Managing WebLogic Security
Single sign-on allows user information to be propagated from an EIS to WebLogic Server so that users are not required to authenticate themselves multiple times as they access WebLogic Server resources. Resource adapters defined by the J2EE Connector Architecture can acquire the credentials necessary to authenticate users defined in an EIS when they request access to a protected WebLogic resource. The container in WebLogic Server that hosts resource adapters can retrieve the appropriate set of credentials for the WebLogic resource using a credential map. A credential map creates an association between a user in WebLogic Server security realm and an identity (a username and password combination) used to authenticate that user in an EIS such as an Oracle database, a SQL server, or a SAP application.
For more information using security in resource adapters, see the Security topic in Programming WebLogic J2EE Connectors.
WebLogic Server provides two techniques for creating credential maps: deployment descriptors (deprecated) and the WebLogic Server Administration Console. The following sections describe both techniques.
Credentials maps can be specified in the <
security-principal-map> element of the
weblogic-ra.xml deployment descriptor file. The <
security-principal-map> element provides the association between the credentials used to log in to the EIS and credentials used to authenticate to WebLogic resources. The deployment descriptor technique for creating credential maps is deprecated in this release of WebLogic Server. Instead, use the WebLogic Server Administration Console to create credential maps. For more information, see Using the WebLogic Administration Console to Create Credential Maps.
If you deployed a resource adapter that has a
weblogic-ra.xml deployment descriptor file containing a defined
<security-principal-map> element, BEA recommends importing the data into the embedded LDAP server and where it can be used by the WebLogic Credential Mapping provider.
To import the information from the
weblogic-ra.xml deployment descriptor file into the embedded LDAP server, enable the Credential Mapping Deployment Enabled attribute on the Credential Mapping provider in the default (active) security realm. When the resource adapter is deployed, the credential map information is loaded into the Credential Mapping provider.
In order to support the Credential Mapping Deployment Enabled attribute, a Credential Mapping provider must implement the DeployableCredentialProvider SSPI. By default, the WebLogic Credential Mapping provider has this attribute enabled. Therefore, information from a
weblogic-ra.xml deployment descriptor file is automatically loaded into the WebLogic Credential Mapping provider when the resource adapter is deployed.
It is important to understand that once information from a
weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which will happen if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), the data will once again be imported from the
weblogic-ra.xml deployment descriptor file and credential mapping information may be lost.
weblogic-ra.xmldeployment descriptor file.
You can now use the WebLogic Server Administration Console to create credential maps. If you are using the WebLogic Credential Mapping provider, the credential maps are stored in the embedded LDAP server.
weblogic-ra.xmldeployment descriptor files. For more information, see Setting a New Security Realm as the Default (Active) Security Realm.
If multiple WebLogic Credential Mapping providers are configured in the security realm, select which WebLogic Credential Mapping provider's database should store information for the new credential map.