{"id":4154,"date":"2012-06-22T08:32:02","date_gmt":"2012-06-22T13:32:02","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=4154"},"modified":"2012-06-22T08:32:03","modified_gmt":"2012-06-22T13:32:03","slug":"weblogic11g-security-providers","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=4154","title":{"rendered":"WebLogic11g: Security Providers"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tConfigure Security Providers<\/a>\n\t\t
      \n\t\t\t
    1. \n\t\t\t\tRequired providers<\/a>\n\t\t\t<\/li>\n\t\t\t
    2. \n\t\t\t\tOptional providers<\/a>\n\t\t\t<\/li>\n\t\t\t
    3. \n\t\t\t\tAudit Provider<\/a>\n\t\t\t<\/li>\n\t\t\t
    4. \n\t\t\t\tAuthentication Provider<\/a>\n\t\t\t<\/li>\n\t\t\t
    5. \n\t\t\t\tPassword Validation Provider<\/a>\n\t\t\t<\/li>\n\t\t\t
    6. \n\t\t\t\tAdd Other Providers<\/a>\n\t\t\t<\/li>\n\t\t\t
    7. \n\t\t\t\tExport\/Import Authentication Data<\/a>\n\t\t\t<\/li>\n\t\t\t
    8. \n\t\t\t\tConfigure Entitlement Caching<\/a>\n\t\t\t<\/li>\n\t\t\t
    9. \n\t\t\t\tSet Default Security Realm<\/a>\n\t\t\t<\/li>\n\t\t\t
    10. \n\t\t\t\tReverting Realm<\/a>\n\t\t\t<\/li>\n\t\t\t
    11. \n\t\t\t\tAdd Users<\/a>\n\t\t\t<\/li>\n\t\t\t
    12. \n\t\t\t\tAdd Groups<\/a>\n\t\t\t<\/li>\n\t\t\t
    13. \n\t\t\t\tSecurity Roles<\/a>\n\t\t\t<\/li>\n\t\t\t
    14. \n\t\t\t\tSecurity Policies<\/a>\n\t\t\t<\/li>\n\t\t\t
    15. \n\t\t\t\tWAR and EJB Security Models<\/a>\n\t\t\t\t
        \n\t\t\t\t\t
      1. \n\t\t\t\t\t\tDD Only Model<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      2. \n\t\t\t\t\t\tCustom Roles Model<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      3. \n\t\t\t\t\t\tCustom Roles and Policies Model<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t\t
      4. \n\t\t\t\t\t\tDD Security Elements<\/a>\n\t\t\t\t\t<\/li>\n\t\t\t\t<\/ol>\n\t\t\t
      5. \n\t\t\t\tConfigure Embedded LDAP Server<\/a>\n\t\t\t<\/li>\n\t\t<\/ol>\n\t
      6. \n\t\tRDBMS Security Store<\/a>\n\t<\/li>\n\t
      7. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
         <\/div>\n

        Configure Security Providers<\/h2><\/span>\n

        * Create a new realm named tmprealm<\/strong><\/p>\n

        Required providers<\/h3><\/span>\n

        – Authentication provider,
        \n– Authorization provider,
        \n– Adjudication provider,
        \n– Credential Mapping provider,
        \n– CertPath Builder,
        \n– Role Mapping provider. <\/p>\n

        Optional providers<\/h3><\/span>\n

        – Identity Assertion,
        \n– Auditing,
        \n– Certificate Registry providers<\/p>\n

        Audit Provider<\/h3><\/span>\n

        * Add DefaultAuditor name tmpDefAud<\/strong>
        \n* Default logfile: DOMAIN_ HOME\\\\logs\\DefaultAuditRecorder.log<\/em>
        \n* Change default log file directory: -Dweblogic.security.audit.auditLogDir=C:\\audit
        \n* Enable configuration auditing:
        \nDomain > Configuration > General > Advanced > Configuration Audit Type<\/em>
        \n– audit
        \n– log
        \n– log and audit<\/p>\n

        Authentication Provider<\/h3><\/span>\n

        * Authentication Provider control flag:
        \n– REQUIRED: if fails go to next authenticator
        \n– REQUISITE: if fails return to application
        \n– SUFFICIENT:
        \n– OPTIONAL:
        \n* Create a new DefaultAuthenticator named tmpDefAuth<\/strong>
        \nSecurity Realm > Realm Name > Providers > Authentication Provider<\/em><\/p>\n

        Password Validation Provider<\/h3><\/span>\n

        * Add Password Validation Provider named tmpSysPassVal<\/strong>
        \nSecurity Realm > Realm Name > Providers > Password Validation<\/em><\/p>\n

        Add Other Providers<\/h3><\/span>\n

        * Add tmpDefIdAsserter<\/strong>; set active type to AuthenticatedUser<\/strong>
        \n* Add tmpXACMLAuthorizer<\/strong>
        \n* Add tmpDefAdj<\/strong>
        \n* Add tmpXACMLRoleMapper<\/strong>
        \n* Add tmpCredMapper<\/strong>
        \n* Add tmpWebLogicCertPath <\/strong>(check <\/strong>Current Builder<\/em>)<\/p>\n

        Export\/Import Authentication Data<\/h3><\/span>\n

        * Export
        \nSecurity Realm > myrealm > Providers > Authentication > DefaultAuthenticator > Migration > Export<\/em>
        \n* Import
        \nSecurity Realm > tmprealm > Providers > Authentication > DefaultAuthenticator > Migration > Export<\/em><\/p>\n

        Configure Entitlement Caching<\/h3><\/span>\n

        * Set cache preload to true:
        \n-Dweblogic.entitlement.engine.cache.preload=true
        \n* Set cache max numbers:
        \n-Dweblogic.entitlement.engine.cache.max_role_count=4000
        \n-Dweblogic.entitlement.engine.cache.max_resource_count=3200<\/p>\n

