Using WebLogic Realms and ACLs
I. IntroductionAbout WebLogic authentication, authorization, and realmsYou can configure the WebLogic Server to identify connecting users and restrict their ability to access resources governed by the WebLogic Server. The process of identifying a user is called authentication. The process of testing a user's permission to access a resource is called authorization. WebLogic Server performs authentication and authorization through a security realm. The security realm provides access to implementations of the User, Group, Permission, and ACL (Access Control List) interfaces, which are based on Javasoft's java.security.acl package. For example, the default security realm for the WebLogic Server is weblogic.security.acl.WLPropertyRealm, which provides access to Users, Groups, and ACLs defined in the weblogic.properties file. Another realm example is the RdbmsRealm example included in the distribution. RdbmsRealm provides access to Users, Groups, Permissions, and ACLs stored in a relational database. WebLogic Server initializes a realm during startup and uses that realm for all subsequent authentication and authorization requests. When a client makes a connection to WebLogic Server, it may send a username and credential, such as a password. WebLogic Server passes these to the realm for authentication. If the realm can authenticate the user, it returns a weblogic.security.acl.User object, which is then passed to the thread that created the JNDI context. If the realm cannot authenticate the user, the connection is refused. If a client does not send a username and credential when requesting a connection, WebLogic Server uses the "guest" user for all authorization. A realm implements methods that handle authentication and authorization requests. WebLogic Server does not have to be concerned with specific representations of the realm's objects. This encapsulation of authentication and authorization within the realm interface makes it possible for the WebLogic Server to use any store of users, groups, and ACLs that you choose. The administration of realm objects (creating user accounts, changing passwords, granting permissions, etc.) is realm-dependent, as is the mechanism for storing and retrieving objects in the realm. The default realm for the WebLogic Server, weblogic.security.WLPropertyRealm, is administered simply by setting properties in the weblogic.properties file. See About the default WebLogic realm for more about administering the WLPropertyRealm. Other realms you can use with WebLogic Server are built upon more sophisticated systems, such as a database or an LDAP (Lightweight Directory Access Protocol) server, and are administered using tools supplied by the underlying system. About ACLsACLs protect resources that are accessed through WebLogic Server. An ACL grants a permission on a resource or class of resources to a list of Users and Groups. WebLogic Server supports ACLs on the following resources:
Each type of resource supports one or more grantable permissions. For example, Servlets have "execute" permission, while JDBC connection pools have "reserve" and "reset" permissions. See Setting up ACLs in the WebLogic realm for more about the permissions that can be set for each resource type. Security for Enterprise JavaBeans (EJBs) differs from other types of resources in a few important ways. First, EJB ACLs are configured in the access control properties of an EJBean's deployment descriptor file. Second, permissions can be granted on individual methods of an EJBean; there are no predefined permissions. Finally, according to the JavaSoft specification, EJB permissions should be granted to Roles instead of to individual Users and Groups. You can map an EJB Role to a WebLogic Group. See the Developer's Guide, Using WebLogic Enterprise JavaBeans for more about EJB security. In the WLPropertyRealm, ACLs are specified with weblogic.allow properties in the weblogic.properties file. For example, the ACL that grants "reserve" permission on the JDBC connection pool named "demoPool" to users "Alex", "Ed", "Jim", and "John" is specified with a property like this: weblogic.allow.reserve.weblogic.jdbc.connectionPool.demoPool=\ Alex,Ed,Jim,John The permission to be granted follows the weblogic.allow prefix -- "reserve" in the example above. The list to the right of the equals sign can include user names and group names. The portion of the property name between the permission and the equals sign specifies the resource or group of resources governed by the ACL. The string describes a node in a hierarchical list of ACLs. The following illustration shows a portion of an ACL hierarchy with the path to weblogic.jdbc.connectionPool.demoPool in red:
