Programming WebLogic Server J2EE Connectors
As specified in the J2EE Connector Specification, Version 1.0 Final Release, the WebLogic Server connector implementation supports both container-managed and application-managed sign-on. At runtime, the WebLogic Server connector implementation determines the sign-on mechanism from the invoking client component's deployment descriptor: the res-auth element of the component's resource-ref entry specifies either Container or Application. For more information on this element, see web.xml Deployment Descriptor Elements in Developing Web Applications for WebLogic Server.
If the WebLogic Server J2EE Connector Architecture implementation is unable to determine which sign-on mechanism the client component is requesting (typically because the component performed an improper JNDI lookup of the resource adapter Connection Factory, bypassing the resource-ref that carries the res-auth setting), the Connector Architecture attempts container-managed sign-on.
For related information, see Obtaining the ConnectionFactory (Client-JNDI Interaction) in Client Considerations.
With application-managed sign-on, the client component provides the necessary security information (typically a username and password) when it calls for a connection to an Enterprise Information System (EIS). In this scenario, the application server performs no additional security processing; it passes the information through unchanged on the connection request, and the resource adapter uses it to perform the EIS sign-on in whatever way that adapter's implementation defines. Because the server neither validates nor protects these credentials, obtaining and safeguarding them is the component's responsibility.
To use container-managed sign-on, WebLogic Server must identify a resource principal and then request the connection on behalf of the resource principal. In order to make this identification, WebLogic Server looks for a configured mapping in the embedded LDAP storage. For any deployed resource adapter, you can configure credential mappings for applicable users. For more information, see Configuring Credential Mappings Using the Console.
You map a user in WebLogic Server to an appropriate set of credentials for a given resource adapter. For old-style resource adapters that still use the deprecated security-principal-map element (configured in the weblogic-ra.xml deployment descriptor), this information is imported into the embedded LDAP storage at deployment time.
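The following CCI client shows the two sign-on modes described above side by side. It is an added example, not code from the WebLogic Server documentation or from any shipped resource adapter. The resource-ref names, the EIS credentials and the EisConnectionSpec class are assumptions: the javax.resource.cci.ConnectionSpec interface itself declares no methods, and the Version 1.0 specification leaves it to each adapter vendor to implement it as a JavaBean with UserName and Password properties, so a real adapter supplies its own class.

```java
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.resource.ResourceException;
import javax.resource.cci.Connection;
import javax.resource.cci.ConnectionFactory;
import javax.resource.cci.ConnectionSpec;

/*
 * Hypothetical ConnectionSpec. A real adapter ships its own implementation;
 * this one only exists so the application-managed call below compiles.
 */
class EisConnectionSpec implements ConnectionSpec {
    private String userName;
    private String password;

    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}

public class EisSignOn {

    /*
     * Assumed resource-ref entries in the calling component's web.xml or
     * ejb-jar.xml (hypothetical names):
     *
     *   <resource-ref>
     *     <res-ref-name>eis/AppManagedEIS</res-ref-name>
     *     <res-type>javax.resource.cci.ConnectionFactory</res-type>
     *     <res-auth>Application</res-auth>
     *   </resource-ref>
     *   <resource-ref>
     *     <res-ref-name>eis/ContainerManagedEIS</res-ref-name>
     *     <res-type>javax.resource.cci.ConnectionFactory</res-type>
     *     <res-auth>Container</res-auth>
     *   </resource-ref>
     *
     * Looking the factory up through java:comp/env is what lets WebLogic
     * Server find the res-auth setting. A lookup by the factory's global
     * JNDI name bypasses the resource-ref, and the server then falls back
     * to container-managed sign-on.
     */
    private static ConnectionFactory lookup(String resRefName) throws NamingException {
        Context ctx = new InitialContext();
        try {
            return (ConnectionFactory) ctx.lookup("java:comp/env/" + resRefName);
        } finally {
            ctx.close();
        }
    }

    /* Application-managed sign-on: the component supplies the EIS credentials. */
    public static Connection openApplicationManaged(String user, String password)
            throws NamingException, ResourceException {
        ConnectionFactory cf = lookup("eis/AppManagedEIS");
        EisConnectionSpec spec = new EisConnectionSpec();
        spec.setUserName(user);
        spec.setPassword(password);
        // WebLogic Server passes spec through unchanged; the adapter does the sign-on.
        return cf.getConnection(spec);
    }

    /*
     * Container-managed sign-on: no credentials in the call. WebLogic Server
     * resolves the resource principal from the credential mapping for the
     * current WebLogic user (or weblogic_ra_default) and hands it to the
     * adapter inside a javax.security.auth.Subject.
     */
    public static Connection openContainerManaged()
            throws NamingException, ResourceException {
        ConnectionFactory cf = lookup("eis/ContainerManagedEIS");
        return cf.getConnection();
    }

    /* Typical use inside a servlet or EJB method; close() returns the connection to the pool. */
    public static void useEis(boolean containerManaged, String user, String password)
            throws NamingException, ResourceException {
        Connection con = containerManaged
                ? openContainerManaged()
                : openApplicationManaged(user, password); // credentials from a secure source, never hard-coded
        try {
            con.createInteraction().close(); // adapter-specific work would go here
        } finally {
            con.close();
        }
    }
}
```

With res-auth set to Container, the component should call getConnection() with no ConnectionSpec; with res-auth set to Application, the adapter receives exactly the credentials the component placed in the spec, so anything the component got wrong (stale password, wrong account) surfaces only as an EIS sign-on failure inside the adapter.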
The J2EE Connector specification, Version 1.0 Final Release requires storage of credentials in a javax.security.auth.Subject; the credentials are passed to either the createManagedConnection() or matchManagedConnection() methods of the ManagedConnectionFactory object.
Prior to version 7.0 of WebLogic Server, credential mapping information was stored in the weblogic-ra.xml deployment descriptor in the security-principal-map element. In subsequent versions of WebLogic Server, the credential mapping information is stored in the WebLogic Server Embedded LDAP storage.
WebLogic Server users must be authenticated whenever they request access to a protected WebLogic Server resource. For this reason, each user is required to provide a credential (a username/password pair or a digital certificate) to WebLogic Server.
Password authentication, consisting of a user ID and a password, is the only authentication mechanism WebLogic Server supports out of the box for resource adapter sign-on. Based on the configured mappings, when a user requests a connection to a resource adapter, the appropriate credentials for that user are supplied to the resource adapter.
The SSL (or HTTPS) protocol can be used to provide an additional level of security to password authentication. Because the SSL protocol encrypts the data transferred between the client and WebLogic Server, the user ID and password do not flow in clear text, and WebLogic Server can authenticate the user without compromising the confidentiality of those values. Note that SSL protects only the hop between the client and WebLogic Server; the credentials the resource adapter then presents to the EIS are protected only by whatever transport the adapter itself uses.
You configure credential mappings using the WebLogic Server Administration Console. Before you can configure the credential mappings for a resource adapter using the Console, however, you must successfully deploy the resource adapter. Note that the first time you deploy a resource adapter, it has no credential mappings configured.
If the resource adapter requires you to provide credentials and is configured to create connections at deployment time (meaning the initial-capacity element in weblogic-ra.xml is set to greater than 0), the initial connections may fail, because no credential mappings exist yet when the adapter is first deployed. In this case, BEA recommends that, for the initial installation and deployment of the resource adapter, you set the initial-capacity of its connection pool to 0. Once you have configured the appropriate credentials after the initial deployment, you can raise the initial-capacity element. For more information on weblogic-ra.xml deployment descriptors, see weblogic-ra.xml Deployment Descriptor Elements.
To create credential mappings, see Single Sign-on with Enterprise Information Systems in Managing WebLogic Security.
The following sections discuss the definition of users and groups. For more information on how to create users and groups, see Managing WebLogic Security.
Users are entities that can be authenticated in a WebLogic Server security realm. A user can be a person or a software entity, such as a Java client. Each user is given a unique identity within a WebLogic Server security realm. As a system administrator you must guarantee that no two users in the same security realm share the same identity.
Defining users in a security realm means specifying, in the Users window of the Administration Console, a unique name and password for each user that will access resources in the WebLogic Server security realm.
A group represents a set of users who usually have something in common, such as working in the same department in a company. Groups are a means of managing a number of users efficiently. You grant security roles to users and groups; these security roles are used to create a security policy, which restricts access to server resources. For more information, see Managing WebLogic Security.
You create the default mapping using the special name weblogic_ra_default. Configuring this mapping is optional, but if the resource adapter supports container-managed sign-on and any client uses it, a mapping must exist in some form for every calling user, either a per-user mapping or this default.
When importing a security principal map from an old-style resource adapter that has a deprecated security-principal-map element configured in its weblogic-ra.xml file, elements with an initiating principal of * are imported to the special mappings for both weblogic_ra_initial and weblogic_ra_default. This allows these mappings to be used both for initial connections created at deployment time and for default connections (used when there is no matching mapping for the current user).
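The following old-style weblogic-ra.xml fragment illustrates the two points above and the initial-capacity advice given earlier: a pool that creates no connections at deployment, a * entry that is imported as both weblogic_ra_initial and weblogic_ra_default, and a per-user entry that takes precedence over the default for that user. It is an added example, not a descriptor from the WebLogic Server documentation; the factory name, JNDI name, user names and passwords are hypothetical, and the DOCTYPE line for your WebLogic Server version is omitted.

```xml
<weblogic-connection-factory-dd>
  <connection-factory-name>HypotheticalEISFactory</connection-factory-name>
  <jndi-name>eis/HypotheticalEIS</jndi-name>
  <pool-params>
    <!-- 0 for the first deployment: no credential mappings exist yet, so
         connections created at deployment time would fail the EIS sign-on.
         Raise it once the mappings are configured. -->
    <initial-capacity>0</initial-capacity>
    <max-capacity>10</max-capacity>
  </pool-params>
  <!-- Deprecated element: imported into the embedded LDAP credential
       mappings when the adapter is deployed. -->
  <security-principal-map>
    <!-- "*" becomes both weblogic_ra_initial (deployment-time connections)
         and weblogic_ra_default (users with no entry of their own). -->
    <map-entry>
      <initiating-principal>*</initiating-principal>
      <resource-principal>
        <resource-username>eis_default_user</resource-username>
        <resource-password>eis_default_password</resource-password>
      </resource-principal>
    </map-entry>
    <!-- A specific WebLogic user mapped to its own EIS account. -->
    <map-entry>
      <initiating-principal>alice</initiating-principal>
      <resource-principal>
        <resource-username>alice_eis</resource-username>
        <resource-password>alice_eis_password</resource-password>
      </resource-principal>
    </map-entry>
  </security-principal-map>
</weblogic-connection-factory-dd>
```

Note that this descriptor carries EIS passwords in clear text inside the RAR, so the archive has to be protected like any other credential store; moving the mappings into the embedded LDAP storage via the Console removes them from the deployable artifact.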
These topics are discussed further in Defining Users and Groups.
The J2EE Connector Specification, Version 1.0 Final Release defines default security policies for any resource adapters running in an application server. It also defines a way for a resource adapter to provide its own specific security policies overriding the default.
In compliance with this specification, WebLogic Server dynamically modifies the runtime environment for resource adapters. If the resource adapter has not defined specific security policies, WebLogic Server overrides the runtime environment for the resource adapter with the default security policies specified in the J2EE Connector Architecture Specification. If the resource adapter has defined specific security policies, WebLogic Server overrides the runtime environment for the resource adapter with a combination of the default security policies for resource adapters and the specific policies defined for that adapter. Resource adapters define specific security policies using the security-permission-spec element in the ra.xml deployment descriptor file.
For more information on security policy processing requirements, see the "Security Permissions" section of the "Runtime Environment" chapter in the J2EE Connector Specification, Version 1.0 Final Release (http://java.sun.com/j2ee/download.html#connectorspec).
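The following ra.xml fragment shows where an adapter declares a specific security policy. It is an added example, not a descriptor from the WebLogic Server documentation or from any real adapter; the class names, vendor name, property prefix and EIS host are hypothetical. The security-permission-spec body uses Java security policy file syntax, as the Version 1.0 descriptor DTD requires.

```xml
<connector>
  <display-name>HypotheticalEISAdapter</display-name>
  <vendor-name>Example Vendor</vendor-name>
  <spec-version>1.0</spec-version>
  <eis-type>Hypothetical EIS</eis-type>
  <version>1.0</version>
  <resourceadapter>
    <managedconnectionfactory-class>com.example.eis.EisManagedConnectionFactory</managedconnectionfactory-class>
    <connectionfactory-interface>javax.resource.cci.ConnectionFactory</connectionfactory-interface>
    <connectionfactory-impl-class>com.example.eis.EisConnectionFactory</connectionfactory-impl-class>
    <connection-interface>javax.resource.cci.Connection</connection-interface>
    <connection-impl-class>com.example.eis.EisConnection</connection-impl-class>
    <transaction-support>NoTransaction</transaction-support>
    <!-- Password sign-on, matching the only mechanism WebLogic Server maps out of the box. -->
    <authentication-mechanism>
      <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
      <credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
    </authentication-mechanism>
    <reauthentication-support>false</reauthentication-support>
    <!-- Adapter-specific policy, merged with the specification's defaults. -->
    <security-permission>
      <description>Read the adapter's own configuration properties (hypothetical prefix)</description>
      <security-permission-spec>
        grant {
          permission java.util.PropertyPermission "eis.*", "read";
        };
      </security-permission-spec>
    </security-permission>
    <security-permission>
      <description>Accept EIS callback connections on the EIS host (hypothetical host and port)</description>
      <security-permission-spec>
        grant {
          permission java.net.SocketPermission "eis.example.com:9000", "accept,listen";
        };
      </security-permission-spec>
    </security-permission>
  </resourceadapter>
</connector>
```

Because WebLogic Server applies a combination of the default policy and the declared policy, security-permission-spec can only widen what the adapter may do. Listing a narrower permission that the default policy already grants (for example, a SocketPermission with only the connect action) does not restrict the adapter, so the declarations worth writing are the ones the default policy does not cover, as above.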