RealmMBean


Overview

The MBean that represents configuration attributes for the security realm.

A security realm contains a set of security configuration settings, including the list of security providers to use (for example, for authentication and authorization).

Code using security can either use the default security realm for the domain or refer to a particular security realm by name (by using the JMX display name of the security realm).

One security realm in the WebLogic domain must have the DefaultRealm attribute set to true. The security realm with the DefaultRealm attribute set to true is used as the default security realm for the WebLogic domain. Note that other available security realms must have the DefaultRealm attribute set to false.

When WebLogic Server boots, it locates and uses the default security realm. That realm is considered active because it is used while WebLogic Server runs; any security realm that is not used while WebLogic Server runs is considered inactive. All active security realms must be configured before WebLogic Server boots.

Since security providers are scoped by realm, the Realm attribute on a security provider must be set to the realm that uses the provider.

Fully Qualified Interface Name: If you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name: weblogic.management.security.RealmMBean

Factory Methods: No factory methods. Instances of this MBean are created automatically.


Related MBeans

This section describes attributes that provide access to other MBeans. For more information about the MBean hierarchy, refer to WebLogic Server MBean Data Model.


 

Adjudicator

Returns the Adjudication provider for the security realm.

Factory Methods:
  createAdjudicator (java.lang.String type)
  destroyAdjudicator ( )
  Factory methods do not return objects. See Using factory methods.

Privileges: Read only
Type: AdjudicatorMBean
Relationship type: Containment.

 

Auditors

Returns the Auditing providers for the security realm (in invocation order).

Factory Methods:
  createAuditor (java.lang.String name)
  destroyAuditor (AuditorMBean auditor)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupAuditor(String name). Returns a javax.management.ObjectName for the instance of AuditorMBean named name.

Privileges: Read/Write
Type: AuditorMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

AuthenticationProviders

Returns the Authentication providers for the security realm (in invocation order).

Factory Methods:
  createAuthenticationProvider (java.lang.String type)
  destroyAuthenticationProvider (AuthenticationProviderMBean authenticationProvider)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupAuthenticationProvider(String name). Returns a javax.management.ObjectName for the instance of AuthenticationProviderMBean named name.

Privileges: Read/Write
Type: AuthenticationProviderMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

Authorizers

Returns the Authorization providers for the security realm (in invocation order).

Factory Methods:
  createAuthorizer (java.lang.String name)
  destroyAuthorizer (AuthorizerMBean authorizer)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupAuthorizer(String name). Returns a javax.management.ObjectName for the instance of AuthorizerMBean named name.

Privileges: Read/Write
Type: AuthorizerMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

CertPathBuilder

Returns the CertPath Builder provider in the security realm that will be used by the security system to build certification paths. Returns null if none has been selected. The provider will be one of the security realm's CertPathProviders.

Privileges: Read/Write
Type: CertPathBuilderMBean
Relationship type: Reference.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

CertPathProviders

Returns the Certification Path providers for the security realm (in invocation order).

Factory Methods:
  createCertPathProvider (java.lang.String name)
  destroyCertPathProvider (CertPathProviderMBean certPathProvider)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupCertPathProvider(String name). Returns a javax.management.ObjectName for the instance of CertPathProviderMBean named name.

Privileges: Read/Write
Type: CertPathProviderMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

CredentialMappers

Returns the credential mapping providers for the security realm (in invocation order).

Factory Methods:
  createCredentialMapper (java.lang.String name)
  destroyCredentialMapper (CredentialMapperMBean credentialMapper)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupCredentialMapper(String name). Returns a javax.management.ObjectName for the instance of CredentialMapperMBean named name.

Privileges: Read/Write
Type: CredentialMapperMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

KeyStores

Returns the KeyStore providers for the security realm (in invocation order).

Deprecated: 8.1.0.0

Factory Methods:
  createKeyStore (java.lang.String type)
  destroyKeyStore (KeyStoreMBean keystore)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupKeyStore(String name). Returns a javax.management.ObjectName for the instance of KeyStoreMBean named name.

Privileges: Read/Write
Type: KeyStoreMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

PasswordValidators

Returns the Password Validator providers for the security realm (in invocation order).

Factory Methods:
  createPasswordValidator (java.lang.Class subClass)
  destroyPasswordValidator (PasswordValidatorMBean provider)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupPasswordValidator(String name). Returns a javax.management.ObjectName for the instance of PasswordValidatorMBean named name.

Privileges: Read only
Type: PasswordValidatorMBean[]
Relationship type: Containment.

 

RDBMSSecurityStore

Returns the RDBMSSecurityStoreMBean for this realm, a singleton MBean that describes the RDBMS security store configuration.

Factory Methods:
  createRDBMSSecurityStore (java.lang.String name)
  destroyRDBMSSecurityStore ( )
  Factory methods do not return objects. See Using factory methods.

Privileges: Read only
Type: RDBMSSecurityStoreMBean
Relationship type: Containment.

 

RoleMappers

Returns the Role Mapping providers for the security realm (in invocation order).

Factory Methods:
  createRoleMapper (java.lang.String name)
  destroyRoleMapper (RoleMapperMBean roleMapper)
  Factory methods do not return objects. See Using factory methods.

Lookup Operation: lookupRoleMapper(String name). Returns a javax.management.ObjectName for the instance of RoleMapperMBean named name.

Privileges: Read/Write
Type: RoleMapperMBean[]
Relationship type: Containment.
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

UserLockoutManager

Returns the User Lockout Manager for the security realm.

Factory Methods: No explicit creator method. The child shares the lifecycle of its parent.
Privileges: Read only
Type: UserLockoutManagerMBean
Relationship type: Containment.


Attributes

This section describes the attributes of this MBean.


 

AdjudicatorTypes

Returns the types of Adjudication providers that may be created in the security realm, for example, weblogic.security.providers.authorization.DefaultAdjudicator. Use this method to find the available types to pass to createAdjudicator.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

AuditorTypes

Returns the types of Auditing providers that may be created in the security realm, for example, weblogic.security.providers.audit.DefaultAuditor. Use this method to find the available types to pass to createAuditor.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

AuthenticationProviderTypes

Returns the types of Authentication providers that may be created in the security realm, for example, weblogic.security.providers.authentication.DefaultAuthenticator. Use this method to find the available types to pass to createAuthenticationProvider.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

AuthMethods

Returns a comma-separated string of authentication methods that should be used when the Web application specifies "REALM" as its auth-method. The authentication methods are applied in the order in which they appear in the list.

Available Since: Release 9.2.0.0
Privileges: Read/Write
Type: java.lang.String

 

AuthorizerTypes

Returns the types of Authorization providers that may be created in the security realm, for example, weblogic.security.providers.authorization.DefaultAuthorizer. Use this method to find the available types to pass to createAuthorizer.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

CertPathProviderTypes

Returns the types of Certification Path providers that may be created in the security realm, for example, weblogic.security.providers.pk.WebLogicCertPathProvider. Use this method to find the available types to pass to createCertPathProvider.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

CombinedRoleMappingEnabled

Determines how the role mappings in the Enterprise Application, Web application, and EJB containers interact. This setting is valid only for Web applications and EJBs that use the Advanced security model and that initialize roles from deployment descriptors.

When enabled:

  • Application role mappings are combined with EJB and Web application mappings so that all principal mappings are included. The Security Service combines the role mappings with a logical OR operator.

  • If one or more policies in the web.xml file specify a role for which no mapping exists in the weblogic.xml file, the Web application container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access URL patterns that are secured by such policies.

  • If one or more policies in the ejb-jar.xml file specify a role for which no mapping exists in the weblogic-ejb-jar.xml file, the EJB container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access methods that are secured by such policies.

When disabled:

  • Role mappings for each container are exclusive to other containers unless defined by the <externally-defined> descriptor element.

  • If one or more policies in the web.xml file specify a role for which no role mapping exists in the weblogic.xml file, the Web application container assumes that the undefined role is the name of a principal. It therefore maps the assumed principal to the role name. For example, if the web.xml file contains the following stanza in one of its policies:
    <auth-constraint> <role-name>PrivilegedUser</role-name> </auth-constraint>
    but the weblogic.xml file has no role mapping for PrivilegedUser, then the Web application container creates an in-memory mapping that is equivalent to the following stanza:
    <security-role-assignment> <role-name>PrivilegedUser</role-name> <principal-name>PrivilegedUser</principal-name> </security-role-assignment>

  • Role mappings for EJB methods must be defined in the weblogic-ejb-jar.xml file. Role mappings defined in the other containers are not used unless defined by the <externally-defined> descriptor element.

Note:

For all applications previously deployed in version 8.1 and upgraded to version 9.x, the combining role mapping is disabled by default.

Available Since: Release 9.0.0.0
Privileges: Read/Write
Type: boolean
Default Value: true
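The enabled and disabled branches above, as an added illustration that is not WebLogic Server code: a small Python model of the documented Web application container rules, run over constructed web.xml, weblogic.xml and EAR-level inputs. It shows that a role referenced in web.xml but mapped nowhere locks everyone out when the attribute is enabled, but becomes a principal name that grants access when it is disabled. Roles declared `<externally-defined>` are not modelled.

```python
from typing import Dict, Set

# A role mapping is role name -> set of principal names (users or groups).
RoleMap = Dict[str, Set[str]]

# Constructed sample inputs (not taken from any real deployment).
WEB_XML_ROLES: Set[str] = {"PrivilegedUser", "Auditor", "Reporter"}  # <auth-constraint> roles
WEBLOGIC_XML: RoleMap = {"Auditor": {"audit-group"}}                  # <security-role-assignment>
APP_ROLES: RoleMap = {"PrivilegedUser": {"ops-admins"},               # EAR-level role mappings
                      "Auditor": {"app-auditors"}}


def effective_web_role_map(dd_roles: Set[str], webapp_map: RoleMap,
                           app_map: RoleMap, combined: bool) -> RoleMap:
    """Return the role map the Web application container ends up enforcing.

    dd_roles   - role names referenced by <auth-constraint> policies in web.xml
    webapp_map - <security-role-assignment> entries from weblogic.xml
    app_map    - application-scoped role mappings of the enclosing EAR
    combined   - value of the CombinedRoleMappingEnabled attribute
    Roles declared <externally-defined> are not modelled here.
    """
    result: RoleMap = {}
    for role in dd_roles:
        if combined:
            # Enabled: EAR and Web application mappings are combined with a
            # logical OR. A role mapped nowhere gets an empty map, i.e. it is
            # explicitly defined as containing no principal.
            result[role] = set(webapp_map.get(role, ())) | set(app_map.get(role, ()))
        elif role in webapp_map:
            # Disabled: only this container's own mappings count.
            result[role] = set(webapp_map[role])
        else:
            # Disabled and unmapped: the container assumes the role name is a
            # principal name and maps the role to that principal.
            result[role] = {role}
    return result


def is_granted(role_map: RoleMap, role: str, principals: Set[str]) -> bool:
    """True if one of the caller's principals is mapped to the role."""
    return bool(role_map.get(role, set()) & principals)


def unreachable_roles(role_map: RoleMap) -> Set[str]:
    """Roles whose URL patterns nobody can reach (empty principal set)."""
    return {role for role, members in role_map.items() if not members}


if __name__ == "__main__":
    for flag in (True, False):
        rm = effective_web_role_map(WEB_XML_ROLES, WEBLOGIC_XML, APP_ROLES, flag)
        print(f"CombinedRoleMappingEnabled={flag}: {rm}")
        print("  unreachable roles:", unreachable_roles(rm))
        print("  principal 'Reporter' reaches Reporter URLs:",
              is_granted(rm, "Reporter", {"Reporter"}))
```

The disabled run is the one worth checking in a review of an upgraded 8.1 application: any role that was left unmapped is now granted to whatever user or group happens to carry the role's name.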

 

CredentialMapperTypes

Returns the types of credential mapping providers that may be created in the security realm, for example, weblogic.security.providers.credentials.DefaultCredentialMapper. Use this method to find the available types to pass to createCredentialMapper.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

DefaultRealm

Returns whether the security realm is the default realm for the WebLogic domain. Deprecated in this release of WebLogic Server and replaced by weblogic.management.configuration.SecurityConfigurationMBean.getDefaultRealm.

Deprecated: 9.0.0.0. Replaced by SecurityConfigurationMBean#getDefaultRealm().

Privileges: Read/Write
Type: boolean

 

DelegateMBeanAuthorization

Configures the WebLogic Server MBean servers to use the security realm's Authorization providers to determine whether a JMX client has permission to access an MBean attribute or invoke an MBean operation.

You can continue to use WebLogic Server's default security settings or modify the defaults to suit your needs.

If you do not delegate authorization to the realm's Authorization providers, the WebLogic MBean servers allow access only to the four default security roles (Admin, Deployer, Operator, and Monitor) and only as specified by WebLogic Server's default security settings.

Available Since: Release 9.1.0.0
Privileges: Read/Write
Type: boolean

 

DeployCredentialMappingIgnored

Returns whether credential mapping deployment calls on the security system are ignored or passed to the configured Credential Mapping providers.

Deprecated: 9.0.0.0

Privileges: Read/Write
Type: boolean

 

DeployPolicyIgnored

Returns whether policy deployment calls on the security system are ignored or passed to the configured Authorization providers.

Deprecated: 9.0.0.0

Privileges: Read/Write
Type: boolean

 

DeployRoleIgnored

Returns whether role deployment calls on the security system are ignored or passed to the configured Role Mapping providers.

Deprecated: 9.0.0.0

Privileges: Read/Write
Type: boolean

 

EnableWebLogicPrincipalValidatorCache

Returns whether the WebLogic Principal Validator caching is enabled.

The Principal Validator is used by BEA-supplied authentication providers and may be used by custom authentication providers. If enabled, the default principal validator caches WebLogic Principal signatures.

Privileges: Read/Write
Type: boolean
Default Value: true

 

FullyDelegateAuthorization

Returns whether the Web and EJB containers should call the security framework on every access.

If false, the containers are free to call the security framework only when security is set in the deployment descriptors.

Deprecated: 9.0.0.0

Privileges: Read/Write
Type: boolean

 

KeyStoreTypes

Returns the types of KeyStore providers that may be created in the security realm, for example, weblogic.security.providers.pk.DefaultKeyStore. Use this method to find the available types to pass to createKeyStore.

Deprecated: 8.1.0.0

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

MaxWebLogicPrincipalsInCache

Returns the maximum size of the LRU cache that holds WebLogic Principal signatures. This value is used only if EnableWebLogicPrincipalValidatorCache is set to true.

Privileges: Read/Write
Type: java.lang.Integer
Default Value: 500

 

Name

The name of this configuration. WebLogic Server uses an MBean to implement and persist the configuration.

Privileges: Read only
Type: java.lang.String
Default Value: Realm
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

PasswordValidatorTypes

Returns the types of Password Validator providers that may be created in the security realm, for example, com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator. Use this method to find the available types to pass to createPasswordValidator.

Available Since: Release 10.0
Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

RoleMapperTypes

Returns the types of Role Mapping providers that may be created in the security realm, for example, weblogic.security.providers.authorization.DefaultRoleMapper. Use this method to find the available types to pass to createRoleMapper.

Privileges: Read only
Type: java.lang.String[]
Redeploy or Restart required: Changes take effect after you redeploy the module or restart the server.

 

SecurityDDModel

Specifies the default security model for Web applications or EJBs that are secured by the security realm. You can override this default during deployment.

Note:

If you deploy a module by modifying the domain's config.xml file and restarting the server, and if you do not specify a security model value for the module in config.xml, the module is secured with the default value of the AppDeploymentMBean SecurityDDModel attribute (see AppDeploymentMBean SecurityDDModel).

Choose one of these security models:

  • Deployment Descriptors Only (DDOnly)

    • For EJBs and URL patterns, this model uses only the roles and policies in the J2EE deployment descriptors (DD); the Administration Console allows only read access for this data. With this model, EJBs and URL patterns are not protected by roles and policies of a broader scope (such as a policy scoped to an entire Web application). If an EJB or URL pattern is not protected by a role or policy in the DD, then it is unprotected: anyone can access it.

    • For application-scoped roles in an EAR, this model uses only the roles defined in the WebLogic Server DD; the Administration Console allows only read access for this data. If the WebLogic Server DD does not define roles, then there will be no such scoped roles defined for this EAR.

    • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies for an EAR.

    • Applies for the life of the deployment. If you want to use a different model, delete the deployment and reinstall it.

  • Customize Roles Only (CustomRoles)

    • For EJBs and URL patterns, this model uses only the policies in the J2EE deployment descriptors (DD). EJBs and URL patterns are not protected by policies of a broader scope (such as a policy scoped to an entire Web application). This model ignores any roles defined in the DDs; an administrator completes the role mappings using the Administration Console.

    • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies or roles for an EAR.

    • Applies for the life of the deployment. If you want to use a different model, delete the deployment and reinstall it.

  • Customize Roles and Policies (CustomRolesAndPolicies)

    • Ignores any roles and policies defined in deployment descriptors. An administrator uses the Administration Console to secure the resources.

    • Performs security checks for all URLs or EJB methods in the module.

    • Applies for the life of the deployment. If you want to use a different model, delete the deployment and reinstall it.

  • Advanced (Advanced)

    You configure how this model behaves by setting values for the following options:

    • When Deploying Web Applications or EJBs
      Note:

      When using the WebLogic Scripting Tool or JMX APIs, there is no single MBean attribute for this setting. Instead, set the values for the DeployPolicyIgnored and DeployRoleIgnored attributes of RealmMBean.

    • Check Roles and Policies (FullyDelegateAuthorization)

    • Combined Role Mapping Enabled (CombinedRoleMappingEnabled)

    You can change the configuration of this model. Any changes immediately apply to all modules that use the Advanced model. For example, you can specify that all modules using this model will copy roles and policies from their deployment descriptors into the appropriate provider databases upon deployment. After you deploy all of your modules, you can change this behavior to ignore roles and policies in deployment descriptors so that when you redeploy modules they will not re-copy roles and policies.

    Note:

    Prior to WebLogic Server version 9.0 the Advanced model was the only security model available. Use this model if you want to continue to secure EJBs and Web Applications as in releases prior to 9.0.

Privileges: Read/Write
Type: java.lang.String
Default Value: DDOnly
Legal Values:

  • DDOnly

  • CustomRoles

  • CustomRolesAndPolicies

  • Advanced

 

ValidateDDSecurityData

This attribute is not used in the current BEA release.

Privileges: Read/Write
Type: boolean


Operations

This section describes the operations of this MBean.


 

isSet

Returns true if the specified attribute has been set explicitly in this MBean instance.

Operation Name: "isSet"
Parameters: Object [] { propertyName }

where:

  • propertyName is an object of type java.lang.String that specifies the property to check.

Signature: String [] { "java.lang.String" }
Returns: boolean
Exceptions:

  • java.lang.IllegalArgumentException

 

unSet

Restore the given property to its default value.

Operation Name: "unSet"
Parameters: Object [] { propertyName }

where:

  • propertyName is an object of type java.lang.String that specifies the property to restore.

Signature: String [] { "java.lang.String" }
Returns: void
Exceptions:

  • java.lang.IllegalArgumentException

  • UnsupportedOperationException if called on a runtime implementation.

 

validate

Checks that the realm is valid.

Deprecated: 9.0.0.0. This method is no longer required, since activating a configuration transaction performs this check automatically on the default realm and does not allow the configuration to be saved if the domain does not have a valid default realm configured.

Operation Name: "validate"
Parameters: null
Signature: null
Returns: void
Exceptions:

  • weblogic.management.utils.ErrorCollectionException

 

wls_getDisplayName

Operation Name: "wls_getDisplayName"
Parameters: null
Signature: null
Returns: String