A permission can be granted on a single object, such as "demoPool" above, or on a class of objects, such as all JDBC connection pools. WebLogic Server uses the most specific ACL it can find for a protected resource. For example, the default weblogic.properties file contains these Servlet ACLs: weblogic.allow.execute.weblogic.servlet=everyone weblogic.allow.execute.weblogic.servlet.T3AdminMain=system When a client submits a request to execute a Servlet, WebLogic Server searches the realm for an ACL on the Servlet, for example weblogic.servlet.HelloWorld. If no specific ACL has been created for the Servlet, WebLogic Server drops the last portion of the string (HelloWorld) and searches the realm for a weblogic.servlet ACL. Permission is granted based on the most specific ACL for a requested resource. This means that you can create ACLs that grant default permissions for a class of resources, and then create more restrictive ACLs for specific resources. The Servlet ACLs above demonstrate this technique. II. Administering ACLsAbout the WebLogic realmIn the default WebLogic realm, WLPropertyRealm, is driven by the weblogic.properties file. A User is defined with a weblogic.password property, a Group is defined with a weblogic.security.group property, and an ACL is defined with one or more weblogic.allow properties. A weblogic.password entry defines a user. All users are automatically members of everyone group, which is a requirement of the WebLogic Server. When the group everyone has a permission, the WebLogic Server does not require authentication. WLPropertyRealm also provides special users system, guest, and http. An ACL consists of a set of ACL properties that include all Permissions that apply to a particular resource. For example, the access control list for the resource "weblogic.workspace.namedWorkspace" consists of two ACL properties, one for "read" Permission and one for "write" Permission. The pattern for ACL properties in the weblogic.properties file is weblogic.allow.PPP.AAA=U1,...,Un, where PPP is the Permission, and AAA is the ACL name. In this pattern, AAA grants Permission PPP to users U1 through Un. The period character may occur in AAA, but not in PPP. There are more details about setting up access control lists for the WebLogic realm in the WebLogic Administrators Guide, Setting WebLogic properties. WebLogic Server may also defer authentication and/or authorization to an external system. WebLogic provides the following alternative realms:
The section Writing a custom realm has additional information about extending or replacing the WLPropertyRealm with your own custom realm. Setting up ACLs in the WebLogic realmWith release 3.0, many of the aspects of WebLogic services and facilities have been put under ACL control. WebLogic Server itself tracks instance credentials through its built-in security realm, the default WebLogic realm, which enables access control for servlets and enterprise beans. WebLogic also provides a default realm implementation.To add an individual (principal) to the WebLogic realm, add a weblogic.password property to the weblogic.properties file, as in this example, which adds users "billc", "sam", and "don": weblogic.password.billc=whiterabbit weblogic.password.sam=madhatter weblogic.password.don=cheshirecat To add a group to the WebLogic realm, add a weblogic.security.group property listing the group members. This example adds group "regusers" with members "billc", "sam", and "don": weblogic.security.group.regusers=billc,sam,don Note that the WebLogic Console does not currently display groups. If you have many users, the weblogic.properties file is not a good place to register users and groups -- property entries can become prohibitively long, and you must restart WebLogic after editing the properties file. A better plan is to extend the WebLogic realm with a centralized security database or a service such as LDAP or Kerberos. The RdbmsRealm example (included in the distribution in the weblogic/examples/security/RdbmsRealm directory) shows how you can extend the WebLogic realm with users, groups, permissions, and ACLs stored in a relational database. WebLogic comes out-of-the-box with access control on the following internal resources:
ACLs for each of these services can be set up or extended with properties in the weblogic.properties file, which also serves as a means of making new security features backwards compatible with older security-related and service-related properties. An ACL can be set at the services level so that you can establish defaults -- like "weblogic.allow.execute.weblogic.servlet=everyone" -- and then override the defaults for specific access. Here is a mapping of the permissions that may be set for each service (ACL name) in the properties file:
In addition, the ACL weblogic.admin, which is built into the default realm, grants permission for "shutdown" and "reset" to the WebLogic special administrative user "system." There is a more detailed discussion of setting properties in the WebLogic Administrators Guide, Setting WebLogic properties.
