Securing WebLogic Server
|
 |
 |
|
|
 |
 |
Configuring Authentication Providers
WebLogic Server includes numerous Authentication security providers. Most of them work in similar fashion: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.
The following sections describe how to configure the Authentication security providers supplied by WebLogic Server.
- Choosing an Authentication Provider
- Using More Than One Authentication Provider
- Configuring the WebLogic Authentication Provider
- Configuring LDAP Authentication Providers
- Configuring RDBMS Authentication Providers
- Configuring a Windows NT Authentication Provider
- Configuring Identity Assertion Providers
- How an LDAP X509 Identity Assertion Provider Works
- Ordering of Identity Assertion for Servlets
Choosing an Authentication Provider
Authentication is the process whereby the identity of users and system processes are proved or verified. Authentication also involves remembering, transporting, and making identity information available to various components of a system when that information is needed.
The WebLogic Server security architecture supports: certificate-based authentication directly with WebLogic Server; HTTP certificate-based authentication proxied through an external Web server; perimeter-based authentication (Web server, firewall, VPN); and authentication based on multiple security token types and protocols.
WebLogic Server offers the following types of Authentication providers:
- The WebLogic Authentication provider accesses user and group information in WebLogic Server's embedded LDAP server.
- LDAP Authentication providers access external LDAP stores. You can use an LDAP Authentication provider to access any LDAP server. WebLogic Server provides LDAP Authentication providers already configured for Open LDAP, Sun iPlanet, Microsoft Active Directory and Novell NDS LDAP servers.
- RDBMS Authentication providers access external relational databases. WebLogic Server provides three RDBMS Authentication providers: SQL Authenticator, Read-only SQL Authenticator, and Custom RDBMS Authenticator.
- The WebLogic Identity Assertion provider validates X.509 and IIOP-CSIv2 tokens and optionally can use a user name mapper to map that token to a user in a WebLogic Server security realm.
- The SAML Authentication provider, which authenticates users based on Security Assertion Markup Language 1.1 (SAML) assertions.
- The Negotiate Identity Assertion provider, which uses Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users.
- The SAML Identity Assertion provider, which acts as a consumer of SAML security assertions. This enables WebLogic Server to act as a SAML destination site and supports using SAML for single sign-on.
- Custom (non-WebLogic) Authentication providers, which offer different types of authentication technologies.
- Custom (non-WebLogic) Identity Assertion providers, which support different types of tokens.
Using More Than One Authentication Provider
Each security realm must have one at least one Authentication provider configured. The WebLogic Security Framework is supports multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. For example, if you want to use both a retina-scan and a username/password-based form of authentication to access a system, you configure two Authentication providers.
How you configure multiple Authentication providers can affect the overall outcome of the authentication process. Configure the JAAS Control Flag for each Authentication provider to set up login dependencies between Authentication providers and allow single-sign on between providers. See Setting the JAAS Control Flag Option.
Authentication providers are called in the order in which they were configured in the security realm. Therefore, use caution when configuring Authentication providers. You can use the WebLogic Administration Console to re-order the configured Authentication providers, thus changing the order in which they are called. See Changing the Order of Authentication Providers.
Setting the JAAS Control Flag Option
When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Administration Console. See Set the JAAS control flag in the Administration Console online help. You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to set the JAAS Control Flag for an Authentication provider.
- REQUIRED—The Authentication provider is always called, and the user must always pass its authentication test. If authentication succeeds or fails, authentication still continues down the list of providers.
- REQUISITE—The user is required to pass the authentication test of the Authentication provider. If the user passes the authentication test of this Authentication provider, subsequent providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).
- SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider. If authentication succeeds, no subsequent Authentication providers are executed. If authentication fails, authentication continues down the list of providers.
- OPTIONAL—The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.
When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL. If necessary, change the setting of the Control Flag and the order of Authentication providers so that each Authentication provider works properly in the authentication sequence.
Changing the Order of Authentication Providers
The order in which WebLogic Server calls multiple Authentication providers can affect the overall outcome of the authentication process. The Authentication Providers table lists the authentication providers in the order in which they will be called. By default, Authentication providers are called in the order in which they were configured. You can use the Administration Console to change the order of Authentication providers. Use the Reorder button on the Security Realms: Providers: Authentication page in the Administration Console to change the order in which Authentication providers are called by WebLogic Server and listed in the console.
