Index: docs/config/realm.xml =================================================================== --- docs/config/realm.xml (revision 1245889) +++ docs/config/realm.xml (working copy) @@ -79,7 +79,52 @@
Java class name of the implementation to use. This class must
implement the org.apache.catalina.Realm
interface.
The value is used to configure how to get the user name during the client certificate authentication. + The user name is the unique part of information from the client certificate that used to identify the identity of the user. +The Subject field (also called Subject Distinguish Name or SubjectDN) identifies the entity associated with the public key. +The Subject field contains the following relevant attributes (it can also contain other attributes). +
++
Subject Attribute | Subject Attribute Description | Example |
---|---|---|
CN | Common Name | CN=Bob BobFamily |
emailAddress | Email Address | emailAddress=bob@example.com |
C | Country Name | C=US |
ST | State or Province Name | ST=NY |
L | Locality Name | L=New York |
O | Organization Name | O=Work Organization |
OU | Organizational Unit Name | OU=Managers |
+To retrieve the user name from the subject, you can use the entire SubjectDN field or the SubjectDN attribute. +To retrieve the user name from entire SubjectDN field leave the value empty. +To retrieve the user name from the SubjectDN attribute, please provide the retrieve attribute name. +The the retrieve attribute name is a code letter based on a legend defined in the certificate itself. +
++For example, the Email attribute is used to hold the User Name. +Please provide "e" or "emailAddress" for the constructor. +
+ ++For example, the Common Name attribute is used to hold the User Name. +Please provide "CN" for the constructor.
+ + +The Java class name that is used to override the default X509UserNameRetriever.
+ The X509UserNameRetriever is used to get the user name during the client certificate authentication.
+ If the value is provided a realm will create X509UserNameRetriever from the provided class.
+ This class must implement the org.apache.catalina.realm.X509UserNameRetriever
interface.
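Review bot: The added paragraphs on choosing a single Subject attribute (from "To retrieve the user name from the subject" onward) call the user name "the unique part of information" from the certificate but never say what makes CN or emailAddress unique. The documentation should state that a single attribute is only a safe user name when every CA the server trusts guarantees its uniqueness, and that leaving the value empty (entire SubjectDN) is the more specific choice. In the same paragraphs, 'Please provide "e" or "emailAddress" for the constructor' and 'Please provide "CN" for the constructor' speak of a constructor in what is configuration documentation, so name the attribute that takes the value instead. The sentence "a code letter based on a legend defined in the certificate itself" is unclear next to a table that already lists the attribute names, and should point at that table. Wording to fix before commit: "Subject Distinguish Name" should be "Subject Distinguished Name", "The the retrieve attribute name" has a doubled word, and "that used to identify" is missing "is".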