jboss-as-security_1_2.xsd 18 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429
  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <!--
  3. ~ JBoss, Home of Professional Open Source.
  4. ~ Copyright 2011, Red Hat, Inc., and individual contributors
  5. ~ as indicated by the @author tags. See the copyright.txt file in the
  6. ~ distribution for a full listing of individual contributors.
  7. ~
  8. ~ This is free software; you can redistribute it and/or modify it
  9. ~ under the terms of the GNU Lesser General Public License as
  10. ~ published by the Free Software Foundation; either version 2.1 of
  11. ~ the License, or (at your option) any later version.
  12. ~
  13. ~ This software is distributed in the hope that it will be useful,
  14. ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  15. ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16. ~ Lesser General Public License for more details.
  17. ~
  18. ~ You should have received a copy of the GNU Lesser General Public
  19. ~ License along with this software; if not, write to the Free
  20. ~ Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
  21. ~ 02110-1301 USA, or see the FSF site: http://www.fsf.org.
  22. -->
  23. <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
  24. targetNamespace="urn:jboss:domain:security:1.2"
  25. xmlns="urn:jboss:domain:security:1.2"
  26. elementFormDefault="qualified"
  27. attributeFormDefault="unqualified"
  28. version="1.2">
  29. <!-- The security subsystem root element -->
  30. <xs:element name="subsystem" type="security-containerType" />
  31. <!-- The security container configuration -->
  32. <xs:complexType name="security-containerType">
  33. <xs:annotation>
  34. <xs:documentation>
  35. <![CDATA[
  36. The security subsystem, used to configure authentication and authorization.
  37. ]]>
  38. </xs:documentation>
  39. </xs:annotation>
  40. <xs:all>
  41. <xs:element name="security-management" type="securityManagementType" minOccurs="0" maxOccurs="1"/>
  42. <xs:element name="security-domains" type="securityDomainsType" minOccurs="0" maxOccurs="1"/>
  43. <xs:element name="vault" type="vaultType" minOccurs="0" maxOccurs="1"/>
  44. </xs:all>
  45. </xs:complexType>
  46. <!-- The security management element -->
  47. <xs:complexType name="securityManagementType">
  48. <xs:annotation>
  49. <xs:documentation>
  50. <![CDATA[
  51. The optional "deep-copy-subject-mode" attribute sets the copy mode of subjects done by the security
  52. managers to be deep copies that makes copies of the subject principals and credentials if they are
  53. cloneable. It should be set to true if subject include mutable content that can be corrupted when
  54. multiple threads have the same identity and cache flushes/logout clearing the subject in one thread
  55. results in subject references affecting other threads. Default value is "false".
  56. ]]>
  57. </xs:documentation>
  58. </xs:annotation>
  59. <xs:attribute name="deep-copy-subject-mode" type="xs:boolean" use="optional"/>
  60. </xs:complexType>
  61. <!-- Configuration for security domains -->
  62. <xs:complexType name="securityDomainsType">
  63. <xs:annotation>
  64. <xs:documentation>
  65. <![CDATA[
  66. Configures security domains for applications.
  67. ]]>
  68. </xs:documentation>
  69. </xs:annotation>
  70. <xs:sequence>
  71. <xs:element name="security-domain" type="securityDomainType" minOccurs="0" maxOccurs="unbounded"/>
  72. </xs:sequence>
  73. </xs:complexType>
  74. <xs:complexType name="securityDomainType">
  75. <xs:annotation>
  76. <xs:documentation>
  77. <![CDATA[
  78. Definition of a security domain.
  79. ]]>
  80. </xs:documentation>
  81. </xs:annotation>
  82. <xs:sequence>
  83. <xs:choice>
  84. <xs:element name="authentication" type="authenticationType" minOccurs="0" maxOccurs="1"/>
  85. <xs:element name="authentication-jaspi" type="authenticationJaspiType" minOccurs="0" maxOccurs="1"/>
  86. </xs:choice>
  87. <xs:element name="authorization" type="authorizationType" minOccurs="0" maxOccurs="1"/>
  88. <xs:element name="acl" type="aclType" minOccurs="0" maxOccurs="1"/>
  89. <xs:element name="mapping" type="mappingType" minOccurs="0" maxOccurs="1"/>
  90. <xs:element name="audit" type="auditType" minOccurs="0" maxOccurs="1"/>
  91. <xs:element name="identity-trust" type="identityTrustType" minOccurs="0" maxOccurs="1"/>
