Use this page to configure the general behavior of this security
realm.
Note:
If you are implementing security using JACC (Java Authorization
Contract for Containers as defined in JSR 115), you must use the J2EE
standard model. Other WebLogic Server models are not available and the
security functions for Web applications and EJBs in the Administration
Console are disabled.
A security realm provides all the auditing, authentication,
authorization, credential mapping, and role mapping services to a WebLogic
Server deployment. You can configure multiple security realms within a
single WebLogic Server deployment. Only one security realm is designated
as the default security realm.
For any security realm to be valid, configure each of the following
types of security providers (in any order):
Authentication
Authorization
Adjudication
Credential Mapping
Role Mapping
CertPathBuilder
At least one Authorization and Role Mapping provider in the security
realm must implement the DeployableAuthorizationProvider and
DeployableRoleProvider Security Service Provider Interface
(SSPI), respectively. These SSPIs allow the providers to store (rather
than retrieve) information from deployment descriptors.
Specifies when the Security Service checks for authorization to
access Web applications and Enterprise JavaBeans (EJBs). This setting
is valid only for Web applications and EJBs that use the Advanced
security model.
Configure the WebLogic Security Service to do one of the
following:
All Web applications and EJBs. Check for
authorization when a client tries to access any URL in a Web
application or any method in an EJB.
Web applications and EJBs protected in DD. Check
for authorization when a client tries to access a URL or EJB method
that is protected by a policy in the Web application or EJB
deployment descriptor.
This selection causes the Advanced model
to use only roles and policies defined in a Web application or EJB's
deployment descriptors and ignore any security data in the realm's
provider databases.
Specifies whether the Security Service copies security data from
the deployment descriptors into the appropriate security provider
databases each time the Web application or EJB is deployed. This
setting is valid only for Web applications and EJBs that use the
Advanced security model and only when Check Roles and
Policies is set to All Web applications and
EJBs.
Configure the WebLogic Security Service to do one of the
following:
Initialize roles and policies from DD. While
deploying Web applications and EJBs that use the Advanced security
model, copy the roles and policies that are specified in the
modules' deployment descriptors into the appropriate security
provider databases.
Each role mapper provider and authentication
provider determines how it resolves conflicts and whether it removes
roles that have been removed from the deployment descriptors. The
WebLogic Server role mapper resolves conflicts by accepting the last
change; it also removes roles that have been removed from the
deployment descriptor.
Ignore roles and policies from DD. While deploying
Web applications and EJBs that use the Advanced security model,
ignore any roles and policies in the deployment descriptor.
Specifies the default security model for Web applications or
EJBs that are secured by this security realm. You can override this
default during deployment.
Choose one of these security models:
Deployment Descriptors Only (DDOnly)
Uses only the roles and policies in the J2EE deployment
descriptor (DD) and the WebLogic Server DD.
Performs security checks only for URLs or EJB methods that are
protected by a policy in the deployment descriptor.
Each time you deploy the module, the Security Service copies the
roles and policies in the deployment descriptors.
Applies for the life of the deployment. If you want to use a
different model, you must delete the deployment and reinstall
it.
Customize Roles Only (CustomRoles)
Uses policies defined in the J2EE DD and ignores any Principal
mappings in the WebLogic Server DD. An administrator completes the
role mappings using the Administration Console.
Performs security checks only for URLs or EJB methods that are
protected by a policy in the deployment descriptor.
Each time you deploy the module, the Security Service copies the
roles and policies in the deployment descriptors.
Applies for the life of the deployment. If you want to use a
different model, you must delete the deployment and reinstall
it.
Customize Roles and Policies
(CustomRolesAndPolicies)
Ignores any roles and policies defined in deployment
descriptors. An administrator uses the Administration Console to
secure the resources.
Performs security checks for all URLs or EJB methods in
the module.
Applies for the life of the deployment. If you want to use a
different model, you must delete the deployment and reinstall
it.
Advanced (Advanced)
You configure how this model behaves by setting values for the
following options:
When Deploying Web Applications or EJBs
Note:
When using the WebLogic Scripting Tool or JMX APIs, there is no
single MBean attribute for this setting. Instead, you must set the
values for the DeployPolicyIgnored and
DeployRoleIgnored attributes of
RealmMBean.
Check Roles and Policies
(FullyDelegateAuthorization)
Combined Role Mapping Enabled
(CombinedRoleMappingEnabled)
You can change the configuration of this model. Any changes
immediately apply to all modules that use the Advanced model. For
example, you can specify that all modules using this model will
copy roles and policies from their deployment descriptors into the
appropriate provider databases upon deployment. After you deploy
all of your modules, you can change this behavior to ignore roles
and policies in deployment descriptors so that when you redeploy
modules they will not re-copy roles and policies.
Note:
Prior to WebLogic Server version 9.0 the Advanced model was the
only security model available. Use this model if you want to
continue to secure EJBs and Web Applications as in releases prior
to 9.0.
Determines how the role mappings in the Enterprise Application,
Web application, and EJB containers interact. This setting is valid
only for Web applications and EJBs that use the Advanced security
model and that initialize roles from deployment descriptors.
When enabled:
Application role mappings are combined with EJB and Web
application mappings so that all principal mappings are included.
The Security Service combines the role mappings with a logical
OR operator.
If one or more policies in the web.xml file
specifies a role for which no mapping exists in the
weblogic.xml file, the Web application container
creates an empty map for the undefined role (that is, the role is
explicitly defined as containing no principal). Therefore, no one
can access URL patterns that are secured by such policies.
If one or more policies in the ejb-jar.xml file
specifies a role for which no mapping exists in the
weblogic-ejb-jar.xml file, the EJB container creates
an empty map for the undefined role (that is, the role is
explicitly defined as containing no principal). Therefore, no one
can access methods that are secured by such policies.
When disabled:
Role mappings for each container are exclusive to other
containers unless defined by the
<externally-defined> descriptor element.
If one or more policies in the web.xml file
specifies a role for which no role mapping exists in the
weblogic.xml file, the Web application container
assumes that the undefined role is the name of a principal. It
therefore maps the assumed principal to the role name. For example,
if the web.xml file contains the following stanza in
one of its policies:
    <auth-constraint>
        <role-name>PrivilegedUser</role-name>
    </auth-constraint>
but the weblogic.xml file has no role mapping for
PrivilegedUser, then the Web application container
creates an in-memory mapping that is equivalent to the following
stanza:
    <security-role-assignment>
        <role-name>PrivilegedUser</role-name>
        <principal-name>PrivilegedUser</principal-name>
    </security-role-assignment>
Role mappings for EJB methods must be defined in the
weblogic-ejb-jar.xml file. Role mappings defined in
the other containers are not used unless defined by the
<externally-defined> descriptor element.
Note:
For all applications previously deployed in version 8.1 and
upgraded to version 9.x, Combined Role Mapping is disabled by
default.
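The two resolution behaviors described above, modelled as an added Python example (not code from this page or from WebLogic Server): it parses constructed web.xml and weblogic.xml fragments, merges them with a constructed application-level mapping, and shows that a policy role with no mapping resolves to no principals when Combined Role Mapping is enabled but to an implicit same-named principal when it is disabled. The <externally-defined> element is not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not from the original page); namespaces omitted.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>PrivilegedUser</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/reports/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Analyst</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>Analyst</role-name>
    <principal-name>analysts</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Role mappings contributed by the Enterprise Application container (constructed).
APP_ROLES = {"Analyst": {"auditors"}}


def roles_in_policies(web_xml):
    """Roles named by auth-constraint policies in web.xml."""
    root = ET.fromstring(web_xml)
    return {e.text.strip() for e in root.iterfind("security-constraint/auth-constraint/role-name")}


def container_mappings(weblogic_xml):
    """role -> set of principals declared by security-role-assignment in weblogic.xml."""
    mapping = {}
    for sra in ET.fromstring(weblogic_xml).iter("security-role-assignment"):
        role = sra.findtext("role-name").strip()
        mapping.setdefault(role, set()).update(p.text.strip() for p in sra.iter("principal-name"))
    return mapping


def effective_web_roles(web_xml, weblogic_xml, app_roles, combined):
    """Resolve each policy role to principals the way the Web container does.
    combined=True : app and Web mappings are ORed; an unmapped role gets an empty set.
    combined=False: only weblogic.xml counts; an unmapped role becomes a same-named principal."""
    web = container_mappings(weblogic_xml)
    resolved = {}
    for role in roles_in_policies(web_xml):
        if combined:
            resolved[role] = web.get(role, set()) | app_roles.get(role, set())
        else:
            resolved[role] = set(web.get(role, {role}))
    return resolved
```

With the setting disabled, any user or group that happens to be named PrivilegedUser is granted /admin/* purely by the coincidence of names, so unmapped policy roles are worth auditing before choosing that mode.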