See Re-order Authentication Providers in the Administration Console online help.
Configuring the WebLogic Authentication Provider
The WebLogic Authentication provider uses WebLogic Server's embedded LDAP server to store user and group membership information. This provider allows you to edit, list, and manage users and group membership. By default, most configuration options for the WebLogic Authentication provider are already defined. You should need to configure a WebLogic Authentication provider only when creating a new security realm. However, note the following:
- The WebLogic Authentication provider is configured in the default security realm with the name
DefaultAuthenticator. - User and group names in the WebLogic Authentication provider are case insensitive.
- Ensure that all user names are unique.
- Use the Minimum Password Length option on the Configuration: Provider Specific page to specify the length of passwords defined for users that are stored in the embedded LDAP server.
- If you are using multiple Authentication providers, set the JAAS Control Flag to determine how the WebLogic Authentication provider is used in the authentication process. See Using More Than One Authentication Provider.
Configuring LDAP Authentication Providers
WebLogic Server includes the following LDAP Authentication providers:
- iPlanet Authentication provider
- Active Directory Authentication provider
- Open LDAP Authentication provider
- Novell Authentication provider
- generic LDAP Authentication provider
Each LDAP Authentication provider stores user and group information in an external LDAP server. They differ primarily in how they are configured by default to match typical directory schemas for their corresponding LDAP server.
WebLogic Server does not support or certify any particular LDAP servers. Any LDAP v2 or v3 compliant LDAP server should work with WebLogic Server. The following LDAP directory servers have been tested:
- Sun iPlanet version 4.1.3
- Active Directory shipped as part of Windows 2000
- Open LDAP version 2.0.7
- Novell NDS version 8.5.1
An LDAP Authentication provider can also be used to access other LDAP servers. However, you must either use the LDAP Authentication provider (LDAPAuthenticator) or choose a pre-defined LDAP provider and customize it. See Accessing Other LDAP Servers.
Requirements for Using an LDAP Authentication Provider
If an LDAP Authentication provider is the only configured Authentication provider for a security realm, you must have the Admin role to boot WebLogic Server and use a user or group in the LDAP directory. Do one of the following in the LDAP directory:
- By default in WebLogic Server, the
Adminrole includes theAdministratorsgroup. Create anAdministratorsgroup in the LDAP directory, if one does not already exist. Make sure the LDAP user who will boot WebLogic Server is included in the group. The Active Directory LDAP directory has a default group called
Administrators. Add the user who will be booting WebLogic Server to theAdministratorsgroup and define Group Base Distinguished Name (DN) so that theAdministratorsgroup is found.- If you do not want to create an
Administratorsgroup in the LDAP directory (for example, because the LDAP directory uses theAdministratorsgroup for a different purpose), create a new group (or use an existing group) in the LDAP directory and include the user from which you want to boot WebLogic Server in that group. In the WebLogic Administration Console, assign that group theAdminrole.
Configuring an LDAP Authentication Provider: Main Steps
To configure an LDAP Authentication provider:
- Choose an LDAP Authentication provider that matches your LDAP server and create an instance of the provider in your security realm. See Configure Authentication and Identity Assertion providers in the Administration Console help.
- Configure the provider-specific attributes of the LDAP Authentication provider, which you can do through the Administration Console. For each LDAP Authentication provider, there are attributes that:
- Configure performance options that control the cache for the LDAP server. Use the Configuration: Provider Specific and Performance pages for the provider in the Administration Console to configure the cache. See Improving the Performance of WebLogic and LDAP Authentication Providers.
- Accessing Other LDAP Servers
- Accessing Other LDAP Servers
- Configuring Failover for LDAP Authentication Providers
- Improving the Performance of WebLogic and LDAP Authentication Providers
Accessing Other LDAP Servers
The LDAP Authentication providers in this release of WebLogic Server are configured to work readily with the SunONE (iPlanet), Active Directory, Open LDAP, and Novell NDS LDAP servers. You can use an LDAP Authentication provider to access other types of LDAP servers. Choose either the LDAP Authentication provider (LDAPAuthenticator) or the existing LDAP provider that most closely matches the new LDAP server and customize the existing configuration to match the directory schema and other attributes for your LDAP server.