  92. <xs:element name="jsse" type="jsseType" minOccurs="0" maxOccurs="1"/>
  93. </xs:sequence>
  94. <xs:attribute name="name" type="xs:string" use="required"/>
  95. <xs:attribute name="cache-type" type="xs:string" use="optional"/>
  96. </xs:complexType>
  97. <xs:complexType name="authenticationType">
  98. <xs:annotation>
  99. <xs:documentation>
  100. <![CDATA[
  101. Authentication configuration.
  102. ]]>
  103. </xs:documentation>
  104. </xs:annotation>
  105. <xs:sequence>
  106. <xs:element name="login-module" type="loginModuleType" minOccurs="1" maxOccurs="unbounded"/>
  107. </xs:sequence>
  108. </xs:complexType>
  109. <xs:complexType name="authenticationJaspiType">
  110. <xs:annotation>
  111. <xs:documentation>
  112. <![CDATA[
  113. JASPI authentication configuration.
  114. ]]>
  115. </xs:documentation>
  116. </xs:annotation>
  117. <xs:sequence>
  118. <xs:element name="login-module-stack" type="loginModuleStackType" maxOccurs="unbounded"/>
  119. <xs:element name="auth-module" type="authModuleType" maxOccurs="unbounded"/>
  120. </xs:sequence>
  121. </xs:complexType>
  122. <xs:complexType name="authorizationType">
  123. <xs:annotation>
  124. <xs:documentation>
  125. <![CDATA[
  126. Authorization configuration.
  127. ]]>
  128. </xs:documentation>
  129. </xs:annotation>
  130. <xs:sequence>
  131. <xs:element name="policy-module" type="policyModuleType" maxOccurs="unbounded"/>
  132. </xs:sequence>
  133. </xs:complexType>
  134. <xs:complexType name="aclType">
  135. <xs:annotation>
  136. <xs:documentation>
  137. <![CDATA[
  138. ACL configuration.
  139. ]]>
  140. </xs:documentation>
  141. </xs:annotation>
  142. <xs:sequence>
  143. <xs:element name="acl-module" type="aclModuleType" maxOccurs="unbounded"/>
  144. </xs:sequence>
  145. </xs:complexType>
  146. <xs:complexType name="mappingType">
  147. <xs:annotation>
  148. <xs:documentation>
  149. <![CDATA[
  150. Mapping configuration.
  151. ]]>
  152. </xs:documentation>
  153. </xs:annotation>
  154. <xs:sequence>
  155. <xs:element name="mapping-module" type="mappingModuleType" maxOccurs="unbounded"/>
  156. </xs:sequence>
  157. </xs:complexType>
  158. <xs:complexType name="auditType">
  159. <xs:annotation>
  160. <xs:documentation>
  161. <![CDATA[
  162. Audit configuration.
  163. ]]>
  164. </xs:documentation>
  165. </xs:annotation>
  166. <xs:sequence>
  167. <xs:element name="provider-module" type="providerModuleType" maxOccurs="unbounded"/>
  168. </xs:sequence>
  169. </xs:complexType>
  170. <xs:complexType name="identityTrustType">
  171. <xs:annotation>
  172. <xs:documentation>
  173. <![CDATA[
  174. Identity trust configuration.
  175. ]]>
  176. </xs:documentation>
  177. </xs:annotation>
  178. <xs:sequence>
  179. <xs:element name="trust-module" type="trustModuleType" maxOccurs="unbounded"/>
  180. </xs:sequence>
  181. </xs:complexType>
  182. <xs:simpleType name="module-option-flag">
  183. <xs:annotation>
  184. <xs:documentation>
  185. <![CDATA[
  186. The flag attribute controls how a login module
  187. participates in the overall procedure.
  188. Required - The LoginModule is required to succeed. If it
  189. succeeds or fails, authentication still continues to proceed
  190. down the LoginModule list.
  191. Requisite - The LoginModule is required to succeed. If it succeeds,
  192. authentication continues down the LoginModule list. If it fails,
  193. control immediately returns to the application (authentication does not proceed
  194. down the LoginModule list).
  195. Sufficient - The LoginModule is not required to succeed. If it does
  196. succeed, control immediately returns to the application (authentication
  197. does not proceed down the LoginModule list). If it fails,
  198. authentication continues down the LoginModule list.
