Custom Security

 

 

---

Contents

1. Overview
2. Create a New Security Realm
3. Test a Security Realm
4. Set the Default Security Realm
5. Delete a Security Realm
6. Revert to a Previous Security Configuration

 

---

Overview

WebLogic Server provides a default security configuration called MBean=Security%3AName%3Dmyrealm">myrealm.

Default security providers include Adjudication, Authentication, Identity Assertion, Authorization, Credential Mapping, and Role Mapping.

To customize security, you can modify components of existing realms, or you can create new security realms.

 

---

Create a New Security Realm

To create a new security realm:

1. Click thru:

   Security --> MBean=medrec%3AName%3Dmedrec%2CType%3DDomain">Realms --> Configure a new Realm...

2. Enter the name of the new security realm in the Name attribute on the General tab.

3. Set the Check Roles and Security Policies attribute. The following options are available:

   Webapps and EJBs Protected in DD	Specifies that the WebLogic Security Service only performs security checks on URL and EJB resources that have security specified in their associated deployment descriptors. This option is the default Check Roles and Policies setting.
   All Webapps and EJBs	Specifies that the WebLogic Security Service performs security checks on all URLs and EJB resources, regardless of whether there are any security settings in the deployment descriptors for these WebLogic resources. If you change the setting of the Check Roles and Policies drop-down menu to All Webapps and EJBs, specify the Future Redeploys attribute.

4. Use the Future Redeploys attribute to tell WebLogic Server how URL and EJB resources are to be secured. The following options are provided:

   • To secure URL and EJB resources using only the console, select the Ignore Roles and Policies From DD (Deployment Descriptors) option.

   • To secure URL and EJB resources using only the deployment descriptors (that is, the ejb-jar.xml, weblogic-ejb-jar.xml, web.xml, and weblogic.xml files), select Initialize roles and policies from DD option.

5. You have the option of loading credential maps from weblogic-ra.xml deployment descriptor files into the embedded LDAP server and then using the console to create new credential maps or modify existing credential maps.

   Once information from a weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which will happen if you redeploy it through the console, modify it on disk, or restart WebLogic Server), the data will once again be imported from the weblogic-ra.xml deployment descriptor file and credential mapping information may be lost.

   To avoid overwriting new credential mapping information with old information in a weblogic-ra.xml deployment descriptor file, enable the Ignore Deploy Credential Mapping attribute.

6. The Web resource is deprecated in this release of WebLogic Server. If you are configuring a custom Authorization provider that uses the Web resource (instead of the URL resource) in the new security realm, enable the Use Deprecated Web Resource attribute. This attribute changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.

7. Click Create.

8. Configure the required security providers for the security realm. In order for a security realm to be valid, configure an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, and a Role Mapping provider. Otherwise, you will not be able to set the new security realm as the default security realm.

9. Optionally, define Identity Assertion and Auditing providers.

10. If you configured the WebLogic Authentication, Authorization, Credential Mapping or Role Mapping provider in the new security realm, verify the default attribute settings of the embedded LDAP server.

11. Protect WebLogic resources in the new security realm with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing WebLogic Resources. This document should be used in conjunction with Managing WebLogic Security to ensure security is completely configured for a WebLogic Server deployment.

12. Protect user accounts in the new security realm.

13. Test the new security realm to ensure it is valid.

14. Set the new realm as the default security realm for the WebLogic domain.

15. Reboot WebLogic Server.

 

---

Test a Security Realm

To validate the configuration of a new security realm, click thru:

MBean=medrec%3AName%3Dmedrec%2CType%3DDomain">Realms --> realmname --> Testing --> Validate this Security realm...

 

---

Set the Default Security Realm

After you define attributes on the new security realm, configure the security providers for the security realm and ensure the configuration of the new security realm is valid, set the new security realm as the default (active) security realm.

To set the new security realm as the default (active) security realm:

1. Go to:

   MBean=medrec%3AName%3Dmedrec%2CType%3DDomain">domain --> Domain-wide Security Settings --> General

   The pull-down menu on the Default Realm attribute displays the security realms configured in the WebLogic Server domain.

2. Select the security realm you want to set as the default security realm.

3. Click Apply.

4. Reboot WebLogic Server. If you not reboot WebLogic Server, the new realm is not set as the default security realm.

5. To verify you set the default security realm correctly go to Security-->MBean=medrec%3AName%3Dmedrec%2CType%3DDomain">Realms. The Realms table shows all realms configured for the WebLogic Server domain. The default (active) security realm has the Default Realm attribute set to true.

 

---

Delete a Security Realm

When you delete a security realm, the user, group, security role, security policy, and credential map information is not deleted from the embedded LDAP server. Use an external LDAP browser to delete any unnecessary entries from the embedded LDAP server.

To delete a security realm:

1. Expand the Security-->MBean=medrec%3AName%3Dmedrec%2CType%3DDomain">Realms nodes. The Realms table shows all realms configured for the WebLogic domain.

2. In the table row for the security realm you want to delete, click the trash can icon.

3. Click Yes in response to the following question:

   Are you sure you want to permanently delete OldRealm from the domain configuration?

4. A confirmation message appears when the security realm is deleted.

 

---

Revert to a Previous Security Configuration

The Admin Server archives up to 5 previous versions of config.xmls within the domain-name/configArchive directory. To revert to a previous security configuration:

1. Copy all the archived copies to a temporary directory.

2. Copy one of the archived config.xml files to the domain directory you are currently using.

3. Reboot WebLogic Server.

Note this process will only revert your security realm (meaning, the realm and its providers) not users, groups, roles, or security policies.

---