want to search the entire
374 subtree of the element specified by the <code>roleBase</code>
375 property for role entries associated with the user. The
376 default value of <code>false</code> causes only the top level
377 to be searched.</p>
378 </td></tr><tr><td align="left" valign="center"><code>userBase</code></td><td align="left" valign="center">
379 <p>The base element for user searches performed using the
380 <code>userSearch</code> expression. Not used if you are using
381 the <code>userPattern</code> expression.</p>
382 </td></tr><tr><td align="left" valign="center"><code>userPassword</code></td><td align="left" valign="center">
383 <p>Name of the attribute in the user's entry containing the
384 user's password. If you specify this value, JNDIRealm will
385 bind to the directory using the values specified by
386 <code>connectionName</code> and
387 <code>connectionPassword</code> properties, and retrieve the
388 corresponding attribute for comparison to the value specified
389 by the user being authenticated. If you do
390 <strong>not</strong> specify this value, JNDIRealm will
391 attempt a simple bind to the directory using the DN of the
392 user's entry and the password presented by the user, with a
393 successful bind being interpreted as an authenticated
394 user.</p>
395 </td></tr><tr><td align="left" valign="center"><code>userPattern</code></td><td align="left" valign="center">
396 <p>Pattern for the distinguished name (DN) of the user's
397 directory entry, with <code>{0}</code> marking where the
398 actual username should be inserted. You can use this property
399 instead of <code>userSearch</code>, <code>userSubtree</code>
400 and <code>userBase</code> when the distinguished name contains
401 the username and is otherwise the same for all users.</p>
402 </td></tr><tr><td align="left" valign="center"><code>userRoleName</code></td><td align="left" valign="center">
403 <p>The name of an attribute in the user's directory entry
404 containing zero or more values for the names of roles assigned
405 to this user. In addition you can use the
406 <code>roleName</code> property to specify the name of an
407 attribute to be retrieved from individual role entries found
408 by searching the directory. If <code>userRoleName</code> is
409 not specified all the roles for a user derive from the role
410 search.</p>
411 </td></tr><tr><td align="left" valign="center"><code>userSearch</code></td><td align="left" valign="center">
412 <p>The LDAP filter expression to use when searching for a
413 user's directory entry, with <code>{0}</code> marking where
414 the actual username should be inserted. Use this property
415 (along with the <code>userBase</code> and
416 <code>userSubtree</code> properties) instead of
417 <code>userPattern</code> to search the directory for the
418 user's entry.</p>
419 </td></tr><tr><td align="left" valign="center"><code>userSubtree</code></td><td align="left" valign="center">
420 <p>Set to <code>true</code> if you want to search the entire
421 subtree of the element specified by the <code>userBase</code>
422 property for the user's entry. The default value of
423 <code>false</code> causes only the top level to be searched.
424 Not used if you are using the <code>userPattern</code>
425 expression.</p>
426 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
427 <p>When using X509 client certificates, this specifies the class name
428 that will be used to retrieve the user name from the certificate.
429 The class must implement the
430 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
431 interface. The default is to use the certificate's SubjectDN
432 as the username.</p>
433 </td></tr></table>
434
435 <p>See the <a href="../realm-howto.html">Container-Managed Security Guide</a> for more
436 information on setting up container managed security using the
437 JNDI Directory Realm component.</p>
438
439 </blockquote></td></tr></table>
440
441
442 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="UserDatabase Realm - org.apache.catalina.realm.UserDatabaseRealm"><!--()--></a><a name="UserDatabase_Realm_-_org.apache.catalina.realm.UserDatabaseRealm"><strong>UserDatabase Realm - org.apache.catalina.realm.UserDatabaseRealm</strong></a></font></td></tr><tr><td><blockquote>
443
444 <p>The <strong>UserDatabase Realm</strong> is a Realm implementation
445 that is based on a UserDatabase resource made available through the global
446 JNDI resources configured for this Tomcat instance.</p>
447
448 <p>The UserDatabase Realm implementation supports the following
449 additional attributes:</p>
450
451 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
452 <p>This attribute controls how the special role name <code>*</code> is
453 handled when processing authorization constraints in web.xml. By
454 default, the specification compliant value of <code>strict</code> is
455 used which means that the user must be assigned one of the roles defined
456 in web.xml. The alternative values are <code>authOnly</code> which means
457 that the user must be authenticated but no check is made for assigned
458 roles and <code>strictAuthOnly</code> which means that the user must be
459 authenticated and no check will be made for assigned roles unless roles
460 are defined in web.xml in which case the user must be assigned at least
461 one of those roles.</p>
462 </td></tr><tr><td align="left" valign="center"><strong><code>resourceName</code></strong></td><td align="left" valign="center">
463 <p>The name of the global <code>UserDatabase</code> resource
464 that this realm will use for user, password and role information.</p>
465 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
466 <p>When using X509 client certificates, this specifies the class name
467 that will be used to retrieve the user name from the certificate.
