schema.infinispan-server-15.1.xsd Maven / Gradle / Ivy
The newest version!
Configuration for the connection factory
Configuration for the connection pool
Name for the datasource (used for management)
JNDI name for the datasource
Enable statistics for this datasource
Properties for the JDBC driver
Unique reference to the JDBC driver
JDBC driver connection URL (e.g. "jdbc:h2:tcp://localhost:1234")
Set the java.sql.Connection transaction isolation level to use. Defaults to READ_COMMITTED
SQL statement to be executed on a connection after creation
Username to use for basic authentication with the database
Password to use for basic authentication with the database
Define constants used as the possible transaction isolation levels in transaction-isolation type ]>
Include: NONE, READ_UNCOMMITTED, READ_COMMITTED, REPEATABLE_READ, SERIALIZABLE
Maximum number of connections in the pool
Minimum number of connections the pool should hold
Initial number of connections the pool should hold
Maximum time in milliseconds to block while waiting for a connection before throwing an exception
This will never throw an exception if creating a new connection takes an inordinately long period of time
Default is 0 meaning that a call will wait indefinitely
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Time in milliseconds between background validation runs. A duration of 0 means that this feature is disabled.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Connections idle for longer than this time, specified in milliseconds, are validated before being
acquired (foreground validation). A duration of 0 means that this feature is disabled.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Time in milliseconds a connection has to be held before a leak warning
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Time in milliseconds a connection has to be idle before it can be removed.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Specifies the socket this connector binds to. If no socket binding is declared, the server does not listen to TCP connections.
Names the cache container this connector exposes.
Sets the number of I/O threads. Defaults to 2 * cpu cores. This configuration is ignored
when using single port.
Specifies the maximum time, in seconds, that client connections can remain inactive. Defaults to 0 (no timeout).
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Enables TCP NODELAY on the TCP stack. Values are enabled (default) / disabled.
Enables TCP KEEPALIVE on the TCP stack. Values are enabled / disabled (default).
Sets the size of the send buffer.
Sets the size of the receive buffer.
Requires clients to use certificates for authentication.
Specifies the socket the endpoint connector binds to.
Names the security realm to use for authentication, cache authorization, and encryption.
Specifies the socket the endpoint connector binds to.
Names the security realm to use for authentication, cache authorization, and encryption.
Enable administrative features on this endpoint. Defaults to true.
Enable metrics authentication on this endpoint. Defaults to true.
Logically names this connector. Use this attribute to separate multiple connector declarations for the same endpoint.
Sets an external address for this node to accept client connections. Defaults to the server socket binding address.
Sets an external port for this node. Defaults to the server socket binding port.
Names the security realm to use for authentication, cache authorization, and encryption.
Configures whether to use the netmask that the host system provides for interfaces or override with netmasks that follow IANA private address conventions.
Defaults to overriding host netmasks and using IANA conventions.
Names the cache that the Memcached connector exposes. Defaults to memcachedCache.
Sets client encoding for values. Applies to memcached text protocol only.
Names the security realm to use for authentication, cache authorization, and encryption.
Sets the context path for REST connectors and defaults to
the root context. The command line interface (CLI) and
other internal components use the root context. For this
reason, you should not change the default value or set a
custom context path.
Enables extended headers. Values are NEVER / ON_DEMAND (default).
Sets the maximum allowed content length.
Sets the level for compressed requests and responses.
The response body is compressed when the size of the response body exceeds the threshold. The value should be a non-negative number. 0 will enable compression for all responses.
Names the security realm to use for authentication, cache authorization, and encryption.
Names the cache that the RESP connector exposes. The default cache name is respCache.
Specifies a security realm for the RESP connector.
Configures lock acquisition timeouts, for topology caches. Defaults to 10 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Configures replication timeouts for topology caches. Defaults to 10 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Enables lazy retrieval of cluster topology from nodes via a ClusterCacheLoader. Values are true / false (default).
Configures whether initial state retrieval should happen immediately at startup. Applies only when lazy-retrieval is false. Values are true (default) / false.
Names the security realm to use for authentication and authorization. Deprecated since 12.1. Use the security-realm attribute on the connector instead.
The principal to use as the server identity. The principal must be present in the security
realm.
This is required for Kerberos-based SASL mechs (e.g. GSSAPI, GS2_KRB5)
Names the server that is exposed to clients.