III. The WebLogic ACL APIWebLogic ACL API referencePackage weblogic.security.acl
Class java.lang.Object Class weblogic.security.acl.AclEntryImpl (implements java.security.acl.AclEntry) Class weblogic.security.acl.AdminPermissions Interface weblogic.security.acl.BasicRealm Class weblogic.security.acl.BasicRealmDelegator (implements weblogic.security.acl.BasicRealm) Class java.awt.Component (implements java.awt.image.ImageObserver, java.awt.MenuContainer, java.io.Serializable) Class java.awt.Container Class java.awt.Panel Class weblogic.security.acl.AclView Class weblogic.security.acl.DefaultRealmImpl (implements weblogic.security.acl.ManageableRealm) Class weblogic.security.acl.WLPropertyRealm (implements weblogic.security.acl.DynamicUserAcl) Class weblogic.security.acl.DefaultUserInfoImpl (implements weblogic.security.acl.UserInfo, java.io.Externalizable) Interface weblogic.security.acl.DynamicUserAcl (extends weblogic.security.acl.BasicRealm) Interface weblogic.security.acl.ExplicitlyControlled Class java.security.Identity (implements java.security.Principal, java.io.Serializable) Class weblogic.security.acl.User Class weblogic.security.acl.DefaultUserImpl (implements java.io.Serializable) Class weblogic.security.acl.Everyone (implements java.security.acl.Group) Class weblogic.security.acl.GroupImpl (implements java.security.acl.Group) Class weblogic.security.acl.LispFormat Interface weblogic.security.acl.ListableRealm (extends weblogic.security.acl.BasicRealm) Interface weblogic.security.acl.ManageableRealm (extends weblogic.security.acl.ListableRealm) Class weblogic.security.acl.OwnerImpl (implements java.security.acl.Owner, java.io.Serializable) Class weblogic.security.acl.AclImpl (implements java.security.acl.Acl, java.io.Serializable) Class weblogic.security.acl.PermissionImpl (implements java.security.acl.Permission, java.io.Serializable) Class weblogic.security.acl.Realm Class weblogic.security.acl.RealmProxy Class weblogic.security.acl.Security Interface weblogic.security.acl.UserInfo (extends java.io.Serializable) Overview of the WebLogic ACL APIThe weblogic.security.acl package is based on the JavaSoft JDK 1.1 java.security.acl API specification. You can read a high-level summary of this specification in Security in JDK 1.1 on the JavaSoft website. WebLogic security provides a Realm interface through which implementations of, and extensions to, the JavaSoft security API are called. A Realm groups a set of classes that implement User, Group, Permission, and ACL interfaces. It presents a uniform interface for performing authentication and authorization tasks. If you use the default WebLogic realm, WLPropertyRealm (or one of the alternative realms that WebLogic provides) WebLogic security is chiefly an administrative responsibility. Accessing the WebLogic ACL API from Java applications is rarely necessary. There are two situations, however, where you may need to use the WebLogic ACL API from a Java application:
In the first case, you add functionality to the realm's authorization service, without affecting the realm's authentication service or the implementation of any of the realm's objects. The second case allows you to replace all or part of the realm's authentication or authorization services with your own implementation. The two techniques can also be combined. WebLogic security classesRealm classesDuring startup, WebLogic Server initializes the realm it uses for authentication and authorization. The weblogic.security.realmClass property specifies the realm class to use. It defaults to weblogic.security.acl.WLPropertyRealm. WebLogic Server loads the realm class and makes it available through the weblogic.security.acl.Security class. The weblogic.security.acl.Security methods can only be executed in the WebLogic Server's VM. WebLogic provides three realm interfaces:
