Configuration file syntax and usage
The credential refresh behavior is controlled by entries in the [credential-refresh-attributes] stanza in the WebSEAL configuration file. The format is:
attribute_name_pattern = {preserve|refresh}
The attribute name pattern is used to select a given set of attributes. Wildcard matching is supported.
A particular attribute can be matched by many different wildcard patterns. Therefore, the order of entries in the configuration file is important. The first pattern matching a given attribute is the only pattern that applies to that attribute.
Attribute names in attribute_name_pattern should not be case-sensitive because attribute names in credentials are not case-sensitive.
Example - Preserve all of the tag value attributes added by an extended attribute external authentication C API module:
[credential-refresh-attributes]
tagvalue_* = preserve
Example - Update the tagvalue_last_refresh_time attribute with the value from the new credential, but preserve all other attributes that begin with tagvalue_:
[credential-refresh-attributes]
tagvalue_last_refresh_time = refresh
tagvalue_* = preserve
Note the ordering of attributes in the file is important. In the following example, tagvalue_last_refresh_time will not be refreshed because it is first matched by the tagvalue_* entry, which is set to preserve:
[credential-refresh-attributes]
tagvalue_* = preserve
tagvalue_last_refresh_time = refresh
Avoid preserving attributes that begin with the letters AZN_. Such attributes are typically used internally by the authorization API during authorization decisions. See information about obtaining attribute lists from credentials in the IBM Knowledge Center.
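The first-match rule and the AZN_ advice above can be checked before a configuration change is deployed. The following is an added example, not IBM or WebSEAL code: parse_stanza, resolve and lint are hypothetical helper names, and the wildcard syntax is assumed to be shell-style globbing (* and ?), which the page does not specify.

```python
from fnmatch import fnmatchcase

# Constructed samples: the page's two orderings of the same entries.
GOOD = ("[credential-refresh-attributes]\n"
        "tagvalue_last_refresh_time = refresh\ntagvalue_* = preserve\n")
BAD = ("[credential-refresh-attributes]\n"
       "tagvalue_* = preserve\ntagvalue_last_refresh_time = refresh\n")

def parse_stanza(text, stanza="credential-refresh-attributes"):
    """Return the stanza's entries as ordered (pattern, action) pairs."""
    rules, active = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            active = line.strip("[]").strip() == stanza
        elif active and "=" in line:
            pattern, action = (part.strip() for part in line.split("=", 1))
            if action not in ("preserve", "refresh"):
                raise ValueError(f"bad action for {pattern!r}: {action!r}")
            # Attribute names are not case-sensitive, so normalize once.
            rules.append((pattern.lower(), action))
    return rules

def resolve(rules, attribute):
    """Apply the first matching pattern only; None means nothing matched."""
    name = attribute.lower()
    for pattern, action in rules:
        if fnmatchcase(name, pattern):
            return action
    return None

def lint(rules):
    """Flag entries hidden by an earlier pattern and preserved AZN_ names."""
    findings = []
    for i, (pattern, action) in enumerate(rules):
        # Heuristic: the later pattern's text is itself matched by an earlier one.
        for earlier, _ in rules[:i]:
            if fnmatchcase(pattern, earlier):
                findings.append(f"{pattern} is shadowed by earlier entry {earlier}")
                break
        # A leading wildcard or an azn_ prefix can preserve AZN_ attributes.
        if action == "preserve" and pattern.startswith(("azn_", "*")):
            findings.append(f"{pattern} may preserve internal AZN_ attributes")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        rules = parse_stanza(text)
        print(name, resolve(rules, "tagvalue_last_refresh_time"), lint(rules))
```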