Defines the name of a property.
The security realm to use for authentication/authorization purposes. Defaults to none (no
authentication). Deprecated since 12.1. Use the security-realm attribute on the connector instead.
The security realm to use for authentication/authorization purposes. Defaults to none (no
authentication). Deprecated since 12.1. Use the security-realm attribute on the connector instead.
The authentication method to require. Can be NONE, BASIC, DIGEST, CLIENT_CERT, SPNEGO.
Defaults to NONE. Setting it to a different value requires enabling a security-realm.
The principal to use as the server identity. The principal must be present in the security
realm.
This is required for Kerberos-based SASL mechs (e.g. SPNEGO).
Requires clients to use certificates for authentication.
Names the security realm that contains the SSL keystore. Deprecated since 12.1. Use the security-realm attribute on the connector instead.
TLS SNI host name
A corresponding security realm. If none is specified, the default will be used.
Path for REST prefix
Never return extended headers
Return extended headers on demand (i.e. when the 'extendend' query parameter is present
on the request)
Defines a CORS rule for one or more origins.
Defines a name for a CORS rule.
Configures if CORS requests use credentials and sets the CORS
'Access-Control-Allow-Credentials' response header.
Configures how long CORS preflight request headers can be caches
and sets the CORS 'Access-Control-Max-Age' response header.
Specifies the CORS 'Access-Control-Allow-Origin' header that controls which
origins can access resources.
Specifies the CORS 'Access-Control-Allow-Methods' header in the preflight response.
Controls the methods that origins can access.
Specifies the CORS 'Access-Control-Allow-Headers' header in the preflight response.
Controls the headers that origins can access.
Specifies the CORS 'Access-Control-Expose-Headers' header in the preflight response.
Controls the headers that are exposed to origins.
Complex type to contain the definitions of the credential stores.
Credential reference to be used by the configuration.
Credential store name used to fetch credential with given 'alias' from.
Credential store name has to be defined elsewhere.
Alias of credential in the credential store.
A clear-text credential.
The clear-text password.
Adds a masked password for the credential keystore.
Specifies a masked password in the format of `MASKED_VALUE;SALT;ITERATION`.
Executes an external command that supplies the password for the credential keystore.
An external command, including arguments, that returns the credential on the standard output.
An individual credential store definition.
Specifies a clear-text password that allows access to the credential keystore.
Specifies a masked password that allows access to the credential keystore.
Specifies an external command that supplies a password that allows access to the credential keystore.
Specifies the credential keystore that contains a password that allows access to the credential keystore.
Specifies the name of the credential keystore.
A property name whose value will be used to resolve relative paths.
File name of the credential keystore. If the path is relative, the full path will be resolved using the 'relative-to' attribute.
The type of the credential store file. Can be either pkcs12 or jceks. Defaults to pkcs12.
Specifies which of the underlying realms will be used by default. It defaults to the first realm.
The maximum size for the identity cache for this realm. If the size is less than 1, the cache will be disabled. Defaults to 256.
The lifespan, in milliseconds, of entries in the identity cache after which they expire and are reloaded from the realm provider. Defaults to -1 (never expires).
Specifies the location of the keystore on the host file system. You can set a relative or absolute value.
If you set a relative value, configure a value for the 'relative-to' attribute.
The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM.
BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present.
The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
Specifies a property name that resolves to a directory on the host file system.
Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
Deprecated: use the 'password' attribute instead.
The password required to open the keystore. If the keystore is a PEM file, this should be specified as an
empty string.
The alias of the entry in the keystore to use as the server identity.
Only required if there are multiple entries in the keystore.
A password required to access a specific entry within the keystore. Only needed if the keystore type
supports it and the entries have been protected by an additional password.
If this attribute is set and if the file that backs the KeyStore does not exist, then
a self-signed certificate will be generated on first use and it will be persisted to
the file that backs the KeyStore. The value of this attribute will be used for the
Common Name value in the self-signed certificate.
The use of this attribute is intended for testing purposes only. This attribute is not
intended for production use.
The name of the provider to use to instantiate the KeyManagerFactory. If the provider is not
specified, the first provider found that can create an instance of the
specified 'type' will be used.
The type of the keystore. Normally the type will be auto-detected. This attribute is required for
file-less keystores, for example when using the `SunPKCS11-nss-fips` provider.
