Security Realm-->General
Overview
A security realm provides all the auditing, authentication, authorization, credential mapping, and role mapping services to a WebLogic Server deployment. You can configure multiple security realms within a single WebLogic Server deployment. Use this page to configure a new security realm.
Only one security realm is designated as the default security realm. If you want your newly configured security realm to be the default security realm, click the View Domain-Wide Security Settings link on the General page on the Domain node. Then click the General tab. For more information, see Changing the Default Security Realm.
For any security realm to be valid, configure each of the following types of security providers (in any order):
- Authentication
- Authorization
- Adjudication
- Credential Mapping
- Role Mapping
At least one Authorization, Credential Mapping, and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider, DeployableCredentialProvider, and DeployableRoleProvider Security Service Provider Interface (SSPI), respectively. These SSPIs allow the providers to store (rather than retrieve) information from deployment descriptors.
To give you control over performance, the WebLogic Server Administration Console requires you to specify how the WebLogic Security Service should perform security checks. You specify this preference using the Check Roles and Policies attribute on the security realm.
When the Check Roles and Policies setting is Web Applications and EJBs Protected in DD, the WebLogic Security Service performs security checks only on URL and EJB resources that have security specified in their associated deployment descriptors (DDs). This is the default Check Roles and Policies setting.
When the Check Roles and Policies setting is All Web Applications and EJBs, the WebLogic Security Service performs security checks on all URL (Web) and EJB resources, regardless of whether there are any security settings in the deployment descriptors (DDs) for these WebLogic resources. If you change the value of the Check Roles and Policies drop-down menu to All Web Applications and EJBs, you also need to specify what the WebLogic Security Service should do when the URL or EJB resource is redeployed.
If you select All Web Applications and EJBs in the Check Roles and Policies drop-down menu, you also need to tell WebLogic Server which technique you want to use to secure these URL (Web) and EJB resources. You specify this preference using the Future Redeploys attribute.
You should set the value of the Future Redeploys drop-down menu as follows:
- To secure your URL and EJB resources using only the WebLogic Server Administration Console, select the Ignore Roles and Policies From DD (Deployment Descriptors) option.
- To secure your URL and EJB resources using only the deployment descriptors (that is, the ejb-jar.xml, weblogic-ejb-jar.xml, web.xml, and weblogic.xml files), select the Initialize roles and policies from DD option.
For more information, see Securing WebLogic Resources.
It is important to understand that once information from a weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which will happen if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), the data will once again be imported from the weblogic-ra.xml deployment descriptor file and credential mapping information may be lost.
To avoid overwriting new credential mapping information with old information in a weblogic-ra.xml deployment descriptor file, enable the Ignore Security Data in Deployment Descriptors attribute.
The Web resource is deprecated in WebLogic Server 7.0 SP02. If you wrote a custom Authorization provider that uses the Web resource (instead of the URL resource), enable the Use Deprecated Web Resource attribute. This attribute changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.
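The realm rules described above (required provider types, the Deployable SSPI requirement, the Future Redeploys dependency, and the weblogic-ra.xml overwrite risk) can be checked offline before a realm is made the default. The following is an added example, not code from WebLogic Server or its documentation; the dict layout, key names, and the assumption that Ignore Security Data in Deployment Descriptors is off unless stated are all hypothetical, and the SSPI rule is read as one deployable provider per type.

```python
# Added example: offline check of a realm description against the rules on this
# page. Dict layout and key names are hypothetical, not WebLogic MBean attributes.

REQUIRED_TYPES = ("Authentication", "Authorization", "Adjudication",
                  "Credential Mapping", "Role Mapping")
# Provider type -> SSPI that at least one provider of that type must implement.
DEPLOYABLE_SSPI = {
    "Authorization": "DeployableAuthorizationProvider",
    "Credential Mapping": "DeployableCredentialProvider",
    "Role Mapping": "DeployableRoleProvider",
}
CHECK_ALL = "All Web Applications and EJBs"
CHECK_DD = "Web Applications and EJBs Protected in DD"

def audit_realm(realm):
    """Return a list of (severity, message) findings for one realm dict."""
    findings = []
    providers = realm.get("providers", [])
    for ptype in REQUIRED_TYPES:
        of_type = [p for p in providers if p["type"] == ptype]
        if not of_type:
            findings.append(("error", f"no {ptype} provider configured"))
            continue
        sspi = DEPLOYABLE_SSPI.get(ptype)
        if sspi and not any(sspi in p.get("implements", ()) for p in of_type):
            findings.append(("error", f"no {ptype} provider implements {sspi}"))
    mode = realm.get("check_roles_and_policies", CHECK_DD)  # default per the page
    if mode == CHECK_ALL and not realm.get("future_redeploys"):
        findings.append(("error", "Future Redeploys not set for " + CHECK_ALL))
    if mode == CHECK_DD:
        findings.append(("info", "URL/EJB resources without DD security are not checked"))
    if not realm.get("ignore_security_data_in_dd", False):  # assumed off if absent
        findings.append(("warn", "redeploy may re-import weblogic-ra.xml credential data"))
    return findings

# Constructed sample realm: Adjudication missing, Role Mapping not deployable.
SAMPLE = {
    "providers": [
        {"type": "Authentication", "implements": []},
        {"type": "Authorization", "implements": ["DeployableAuthorizationProvider"]},
        {"type": "Credential Mapping", "implements": ["DeployableCredentialProvider"]},
        {"type": "Role Mapping", "implements": []},
    ],
    "check_roles_and_policies": CHECK_ALL,
}

if __name__ == "__main__":
    for severity, message in audit_realm(SAMPLE):
        print(f"{severity}: {message}")
```

The "info" finding is the one to weigh for exposure: under the default setting, a Web application or EJB deployed without security in its descriptors receives no security checks.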
Tasks
Changing the Default Security Realm
Related Topics
Introduction to WebLogic Security
Developing Security Providers for WebLogic Server
Securing a Production Environment
The Security topics in the WebLogic Server 8.1 Upgrade Guide
The Security page in the WebLogic Server documentation