WLPropertyRealm implements the ListableRealm interface and extends weblogic.security.acl.DefaultRealmImpl, a ManageableRealm. When the WebLogic Server starts, it uses the ManageableRealm methods provided by DefaultRealmImpl to create Users, Groups, Permissions, and ACLs as they are read from the weblogic.properties file. User and Group classesJDK 1.1 provides classes and interfaces to describe users and groups of users. The
weblogic.security.acl.User and java.security.acl.Group both extend java.security.Identity, which implements the java.security.Principal interface. Some weblogic.security.acl methods take a Principal argument, which can be satisfied with either a User or Group. For example, you can add a User or a Group to a Group, or you can set a permission for a User or Group. The Java 1.1 java.security.Identity class represents an entity with a name and a public key. However, weblogic.security.acl.User is implemented with a name and a credential, which could be any Object that can be used for authentication in the realm, such as a password, certificate, or certificate token. WebLogic Server depends upon the special users "system" and "guest," and the special group "everyone." You must define a password for the "system" user in the weblogic.properties file using the weblogic.password.system property, even if you substitute a custom realm for WLPropertyRealm. The default WLPropertyRealm creates User "guest" (with password "guest") and Group "everyone" at startup. If you substitute your own realm for authentication, that realm must supply the "guest" User and the "everyone" Group and every User must be a member of the "everyone" Group. The realm must also supply a "system" User (in addition to the "system" User defined in the weblogic.properties file), and that "system" User must also be a member of the "everyone" Group, which ensures that the "system" User also receives permissions granted to "everyone." Permission classThe weblogic.security.acl.PermissionImpl class implements the java.security.acl.Permission interface. A Permission is some right that can be granted to a user such as "execute," "read," or "lookup" Permission. A Permission can be positive or negative. The default WLPropertyRealm supports only positive Permissions. Because of this limitation, in the WLPropertyRealm you cannot grant a Permission to a Group and then revoke the Permission from individual Users in that Group. A custom realm, however, could support negative Permissions. When you use the WLPropertyRealm for authorization, WebLogic Server creates Permissions as it parses weblogic.allow properties in the weblogic.properties file. If you substitute a custom realm for authorization, that realm must create Permissions. For example, the RdbmsRealm creates Permissions from the rows it retrieves from the aclentries database table. ACL classesJDK 1.1 supplies the java.security.acl.Acl interface and the java.security.acl.AclEntry interface. WebLogic implements these interfaces with the weblogic.security.acl.AclImpl and weblogic.security.acl.AclEntryImpl classes. An Acl is a data structure that contains multiple AclEntries. An Acl has a name, which is generally a reference to the resource the Acl protects. Each Acl is created with an owner, a Principal (User or Group), that must be supplied when altering the Acl, for example, adding or removing AclEntries. An AclEntry contains a Principal (a User or Group) and an array of Permissions. The class provides methods to add and remove Permissions, check for the presence of a Permission, and change a positive Permission to a negative Permission. Only the owner of an Acl can add an AclEntry to the Acl.
