Securing WebLogic Server
WebLogic Server includes numerous Authentication security providers. Fundamentally, most of these Authentication providers work in the same way: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.
Authentication is the process whereby the identity of users and system processes are proved or verified. Authentication also involves remembering, transporting, and making identity information available to various components of a system when that information is needed.
The WebLogic Server security architecture supports: certificate-based authentication directly with WebLogic Server; HTTP certificate-based authentication proxied through an external Web server; perimeter-based authentication (Web server, firewall, VPN); and authentication based on multiple security token types and protocols.
Each security realm must have one at least one Authentication provider configured. The WebLogic Security Framework is designed to support multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. For example, if you want to use both a retina-scan and a username/password-based form of authentication to access a system, you configure two Authentication providers.
The way you configure multiple Authentication providers can affect the overall outcome of the authentication process. Configure the JAAS Control Flag for each Authentication provider to set up login dependencies between Authentication providers and allow single-sign on between providers. See Setting the JAAS Control Flag Option.
Authentication providers are called in the order in which they were configured in the security realm. Therefore, use caution when configuring Authentication providers. You can use the WebLogic Administration Console to re-order the configured Authentication providers, thus changing the order in which they are called. See Changing the Order of Authentication Providers.
When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console. See Set the JAAS control flag in the Administration Console online help. You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to set the JAAS Control Flag for an Authentication provider.
When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL. If necessary, change the setting of the Control Flag so that the Authentication provider works properly in the authentication sequence.
The order in which WebLogic Server calls multiple Authentication providers can affect the overall outcome of the authentication process. The Authentication Providers table lists the authentication providers in the order in which they will be called. By default, Authentication providers are called in the order in which they were configured. You can use the Administration Console to change the order of Authentication providers. Use the Reorder button on the Security Realms: Providers: Authentication page in the Administration Console to change the order in which Authentication providers are called by WebLogic Server and listed in the console.
For more information, see Re-order Authentication Providers in the Administration Console online help.
The WebLogic Authentication provider uses WebLogic Server's embedded LDAP server to store user and group membership information. This provider allows you to edit, list, and manage users and group membership. By default, most of the configuration options for the WebLogic Authentication provider are already defined. You should need to configure a WebLogic Authentication provider only when creating a new security realm. However, note the following:
Each of these LDAP Authentication providers works in basically the same way, storing user and group information in an external LDAP server. They differ primarily in how they are configured by default to match typical directory schemas for their corresponding LDAP server.
WebLogic Server does not support or certify any particular LDAP servers. Any LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The following LDAP directory servers have been tested:
An LDAP Authentication provider can also be used to access other LDAP servers. However, you must either use the LDAP Authentication provider (
LDAPAuthenticator) or choose a pre-defined LDAP provider and customize it. See Accessing Other LDAP Servers.
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the
Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
Adminrole includes the
Administratorsgroup. Create an
Administratorsgroup in the LDAP directory. Make sure the LDAP user who will boot WebLogic Server is included in the group.
The Active Directory LDAP directory has a default group called
Administrators. Add the user who will be booting WebLogic Server to the
Administrators group and define Group Base Distinguished Name (DN) so that the
Administrators group is found.
Administratorsgroup in the LDAP directory (for example, because the LDAP directory uses the
Administratorsgroup for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group the
The LDAP Authentication providers in this release of WebLogic Server are configured to work readily with the SunONE (iPlanet), Active Directory, Open LDAP, and Novell NDS LDAP servers. You can use an LDAP Authentication provider to access other types of LDAP servers. Choose either the LDAP Authentication provider (
LDAPAuthenticator) or the existing LDAP provider that most closely matches the new LDAP server and customize the existing configuration to match the directory schema and other attributes for your LDAP server.
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. Use the Host attribute (found in the Administration Console on the Configuration: Provider Specific page for the LDAP Authentication provider) to specify the names of the additional LDAP servers. Each host name may include a trailing comma and a port number. In addition, set the Parallel Connect Delay and Connection Timeout attributes for the LDAP Authentication provider:
In the following scenario, an LDAP Authentication provider is configured with three servers in its Host attribute:
184.108.40.206. The status of the LDAP servers is as follows:
WebLogic Server attempts to connect to
directory.knowledge.com. After 10 seconds, the connect attempt times out and WebLogic Server attempts to connect to the next specified host (
people.catalog.com). WebLogic Server then uses
people.catalog.com as the LDAP Server for this connection.
In the following scenario, WebLogic Server attempts to connect to
directory.knowledge.com. After 1 second (specified by the Parallel Connect Delay attribute), the connect attempt times out and WebLogic Server tries to connect to the next specified host (
directory.knowledge.com at the same time. If the connection to
people.catalog.com succeeds, WebLogic Server uses
people.catalog.com as the LDAP Server for this connection.WebLogic Server cancels the connection to
directory.knowledge.com after the connection to
tokenGroupsoption holds the entire flattened group membership for a user as an array of system ID (SID) values. The SID values are specially indexed in the Active Directory and yield extremely fast lookup response.