Dynamic Groups and WebLogic Server
Many LDAP servers have a concept of dynamic groups or virtual groups. These are groups that, rather than consisting of a list of users and groups, contain some policy statements, queries, or code that define the set of users that belong to the group. Even if a group is marked dynamic, users must log out and log back in before any changes in their group memberships take effect. The term dynamic describes the means of defining the group and not any runtime semantics of the group within WebLogic Server.
Configuring Failover for LDAP Authentication Providers
You can configure an LDAP provider to work with multiple LDAP servers and enable failover if one LDAP server is not available. Use the Host attribute (found in the Administration Console on the Configuration: Provider Specific page for the LDAP Authentication provider) to specify the names of the additional LDAP servers. Each host name may include a trailing comma and a port number. In addition, set the Parallel Connect Delay and Connection Timeout attributes for the LDAP Authentication provider:
- Parallel Connect Delay—Specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This setting might cause your application to block for an unacceptably long time if a host is down. If the value is greater than 0, another connection setup thread is started after the specified number of delay seconds has passed. If the value is 0, connection attempts are serialized.
- Connection Timeout—Specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If the set to 0, there is no maximum time limit and WebLogic Server waits until the TCP/IP layer times out to return a connection failure. Set to a value over 60 seconds depending upon the configuration of TCP/IP.
The following examples present scenarios that occur when an LDAP Authentication provider is configured for LDAP failover.
LDAP Failover Example 1
In the following scenario, an LDAP Authentication provider is configured with three servers in its Host attribute: directory.knowledge.com:1050, people.catalog.com, and 199.254.1.2. The status of the LDAP servers is as follows:
WebLogic Server attempts to connect to directory.knowledge.com. After 10 seconds, the connect attempt times out and WebLogic Server attempts to connect to the next specified host (people.catalog.com). WebLogic Server then uses people.catalog.com as the LDAP Server for this connection.
LDAP Failover Example 2
In the following scenario, WebLogic Server attempts to connect to directory.knowledge.com. After 1 second (specified by the Parallel Connect Delay attribute), the connect attempt times out and WebLogic Server tries to connect to the next specified host (people.catalog.com) and directory.knowledge.com at the same time. If the connection to people.catalog.com succeeds, WebLogic Server uses people.catalog.com as the LDAP Server for this connection.WebLogic Server cancels the connection to directory.knowledge.com after the connection to people.catalog.com succeeds.
Improving the Performance of WebLogic and LDAP Authentication Providers
To improve the performance of WebLogic and LDAP Authentication providers:
- Optimize the group membership caches used by the WebLogic and LDAP Authentication providers. See Optimizing the Group Membership Caches.
- Expose the Principal Validator cache for the security realm and increase its thresholds. See Optimizing the Principal Validator Cache.
- If you are using the Active Directory Authentication provider, configure it to perform group membership lookups using the
tokenGroupsoption. ThetokenGroupsoption holds the entire flattened group membership for a user as an array of system ID (SID) values. The SID values are specially indexed in the Active Directory and yield extremely fast lookup response. See Configuring the Active Directory Authentication Provider to Improve Performance.
Optimizing the Group Membership Caches
To optimize the group membership caches for WebLogic and LDAP Authentication providers, set the following attributes (found in the Administration Console on the LDAP Authentication provider's Configuration: Provider Specific and Performance pages):
- Group Membership Searching—Controls whether group searches are limited or unlimited in depth. This option controls how deeply to search into nested groups. For configurations that use only the first level of nested group hierarchy, this option allows improved performance during user searches by limiting the search to the first level of the group.
- If a limited search is defined, Max Group Membership Search Level must be defined.
- If an unlimited search is defined, Max Group Membership Search Level is ignored.
- Max Group Membership Search Level—Controls the depth of a group membership search if Group Membership Searching is defined. Possible values are:
- 0—Indicates only direct groups will be found. That is, when searching for membership in Group A, only direct members of Group A will be found. If Group B is a member of Group A, the members will not be found by this search.