How WebLogic Server authenticatesIf a connecting client provides a username and credential, WebLogic Server passes them to the realm for authentication. If the realm cannot authenticate the user, WebLogic Server refuses the request. If the realm successfully authenticates the user, it returns a weblogic.security.acl.User object, which is then associated with thread that created the JNDI context. For more information see Associating a principle with a thread. If a connecting client does not provide a username and credential on a connection request, WebLogic Server uses the "guest" user for authorization. If the user requests an HTTP servlet protected with an Acl, the web browser prompts the user for a username and credential. If the realm authenticates the user's entry, the authenticated User replaces the "guest" user on the connection. A Java application can specify a username and credential when establishing the connection. If it does not, then the "guest" user is associated with the connection. IV. Implementing with the WebLogic ACL API
Using custom permissionsYou can design your own ACL names and permissions and access them from your applications. If you use the default WLPropertyRealm realm, just define your ACLs in the weblogic.properties file and then test Permission at runtime using a few methods in the weblogic.security.acl package. If you are using a different realm for authorization, you define your ACLs in the way that is appropriate for that realm. For example, if you use the RdbmsRealm, you add ACLs to the ACLs table in the realm's database. In an application, you can call Security.checkPermission() to test for a permission in the WebLogic realm. As with all realm operations, the test can only be performed in a class executing in the WebLogic Server. The weblogic.security.acl.Security.hasPermission() and weblogic.security.acl.Security.checkPermission() methods test whether a user has a given permission. The methods are similar, except that the hasPermission() method returns a boolean (true if the user has the permission) and the checkPermission method throws a java.lang.SecurityException if the user does not have the permission. The examples.security.acl example demonstrates how to create your own permissions and test them in a server-side application. It is a simple example that demonstrates how to protect an RMI object with a custom ACL. (Find out more about WebLogic RMI and remote method invocation in Using WebLogic RMI.) This section describes how the examples.security.acl example uses the WebLogic ACL API. See Package-examples.security.acl for instructions on setting up and running the example. The weblogic.security.acl example has three classes/interfaces:
The example uses a custom ACL, "aclexample" with the permission "frob". Using the default WebLogic realm, you create the ACL by adding the following property to the weblogic.properties file: weblogic.allow.frob.aclexample=list Replace list with a comma-separated list of users or groups, which must also be defined in the weblogic.properties file. When WebLogic Server starts up, it parses this property and does the following:
FrobImpl classThe FrobImpl class contains the code that runs in the WebLogic Server and calls into the realm to check the "aclexample" Acl. The class shows two methods for testing a permission. The first method uses a static method in theweblogic.security.acl.Security class: Security.checkPermission(Security.getCurrentUser(), "aclexample", Security.getRealm().getPermission("frob"), '.'); The weblogic.security.acl.Security class provides access to the WebLogic realm. This is WLPropertyRealm if you have not substituted a custom realm. If you have specified a custom realm with the weblogic.security.realmClass property, the Security class provides access to that realm. You could also instantiate a realm in the WebLogic Server that does not replace the default realm. In this case, you cannot use the Security class, since it only provides access to the WebLogic realm. The second method for checking permission illustrated by the FrobImpl example gets a realm by name, retrieves an Acl from that realm, and then tests for permission with the acl.checkPermission() method: User p = Security.getCurrentUser(); BasicRealm realm = Realm.getRealm("weblogic"); Acl acl = realm.getAcl("aclexample"); if (acl == null || !acl.checkPermission(p, realm.getPermission("frob"))) { Security.logAndThrow("Permission \"frob\" denied " + "for user \"" + p + ".