  199. Optional - The LoginModule is not required to succeed. If it succeeds or
  200. fails, authentication still continues to proceed down the
  201. LoginModule list.
  202. The overall authentication succeeds only if
  203. all required and requisite LoginModules succeed. If a
  204. sufficient LoginModule is configured and succeeds, then only
  205. the required and requisite LoginModules prior to that
  206. sufficient LoginModule need to have succeeded for the overall
  207. authentication to succeed. If no required or requisite
  208. LoginModules are configured for an application, then at least
  209. one sufficient or optional LoginModule must succeed.
  210. ]]>
  211. </xs:documentation>
  212. </xs:annotation>
  213. <xs:restriction base="xs:token">
  214. <xs:enumeration value="required"/>
  215. <xs:enumeration value="requisite"/>
  216. <xs:enumeration value="sufficient"/>
  217. <xs:enumeration value="optional"/>
  218. </xs:restriction>
  219. </xs:simpleType>
  220. <xs:complexType name="loginModuleType">
  221. <xs:annotation>
  222. <xs:documentation>
  223. <![CDATA[
  224. Login module configuration.
  225. ]]>
  226. </xs:documentation>
  227. </xs:annotation>
  228. <xs:sequence>
  229. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  230. </xs:sequence>
  231. <xs:attribute name="name" type="xs:string" use="optional"/>
  232. <xs:attribute name="code" type="xs:string" use="required"/>
  233. <xs:attribute name="flag" type="module-option-flag" use="required"/>
  234. <xs:attribute name="module" type="xs:string" use="optional"/>
  235. </xs:complexType>
  236. <xs:complexType name="propertyType">
  237. <xs:attribute name="name" type="xs:string" use="required"/>
  238. <xs:attribute name="value" type="xs:string" use="required"/>
  239. </xs:complexType>
  240. <xs:complexType name="loginModuleStackType">
  241. <xs:annotation>
  242. <xs:documentation>
  243. <![CDATA[
  244. Login module configuration for JASPI.
  245. ]]>
  246. </xs:documentation>
  247. </xs:annotation>
  248. <xs:sequence>
  249. <xs:element name="login-module" type="loginModuleType" minOccurs="1" maxOccurs="unbounded"/>
  250. </xs:sequence>
  251. <xs:attribute name="name" type="xs:string" use="required"/>
  252. </xs:complexType>
  253. <xs:complexType name="authModuleType">
  254. <xs:annotation>
  255. <xs:documentation>
  256. <![CDATA[
  257. Authentication module configuration for JASPI.
  258. ]]>
  259. </xs:documentation>
  260. </xs:annotation>
  261. <xs:sequence>
  262. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  263. </xs:sequence>
  264. <xs:attribute name="name" type="xs:string" use="optional"/>
  265. <xs:attribute name="code" type="xs:string" use="required"/>
  266. <xs:attribute name="flag" type="module-option-flag" use="optional"/>
  267. <xs:attribute name="login-module-stack-ref" type="xs:string" use="optional"/>