To optimize the group membership caches for WebLogic and LDAP Authentication providers, set the following attributes (found in the Administration Console on the LDAP Authentication provider's Configuration: Provider Specific and Performance pages):
Dynamic groups do not list the names of their members. Instead, the membership of the dynamic group is constructed by matching user attributes. Since group membership needs to be computed dynamically for dynamic groups, there is a risk of performance problems for large groups. Configuring the iPlanet Authentication provider appropriately can improve performance where dynamic groups are involved.
In the iPlanet Authentication provider, the User Dynamic Group DN Attribute attribute specifies the attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. By default, User Dynamic Group DN Attribute is null. If you set User Dynamic Group DN Attribute to some other value, to improve performance set the following attributes for the iPlanet Authentication provider:
To improve the performance of a WebLogic or LDAP Authentication provider, the settings of the cache used by the WebLogic Principal Validation provider can be increased as appropriate. The Principal Validator cache used by the WebLogic Principal Validation provider caches signed WLSAbstractPrincipals. To optimize the performance of the Principal Validator cache, set these attributes for your security realm (found in the Administration Console on the Configuration: Performance page for the security realm):
To configure an Active Directory Authentication provider to use the
tokenGroups option, set the following attributes (found in the Administration Console on the Active Directory Authentication provider's Configuration: Provider Specific page):
tokenGroupslookup algorithm instead of the standard recursive group membership lookup algorithm. By default, this option is not enabled.
Note: Access to the
tokenGroups option is required (meaning, the user accessing the LDAP directory must have privileges to read the
tokenGroups option and the
tokenGroups option must be in the schema for user objects).
In WebLogic Server, an RDBMS Authentication provider is a username/password based Authentication provider that uses a relational database (rather than an LDAP directory) as its data store for user, password, and group information. WebLogic Server includes these RDBMS Authentication providers:
For information about adding an RDBMS Authentication provider to your security realm, see Configure Authentication and Identity Assertion providers in the Administration Console help. Once you have created an instance of the RDBMS Authentication provider, configure it, using the RDBMS Authentication provider's Configuration: Provider Specific page in the Administration Console.
The Group Membership Searching and Max Group Membership Search Level attributes specify whether recursive group membership searching is unlimited or limited, and if limited, how many levels of group membership can be searched. For example, if you specify that Group Membership Searching is LIMITED, and the Max Group Membership Search Level is 0, then the RDBMS Authentication providers will find only groups that the user is a direct member of. Specifying a maximum group membership search level can greatly increase authentication performance in certain scenarios, since it may reduce the number of DBMS queries executed during authentication. However, you should only limit group membership search if you can be certain that the group memberships you require are within the search level limits you specify.
You can improve the performance of RDBMS Authentication providers by caching the results of group hierarchy lookups. Use of this cache can reduce the frequency with which the RDBMS Authentication provider needs to access the database. In the Administration Console, you can use the Performance page for your Authentication provider to configure the use, size, and duration of this cache. For detailed information, see Security Realms: Security Providers: SQL Authenticator: Performance in the Administration Console online help.
For detailed information configuring a SQL Authentication provider, see Security Realms: Security Providers: SQL Authenticator: Provider Specific in the Administration Console online help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the SQL Authentication provider's configurable attributes include:
The remaining attributes specify the SQL statements used by the provider to access and edit the username, password, and group information in the database. The default values in the SQL statement attributes assume that the database schema includes the following tables:
Note that the tables referenced by the SQL statements must exist in the database; the provider will not create them. You can modify these attributes as needed to match the schema of your database. However, if your database schema is radically different from this default schema, you may need to use a Custom DBMS Authentication provider instead.
For detailed information configuring a Read-Only SQL Authentication provider, see Security Realms: Security Providers: Read-Only SQL Authenticator: Provider Specific in the Administration Console online help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Read-Only SQL Authentication provider's configurable attributes include attributes that specify the SQL statements used by the provider to list the username, password, and group information in the database. You can modify these attributes as needed to match the schema of your database.
The Custom DBMS Authentication provider, like the other RDBMS Authentication providers, uses a relational database as its data store for user, password, and group information. Use this provider if your database schema does not map well to the SQL schema expected by the SQL Authenticator. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Custom DBMS Authentication provider's configurable attributes include:
A Custom DBMS Authentication provider requires that you write a plug-in class that implements the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface. The class must exist in the CLASSPATH and must be specified in the Plugin Class Name attribute for the Custom DBMS Authentication provider. Optionally, you can use the Plugin Properties attribute to specify values for properties defined by your plug-in class.