Specifies the location of the truststore on the host file system. You can set a relative or absolute value.
If you set a relative value, configure a value for the 'relative-to' attribute.
The type of the keystore will be auto-detected among JKS, JCEKS, PKCS12 or PEM.
BKS, BCFKS and UBER are also supported if the `bouncycastle` libary is present.
The path may be omitted when using global store providers, such as 'SunPKCS11-NSS-FIPS'.
Specifies a property name that resolves to a directory on the host file system.
Any files that you specify with the 'path' attribute, unless absolute, must be relative to this directory.
The password required to open the truststore. If the truststore is a PEM file, this should be specified as an
empty string.
The name of the provider to use to instantiate the TrustManagerFactory. If the provider is not
specified, the first provider found that can create an instance of the
specified 'type' will be used.
The type of the truststore. Normally the type will be auto-detected. This attribute is required for
file-less truststores, for example when using the `SunPKCS11-nss-fips` provider.
The filter to be applied to the cipher suites made available by this SSL engine.
The ciphersuite names to use for the TLSv1.3 engine.
Names the security realm to logically separate multiple realms of the same type.
Defines an LDAP security realm.
Names the security realm to logically separate multiple realms of the same type.
Specifies the URL for LDAP server connections in the format ldap[s]://{hostname}:{port}.
Specifies the user principal for LDAP server connections.
Specifies the user credential for LDAP server connections.
Configures the realm to verify credentials by connecting to LDAP servers with the account. Values are true / false (default).
Sets the page size for realm iteration. The default value is 50.
Enables connection pooling.
Specifies if LDAP server referrals are followed and corresponds
to the REFERRAL ("java.naming.referral") environment property.
Values are "ignore", "follow" (default), and "throw".
Sets the timeout, in milliseconds, for LDAP server connections.
The default value is 5 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Sets the read timeout, in milliseconds, for LDAP server
operations. The default value is 1 minute.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
The name of a realm which provides a trust store with which to validate SSL client connections.
Specifies a name rewriter that transforms names returned by a realm.
Specifies the base type for all PrincipalTransformer definitions.
Deprecated. Will be ignored.
Specifies a PrincipalTransformer definition using regular expressions and Matcher based replacement.
Specifies the regular expression for this PrincipalTransformer.
Specifies the replacement string for the PrincipalTransformer.
Replaces all occurrences instead of the first occurrence.
Specifies a PrincipalTransformer definition using case conversion
Whether to transform to UPPERCASE or lowercase. The default is true.
Specifies a PrincipalTransformer definition which extracts the first CommonName (CN) from a DistinguishedName (DN).
Specifies configuration options that define how principals are
mapped to corresponding entries in LDAP servers.
Names the context for query execution. This option provides a
useful method to authenticate users based on names that do not
use X.500 format, such as "plainUser". In this case, you must
also specify the rdn-identifier. If names to authenticate users
are based on the X.500 format, you can suppress this
configuration. You should also note that this option lets realms
authenticate users based on simple, or X.500, names.
Specifies an LDAP attribute that contains the user name and
appears in the path of new entries.
Performs recursive queries.
The time limit of LDAP search in milliseconds. Defaults to 10000 ms.
Specifies the LDAP filter that retrieves an identity by name.
In the default value, "{0}" is replaced with the searched identity name and "rdn_identifier" is replaced with the value of the "rdn-identifier" attribute.
Specifies the attribute mappings defined for this resource.
The filter to use to obtain the values for a specific attribute.
String "{0}" will be replaced by username, "{1}" by user identity DN.
The name of an LDAP attribute containing DN of entry to obtain value from.
The name of the context where the filter should be performed.
The name of the LDAP attribute to map to an identity attribute.
If not defined, DN of the whole entry is used as value.
The name of the identity attribute mapped from a specific LDAP attribute.
If not provided, the name of the attribute is the same as define in 'from'.
If the 'from' is not defined too, value 'dn' is used.
Indicates if attribute LDAP search queries are recursive.
Sets recursive roles assignment - value determine maximum depth of recursion. (0 for no recursion)
Determine LDAP attribute of role entry which will be substitute for "{0}" in filter-name when searching roles of role.
Used only when role-recursion is set.
The RDN key to use as the value for an attribute, in case the value in its raw form is in X.500 format.
Specifies the user password credential mapping defined for this
resource.
