Comment: document global attribute


    <gbean name="test-realm" class="">
        <attribute name="realmName">test-realm</attribute>
        <attribute name="global">true</attribute>
        <xml-reference name="LoginModuleConfiguration">
            <lc:login-config xmlns:lc="${geronimoSchemaVersion}">
                <lc:login-module control-flag="REQUIRED" wrap-principals="false">
                    <lc:option name="users">foo,bar</lc:option>
        <reference name="ServerInfo">


If you specify wrap-principals as false, your login module works as usual and only its own principals are added to the Subject. If you specify wrap-principals as true, Geronimo also adds principals that wrap your principals and include the login-domain-name and realm-name of the login module and security realm that created each principal. This lets your role-principal mapping distinguish between the "same" principal coming from different sources. For instance, if you had two LDAP servers where the groups had the same names but different meanings (perhaps users from different departments), you can wrap the principals and still tell the same group name apart based on the different realms. However, in order to distinguish principals in this way, we supply each login module with its own empty Subject object. Therefore, a later login module cannot access the principals added to a Subject by an earlier login module. If you need to share information between login modules and also wrap principals, you must use the shared state map and not the Subject.
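The following is an added example, not code from Geronimo or from this page, showing two JAAS login modules passing the authenticated user name through the shared state map while each holds its own empty Subject. The class names, the key `example.authenticated.user`, the user `foo` and the small driver in `main` are assumptions made for illustration; the driver only imitates the one-Subject-per-module behaviour described above.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.spi.LoginModule;

public class SharedStateDemo {
    // Hypothetical key; any name the cooperating modules agree on works.
    static final String USER_KEY = "example.authenticated.user";

    record Named(String name) implements Principal {
        public String getName() { return name; }
    }

    abstract static class Base implements LoginModule {
        Subject subject;
        Map<String, Object> shared;
        @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            subject = s;
            shared = (Map<String, Object>) sharedState; // same map instance for every module in the stack
        }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    static class UserModule extends Base {
        // Credential checking is elided; "foo" is a constructed user name.
        public boolean login() { shared.put(USER_KEY, "foo"); return true; }
        public boolean commit() { return subject.getPrincipals().add(new Named((String) shared.get(USER_KEY))); }
    }

    static class GroupModule extends Base {
        String user;
        // Its Subject holds no principals from UserModule, so the user name is read from shared state.
        public boolean login() { user = (String) shared.get(USER_KEY); return user != null; }
        public boolean commit() { return subject.getPrincipals().add(new Named("group-of-" + user)); }
    }

    public static void main(String[] args) throws Exception {
        Map<String, Object> shared = new HashMap<>();
        Subject s1 = new Subject(), s2 = new Subject(); // one empty Subject per module
        LoginModule first = new UserModule(), second = new GroupModule();
        first.initialize(s1, null, shared, Map.of());
        second.initialize(s2, null, shared, Map.of());
        if (!(first.login() && second.login())) throw new IllegalStateException("login failed");
        first.commit();
        second.commit();
        System.out.println("first module's Subject:  " + s1.getPrincipals());
        System.out.println("second module's Subject: " + s2.getPrincipals());
    }
}
```

If `GroupModule` looked for the user in `subject.getPrincipals()` instead of the shared state map, it would find nothing and its `login()` would have no user to work with.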

The Global attribute

A security realm has a 'global' attribute. If set to true, the realm is available to every application and to all EJBs. If set to false or omitted, the realm is only available to web applications that include the plugin containing the security realm as a dependency (or web applications that include the security realm definition themselves). Note that any security realm to be used by EJBs MUST be marked global. Non-global security realms exist so that multiple realms with the same name can be deployed without conflicts, with the dependency directed acyclic graph used to distinguish between them.