468 The class must implement the
469 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
470 interface. The default is to use the certificate's SubjectDN
471 as the username.</p>
472 </td></tr></table>
473
474 <p>See the
475 <a href="../realm-howto.html">Container-Managed Security Guide</a> for more
476 information on setting up container managed security using the UserDatabase
477 Realm component and the
478 <a href="../jndi-resources-howto.html">JNDI resources how-to</a> for more
479 information on how to configure a UserDatabase resource.</p>
480
481 </blockquote></td></tr></table>
482
483
484 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Memory Based Realm - org.apache.catalina.realm.MemoryRealm"><!--()--></a><a name="Memory_Based_Realm_-_org.apache.catalina.realm.MemoryRealm"><strong>Memory Based Realm - org.apache.catalina.realm.MemoryRealm</strong></a></font></td></tr><tr><td><blockquote>
485
486 <p>The <strong>Memory Based Realm</strong> is a simple Realm implementation
487 that reads user information from an XML format, and represents it as a
488 collection of Java objects in memory. This implementation is intended
489 solely to get up and running with container managed security - it is NOT
490 intended for production use. As such, there are no mechanisms for
491 updating the in-memory collection of users when the content of the
492 underlying data file is changed.</p>
493
494 <p>The Memory Based Realm implementation supports the following
495 additional attributes:</p>
496
497 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
498 <p>This attribute controls how the special role name <code>*</code> is
499 handled when processing authorization constraints in web.xml. By
500 default, the specification compliant value of <code>strict</code> is
501 used which means that the user must be assigned one of the roles defined
502 in web.xml. The alternative values are <code>authOnly</code> which means
503 that the user must be authenticated but no check is made for assigned
504 roles and <code>strictAuthOnly</code> which means that the user must be
505 authenticated and no check will be made for assigned roles unless roles
506 are defined in web.xml in which case the user must be assigned at least
507 one of those roles.</p>
508 </td></tr><tr><td align="left" valign="center"><code>digest</code></td><td align="left" valign="center">
509 <p>The digest algorithm used to store passwords in non-plaintext
510 formats. Valid values are those accepted for the algorithm name by the
511 <code>java.security.MessageDigest</code> class. If not specified,
512 passwords are stored in clear text.</p>
513 </td></tr><tr><td align="left" valign="center"><code>pathname</code></td><td align="left" valign="center">
514 <p>Absolute or relative (to $CATALINA_BASE) pathname to the XML file
515 containing our user information. See below for details on the
516 XML element format required. If no pathname is specified, the
517 default value is <code>conf/tomcat-users.xml</code>.</p>
518 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
519 <p>When using X509 client certificates, this specifies the class name
520 that will be used to retrieve the user name from the certificate.
521 The class must implement the
522 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
523 interface. The default is to use the certificate's SubjectDN
524 as the username.</p>
525 </td></tr></table>
526
527 <p>The XML document referenced by the <code>pathname</code> attribute must
528 conform to the following requirements:</p>
529 <ul>
530 <li>The root (outer) element must be <code>&lt;tomcat-users&gt;</code>.