- Any positive number—Indicates the number of levels to search. For example, if this option is set to 1, a search for membership in Group A will return direct members of Group A. If Group B is a member of Group A, the members of Group B will also be found by this search. However, if Group C is a member of Group B, the members of Group C will not be found by this search.
- Enable Group Membership Lookup Hierarchy Caching—Indicates whether group membership hierarchies found during recursive membership lookup are cached. Each subtree found will be cached. The cache holds the groups to which a group is a member. This setting only applies if Group Membership is enabled. By default, it is disabled.
- Max Group Hierarchies in Cache—The maximum size of the Least Recently Used (LRU) cache that holds group membership hierarchies. This setting only applies if Enable Group Membership Lookup Hierarchy Caching is enabled.
- Group Hierarchy Cache TTL—The number of seconds cached entries stay in the cache. The default is 60 seconds.
In planning your cache settings, bear in mind the following considerations:
- Enabling a cache involves a trade-off of performance and accuracy. Using a cache means that data is retrieved faster, but runs the risk that the data may not be the latest available.
- The time-to-live (TTL) setting how long you are willing to accept potentially stale data. This depends a lot on your particular business needs. If you frequently changes group memberships for users, then a long TTL could mean that group related changes won't show up for a while, and you may want a short TTL. If group memberships almost never change after a user is added, a longer TTL may be fine.
- The cache size is related to the amount of memory you have available, as well as the cache TTL. Consider the number of entries that might be loaded in the span of the TTL, and size the cache in relation to that number. A longer TTL will tend to require a larger cache size.
Configuring Dynamic Groups in the iPlanet Authentication Provider to Improve Performance
Dynamic groups do not list the names of their members. Instead, the membership of the dynamic group is constructed by matching user attributes. Because group membership needs to be computed dynamically for dynamic groups, there is a risk of performance problems for large groups. Configuring the iPlanet Authentication provider appropriately can improve performance where dynamic groups are involved.
In the iPlanet Authentication provider, the User Dynamic Group DN Attribute attribute specifies the attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. By default, User Dynamic Group DN Attribute is null. If you set User Dynamic Group DN Attribute to some other value, to improve performance set the following attributes for the iPlanet Authentication provider:
UserDynamicGroupDNAttribute="wlsMemberOf"
DynamicGroupNameAttribute="cn"
DynamicGroupObjectClass=""
DynamicMemberURLAttribute=""
To set these attributes in the Administration Console:
Optimizing the Principal Validator Cache
To improve the performance of a WebLogic or LDAP Authentication provider, the settings of the cache used by the WebLogic Principal Validation provider can be increased as appropriate. The Principal Validator cache used by the WebLogic Principal Validation provider caches signed WLSAbstractPrincipals. To optimize the performance of the Principal Validator cache, set these attributes for your security realm (found in the Administration Console on the Configuration: Performance page for the security realm):
- Enable WebLogic Principal Validator Cache—Indicates whether the WebLogic Principal Validation provider uses a cache. This setting only applies if Authentication providers in the security realm use the WebLogic Principal Validation provider and WLSAbstractPrincipals. By default, it is enabled.
- Max WebLogic Principals In Cache—The maximum size of the Last Recently Used (LRU) cache used for validated WLSAbstractPrincipals. The default setting is 500. This setting only applies if Enable WebLogic Principal Validator Cache is enabled.
Configuring the Active Directory Authentication Provider to Improve Performance
To configure an Active Directory Authentication provider to use the tokenGroups option, set the following attributes (found in the Administration Console on the Active Directory Authentication provider's Configuration: Provider Specific page):
- Use Token Groups for Group Membership Lookup—Indicates whether to use the Active Directory
tokenGroupslookup algorithm instead of the standard recursive group membership lookup algorithm. By default, this option is not enabled. - Enable SID to Group Lookup Caching—Indicates whether or not SID-to-group name lookup results are cached. This setting only applies if the Use Token Groups for Group Membership Lookup option is enabled.
- Max SID To Group Lookups In Cache—The maximum size of the Least Recently Used (LRU) cache for holding SID to group lookups. This setting applies only if both the Use Token Groups for Group Membership Lookup and Enable SID to Group Lookup Caching options are enabled.
