<a name="compatibility_mode"></a>Compatibility Security

Note: The Administration Console refers to the WebLogic Role Mapping provider as the Default Role Mapper.

Role Mapping providers support security policies by obtaining a computed set of roles granted to a requestor for a given resource. Role Mapping providers supply Authorization providers with this role information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security.

The WebLogic Security Framework will use business logic and the current operation parameters (obtained from the J2EE and WebLogic deployment descriptor files) to determine which roles (if any) apply to the particular Subject at the moment in which access is required for a given resource. If multiple Role Mapping providers are configured, the set of roles returned by all Role Mapping providers will be intersected by the WebLogic Security Framework.

By default, the WebLogic Role Mapping provider is configured in the default security realm (myrealm). You can use a Custom Role Mapping provider instead of the WebLogic Role Mapping provider. For a Custom Role Mapping provider to be available through the WebLogic Server Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.

A Role Mapping provider that supports deploying roles on behalf of Web application or Enterprise JavaBean (EJB) deployments needs to implement the DeployableRoleProvider Security Service Provider Interface (SSPI) instead of the RoleProvider SSPI. You also need to enable the Role Deployment Enabled attribute on this tab. The Role Deployment Enabled attribute is enabled by default for the WebLogic Role Mapping provider.

During application deployment, WebLogic Server reads role mappings from the weblogic.xml and weblogic-ejb-jar.xml files. This information is used to populate the WebLogic Role Mapping provider. Any changes made to the role mappings through the WebLogic Server Administration Console are not persisted to the weblogic.xml and weblogic-ejb-jar.xml files. Before you deploy the application again (which will happen if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), you need enable the Ignore security data in deployment descriptors attribute on the General tab for a security realm.

Table 1-13

Attribute Label	Description	Value Constraints
Name	The name of this configuration. WebLogic Server uses an MBean to implement and persist the configuration. MBean: weblogic.security. providers.authorization. DefaultRoleMapperMBean Attribute: Name
Description	Describes this security provider. Each security provider's mbean should set the default value of this read-only attribute to a string that describes the provider. In other words, each security provider's mbean hard-wires its description. There are no conventions on the contents of the description. It should be a human readable string that gives a brief description of the security provider. MBean: weblogic.security. providers.authorization. DefaultRoleMapperMBean Attribute: Description	Default: "Weblogic Role Mapping Provider"
Version	this security provider's version. Each security provider's mbean should set the default value of this read-only attribute to a string that specifies the version of the provider (eg. 7.3.04). In other words, each security provider's mbean hard-wires its version. There are no conventions on the contents of the version string. MBean: weblogic.security. providers.authorization. DefaultRoleMapperMBean Attribute: Version	Default: "1.0"
Role Deployment Enabled	Indicates whether this Role Mapping provider stores roles that are created while deploying a Web application or EJB. MBean: weblogic.security. providers.authorization. DefaultRoleMapperMBean Attribute: RoleDeploymentEnabled	Default: new java.lang.Boolean(true) Valid values: true false