The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and permit Windows NT users and groups to be listed in the WebLogic Administration Console.
To use the Windows NT Authentication provider, create the provider in the WebLogic Administration Console. In most cases, you should not need to do anything more to configure this Authentication provider. Depending on how your Windows NT domains are configured, you may want to set the attributes that control how the Windows NT Authentication provider interacts with the Windows NT domain.
Usernames in a Windows NT domain can take several different forms. You may need to configure the Windows NT Authentication provider to match the form of usernames you expect your users to sign on with. A simple username is one that gives no indication of the domain, such as
smith. Compound usernames combine a username with a domain name and may take a form like
If the local machine is not part of a Microsoft domain, then no changes to the domain controller list are needed. On a standalone machine, the users and groups to be authenticated are defined only on that machine.
If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the domain controller list are needed. Users defined on the local machine and the domain are the same in this case, so you can use the default domain controller setting.
If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine or in the domain. In this case, consider the following:
If you answer yes to either question, then set the
DomainControllers attribute to
LIST and specify the names of the domain controllers in the
DomainControllerList for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to use placeholders in the list for those. You can use the following placeholders:
UPN style usernames can take the form
user@domain. You can configure how the Windows NT Authentication provider handles usernames that include the @ character, but which may not be UPN names, by setting the
If none of your Windows NT domains or local machines have usernames that contain the @ character other than UPN usernames, then you can use the default value of the
mapUPNNames attribute, FIRST. However, you may want to consider changing the setting to ALWAYS in order to reduce the amount of time it takes to detect authentication failures. This is especially true if you have specified a long domain controller list.
mapUPNNamesattribute to FIRST.
mapUPNNamesattribute to LAST.
mapUPNNamesattribute to NEVER.
If you are using perimeter authentication, you need to use an Identity Assertion provider. In perimeter authentication, a system outside of WebLogic Server establishes trust through tokens (as opposed to simple authentication, where WebLogic Server establishes trust through usernames and passwords). An Identity Assertion provider verifies the tokens and performs whatever actions are necessary to establish validity and trust in the token. Each Identity Assertion provider is designed to support one or more token formats.
Multiple Identity Assertion providers can be configured in a security realm, but none are required. Identity Assertion providers can support more than one token type, but only one token type per Identity Assertion provider can be active at a given time. In the Active Type field on the General page, define the active token type. The WebLogic Identity Assertion provider supports identity assertion with X.509 certificates and CORBA Common Secure Interoperability version 2 (CSI v2). If you are using CSI v2 identity assertion, define the list of client principals in the Trusted Principals field.
When using the WebLogic Identity Assertion provider in a security realm, you can use a user name mapper to map the tokens authenticated by the Identity Assertion provider to a user in the security realm. For more information about configuring a user name mapper, see Configuring a WebLogic Credential Mapping Provider.
If the authentication type in a Web application is set to
CLIENT-CERT, the Web Application container in WebLogic Server performs identity assertion on values from request headers and cookies. If the header name or cookie name matches the active token type for the configured Identity Assertion provider, the value is passed to the provider.
The Base64 Decoding Required value on the Details page determines whether the request header value or cookie value must be Base64 Decoded before sending it to the Identity Assertion provider. The setting is enabled by default for purposes of backward compatibility; however, most Identity Assertion providers will disable this option.
For more information see Configure Authentication and Identity Assertion providers in the Administration Console online help. In addition, see the following sections:
The LDAP X509 Identity Assertion provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object.
Typically, if you use the LDAP X509 Identity Assertion provider, you also need to configure an LDAP Authentication provider that uses an LDAP server. The authentication provider ensures the user exists and locates the groups to which the user belongs. You should ensure both providers are properly configured to communicate with the same LDAP server.
There must be a correlation between the Subject DN in the certificate and the location of the object for that user in the LDAP server. The LDAP object for the user must also include configuration information for the certificate and the username that will be used in the Subject.
The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos.
The Negotiate Identity Assertion provider is an implementation of the Security Service Provider Interface (SSPI) as defined by the WebLogic Security Framework and provides the necessary logic to authenticate a client based on the client's SPNEGO token.
For information about adding a Negotiate Identity Assertion provider to a security realm, see Configure Authentication and Identity Assertion providers in the Administration Console help. For information about using the Negotiate Identity Assertion provider with Microsoft client SSO, see Configuring Single Sign-On with Microsoft Clients.
The SAML Identity Assertion provider acts as a consumer of SAML security assertions, allowing WebLogic Server to act as a destination site for using SAML for single sign-on. The SAML Identity Assertion provider validates SAML 1.1 assertions by checking the signature and validating the certificate for trust in the certificate registry maintained by the provider. If so, identity is asserted based on the
AuthenticationStatement contained in the assertion. The SAML Identity Assertion provider can be configured as a SAML Assertion Consumer Service. The SAML Identity Assertion provider can also ensure that the assertion has not been previously used.
