Managing WebLogic Security

Customizing the Default Security Configuration

The following sections provide information about customizing the default security realm, creating a new security realm, and setting a security realm as the default (active) security realm.

Why Customize the Default Security Configuration?

To simplify the configuration and management of security in WebLogic Server, a default security configuration is provided. In the default security configuration, myrealm is set as the default (active) security realm and the WebLogic Adjudication, Authentication, Identity Assertion, Authorization, Credential Mapping, and Role Mapping providers are defined as the security providers. Customize the default security configuration if you want to:

The easiest way to customize the default security configuration is to modify the default security realm (myrealm) to contain the security providers you want. For information about configuring different types of security providers in a security realm, see Configuring Security Providers.

However, you can also customize the default security configuration by creating a new security realm, configuring security providers in that realm, and setting the new security realm as the default security realm. BEA recommends this process when upgrading a security configuration.

The remainder of this chapter explains how to create a new security realm and set that security realm as the default (active) security realm.

Creating a New Security Realm

To create a new security realm:

  1. Expand the Security node.

  2. Expand the Realms node.

    All the security realms available for the WebLogic domain are listed in the Realms table.

  3. Click the Configure a new Realm... link.

  4. Enter the name of the new security realm in the Name attribute on the General tab.

  5. To control performance, specify how the WebLogic Security Service should perform security checks.

    Set the value of the Check Roles and Policies setting as follows:

    Note: Prior to WebLogic Server 7.0 SP3, you had to specify how the WebLogic Security Service would perform security checks using the fullyDelegateAuthorization command-line argument. For more information, see "Understanding the fullyDelegateAuthorization Flag" in Securing WebLogic Resources.

  6. Specify which technique you want to use to secure URL (Web) and EJB resources.

    Set the value of the Deployment Descriptor Security Behavior setting as follows:

    Warning: Switching the value of the Deployment Descriptor Security Behavior setting is risky and can lead to incorrect or lost security configurations. Carefully read "Techniques for Securing URL (Web) and EJB Resources" in Securing WebLogic Resources before defining a value for this setting.

  7. To specify that the Credential Mapping providers in the security realm only use credential maps created using the WebLogic Server Administration Console, check the Ignore Deploy Credential Mapping Deployment Descriptor setting. By default, this attribute is not checked, meaning the Credential Mapping provider will load credential maps specified in a weblogic-ra.xml deployment descriptor file.

  8. The Web resource is deprecated in this release of WebLogic Server. If you are configuring a custom Authorization provider that uses the Web resource (instead of the URL resource) in the new security realm, enable the Use Deprecated Web Resource attribute. This attribute changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.

  9. Click Create.

  10. Configure the required security providers for the security realm. In order for a security realm to be valid, you must configure an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, and a Role Mapping provider. Otherwise, you will not be able to set the new security realm as the default security realm. For more information, see Configuring Security Providers.

    Note: When creating a new security realm, at least one of the configured Authentication providers must return asserted LoginModules. Otherwise, run-as tags defined in deployment descriptors will not work.

  11. Optionally, define Identity Assertion, Keystore, and Auditing providers. For more information, see Configuring Security Providers.

  12. If you configured the WebLogic Authentication, Authorization, Credential Mapping or Role Mapping provider in the new security realm, verify the default attribute settings of the embedded LDAP server. For more information, see Managing the Embedded LDAP Server.

  13. Protect WebLogic resources in the new security realm with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing WebLogic Resources. This document should be used in conjunction with Managing WebLogic Security to ensure security is completely configured for a WebLogic Server deployment.

  14. Protect user accounts in the new security realm. For more information, see Protecting User Accounts.

  15. Set the new realm as the default security realm for the WebLogic domain. For more information, see Setting a New Security Realm as the Default (Active) Security Realm.

  16. Reboot WebLogic Server.

Setting a New Security Realm as the Default (Active) Security Realm

After you define attributes on the new security realm and configure the security providers for the security realm, set the new security realm as the default (active) security realm.

To set the new security realm as the default (active) security realm:

  1. Expand the Domain node (for example, Examples).

  2. Select the Security tab.

  3. Select the General tab.

    The pull-down menu on the Default Realm attribute displays the security realms configured in the WebLogic Server domain.

    Note: If you create a new security realm but do not configure the minimum required security providers in the security realm, the realm will not be available from the pull-down menu.

  4. Select the security realm you want to set as the default security realm.

  5. Click Apply.

  6. Reboot WebLogic Server. If you do not reboot WebLogic Server, the new realm is not set as the default security realm.

To verify you set the default security realm correctly:

  1. Expand the Security-->Realms nodes.

    The Realms table shows all realms configured for the WebLogic Server domain. The default (active) security realm has the Default Realm attribute set to true.
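The following Python check is an added example and is not part of the WebLogic documentation or of WebLogic Server itself. It applies the validity rule from step 10 of Creating a New Security Realm (a realm needs Authentication, Authorization, Adjudication, Credential Mapping, and Role Mapping providers; Identity Assertion, Keystore, and Auditing providers are optional) and the Note under Setting a New Security Realm as the Default (Active) Security Realm (an incomplete realm is not offered in the Default Realm pull-down menu). The realm definitions are constructed in-memory sample data rather than anything read from the domain, and the provider type labels are an assumption made for this example, not WebLogic MBean names.

```python
from __future__ import annotations

# Provider types a realm must contain before it can be set as the default
# (active) realm. Identity Assertion, Keystore, and Auditing providers are
# optional. These type labels are an assumption for this example only.
REQUIRED_PROVIDER_TYPES = frozenset({
    "Authentication", "Authorization", "Adjudication",
    "CredentialMapping", "RoleMapping",
})
OPTIONAL_PROVIDER_TYPES = frozenset({"IdentityAssertion", "Keystore", "Auditing"})


def missing_required_providers(providers: list[tuple[str, str]]) -> set[str]:
    """Return the required provider types a realm lacks (empty set = valid).

    ``providers`` is a list of (provider_type, provider_name) pairs, a
    constructed description of what the console lists under a realm. A realm
    may hold several providers of one type (e.g. two Authentication
    providers); only the set of types present matters for validity.
    """
    present = {ptype for ptype, _name in providers}
    unknown = present - REQUIRED_PROVIDER_TYPES - OPTIONAL_PROVIDER_TYPES
    if unknown:
        raise ValueError(f"unrecognized provider type(s): {sorted(unknown)}")
    return set(REQUIRED_PROVIDER_TYPES - present)


def eligible_default_realms(realms: dict[str, list[tuple[str, str]]]) -> list[str]:
    """Realm names that would be offered in the Default Realm pull-down menu,
    i.e. realms with the minimum required set of providers configured."""
    return sorted(name for name, provs in realms.items()
                  if not missing_required_providers(provs))


def can_set_default(realms: dict[str, list[tuple[str, str]]],
                    candidate: str) -> tuple[bool, str]:
    """Say whether ``candidate`` can be made the default realm, and why not if it cannot."""
    if candidate not in realms:
        return False, f"realm {candidate!r} is not configured in the domain"
    missing = missing_required_providers(realms[candidate])
    if missing:
        return False, (f"realm {candidate!r} is missing required providers: "
                       + ", ".join(sorted(missing)))
    return True, f"realm {candidate!r} can be set as the default realm (reboot required)"


# Constructed sample domain: myrealm is complete; NewRealm was created in the
# console but only partially configured. Provider names are sample values.
SAMPLE_REALMS = {
    "myrealm": [
        ("Authentication", "DefaultAuthenticator"),
        ("IdentityAssertion", "DefaultIdentityAsserter"),
        ("Authorization", "DefaultAuthorizer"),
        ("Adjudication", "DefaultAdjudicator"),
        ("CredentialMapping", "DefaultCredentialMapper"),
        ("RoleMapping", "DefaultRoleMapper"),
    ],
    "NewRealm": [
        ("Authentication", "MyLDAPAuthenticator"),
        ("Authorization", "DefaultAuthorizer"),
        ("RoleMapping", "DefaultRoleMapper"),
    ],
}

if __name__ == "__main__":
    for name in SAMPLE_REALMS:
        ok, why = can_set_default(SAMPLE_REALMS, name)
        print(("OK  " if ok else "FAIL"), why)
    print("eligible for Default Realm:", eligible_default_realms(SAMPLE_REALMS))
```

Running the block reports NewRealm as missing its Adjudication and Credential Mapping providers and lists only myrealm as eligible; a realm that passes this check is still not active until WebLogic Server is rebooted, as the procedure above states.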

Deleting a Security Realm

When you delete a security realm, the user, group, security role, security policy, and credential map information is not deleted from the embedded LDAP server. Use an external LDAP browser to delete any unnecessary entries from the embedded LDAP server. For more information, see Viewing the Contents of the Embedded LDAP Server from an LDAP Browser.

To delete a security realm:

  1. Expand the Security-->Realms nodes.

    The Realms table shows all realms configured for the WebLogic domain.

  2. In the table row for the security realm you want to delete, click the trash can icon.

  3. Click Yes in response to the following question:

    Are you sure you want to permanently delete OldRealm from the domain configuration?

    A confirmation message appears when the security realm is deleted.

Reverting to a Previous Security Configuration

It is easy to make a mistake when configuring a new security realm or security providers. A mistake may make it impossible to boot the server or to correct the mistake. Use the following command-line argument to revert to the last security configuration:

-Dweblogic.safeCommoBoot=true
