Security

The following sections discuss WebLogic J2EE Connector security:



Container-Managed and Application-Managed Sign-on

As specified in the J2EE Connector Specification, Version 1.0 Final Release, the WebLogic Server connector implementation supports both container-managed and application-managed sign-on. At runtime, the WebLogic Server connector implementation determines the chosen sign-on mechanism from the information specified in the invoking client component's deployment descriptor. The sign-on mechanism is specified in the res-auth element of the calling component's resource reference. For more information on this element, see "web.xml Deployment Descriptor Elements" in Developing Web Applications for WebLogic Server.

If the WebLogic Server J2EE Connector Architecture implementation cannot determine which sign-on mechanism the client component is requesting (typically because of an improper JNDI lookup of the resource adapter Connection Factory), it attempts container-managed sign-on.

Note: Even in this case, if the client component has specified explicit security information, that information is also presented on the call to obtain the connection.

For related information, see Obtaining the ConnectionFactory (Client-JNDI Interaction) in Client Considerations.


Application-Managed Sign-on

With application-managed sign-on, the client component provides the necessary security information (typically a username and password) when making the call to obtain a connection to an Enterprise Information System (EIS). In this scenario, the application server performs no additional security processing; it simply passes this information along on the request for the connection. The resource adapter uses the security information provided by the client component to perform the EIS sign-on in an implementation-specific manner.
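As an added example (not code from the WebLogic documentation or any shipped adapter), here is a client component written both ways. The resource-ref name eis/MyEIS and the EisConnectionSpec class are assumptions; ConnectionSpec implementations are adapter-specific, so a real client uses the class its adapter ships.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.ConnectionSpec;

/*
 * The container chooses the sign-on path from the res-auth element of the
 * component's resource-ref, e.g. in web.xml (eis/MyEIS is an assumed name):
 *
 *   <resource-ref>
 *     <res-ref-name>eis/MyEIS</res-ref-name>
 *     <res-type>javax.resource.cci.ConnectionFactory</res-type>
 *     <res-auth>Container</res-auth>   <!-- or Application -->
 *   </resource-ref>
 */
public class EisClient {
    private ConnectionFactory lookupFactory() throws NamingException {
        // Looking up through java:comp/env ties the request to the resource-ref
        // and its res-auth value. A direct global JNDI lookup loses that link,
        // and WebLogic then falls back to container-managed sign-on.
        InitialContext ctx = new InitialContext();
        return (ConnectionFactory) ctx.lookup("java:comp/env/eis/MyEIS");
    }

    /** Container-managed sign-on (res-auth = Container): no credentials from the caller. */
    public Connection connectContainerManaged() throws NamingException, ResourceException {
        // WebLogic resolves the caller's credential mapping from embedded LDAP and
        // hands the adapter a Subject holding the mapped PasswordCredential.
        return lookupFactory().getConnection();
    }

    /** Application-managed sign-on (res-auth = Application): the caller supplies EIS credentials. */
    public Connection connectApplicationManaged(String eisUser, String eisPassword)
            throws NamingException, ResourceException {
        // WebLogic passes the ConnectionSpec through unchanged; the adapter signs on.
        return lookupFactory().getConnection(new EisConnectionSpec(eisUser, eisPassword));
    }

    /** ConnectionSpec is a marker interface; each adapter ships its own class. This
     *  stand-in (assumed) follows the spec's recommended UserName/Password properties. */
    static final class EisConnectionSpec implements ConnectionSpec {
        private final String userName, password;
        EisConnectionSpec(String u, String p) { userName = u; password = p; }
        public String getUserName() { return userName; }
        public String getPassword() { return password; }
    }
}
```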


Container-Managed Sign-on

To use container-managed sign-on, WebLogic Server must identify a resource principal and then request the connection on behalf of the resource principal. In order to make this identification, WebLogic Server looks for a configured mapping in the embedded LDAP storage. For any deployed resource adapter, you can configure credential mappings for applicable users. For more information, see Configuring Credential Mappings Using the Console.

You map a user in WebLogic Server to an appropriate set of credentials for a given resource adapter. For old-style resource adapters that still use the deprecated security-principal-map element (configured in the weblogic-ra.xml deployment descriptor), this information is imported into the embedded LDAP storage at deployment time.



Password Credential Mapping Mechanism

The J2EE Connector Specification, Version 1.0 Final Release requires storage of credentials in a javax.security.auth.Subject; the credentials are passed to either the createManagedConnection() or matchManagedConnections() method of the ManagedConnectionFactory object.

Prior to version 7.0 of WebLogic Server, credential mapping information was stored in the weblogic-ra.xml deployment descriptor in the security-principal-map element. In subsequent versions of WebLogic Server, the credential mapping information is stored in the WebLogic Server Embedded LDAP storage.
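An added example, not WebLogic's or any adapter's code, of how a resource adapter's ManagedConnectionFactory can pull the credential out of the Subject it receives on createManagedConnection() or matchManagedConnections(), and fall back to application-supplied credentials when no Subject is present. EisRequestInfo is an assumed adapter-specific class; giving the Subject precedence when both are present is this example's choice.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Iterator;
import javax.resource.ResourceException;
import javax.resource.spi.ConnectionRequestInfo;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/** Picks the EIS credential inside an adapter's createManagedConnection() or
 *  matchManagedConnections(). Not WebLogic code; EisRequestInfo is an assumed adapter class. */
final class CredentialResolver {
    static PasswordCredential resolve(final ManagedConnectionFactory mcf, final Subject subject, ConnectionRequestInfo info) throws ResourceException {
        if (subject != null) {
            // Container-managed sign-on: WebLogic placed the mapped PasswordCredential in the
            // Subject. Private credentials are guarded, so read them under the adapter's privileges.
            PasswordCredential pc = (PasswordCredential) AccessController.doPrivileged(
                new PrivilegedAction() {
                    public Object run() {
                        Iterator it = subject.getPrivateCredentials(PasswordCredential.class).iterator();
                        while (it.hasNext()) {
                            PasswordCredential c = (PasswordCredential) it.next();
                            // A Subject may carry credentials for several adapters; accept only ours.
                            if (mcf.equals(c.getManagedConnectionFactory())) return c;
                        }
                        return null;
                    }});
            if (pc == null) throw new SecurityException("no credential mapped for this adapter");
            return pc;
        }
        if (info instanceof EisRequestInfo) {
            // Application-managed sign-on: the credentials came from the client's ConnectionSpec.
            EisRequestInfo r = (EisRequestInfo) info;
            PasswordCredential pc = new PasswordCredential(r.userName, r.password.toCharArray());
            pc.setManagedConnectionFactory(mcf);
            return pc;
        }
        throw new SecurityException("no credentials supplied for EIS sign-on");
    }

    /** Minimal ConnectionRequestInfo carrying application-supplied credentials (assumed). */
    static final class EisRequestInfo implements ConnectionRequestInfo {
        final String userName, password;
        EisRequestInfo(String u, String p) { userName = u; password = p; }
        public boolean equals(Object o) {
            return o instanceof EisRequestInfo && userName.equals(((EisRequestInfo) o).userName)
                    && password.equals(((EisRequestInfo) o).password);
        }
        public int hashCode() { return userName.hashCode() * 31 + password.hashCode(); }
    }
}
```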


Authentication Mechanisms

WebLogic Server users must be authenticated whenever they request access to a protected WebLogic Server resource. For this reason, each user is required to provide a credential (a username/password pair or a digital certificate) to WebLogic Server.

Password authentication is the only authentication mechanism supported by WebLogic Server out of the box. Password authentication consists of a user ID and password. Based on the configured mappings, when a user requests connection to a resource adapter, the appropriate credentials for that user are supplied to the resource adapter.

The SSL (or HTTPS) protocol can be used to provide an additional level of security to password authentication. Because the SSL protocol encrypts the data transferred between the client and WebLogic Server, the user ID and password of the user do not flow in clear text. Therefore, WebLogic Server can authenticate the user without compromising the confidentiality of the user's ID and password.

For more information, see "Configuring SSL" in Managing WebLogic Security.


Configuring Credential Mappings Using the Console

You configure credential mappings using the WebLogic Server Administration Console. Before you can configure the credential mappings for a resource adapter using the Console, however, you must first successfully deploy the resource adapter. Note that the first time you deploy a resource adapter, it has no credential mappings configured.

If the resource adapter requires you to provide credentials and is configured to create connections at deployment time (meaning the initial-capacity element in weblogic-ra.xml is set to a value greater than 0), the initial connections may fail because no mappings exist yet. In this case, BEA recommends that, for the initial installation and deployment of this resource adapter, you set the initial-capacity of its connection pool to 0. Once you have configured the appropriate credentials after the initial deployment of the resource adapter, you can change the initial-capacity element. For more information on weblogic-ra.xml deployment descriptors, see weblogic-ra.xml Deployment Descriptor Elements.

To create credential mappings, see "Single Sign-on with Enterprise Information Systems" in Managing WebLogic Security.


Defining Users and Groups

The following sections discuss the definition of users and groups. For more information on how to create users and groups, see Managing WebLogic Security.


Defining Users

Users are entities that can be authenticated in a WebLogic Server security realm. A user can be a person or a software entity, such as a Java client. Each user is given a unique identity within a WebLogic Server security realm. As a system administrator, you must guarantee that no two users in the same security realm are identical.

To define users in a security realm, specify a unique name and password for each user that will access resources in the WebLogic Server security realm, in the Users window of the Administration Console.

Three special users are provided for use by resource adapters. They are as follows:

  • weblogic_ra_initial - If you define a mapping for this user, the specified credentials are used for the initial connections created when starting the connection pool for this resource adapter. The InitialCapacity parameter on the pool specifies the number of initial connections. If you do not define a mapping for this user, the default mapping weblogic_ra_default (if provided) is used. Otherwise, no credentials are provided for the initial connections.
  • weblogic_ra_anonymous - If you define a mapping for this user, the specified credentials are used when no user is authenticated for the connection request on the resource adapter.
  • weblogic_ra_default - If you define a mapping for this user, the specified credentials are used when no other mapping applies for the current user or when no anonymous mapping is provided in the case where there is no authenticated user.


Defining Groups

A group represents a set of users who usually have something in common, such as working in the same department in a company. Groups are a means of managing a number of users in an efficient manner. You grant users and groups security roles. These security roles are used to create a security policy, which restricts access to server resources. For more information, see Managing WebLogic Security.



Default Resource Principal

You create default mappings using the special name weblogic_ra_default. This mapping is optional; however, you should specify it in some form if container-managed sign-on is supported by the resource adapter and used by any client.

In addition, deployment-time population of the connection pool with ManagedConnections is attempted using the mapping defined for the weblogic_ra_initial resource principal, if one is specified.

When importing a security principal map from an old-style resource adapter that has a deprecated security-principal-map element configured in its weblogic-ra.xml file, elements with an initiating principal of * are imported to the special mappings for both weblogic_ra_initial and weblogic_ra_default. This allows these mappings to be used both for initial connections created at deployment time and for default connections (used when there is no matching mapping for the current user).

These topics are discussed further in Defining Users and Groups.
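An added illustration (not WebLogic's implementation) that models the fallback order stated in Defining Users and in this section for the three special users, together with the deployment-time import of a security-principal-map entry whose initiating principal is *. The sample mappings in main() are constructed.

```java
import java.util.HashMap;
import java.util.Map;

/** Models the documented fallback order for WebLogic's special resource principals.
 *  An illustration added here, not WebLogic's own implementation. */
final class MappingResolver {
    static final String INITIAL = "weblogic_ra_initial";
    static final String ANONYMOUS = "weblogic_ra_anonymous";
    static final String DEFAULT = "weblogic_ra_default";

    /** WebLogic user -> {eisUser, eisPassword}; one resolver per deployed resource adapter. */
    private final Map mappings = new HashMap();

    void map(String wlsUser, String eisUser, String eisPassword) {
        mappings.put(wlsUser, new String[] { eisUser, eisPassword });
    }

    /** Credentials used to populate the pool at deployment (initial-capacity > 0).
     *  Returns null when neither special mapping exists: the connections get no credentials. */
    String[] forInitialConnections() {
        String[] c = (String[]) mappings.get(INITIAL);
        return c != null ? c : (String[]) mappings.get(DEFAULT);
    }

    /** Credentials for a container-managed request; wlsUser is null when nobody is authenticated. */
    String[] forRequest(String wlsUser) {
        String[] c = (String[]) mappings.get(wlsUser == null ? ANONYMOUS : wlsUser);
        return c != null ? c : (String[]) mappings.get(DEFAULT);
    }

    /** Deployment-time import of one deprecated security-principal-map entry from weblogic-ra.xml:
     *  an initiating principal of "*" feeds both the initial and the default mapping. */
    void importEntry(String initiatingPrincipal, String eisUser, String eisPassword) {
        if ("*".equals(initiatingPrincipal)) {
            map(INITIAL, eisUser, eisPassword);
            map(DEFAULT, eisUser, eisPassword);
        } else {
            map(initiatingPrincipal, eisUser, eisPassword);
        }
    }

    public static void main(String[] args) {
        MappingResolver r = new MappingResolver();      // constructed sample data follows
        r.importEntry("*", "eis_svc", "svc_pw");
        r.map("alice", "eis_alice", "alice_pw");
        System.out.println("alice     -> " + r.forRequest("alice")[0]);
        System.out.println("bob       -> " + r.forRequest("bob")[0]);
        System.out.println("anonymous -> " + r.forRequest(null)[0]);
        System.out.println("initial   -> " + r.forInitialConnections()[0]);
    }
}
```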



Security Policy Processing

The J2EE Connector Specification, Version 1.0 Final Release defines default security policies for any resource adapters running in an application server. It also defines a way for a resource adapter to provide its own specific security policies overriding the default.

In compliance with this specification, WebLogic Server dynamically modifies the runtime environment for resource adapters. If the resource adapter has not defined specific security policies, WebLogic Server overrides the runtime environment for the resource adapter with the default security policies specified in the J2EE Connector Architecture Specification. If the resource adapter has defined specific security policies, WebLogic Server overrides the runtime environment for the resource adapter with a combination of the default security policies for resource adapters and the specific policies defined for the resource adapter. Resource adapters define specific security policies using the security-permission-spec element in the ra.xml deployment descriptor file.

For more information on security policy processing requirements, see the "Security Permissions" section of the "Runtime Environment" chapter in the J2EE Connector Specification, Version 1.0 Final Release (http://java.sun.com/j2ee/download.html#connectorspec).