For information about how to use the SAML Identity Assertion provider in a SAML single sign-on configuration, see Configuring Single Sign-On with Web Browsers and HTTP Clients. For general information about SAML support in WebLogic Server, see Security Assertion Markup Language (SAML) in Understanding WebLogic Security.
The Assertion Consumer URIs attribute lists the URIs at which the SAML Identity Assertion provider listens for incoming assertions. These URIs provide the Assertion Consumer Service (ACS). The SAML destination site can also be configured to redirect unauthenticated users to remote SAML source sites for authentication based on the particular URI they tried to access. Configure these SAML source sites in the SAML Identity Assertion provider's Source Site Redirects attribute. SAML Source Site Redirects are configured with Java-style properties, in key=value format, as in the example in Listing 5-1.
The SAML Identity Assertion provider maintains a registry of trusted certificates. Whenever a certificate is received, it is checked against the certificates in the registry for validity. The certificates in this registry are used:
You can configure how assertions will be consumed in the Assertion Configuration attribute of the SAML Identity Assertion provider. You configure assertions with Java-style properties, in key=value format. The key takes the form
If true, a SSL client certificate chain or message signer certificate must be provided when calling the Identity Asserter. Used with
Listing 5-2 is an example of how you might configure produced assertions. It includes both a POST profile assertion, named
mypost, and an Artifact profile assertion, named
When an HTTP request is sent, there may be multiple matches that can be used for identity assertion. However, identity assertion providers can only consume one of the active token types at a time. As a result there is no way to provide a set of tokens that can be consumed with one call. Therefore, the servlet contained in WebLogic Server is forced to choose between multiple tokens to perform identity assertion. The following ordering is used:
>is one of the active token types configured for the Identity Assertion provider in the default security realm.
>is one of the active tokens types configured for the Identity Assertion provider in the default security realm.
For example, if an Identity Assertion provider in the default security realm is configured to have the
BAR tokens as active token types (for the following example, assume the HTTP request contains nothing relevant to identity assertion except active token types), identity assertion is performed as follows:
FOOheader over a two-way SSL connection, X.509 is used for identity assertion.
FOOheader and a
BARtoken is used for identity assertion.
FOOheader and a
FOOtoken will be used for identity assertion.
FOOheader and a
BARheader, then either the
BARtoken is used for identity assertion, however, which one is used is unspecified.
FOOcookie and a
BARcookie, then either the
BARtoken is used for identity assertion, however, which one is used is unspecified.
When using an Identity Assertion provider (either for an X.509 certificate or some other type of token), Subjects (a grouping of related information for a single entity including an identity and its security-related configuration options) are cached within the server. This greatly enhances performance for servlets and EJB methods with
<run-as> tags as well as for other places where identity assertion is used but not cached in the HTTPSession (for example, signing and encrypting XML documents).
You can change the lifetime of items in this cache by setting the maximum number of seconds a Subject can live in the cache via the
-Dweblogic.security.identityAssertionTTL command-line argument. The default for this command-line argument is 300 seconds (that is, 5 minutes). Possible values for the command-line argument are:
To improve the performance of identity assertion, specify a higher value for this command-line argument. Note that as identity assertion performance improves, the Identity Assertion provider is less responsive to changes in the configured Authentication provider. For example, a change in the user's group will not be reflected until the Subject is flushed from the cache and recreated. Setting a lower value for the command-line argument makes authentication changes more responsive at a cost for performance.
WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing a two-way SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to enable a user name mapper that maps the digital certificate of a Web browser or Java client to a user in a WebLogic Server security realm.
The user name mapper must be an implementation of the
weblogic.security.providers.authentication.UserNameMapper interface. This interface maps a token to a WebLogic Server user name according to whatever scheme is appropriate for your needs. By default, WebLogic Server provides a default implementation of the
weblogic.security.providers.authentication.UserNameMapper interface. You can also write your own implementation.
The default user name mapper uses the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (
email@example.com) to a user in the WebLogic Server security realm (
smith). Use Default User Name Mapper Attribute Type and Default Username Mapper Attribute Delimiter attributes of the WebLogic Identity Assertion provider to define this information:
For more information, see Configure a user name mapper in the Administration Console online help.
You can also write a custom user name mapper to map a token to a WebLogic Server user name according to whatever scheme is appropriate for your needs. The custom user name mapper must be an implementation of the
weblogic.security.providers.authentication.UserNameMapper interface. You then configure the custom user name mapper in the active security realm, using the User Name Mapper Class Name attribute of the WebLogic Identity Assertion provider.
For more information, see Configure custom user name mappers in the Administration Console online help.