531 </li>
532 <li>Each authorized user must be represented by a single XML element
533 <code>&lt;user&gt;</code>, nested inside the root element.</li>
534 <li>Each <code>&lt;user&gt;</code> element must have the following
535 attributes:
536 <ul>
537 <li><strong>name</strong> - Username of this user (must be unique
538 within this file).</li>
539 <li><strong>password</strong> - Password of this user (in
540 clear text).</li>
541 <li><strong>roles</strong> - Comma-delimited list of the role names
542 assigned to this user.</li>
543 </ul></li>
544 </ul>
545
546 <p>See the <a href="../realm-howto.html">Container-Managed Security Guide</a> for more
547 information on setting up container managed security using the
548 Memory Based Realm component.</p>
549
550 </blockquote></td></tr></table>
551
552
553 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="JAAS Realm - org.apache.catalina.realm.JAASRealm"><!--()--></a><a name="JAAS_Realm_-_org.apache.catalina.realm.JAASRealm"><strong>JAAS Realm - org.apache.catalina.realm.JAASRealm</strong></a></font></td></tr><tr><td><blockquote>
554
555 <p><strong>JAASRealm</strong> is an implementation of the Tomcat 6
556 <code>Realm</code> interface that authenticates users through the Java
557 Authentication &amp; Authorization Service (JAAS) framework which is now
558 provided as part of the standard J2SE API.</p>
559
560 <p>Using JAASRealm gives the developer the ability to combine practically
561 any conceivable security realm with Tomcat's CMA.</p>
562
563 <p>JAASRealm is prototype for Tomcat of the JAAS-based J2EE authentication
564 framework for J2EE v1.4, based on the <a href="http://www.jcp.org/en/jsr/detail?id=196">JCP Specification Request
565 196</a> to enhance container-managed security and promote 'pluggable'
566 authentication mechanisms whose implementations would be
567 container-independent.</p>
568
569 <p>Based on the JAAS login module and principal
570 (see <code>javax.security.auth.spi.LoginModule</code> and
571 <code>javax.security.Principal</code>), you can develop your own security
572 mechanism or wrap another third-party mechanism for integration with the CMA
573 as implemented by Tomcat.</p>
574
575 <p>The JAAS Realm implementation supports the following additional
576 attributes:</p>
577
578 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
579 <p>This attribute controls how the special role name <code>*</code> is
580 handled when processing authorization constraints in web.xml. By
581 default, the specification compliant value of <code>strict</code> is
582 used which means that the user must be assigned one of the roles defined
583 in web.xml. The alternative values are <code>authOnly</code> which means
584 that the user must be authenticated but no check is made for assigned
585 roles and <code>strictAuthOnly</code> which means that the user must be
586 authenticated and no check will be made for assigned roles unless roles
587 are defined in web.xml in which case the user must be assigned at least
588 one of those roles.</p>
589 </td></tr><tr><td align="left" valign="center"><strong><code>appName</code></strong></td><td align="left" valign="center">
590 <p>The name of the application as configured in your login configuration
591 file
592 (<a href="http://docs.oracle.com/javase/1.4.2/docs/guide/security/jaas/tutorials/LoginConfigFile.html">JAAS LoginConfig</a>).</p>
593 </td></tr><tr><td align="left" valign="center"><strong><code>userClassNames</code></strong></td><td align="left" valign="center">
594 <p>A comma-separated list of the names of the classes that you have made
595 for your user <code>Principals</code>.</p>
596 </td></tr><tr><td align="left" valign="center"><code>roleClassNames</code></td><td align="left" valign="center">
597 <p>A comma-separated list of the names of the classes that you have made
598 for your role <code>Principals</code>.</p>
599 </td></tr><tr><td align="left" valign="center"><code>useContextClassLoader</code></td><td align="left" valign="center">
600 <p>Instructs JAASRealm to use the context class loader for loading the
601 user-specified <code>LoginModule</code> class and associated
602 <code>Principal</code> classes. The default value is <code>true</code>,
603 which is backwards-compatible with the way Tomcat 5 works. To load
604 classes using the container's classloader, specify
605 <code>false</code>.</p>
606 </td></tr><tr><td align="left" valign="center"><code>X509UsernameRetrieverClassName</code></td><td align="left" valign="center">
607 <p>When using X509 client certificates, this specifies the class name
608 that will be used to retrieve the user name from the certificate.