Note: Access to the tokenGroups option is required (meaning, the user accessing the LDAP directory must have privileges to read the tokenGroups option and the tokenGroups option must be in the schema for user objects).
Configuring RDBMS Authentication Providers
In WebLogic Server, an RDBMS Authentication provider is a username/password based Authentication provider that uses a relational database (rather than an LDAP directory) as its data store for user, password, and group information. WebLogic Server includes these RDBMS Authentication providers:
- SQL Authenticator—Uses a SQL database and allows both read and write access to the database. This Authentication provider is configured by default with a typical SQL database schema, which you can configure to match your database's schema. See Configuring the SQL Authentication Provider.
- Read-only SQL Authenticator—Uses a SQL database and allows only read access to the database. For write access, you use the SQL database's own interface, not the WebLogic security provider. See Configuring the Read-Only SQL Authenticator.
- Custom RDBMS Authenticator—Requires you to write a plug-in class. This may be a better choice if you want to use a relational database for your authentication data store, but the SQL Authenticator's schema configuration is not a good match for your existing database schema. See Configuring the Custom DBMS Authenticator.
For information about adding an RDBMS Authentication provider to your security realm, see Configure Authentication and Identity Assertion providers in the Administration Console help. Once you have created an instance of the RDBMS Authentication provider, configure it on the RDBMS Authentication provider's Configuration: Provider Specific page in the Administration Console.
Common RDBMS Authentication Provider Attributes
All three RDBMS Authentication providers include these configuration options.
Data Source Attribute
The Data Source Name specifies the WebLogic Server data source to use to connect to the database.
Group Searching Attributes
The Group Membership Searching and Max Group Membership Search Level attributes specify whether recursive group membership searching is unlimited or limited, and if limited, how many levels of group membership can be searched. For example, if you specify that Group Membership Searching is LIMITED, and the Max Group Membership Search Level is 0, then the RDBMS Authentication providers will find only groups that the user is a direct member of. Specifying a maximum group membership search level can greatly increase authentication performance in certain scenarios, since it may reduce the number of DBMS queries executed during authentication. However, you should only limit group membership search if you can be certain that the group memberships you require are within the search level limits you specify.
Group Caching Attributes
You can improve the performance of RDBMS Authentication providers by caching the results of group hierarchy lookups. Use of this cache can reduce the frequency with which the RDBMS Authentication provider needs to access the database. In the Administration Console, you can use the Performance page for your Authentication provider to configure the use, size, and duration of this cache. See Security Realms: Security Providers: SQL Authenticator: Performance in the Administration Console online help.
Configuring the SQL Authentication Provider
For detailed information about configuring a SQL Authentication provider, see Security Realms: Security Providers: SQL Authenticator: Provider Specific in the Administration Console online help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the SQL Authentication provider has the following configurable attributes.
Password Attributes
The following attributes govern how the RDBMS Authentication provider and its underlying database handle user passwords:
SQL Statement Attributes
SQL statement attributes specify the SQL statements used by the provider to access and edit the username, password, and group information in the database. With the default values in the SQL statement attributes, it is assumed that the database schema includes the following tables:
- users (username, password, [description])
- groupmembers (group name, group member)
- groups (group name, group description)
Note: The tables referenced by the SQL statements must exist in the database; the provider will not create them. You can modify these attributes as needed to match the schema of your database. However, if your database schema is radically different from this default schema, you may need to use a Custom DBMS Authentication provider instead.
Configuring the Read-Only SQL Authenticator
For detailed information about configuring a Read-Only SQL Authentication provider, see Security Realms: Security Providers: Read-Only SQL Authenticator: Provider Specific in the Administration Console online help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Read-Only SQL Authentication provider's configurable attributes include attributes that specify the SQL statements used by the provider to list the username, password, and group information in the database. You can modify these attributes as needed to match the schema of your database.
Configuring the Custom DBMS Authenticator
The Custom DBMS Authentication provider, like the other RDBMS Authentication providers, uses a relational database as its data store for user, password, and group information. Use this provider if your database schema does not map well to the SQL schema expected by the SQL Authenticator. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Custom DBMS Authentication provider's configurable attributes include the following.