        Set Default Security Realm<\/h3><\/span>\n

        * Set at:
        \ndomain > Security > General > Default realm<\/em><\/p>\n

        Reverting Realm<\/h3><\/span>\n

        * Backup config.xml files: domain\/config\/backup_confign.xml
        \n* Copy backup config file to config.xml<\/p>\n

        Add Users<\/h3><\/span>\n

        * Go to Security Realm > tmprealm > Users and Groups > Users<\/em>
        \n* Add user tmpUser\/welcome1
        \n* Go to Security Realm > tmprealm > Users and Groups > tmpUser > Groups<\/em>
        \n* Add Administrator <\/em>group<\/p>\n

        Add Groups<\/h3><\/span>\n

        * Go to Security Realm > tmprealm > Users and Groups > Groups<\/em>
        \n* Add group tmpGroup
        \n* Default Groups:
        \n– Administrators
        \n– Deployers
        \n– Operators
        \n– Monitors
        \n– AppTesters
        \n– CrossDomainConnectors
        \n– AdminChannelUsers
        \n– OracleSystemGroup<\/p>\n

        Security Roles<\/h3><\/span>\n

        * Security roles are privileges the server grants to a user, group, or time of day.
        \n* Difference from groups:
        \n– granted at runtime dynamically (by role mapper provider)
        \n– can be scoped to a specific resource
        \n* Role types:
        \n– Global roles
        \n– Scoped roles
        \n* Default global roles
        \n– Admin
        \n– Anonymous
        \n– Deployer
        \n– Operator
        \n– Monitor
        \n– AppTester
        \n– CrossDomainConnector
        \n– OracleSystemRole<\/p>\n

        Security Policies<\/h3><\/span>\n

        * Security policy restricts WebLogic resource to a user, group, or security role
        \n* Root level security policies: apply to a specific type <\/strong>of resource, e.g. JMS resource, EJB resource
        \n* Hierarchical security policies: apply to a specific instance <\/strong>of resource, e.g. web app, ear app, ejb method<\/p>\n

        WAR and EJB Security Models<\/h3><\/span>\n

        * Two security models:
        \n– JEE Security model aka DD Only model
        \n– WebLogic security model
        \n* Which model to use is made at deployment time. Need redeployment to change security model.<\/p>\n

        DD Only Model<\/h4><\/span>\n

        * Uses groups, roles, and security policies defined in
        \n– web.xml
        \n– weblogic.xml
        \n– ejb-jar.xml
        \n– weblogic-ejb-jar.xml
        \n* Developers use DD to
        \n– Define security roles (if developer does not define roles then no security)
        \n– Map EJBs\/Web URLs to roles
        \n– Map Roles to principals (users\/groups)
        \n* DD contained security info is parsed at server bootup time by
        \n– Authorization Provider that implements DeployableAuthorizationProvider <\/strong>
        \n– Role Mapping Provider that implements DeployableRoleProvider<\/strong><\/p>\n

        Custom Roles Model<\/h4><\/span>\n

        * Developers define security policies (not principals) in DD to map:
        \n– EJBs\/Web URLs to roles
        \n* Administrator\/Deployer:
        \n– Define security roles (all roles defined in DD are ignored by server)
        \n– Map roles to principals<\/p>\n

        Custom Roles and Policies Model<\/h4><\/span>\n

        * Completely ignores DD security settings
        \n* ??The drawback with this security model is that it doesn’t provide fine-grained security checks based on a client accessing a specific URL or EJB method–the server checks the security permissions following each client request for a URL or EJB method, leading to an additional overhead.<\/p>\n

        DD Security Elements<\/h4><\/span>\n

        * web.xml<\/p>\n

        \r\n\r\n\r\n\r\n\r\n\r\n<\/pre>\n
        * weblogic.xml<\/p>\n
        \r\n\r\n\r\n \r\n   \r\n    PayrollAdmin<\/role-name> \r\n    Nina<\/principal-name> \r\n    Sam<\/principal-name> \r\n    system<\/principal-name> \r\n  <\/security-role-assignment> \r\n\r\n \r\n   runasrole<\/role-name>\r\n   sam<\/run-as-principal-name>\r\n <\/run-as-role-assignment>\r\n<\/weblogic-web-app>\r\n\r\n<\/pre>\n
        Configure Embedded LDAP Server<\/h3><\/span>\n
        * Admin server maintains master LDAP server, managed server maintains replicated LDAP server
        \n* Admin console configure link: Domain > Security > Embedded LDAP<\/em>
        \n* LDAP directories:
        \nWL_HOME\\domains\\\\ servers\\\\data\\ldap
        \n– backup
        \n– ldapfiles
        \n– conf
        \n– log
        \n– replicadata<\/p>\n
        RDBMS Security Store<\/h2><\/span>\n
        References<\/h2><\/span>\n
        * Oracle WebLogic Server 11g Administration Handbook By: Sam Alapati
        \n* SSO with WebLogic 10.3.1 and SAML2 <\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
        Configure Security Providers * Create a new realm named tmprealm Required providers – Authentication provider, – Authorization provider, – Adjudication provider, – Credential Mapping provider, – CertPath Builder, – Role Mapping provider. Optional providers – Identity Assertion, – Auditing, – … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[104],"tags":[],"class_list":["post-4154","post","type-post","status-publish","format-standard","hentry","category-weblogic11g"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-150","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4154"}],"version-history":[{"count":8,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4154\/revisions"}],"predecessor-version":[{"id":4761,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/4154\/revisions\/4761"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}