609 The class must implement the
610 <code>org.apache.catalina.realm.X509UsernameRetriever</code>
611 interface. The default is to use the certificate's SubjectDN
612 as the username.</p>
613 </td></tr></table>
614
615 <p>See the <a href="../realm-howto.html">Container-Managed Security
616 Guide</a> for more information on setting up container managed security
617 using the JAAS Realm component.</p>
618
619 </blockquote></td></tr></table>
620
621
622 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Combined Realm - org.apache.catalina.realm.CombinedRealm"><!--()--></a><a name="Combined_Realm_-_org.apache.catalina.realm.CombinedRealm"><strong>Combined Realm - org.apache.catalina.realm.CombinedRealm</strong></a></font></td></tr><tr><td><blockquote>
623
624 <p><strong>CombinedRealm</strong> is an implementation of the Tomcat 6
625 <code>Realm</code> interface that authenticates users through one or more
626 sub-Realms.</p>
627
628 <p>Using CombinedRealm gives the developer the ability to combine multiple
629 Realms of the same or different types. This can be used to authenticate
630 against different sources, provide fall back in case one Realm fails or for
631 any other purpose that requires multiple Realms.</p>
632
633 <p>Sub-realms are defined by nesting <code>Realm</code> elements inside the
634 <code>Realm</code> element that defines the CombinedRealm. Authentication
635 will be attempted against each <code>Realm</code> in the order they are
636 listed. Authentication against any Realm will be sufficient to authenticate
637 the user.</p>
638
639 <p>See the <a href="../realm-howto.html">Container-Managed Security
640 Guide</a> for more information on setting up container managed security
641 using the CombinedRealm component.</p>
642
643 <p>The CombinedRealm implementation supports the following additional
644 attributes.</p>
645
646 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
647 <p>This attribute controls how the special role name <code>*</code> is
648 handled when processing authorization constraints in web.xml. By
649 default, the specification compliant value of <code>strict</code> is
650 used which means that the user must be assigned one of the roles defined
651 in web.xml. The alternative values are <code>authOnly</code> which means
652 that the user must be authenticated but no check is made for assigned
653 roles and <code>strictAuthOnly</code> which means that the user must be
654 authenticated and no check will be made for assigned roles unless roles
655 are defined in web.xml in which case the user must be assigned at least
656 one of those roles.</p>
657 </td></tr></table>
658 </blockquote></td></tr></table>
659
660
661 <table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#828DA6"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="LockOut Realm - org.apache.catalina.realm.LockOutRealm"><!--()--></a><a name="LockOut_Realm_-_org.apache.catalina.realm.LockOutRealm"><strong>LockOut Realm - org.apache.catalina.realm.LockOutRealm</strong></a></font></td></tr><tr><td><blockquote>
662
663 <p><strong>LockOutRealm</strong> is an implementation of the Tomcat 6
664 <code>Realm</code> interface that extends the CombinedRealm to provide lock
665 out functionality to provide a user lock out mechanism if there are too many
666 failed authentication attempts in a given period of time.</p>
667
668 <p>To ensure correct operation, there is a reasonable degree of
669 synchronization in this Realm.</p>
670
671 <p>This Realm does not require modification to the underlying Realms or the
672 associated user storage mechanisms. It achieves this by recording all failed
673 logins, including those for users that do not exist. To prevent a DOS by
674 deliberating making requests with invalid users (and hence causing this
675 cache to grow) the size of the list of users that have failed authentication
676 is limited.</p>
677
678 <p>Sub-realms are defined by nesting <code>Realm</code> elements inside the
679 <code>Realm</code> element that defines the LockOutRealm. Authentication
