Contents
- Configure Security Providers
- Required providers
- Optional providers
- Audit Provider
- Authentication Provider
- Password Validation Provider
- Add Other Providers
- Export/Import Authentication Data
- Configure Entitlement Caching
- Set Default Security Realm
- Reverting Realm
- Add Users
- Add Groups
- Security Roles
- Security Policies
- WAR and EJB Security Models
- Configure Embedded LDAP Server
- RDBMS Security Store
- References
Configure Security Providers
* Create a new realm named tmprealm
Required providers
– Authentication provider,
– Authorization provider,
– Adjudication provider,
– Credential Mapping provider,
– CertPath Builder,
– Role Mapping provider.
Optional providers
– Identity Assertion,
– Auditing,
– Certificate Registry providers
Audit Provider
* Add DefaultAuditor name tmpDefAud
* Default logfile: DOMAIN_HOME\
* Change default log file directory: -Dweblogic.security.audit.auditLogDir=C:\audit
* Enable configuration auditing:
Domain > Configuration > General > Advanced > Configuration Audit Type
– audit
– log
– log and audit
Authentication Provider
* Authentication Provider control flag:
– REQUIRED: must succeed; whether it succeeds or fails, processing continues with the next authenticator
– REQUISITE: must succeed; if it fails, control returns to the application immediately
– SUFFICIENT: not required to succeed; if it succeeds (and no earlier REQUIRED/REQUISITE has failed), control returns to the application; if it fails, the next authenticator runs
– OPTIONAL: not required to succeed; whether it succeeds or fails, the next authenticator runs
* Create a new DefaultAuthenticator named tmpDefAuth
Security Realm > Realm Name > Providers > Authentication Provider
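As an added example (my own code, not from the page or from WebLogic), the following Python script models how the control flags above combine across a stack of authentication providers. Two constructed in-memory user stores stand in for an external LDAP authenticator and for the embedded-LDAP DefaultAuthenticator tmpDefAuth; the user names and passwords are constructed, and the flag semantics follow the JAAS rules that WebLogic applies.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"

# Constructed user stores: a stand-in external LDAP and the embedded LDAP behind tmpDefAuth.
EXTERNAL_LDAP: Dict[str, str] = {"alice": "ldapPw1"}
EMBEDDED_LDAP: Dict[str, str] = {"tmpUser": "welcome1", "alice": "localPw9"}


@dataclass
class Authenticator:
    name: str
    flag: str
    login: Callable[[str, str], bool]  # stand-in for the provider's LoginModule


def lookup(store: Dict[str, str]) -> Callable[[str, str], bool]:
    return lambda user, password: store.get(user) == password


def build_stack(external_flag: str, embedded_flag: str) -> List[Authenticator]:
    """External authenticator listed first, tmpDefAuth second (provider order matters)."""
    return [
        Authenticator("ExternalLDAP", external_flag, lookup(EXTERNAL_LDAP)),
        Authenticator("tmpDefAuth", embedded_flag, lookup(EMBEDDED_LDAP)),
    ]


def authenticate(stack: List[Authenticator], user: str, password: str) -> Tuple[bool, List[str]]:
    """Walk the provider stack applying the control-flag rules; return (result, trace)."""
    trace: List[str] = []
    saw_required = False      # at least one REQUIRED/REQUISITE provider in the stack
    required_failed = False   # a REQUIRED/REQUISITE provider rejected the login
    other_success = False     # a SUFFICIENT/OPTIONAL provider accepted the login
    for auth in stack:
        ok = auth.login(user, password)
        trace.append(f"{auth.name}[{auth.flag}]={'ok' if ok else 'fail'}")
        if auth.flag in (REQUIRED, REQUISITE):
            saw_required = True
            if not ok:
                required_failed = True
                if auth.flag == REQUISITE:
                    # REQUISITE: stop here and return to the application.
                    trace.append("REQUISITE failed: return to application")
                    return False, trace
                # REQUIRED: the outcome is already a failure, but later providers still run.
        elif auth.flag == SUFFICIENT:
            if ok:
                other_success = True
                if not required_failed:
                    # SUFFICIENT: a success ends the walk unless something earlier already failed.
                    trace.append("SUFFICIENT succeeded: return to application")
                    return True, trace
        elif auth.flag == OPTIONAL:
            other_success = other_success or ok
        else:
            raise ValueError(f"unknown control flag {auth.flag}")
    # Overall: every REQUIRED/REQUISITE must have succeeded; if none are configured,
    # at least one SUFFICIENT/OPTIONAL must have succeeded.
    result = (not required_failed) if saw_required else other_success
    return result, trace


if __name__ == "__main__":
    for flags in [(SUFFICIENT, SUFFICIENT), (REQUISITE, SUFFICIENT), (REQUIRED, SUFFICIENT)]:
        result, trace = authenticate(build_stack(*flags), "tmpUser", "welcome1")
        print(flags, "->", result, trace)
```

Running it shows the practical difference between REQUISITE and REQUIRED on the external authenticator: with REQUISITE, tmpUser (who exists only in the embedded LDAP) is rejected before tmpDefAuth is ever consulted; with REQUIRED, tmpDefAuth still runs and accepts the password, yet the overall login fails. Only SUFFICIENT on the external authenticator lets a user known to just one store log in.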
Password Validation Provider
* Add Password Validation Provider named tmpSysPassVal
Security Realm > Realm Name > Providers > Password Validation
Add Other Providers
* Add tmpDefIdAsserter; set active type to AuthenticatedUser
* Add tmpXACMLAuthorizer
* Add tmpDefAdj
* Add tmpXACMLRoleMapper
* Add tmpCredMapper
* Add tmpWebLogicCertPath (check Current Builder)
Export/Import Authentication Data
* Export
Security Realm > myrealm > Providers > Authentication > DefaultAuthenticator > Migration > Export
* Import
Security Realm > tmprealm > Providers > Authentication > DefaultAuthenticator > Migration > Import
Configure Entitlement Caching
* Set cache preload to true:
-Dweblogic.entitlement.engine.cache.preload=true
* Set cache max numbers:
-Dweblogic.entitlement.engine.cache.max_role_count=4000
-Dweblogic.entitlement.engine.cache.max_resource_count=3200
Set Default Security Realm
* Set at:
domain > Security > General > Default realm
Reverting Realm
* Backup config.xml files: domain/config/backup_config<n>.xml
* Copy backup config file to config.xml
Add Users
* Go to Security Realm > tmprealm > Users and Groups > Users
* Add user tmpUser/welcome1
* Go to Security Realm > tmprealm > Users and Groups > tmpUser > Groups
* Add Administrator group
Add Groups
* Go to Security Realm > tmprealm > Users and Groups > Groups
* Add group tmpGroup
* Default Groups:
– Administrators
– Deployers
– Operators
– Monitors
– AppTesters
– CrossDomainConnectors
– AdminChannelUsers
– OracleSystemGroup
Security Roles
* Security roles are privileges the server grants to users or groups, optionally under conditions such as time of day.
* Difference from groups:
– granted at runtime dynamically (by role mapper provider)
– can be scoped to a specific resource
* Role types:
– Global roles
– Scoped roles
* Default global roles
– Admin
– Anonymous
– Deployer
– Operator
– Monitor
– AppTester
– CrossDomainConnector
– OracleSystemRole
Security Policies
* A security policy restricts access to a WebLogic resource to a user, group, or security role
* Root-level security policies: apply to every resource of a given type, e.g. all JMS resources or all EJB resources
* Hierarchical security policies: apply to a specific resource instance, e.g. one web app, one EAR, or one EJB method
WAR and EJB Security Models
* Two security models:
– JEE Security model aka DD Only model
– WebLogic security model
* The security model is chosen at deployment time; changing it requires redeployment.
DD Only Model
* Uses groups, roles, and security policies defined in
– web.xml
– weblogic.xml
– ejb-jar.xml
– weblogic-ejb-jar.xml
* Developers use DD to
– Define security roles (if the developer defines no roles, there is no security)
– Map EJBs/Web URLs to roles
– Map Roles to principals (users/groups)
* DD contained security info is parsed at server bootup time by
– Authorization Provider that implements DeployableAuthorizationProvider
– Role Mapping Provider that implements DeployableRoleProvider
Custom Roles Model
* Developers define security policies (not principals) in DD to map:
– EJBs/Web URLs to roles
* Administrator/Deployer:
– Define security roles (all roles defined in DD are ignored by server)
– Map roles to principals
Custom Roles and Policies Model
* Completely ignores DD security settings
* ??The drawback with this security model is that it doesn't provide fine-grained security checks based on a client accessing a specific URL or EJB method; the server checks the security permissions following each client request for a URL or EJB method, leading to additional overhead.
DD Security Elements
* web.xml
– <security-role>
– <security-role-ref>
– <security-constraint>
– <web-resource-collection>
– <user-data-constraint> / <transport-guarantee>
* weblogic.xml
– <externally-defined>
– <security-role-assignment>
– <run-as-role-assignment>
Example:
  <weblogic-web-app>
    <security-role-assignment>
      <role-name>PayrollAdmin</role-name>
      <principal-name>Nina</principal-name>
      <principal-name>Sam</principal-name>
      <principal-name>system</principal-name>
    </security-role-assignment>
    <run-as-role-assignment>
      <role-name>runasrole</role-name>
      <run-as-principal-name>sam</run-as-principal-name>
    </run-as-role-assignment>
  </weblogic-web-app>
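Added example (my own code, not the page's and not part of WebLogic): a Python check over a constructed web.xml that flags the descriptor-level weak spots that matter when the DD Only model is chosen, since under that model the descriptor is the only place protection is defined. It reports a collection with no <auth-constraint>, an empty <auth-constraint> (denies everyone), a role used before it is declared in <security-role>, a missing CONFIDENTIAL <transport-guarantee>, and a constraint limited to listed <http-method>s. The payroll app, its /admin, /reports and /public URL patterns, and the Auditor role are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed web.xml for a hypothetical payroll app (not taken from the page).
SAMPLE_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-role><role-name>PayrollAdmin</role-name></security-role>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>PayrollAdmin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Auditor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""

NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def _text(elem) -> str:
    return (elem.text or "").strip()


def audit_web_xml(xml_text: str) -> List[Tuple[str, str]]:
    """Return (url-pattern, finding) pairs for weak spots in the descriptor's security-constraints."""
    root = ET.fromstring(xml_text)
    declared = {_text(r) for r in root.findall("j:security-role/j:role-name", NS)}
    findings: List[Tuple[str, str]] = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = [_text(p) for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        methods = [_text(m) for m in sc.findall("j:web-resource-collection/j:http-method", NS)]
        auth = sc.find("j:auth-constraint", NS)
        guarantee = sc.find("j:user-data-constraint/j:transport-guarantee", NS)
        for pattern in patterns:
            if auth is None:
                # No <auth-constraint> at all: the collection is reachable without logging in.
                findings.append((pattern, "no auth-constraint: reachable without authentication"))
            else:
                roles = [_text(r) for r in auth.findall("j:role-name", NS)]
                if not roles:
                    findings.append((pattern, "empty auth-constraint: denies every caller"))
                for role in roles:
                    if role != "*" and role not in declared:
                        findings.append((pattern, f"role {role} is not declared in <security-role>"))
            if guarantee is None or _text(guarantee) != "CONFIDENTIAL":
                findings.append((pattern, "transport-guarantee is not CONFIDENTIAL: allowed over plain HTTP"))
            if methods:
                findings.append((pattern, f"only {', '.join(methods)} constrained; other HTTP methods are not"))
    return findings


if __name__ == "__main__":
    for pattern, finding in audit_web_xml(SAMPLE_WEB_XML):
        print(f"{pattern}: {finding}")
```

On the sample, /admin/* produces no findings, /reports/* produces three (undeclared role, no CONFIDENTIAL guarantee, GET-only constraint) and /public/* two (no auth-constraint, no transport guarantee). The role-to-principal mapping in weblogic.xml, as in the PayrollAdmin example above, is a separate check: it decides who holds a role, while web.xml decides what the role protects.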
Configure Embedded LDAP Server
* The Admin Server holds the master embedded LDAP; each Managed Server holds a replica of it
* Admin console configure link: Domain > Security > Embedded LDAP
* LDAP directories:
WL_HOME\domains\
– backup
– ldapfiles
– conf
– log
– replicadata
RDBMS Security Store
References
* Oracle WebLogic Server 11g Administration Handbook By: Sam Alapati
* SSO with WebLogic 10.3.1 and SAML2