The name of the LDAP attribute to map to an identity user password credential.
If the password credential is verifiable.
Defines one or more string values representing an unique identifier for the entities that are allowed as
issuers of a given JWT. During validation JWT tokens must have a iss claim that contains one of the values defined here.
If not provided, the validator will not perform validations based on the issuer claim.
Defines one or more string values representing the audiences supported by this configuration.
During validation JWT tokens must have an aud claim that contains one of the values defined here.
If not provided, the validator will not perform validations based on the audience claim.
A default public key in its PEM format used to validate the signature of tokens without kid header parameter.
If not provided, the validator will not validate signatures.
A timeout, in milliseconds for cached jwks when using jku claim.
After this timeout, the keys of need to be re-cached before use. Default value is 2 minutes.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Sets the timeout, in milliseconds, for connections to the JKU server.
The default value is 2 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Sets the read timeout, in milliseconds, for the JKU server.
operations. The default value is 2 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
The name of a realm which provides a trust store with which to validate SSL client connections.
A HostnameVerifier that will be used to validate the hostname when using SSL/TLS.
This configuration is mandatory if using jku claims. Can be ANY or DEFAULT.
The identifier of a client registered within the OAuth2 Authorization Server that will be used to
authenticate this server in order to validate bearer tokens arriving to this server.
Please note that the client will be usually a confidential client with both an identifier and secret
configured in order to authenticate against the token introspection endpoint. In this case, the endpoint
must support HTTP BASIC authentication using the client credentials (both id and secret).
The secret of the client identified by the given clientId.
An URL pointing to a RFC-7662 OAuth2 Token Introspection compatible endpoint.
Sets the timeout, in milliseconds, for connections to the OAuth2 server.
The default value is 2 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
Sets the read timeout, in milliseconds, for the OAuth2 server.
operations. The default value is 2 seconds.
You can optionally set one of the following units: ms (milliseconds), s (seconds), m (minutes), h (hours), d (days).
The name of a realm which provides a trust store with which to validate SSL client connections.
A HostnameVerifier that will be used to validate the hostname when using SSL/TLS.
This configuration is mandatory if the given token introspection url is using SSL/TLS. Can be ANY or DEFAULT.
Specifies the principal that the KeyTab represents.
Sets the path to the KeyTab for retrieving credentials.
Specifies the name of a named path or a standard path that the
system provides. If set, the value of the "path" attribute
becomes relative to this path.
Specifies, in seconds, how long a cached credential can remain before it is recreated.
Specifies, in seconds, how much lifetime to request for newly
created credentials.
Specifies the amount of time, in seconds, to wait before
attempting to obtain server credential if the previous attempt
failed. Prevents long waiting periods on every authentication
attempt if the KDC is unavailable.
Specifies if the realm is server-side (default) or client-side.
Controls if a KerberosTicket is also obtained and associated
with the credential. The value must be true if credentials are
delegated to the server.
Defines if the JAAS step to obtain the credential has debug
logging enabled.
Specifies if generated GSS credentials are wrapped to prevent
improper disposal.
Specifies if the keytab file with adequate principal must exist
when the service starts.
Defines the mechanism names with which the credential can be
used. Names are converted to OIDs and used together with OIDs
from the mechanism-oids attribute.
Defines the mechanism OIDs with which the credential can be
used. Used with OIDs derived from names from the mechanism-names
attribute.
A realm definition for authentication and authorization of identities distributed between multiple realms.
A list of security realms that should be used for authentication until one succeeds.
If no realms are specified, all the available realms will be used.
A realm definition for authentication and authorization of identities aggregated between multiple realms.
The name of a security realm that should be used for authentication.
A list of security realm names that should be used for authorization.
If no realms are specified, all the available realms will be used.
Defines a security-realm which will be used to secure the resource.
It may be used on the cache-container transport element.
Defines a data-source which will be used to provide database connections.
It may be used to on the cache-container transport element to configure JDBC_PING.
An EvidenceDecoder that derives the principal associated with the given evidence from the subject from
the first certificate in the certificate chain.
An EvidenceDecoder that derives the principal associated with the given evidence from an X.509 subject
alternative name from the first certificate in the given evidence.
The subject alternative name type to decode from the given evidence.
The 0-based occurrence of the subject alternative name to map. This attribute is optional and only
used when there is more than one subject alternative name of the given alt-name-type