680 will be attempted against each <code>Realm</code> in the order they are
681 listed. Authentication against any Realm will be sufficient to authenticate
682 the user.</p>
683
684 <p>The LockOutRealm implementation supports the following additional
685 attributes.</p>
686
687 <table border="1" cellpadding="5"><tr><th width="15%" bgcolor="#023264"><font color="#ffffff">Attribute</font></th><th width="85%" bgcolor="#023264"><font color="#ffffff">Description</font></th></tr><tr><td align="left" valign="center"><code>allRolesMode</code></td><td align="left" valign="center">
688 <p>This attribute controls how the special role name <code>*</code> is
689 handled when processing authorization constraints in web.xml. By
690 default, the specification compliant value of <code>strict</code> is
691 used which means that the user must be assigned one of the roles defined
692 in web.xml. The alternative values are <code>authOnly</code> which means
693 that the user must be authenticated but no check is made for assigned
694 roles and <code>strictAuthOnly</code> which means that the user must be
695 authenticated and no check will be made for assigned roles unless roles
696 are defined in web.xml in which case the user must be assigned at least
697 one of those roles.</p>
698 </td></tr><tr><td align="left" valign="center"><code>cacheRemovalWarningTime</code></td><td align="left" valign="center">
699 <p>If a failed user is removed from the cache because the cache is too
700 big before it has been in the cache for at least this period of time (in
701 seconds) a warning message will be logged. Defaults to 3600 (1 hour).</p>
702 </td></tr><tr><td align="left" valign="center"><code>cacheSize</code></td><td align="left" valign="center">
703 <p>Number of users that have failed authentication to keep in cache. Over
704 time the cache will grow to this size and may not shrink. Defaults to
705 1000.</p>
706 </td></tr><tr><td align="left" valign="center"><code>failureCount</code></td><td align="left" valign="center">
707 <p>The number of times in a row a user has to fail authentication to be
708 locked out. Defaults to 5.</p>
709 </td></tr><tr><td align="left" valign="center"><code>lockOutTime</code></td><td align="left" valign="center">
710 <p>The time (in seconds) a user is locked out for after too many
711 authentication failures. Defaults to 300 (5 minutes).</p>
712 </td></tr></table>
713
714 <p>See the <a href="../realm-howto.html">Container-Managed Security
715 Guide</a> for more information on setting up container managed security
716 using the LockOutRealm component.</p>
717
718 </blockquote></td></tr></table>
719
720</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Nested Components"><!--()--></a><a name="Nested_Components"><strong>Nested Components</strong></a></font></td></tr><tr><td><blockquote>
721
722 <h3>CombinedRealm Implementation</h3>
723
724 <p>If you are using the <em>CombinedRealm Implementation</em> or a Realm
725 that extends the CombinedRealm, e.g. the LockOutRealm,
726 <strong>&lt;Realm&gt;</strong> elements may be nested inside it.</p>
727
728 <h3>Other Realm Implementations</h3>
729
730 <p>No other Realm implementation supports nested components.</p>
731
732</blockquote></td></tr></table><table border="0" cellspacing="0" cellpadding="2"><tr><td bgcolor="#525D76"><font color="#ffffff" face="arial,helvetica.sanserif"><a name="Special Features"><!--()--></a><a name="Special_Features"><strong>Special Features</strong></a></font></td></tr><tr><td><blockquote>
733
734 <p>See <a href="host.html">Single Sign On</a> for information about
735 configuring Single Sign On support for a virtual host.</p>
736
737</blockquote></td></tr></table></td></tr><!--FOOTER SEPARATOR--><tr><td colspan="2"><hr noshade="noshade" size="1"></td></tr><!--PAGE FOOTER--><tr><td colspan="2"><div align="center"><font color="#525D76" size="-1"><em>
738 Copyright &copy; 1999-2014, Apache Software Foundation
739 </em></font></div></td></tr></table></body></html>