  268. <xs:attribute name="module" type="xs:string" use="optional"/>
  269. </xs:complexType>
  270. <xs:complexType name="policyModuleType">
  271. <xs:annotation>
  272. <xs:documentation>
  273. <![CDATA[
  274. Authorization module configuration.
  275. ]]>
  276. </xs:documentation>
  277. </xs:annotation>
  278. <xs:sequence>
  279. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  280. </xs:sequence>
  281. <xs:attribute name="name" type="xs:string" use="optional"/>
  282. <xs:attribute name="code" type="xs:string" use="required"/>
  283. <xs:attribute name="flag" type="module-option-flag" use="required"/>
  284. <xs:attribute name="module" type="xs:string" use="optional"/>
  285. </xs:complexType>
  286. <xs:complexType name="aclModuleType">
  287. <xs:annotation>
  288. <xs:documentation>
  289. <![CDATA[
  290. ACL module configuration.
  291. ]]>
  292. </xs:documentation>
  293. </xs:annotation>
  294. <xs:sequence>
  295. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  296. </xs:sequence>
  297. <xs:attribute name="name" type="xs:string" use="optional"/>
  298. <xs:attribute name="code" type="xs:string" use="required"/>
  299. <xs:attribute name="flag" type="module-option-flag" use="required"/>
  300. <xs:attribute name="module" type="xs:string" use="optional"/>
  301. </xs:complexType>
  302. <xs:complexType name="mappingModuleType">
  303. <xs:annotation>
  304. <xs:documentation>
  305. <![CDATA[
  306. Mapping module configuration.
  307. ]]>
  308. </xs:documentation>
  309. </xs:annotation>
  310. <xs:sequence>
  311. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  312. </xs:sequence>
  313. <xs:attribute name="name" type="xs:string" use="optional"/>
  314. <xs:attribute name="type" type="xs:string" use="optional"/>
  315. <xs:attribute name="code" type="xs:string" use="required"/>
  316. <xs:attribute name="module" type="xs:string" use="optional"/>
  317. </xs:complexType>
  318. <xs:complexType name="providerModuleType">
  319. <xs:annotation>
  320. <xs:documentation>
  321. <![CDATA[
  322. Audit module configuration.
  323. ]]>
  324. </xs:documentation>
  325. </xs:annotation>
  326. <xs:sequence>
  327. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  328. </xs:sequence>
  329. <xs:attribute name="name" type="xs:string" use="optional"/>
  330. <xs:attribute name="code" type="xs:string" use="required"/>
  331. <xs:attribute name="module" type="xs:string" use="optional"/>
  332. </xs:complexType>
  333. <xs:complexType name="trustModuleType">
  334. <xs:annotation>
  335. <xs:documentation>
  336. <![CDATA[
  337. Identity trust module configuration.
  338. ]]>
  339. </xs:documentation>
  340. </xs:annotation>
  341. <xs:sequence>
  342. <xs:element name="module-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  343. </xs:sequence>
  344. <xs:attribute name="name" type="xs:string" use="optional"/>
  345. <xs:attribute name="code" type="xs:string" use="required"/>
  346. <xs:attribute name="flag" type="module-option-flag" use="required"/>
  347. <xs:attribute name="module" type="xs:string" use="optional"/>
  348. </xs:complexType>
  349. <xs:complexType name="jsseType">
  350. <xs:annotation>
  351. <xs:documentation>
  352. <![CDATA[
  353. JSSE configuration.
  354. ]]>
  355. </xs:documentation>
  356. </xs:annotation>
  357. <xs:sequence>
  358. <xs:element name="additional-properties" type="properties" minOccurs="0" maxOccurs="1"/>
  359. </xs:sequence>
  360. <xs:attribute name="keystore-password" type="xs:string" use="optional"/>
  361. <xs:attribute name="keystore-type" type="xs:string" use="optional"/>
  362. <xs:attribute name="keystore-url" type="xs:string" use="optional"/>
  363. <xs:attribute name="keystore-provider" type="xs:string" use="optional"/>
  364. <xs:attribute name="keystore-provider-argument" type="xs:string" use="optional"/>
  365. <xs:attribute name="key-manager-factory-algorithm" type="xs:string" use="optional"/>
  366. <xs:attribute name="key-manager-factory-provider" type="xs:string" use="optional"/>
  367. <xs:attribute name="truststore-password" type="xs:string" use="optional"/>
  368. <xs:attribute name="truststore-type" type="xs:string" use="optional"/>
  369. <xs:attribute name="truststore-url" type="xs:string" use="optional"/>
  370. <xs:attribute name="truststore-provider" type="xs:string" use="optional"/>
  371. <xs:attribute name="truststore-provider-argument" type="xs:string" use="optional"/>
  372. <xs:attribute name="trust-manager-factory-algorithm" type="xs:string" use="optional"/>
  373. <xs:attribute name="trust-manager-factory-provider" type="xs:string" use="optional"/>
  374. <xs:attribute name="client-alias" type="xs:string" use="optional"/>
  375. <xs:attribute name="server-alias" type="xs:string" use="optional"/>
  376. <xs:attribute name="service-auth-token" type="xs:string" use="optional"/>
  377. <xs:attribute name="client-auth" type="xs:boolean" use="optional"/>
  378. <xs:attribute name="cipher-suites" type="xs:string" use="optional"/>
  379. <xs:attribute name="protocols" type="xs:string" use="optional"/>
  380. </xs:complexType>
  381. <xs:complexType name="properties">
  382. <xs:sequence>
  383. <xs:element name="property" type="propertyType" maxOccurs="unbounded"/>
  384. </xs:sequence>
  385. </xs:complexType>
  386. <xs:complexType name="vaultType">
  387. <xs:annotation>
  388. <xs:documentation>
  389. <![CDATA[
  390. Vault Configuration.
  391. ]]>
  392. </xs:documentation>
  393. </xs:annotation>
  394. <xs:sequence>
  395. <xs:element name="vault-option" type="propertyType" minOccurs="0" maxOccurs="unbounded"/>
  396. </xs:sequence>
  397. <xs:attribute name="code" type="xs:string" use="optional"/>
  398. </xs:complexType>
  399. </xs:schema>