\""); } When you check permission in a realm other than the WebLogic realm, you must test a User from that same realm. Since this example uses the WebLogic realm, it retrieves the current user on the thread with Security.getCurrentUser(). Also, it uses the Security.logAndThrow() method, a convenience method that writes a message to the log and throws a java.lang.SecurityException. Client classThe examples.security.acl.Client class creates a connection to the WebLogic Server and attempts to execute the frob() method. The permission-checking is performed in the server-side code. Client does not have to provide any security-related code other than providing the username and password needed for authentication. The client program takes three command-line arguments: an URL for the WebLogic Server, a username, and a password. These arguments are placed in the Hashtable used to get a JNDI context from the WebLogic Server. Here is the code that gets a JNDI context, looks up the "frobtarget" RMI object, and then executes the frob() method: Context ctx = null; try { // Set up a Hashtable and get a JNDI context Hashtable env = new Hashtable(); env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory"); env.put(Context.PROVIDER_URL, arg[0]); env.put(Context.SECURITY_PRINCIPAL, arg[1]); env.put(Context.SECURITY_CREDENTIALS, arg[2]); // RMI lookup on the remote object ctx = new InitialContext(env); Frobable f = (Frobable) ctx.lookup("frobtarget"); // Can this user get access to the "frob" method? f.frob(); System.out.println("Frobbed successfully"); } // If not, this client-side code throws an exception catch (Throwable t) { t.printStackTrace(); System.out.println("Failed to frob"); } finally { try (ctx.close()} catch (Exception e) { // Deal with any failure } }
Writing a custom realmYou can create your own security realm, perhaps to take advantage of an existing store of users, such as a directory server on the network. You can substitute your custom realm for the default WebLogic realm by setting the weblogic.security.realmClass property to the name of your realm class in the weblogic.properties file. When the WebLogic Server starts up, it initializes your realm and uses it for all authentication and authorization requests. Your realm then becomes the WebLogic realm. Alternatively, you could install a custom realm as a startup class so that it is an additional realm available to specific applications that are written to use it. The additional realm has no effect on basic WebLogic Server authentication and authorization, but allows applications to perform authentication and authorization in a separate domain. To create a custom realm for the WebLogic realm, you can either extend the WLPropertyRealm, or build a new realm by implementing a realm interface and the User, Group, Permission, Acl, and AclEntry interfaces. A custom realm to replace WLPropertyRealm should implement ManageableRealm, which allows the realm to create and destroy Users, Groups, Permissions and Acls. The realm methods that you implement include all methods from all three realm interfaces, BasicRealm, ListableRealm, and ManageableRealm:
Your custom realm design should consider these issues:
Writing a realm that extends the default WebLogic realmYour realm can extend the default WebLogic realm, and delegate to WLPropertyRealm as appropriate. This is useful if you want to continue to use the weblogic.properties file for some of the realm's source data. For example, you could override methods that retrieve Users, but continue to define Groups and ACLs in the weblogic.properties file. You then install your realm in the WebLogic Server by adding the following property to the weblogic.properties file: weblogic.security.realmClass=myRealmClass
The LDAPRealm is an example of a realm that extends WLPropertyRealm. LDAPRealm uses an LDAP server (such as Netscape Directory Server or Microsoft Site Server) for authentication, but depends on the WLPropertyRealm for authorization (ACLs). It overrides WLPropertyRealm methods that look up Users and Groups and authenticate Users. It uses EJBs to cache User and Group objects to avoid redundant calls to the LDAP server. Writing a realm using DefaultRealmExtenderThe DefaultRealmExtender example is a realm implementation that makes it easier to develop custom realms. DefaultRealmExtender delegates to an underlying realm that you provide. If your realm does not provide certain objects the WebLogic Server requires, DefaultRealmExtender provides them. DefaultRealmExtender:
Before DefaultRealmExtender creates an object, it first requests that object from the underlying realm. Therefore, the underlying realm, which you provide, always has precedence over DefaultRealmExtender. RdbmsRealm example
The RdbmsRealm example shows how to develop a database-based realm using DefaultRealmExtender. The examples.security.rdbmsrealm package also includes CachingRealm, a realm that implements a LRU cache for Users, Groups, Permissions, and ACLs.
Here is how the delegation chain is established:
See the instructions for the RdbmsRealm and DefaultRealmExtender examples for help with setting up the RdbmsRealm example. Implementing RdbmsRealmDefaultRealmExtender and CachingRealm are "helper" realms that pass requests through to RdbmsRealm. RdbmsRealm performs the actual work of the realm, so this section focuses on the implementation of RdbmsRealm. To create a new realm, you implement one of the realm interfaces and any additional classes needed for Users, Groups, ACLs, and Permissions. RdbmsRealm implements the weblogic.security.acl.ListableRealm interface and the CacheableRealm interface. It also provides an RdbmsUser class and an RdbmsUserInfo class. It uses standard WebLogic implementations for Group, Permission, Acl, and AclEntry. The RdbmsUser and RdbmsUserInfo class extend existing User and UserInfo classes, so the work of implementing the realm is nearly confined to retrieving data from the database with JDBC and creating objects.
|
|
Copyright © 2000 BEA Systems, Inc. All rights reserved.
|