Plug-In Class Attributes
A Custom DBMS Authentication provider requires that you write a plug-in class that implements the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface. The class must exist in the CLASSPATH and must be specified in the Plug-in Class Name attribute for the Custom DBMS Authentication provider. Optionally, you can use the Plugin Properties attribute to specify values for properties defined by your plug-in class.
Configuring a Windows NT Authentication Provider
The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and to permit Windows NT users and groups to be listed in the WebLogic Server Administration Console.
To use the Windows NT Authentication provider, create the provider in the Administration Console. In most cases, you should not need to do anything more to configure this Authentication provider. Depending on how your Windows NT domains are configured, you may want to set the Domain Controllers and Domain Controller List attributes, which control how the Windows NT Authentication provider interacts with the Windows NT domain.
Domain Controller Settings
Usernames in a Windows NT domain can take several different forms. You may need to configure the Windows NT Authentication provider to match the form of usernames you expect your users to sign on with. A simple username is one that gives no indication of the domain, such as smith. Compound usernames combine a username with a domain name and may take a form like domain\smith or smith@domain.
If the local machine is not part of a Microsoft domain, then no changes to the Domain Controllers and Domain Controller List attributes are needed. On a stand-alone machine, the users and groups to be authenticated are defined only on that machine.
If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the Domain Controller List attribute. Users defined on the local machine and the domain are the same in this case, so you can use the default Domain Controllers setting.
If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine or in the domain. In this case, consider the following:
- Do you want to prevent the users and groups from the local machine from being displayed in the Console when the local machine is part of a Microsoft domain?
- Do you want users from the local machine to be found and authenticated when a simple username is entered?
If the answer to either question is yes, then set the Domain Controller attribute to DOMAIN.
If you have multiple trusted domains, you may need to set the Domain Controller attribute to LIST and specify a Domain Controller List. Do this if:
- You require the users and groups for other trusted domains to be visible in the Console, or
- You expect that your users will be entering simple usernames and expect them to be located in the trusted domains (that is, users will sign on with a simple username like enter
smith, notsmith@domainordomain\Smith).
If either of these situations is the case, then set the Domain Controllers attribute to LIST and specify the names of the domain controllers in the Domain Controller List attribute for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to use placeholders in the list for those. You can use the following placeholders in the Domain Controller List attribute:
LogonType Setting
The proper value of the LogonType attribute in the Windows NT Authentication provider depends on the Windows NT logon rights of the users that you want to be able to authenticate:
- If users have the "logon locally" right assigned to them on the machines that will run WebLogic Server, then use the default value,
interactive. - If users have the "Access this computer from the Network" right assigned to them, then change the LogonType attribute to
network.
You must assign one of these rights to users in the Windows NT domain or else the Windows NT Authentication provider will not be able to authenticate any users.
UPN Names Settings
UPN style usernames can take the form user@domain. You can configure how the Windows NT Authentication provider handles usernames that include the @ character, but which may not be UPN names, by setting the mapUPNNames attribute in the Windows NT Authentication provider.
If none of your Windows NT domains or local machines have usernames that contain the @ character other than UPN usernames, then you can use the default value of the mapUPNNames attribute, FIRST. However, you may want to consider changing the setting to ALWAYS in order to reduce the amount of time it takes to detect authentication failures. This is especially true if you have specified a long domain controller list.
If your Windows NT domains do permit non-UPN usernames with the @ character in them, then:
- if a username with the @ character is more likely to be a UPN username than a simple username, set the
mapUPNNamesattribute to FIRST. - if a username with the @ character is more likely to be a simple username than a UPN username, set the
mapUPNNamesattribute to LAST. - if a username is never in UPN format, set the
mapUPNNamesattribute to NEVER.
Configuring Identity Assertion Providers
If you are using perimeter authentication, you need to use an Identity Assertion provider. In perimeter authentication, a system outside of WebLogic Server establishes trust through tokens (as opposed to simple authentication, where WebLogic Server establishes trust through usernames and passwords). An Identity Assertion provider verifies the tokens and performs whatever actions are necessary to establish validity and trust in the token. Each Identity Assertion provider is designed to support one or more token formats.
