<?xml version="1.0" encoding="UTF-8"?> | |
<!-- | |
Licensed to the Apache Software Foundation (ASF) under one or more | |
contributor license agreements. See the NOTICE file distributed with | |
this work for additional information regarding copyright ownership. | |
The ASF licenses this file to You under the Apache License, Version 2.0 | |
(the "License"); you may not use this file except in compliance with | |
the License. You may obtain a copy of the License at | |
http://www.apache.org/licenses/LICENSE-2.0 | |
Unless required by applicable law or agreed to in writing, software | |
distributed under the License is distributed on an "AS IS" BASIS, | |
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
See the License for the specific language governing permissions and | |
limitations under the License. | |
--> | |
<!-- $Rev: 610624 $ $Date: 2008-01-09 17:03:50 -0800 (Wed, 09 Jan 2008) $ --> | |
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" | |
xmlns:j2ee="http://java.sun.com/xml/ns/j2ee" | |
xmlns:geronimo="http://geronimo.apache.org/xml/ns/security-1.2" | |
targetNamespace="http://geronimo.apache.org/xml/ns/security-1.2" | |
xmlns:app="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" | |
elementFormDefault="qualified" attributeFormDefault="unqualified" | |
version="1.0"> | |
<xsd:annotation> | |
<xsd:documentation> | |
This is a partial XML Schema Definition for common security | |
elements. This schema will never be used directly but its elements | |
are used in geronimo-application-client-2.0.xsd, | |
geronimo-connector-1.2.xsd, geronimo-web-2.0.1.xsd, | |
geronimo-tomcat-2.0.1.xsd, and geronimo-jetty-2.0.2.xsd. All the schemas | |
or plans using elements of this schema must specify the top level | |
element with one of the namespace specified as | |
"http://geronimo.apache.org/xml/ns/j2ee/security-1.2". The default | |
location for this document is | |
http://geronimo.apache.org/schemas-1.2/geronimo-security-1.2.xsd. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:import namespace="http://www.w3.org/XML/1998/namespace" | |
schemaLocation="http://www.w3.org/2001/xml.xsd" /> | |
<xsd:import | |
namespace="http://geronimo.apache.org/xml/ns/j2ee/application-2.0" | |
schemaLocation="geronimo-application-2.0.xsd"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Import Geronimo enterprise application deployment plans. The | |
imported plan includes complex types abstract-securityType | |
required by this plan schema. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:import> | |
<xsd:element name="security" type="geronimo:securityType" | |
substitutionGroup="app:security"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The element security is used to map security roles setting for | |
applications. If this element is present, all the web and EJB | |
modules must make the appropriate access checks as outlined by | |
the JACC specifications. Essentially, it configures the | |
security-realms to be used by applications. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="default-principal" | |
type="geronimo:default-principalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The element default-principal provides the principal to be used | |
during unauthorized access. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:complexType name="securityType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Security entries | |
If this element is present, all web and EJB modules MUST make | |
the appropriate access checks as outlined in the JACC spec. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:complexContent> | |
<xsd:extension base="app:abstract-securityType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Extension of abstract-securityType element defined in | |
geronimo-application-2.0.xsd. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:sequence> | |
<xsd:element name="description" | |
type="geronimo:descriptionType" minOccurs="0" | |
maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Language specific description of security | |
element. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="default-principal" | |
type="geronimo:default-principalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The element default-principal provides the | |
principal to be used during unauthorized access. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="role-mappings" | |
type="geronimo:role-mappingsType" minOccurs="0"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The element role-mappings provides the mapping | |
information for roles defined in deployment | |
descriptors and security realms available. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
<xsd:attribute name="doas-current-caller" type="xsd:boolean" | |
default="false"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Set doas-current-caller attribute to "true" if the | |
work is to be performed as the calling Subject | |
instead of as application server. The default value | |
for doas-current-caller is false. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
<xsd:attribute name="use-context-handler" type="xsd:boolean" | |
default="false"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Set this attribute to "true" if the installed JACC | |
policy contexts will use PolicyContextHandlers. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
<xsd:attribute name="default-role" type="xsd:string"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Used by the the Deployer to assign method | |
permissions for all of the unspecified methods, | |
either by assigning them to security roles, or by | |
marking them as unchecked. If the value of | |
default-role is empty, then the unspecified methods | |
are marked unchecked | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:extension> | |
</xsd:complexContent> | |
</xsd:complexType> | |
<xsd:complexType name="descriptionType"> | |
<xsd:simpleContent> | |
<xsd:extension base="xsd:string"> | |
<xsd:attribute ref="xml:lang"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The reference to XML schema's lang attribute. This | |
is used to define the language for this descriptor. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:extension> | |
</xsd:simpleContent> | |
</xsd:complexType> | |
<xsd:complexType name="default-principalType"> | |
<xsd:sequence> | |
<xsd:element name="description" type="geronimo:descriptionType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Language specific description for default principle. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:choice> | |
<xsd:element name="principal" type="geronimo:principalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The principal element defines the to be used for | |
default principal, mapped using simple mapping | |
principal. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="login-domain-principal" | |
