Download Docs   Site Map   Glossary  Search

Administration Console Online Help

WebLogic Identity Assertion Provider-->Details

Tasks     Related Topics

Overview

When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.

This user name mapper is a class that implements the weblogic.security.providers.authentication.UserNameMapper interface. You can either write your own implementation and configure it in the Administration Console or use the default implementation provided by WebLogic Server.

The WebLogic Identity Assertion provider calls the user name mapper class for the following types of identity assertion token types:

• X.509 digital certificates passed via the SSL handshake
• X.509 digital certificates passed via CSIv2
• X.501 distinguished names passed via CSIv2

The default user name mapper uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (smith@bea.com) to a user in the WebLogic Server security realm (smith).

Use this tab to activate the default user name mapper and specify which attributes in a digital certificates are used to create the username. The attributes on the tab are defined as follows:

• Default User Name Mapper Attribute Type—The attribute of the subject distinguished name (DN) in a digital certificate used to create a username. Valid values are:
• C—Country code.
• CN—Common name.
• E—Email address. (This is the default value).
• L—Name of the city or town.
• O—Organization name.
• OU—Organization unit name (for example, the name of the division or group within a company).
• Default User Name Mapper Attribute Delimiter—The attribute that ends the username. The user name mapper uses everything to the left of the attribute to create a username.

Configure a custom user name mapper on the Weblogic Identity Assertion Provider-->General tab.

Tasks

Configuring a WebLogic Identity Assertion Provider

Related Topics

Introduction to WebLogic Security

Managing WebLogic Security

Programming WebLogic Security

Developing Security Providers for WebLogic Server

Securing a WebLogic Server Deployment

Upgrading Security in WebLogic Server Version 6.x to WebLogic Server Version 7.0

Security FAQ

The Security page in the WebLogic Server documentation