type="geronimo:loginDomainPrincipalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The login-domain-principal element defines the to be | |
used for default principal, mapped using login | |
domain specific mapping. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="realm-principal" | |
type="geronimo:realmPrincipalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The realm-principal element defines the to be used | |
for default principal, mapped using login domain and | |
realm specific mapping. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:choice> | |
<xsd:element name="named-username-password-credential" | |
type="geronimo:named-username-password-credentialType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The named-username-password-credential element defines | |
named credential to be used on per-user authentication | |
bases. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
</xsd:complexType> | |
<xsd:complexType name="named-username-password-credentialType"> | |
<xsd:sequence> | |
<xsd:element name="name" type="xsd:string"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The name for this credential. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="username" type="xsd:string"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The username for this credential. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="password" type="xsd:string"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The password for this credential. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
</xsd:complexType> | |
<xsd:complexType name="role-mappingsType"> | |
<xsd:sequence> | |
<xsd:element name="role" type="geronimo:roleType" minOccurs="1" | |
maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The set of principals used to map the roles defined in | |
deployment descriptors. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
</xsd:complexType> | |
<xsd:complexType name="roleType"> | |
<xsd:sequence> | |
<xsd:element name="description" type="geronimo:descriptionType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The language specific description of the role. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="realm-principal" | |
type="geronimo:realmPrincipalType" minOccurs="0" | |
maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The realm-principal element defines the to be used for | |
default principal, mapped using login domain and realm | |
specific mapping. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="login-domain-principal" | |
type="geronimo:loginDomainPrincipalType" minOccurs="0" | |
maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The login-domain-principal element defines the to be | |
used for default principal, mapped using login domain | |
specific mapping. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="principal" type="geronimo:principalType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The principal element defines the to be used for default | |
principal, mapped using simple mapping principal. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
<xsd:element name="distinguished-name" | |
type="geronimo:distinguishedNameType" minOccurs="0" | |
maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The distinguished-name element defines the client | |
certification authentication. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
<xsd:attribute name="role-name" type="xsd:string" use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The role-name element defines the name for this role. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:complexType> | |
<xsd:complexType name="realmPrincipalType"> | |
<xsd:complexContent> | |
<xsd:extension base="geronimo:loginDomainPrincipalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Extends loginDomainPrincipalType defined later in this | |
schema. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:attribute name="realm-name" type="xsd:string" | |
use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The realm-name attribute maps to the Geronimo | |
security realm. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:extension> | |
</xsd:complexContent> | |
</xsd:complexType> | |
<xsd:complexType name="loginDomainPrincipalType"> | |
<xsd:complexContent> | |
<xsd:extension base="geronimo:principalType"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Extends principalType defined later in this schema. | |
</xsd:documentation> | |
</xsd:annotation> | |
<xsd:attribute name="domain-name" type="xsd:string" | |
use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The domain-name attribute maps to the | |
login-domain-name set for the JAAS login module. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:extension> | |
</xsd:complexContent> | |
</xsd:complexType> | |
<xsd:complexType name="principalType"> | |
<xsd:sequence> | |
<xsd:element name="description" type="geronimo:descriptionType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The language specific description for this principal. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
<xsd:attribute name="class" type="xsd:string" use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The class attribute provides the fully qualified class name | |
of the principal class. The default Geronimo principal | |
classes are | |
org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal | |
and | |
org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
<xsd:attribute name="name" type="xsd:string" use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The name attribute provides the unique name for this | |
principal. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
<xsd:attribute name="designated-run-as" type="xsd:boolean" | |
default="false"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Set this attribute to "true" if this principal is to be used | |
as the run-as principal for this role. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:complexType> | |
<xsd:complexType name="distinguishedNameType"> | |
<xsd:sequence> | |
<xsd:element name="description" type="geronimo:descriptionType" | |
minOccurs="0" maxOccurs="unbounded"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Language specific description of distinguished name | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:element> | |
</xsd:sequence> | |
<xsd:attribute name="name" type="xsd:string" use="required"> | |
<xsd:annotation> | |
<xsd:documentation> | |
The name of the distinguished name provided in client | |
certificate. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
<xsd:attribute name="designated-run-as" type="xsd:boolean" | |
default="false"> | |
<xsd:annotation> | |
<xsd:documentation> | |
Set this attribute to "true" if this principal is to be used | |
as the run-as principal for this role. | |
</xsd:documentation> | |
</xsd:annotation> | |
</xsd:attribute> | |
</xsd:complexType> | |
</xsd:schema> |