WebLogic Server includes the following Identity Assertion providers:
- WebLogic Identity Asserter
- LDAP X.509 Identity Asserter
- Negotiate Identity Asserter
- SAML Identity Asserter
Multiple Identity Assertion providers can be configured in a security realm, but none are required. Identity Assertion providers can support more than one token type, but only one token type per Identity Assertion provider can be active at a given time. In the Active Type field on the Provider Specific configuration page in the Administration Console, define the active token type. The WebLogic Identity Assertion provider supports identity assertion with X.509 certificates and CORBA Common Secure Interoperability version 2 (CSI v2). If you are using CSI v2 identity assertion, define the list of client principals in the Trusted Principals field.
If multiple Identity Assertion providers are configured in a security realm, they can all support the same token type. However, the token can be active for only one only provider at a time.
With the WebLogic Identity Assertion provider, you can use a user name mapper to map the tokens authenticated by the Identity Assertion provider to a user in the security realm. For more information about configuring a user name mapper, see Configuring a WebLogic Credential Mapping Provider.
If the authentication type in a Web application is set to CLIENT-CERT, the Web Application container in WebLogic Server performs identity assertion on values from request headers and cookies. If the header name or cookie name matches the active token type for the configured Identity Assertion provider, the value is passed to the provider.
The Base64 Decoding Required value on the Provider Specific page determines whether the request header value or cookie value must be Base64 Decoded before sending it to the Identity Assertion provider. The setting is enabled by default for purposes of backward compatibility; however, most Identity Assertion providers will disable this option.
For more information see Configure Authentication and Identity Assertion providers in the Administration Console online help. In addition, see the following sections:
- How an LDAP X509 Identity Assertion Provider Works
- Configuring an LDAP X509 Identity Assertion Provider: Main Steps
- Configuring a Negotiate Identity Assertion Provider
- Configuring a SAML Identity Assertion Provider
- Ordering of Identity Assertion for Servlets
- Configuring Identity Assertion Performance in the Server Cache
- Configuring a User Name Mapper
- Configuring a Custom User Name Mapper
How an LDAP X509 Identity Assertion Provider Works
The LDAP X509 Identity Assertion provider receives an X509 certificate, looks up the LDAP object for the user associated with that certificate, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object.
The LDAP X509 Identity Assertion provider works in the following manner:
- An application is set up to use perimeter authentication (in other words, users or system process use tokens to assert their identity).
- As part of the SSL handshake, the application presents it certificate. The Subject DN in the certificate can be used to locate the object that represents the user in the LDAP server. The object contains the user's certificate and name.
Configuring an LDAP X509 Identity Assertion Provider: Main Steps
Typically, if you use the LDAP X509 Identity Assertion provider, you also need to configure an LDAP Authentication provider that uses an LDAP server. The authentication provider ensures the user exists and locates the groups to which the user belongs. You should ensure both providers are properly configured to communicate with the same LDAP server.
To use an LDAP X509 Identity Assertion provider:
- Obtain certificates for users and put them in an LDAP Server. See Configuring Identity and Trust.
A correlation must exist between the Subject DN in the certificate and the location of the object for that user in the LDAP server. The LDAP object for the user must also include configuration information for the certificate and the username that will be used in the Subject.
- In your security realm, configure an LDAP X509 Identity Assertion provider. See Configure Authentication and Identity Assertion providers in the Administration Console help.
- In the WebLogic Server Administration Console, configure the LDAP X509 Identity Assertion provider to find the LDAP object for the user in the LDAP directory given the certificate's Subject DN.
- Configure the LDAP X509 Identity Assertion provider to search the LDAP server to locate the LDAP object for the user. This requires the following pieces of data.
- A base LDAP DN from which to start searching. The Certificate Mapping option for the LDAP X509 Identity Assertion provider tells the identity assertion provider how to construct the base LDAP DN from the certificate's Subject DN. The LDAP object must contain an attribute that holds the certificate.
- A search filter that only returns LDAP objects that match a defined set of options. The filter narrows the LDAP search. Configure User Filter Search to construct a search filter from the certificate's Subject DN.
- Where in the LDAP directory to search for the base LDAP DN. The LDAP X509 Identity Assertion provider searches recursively (one level down). This value must match the values in the certificate's Subject DN.
- Configure the Certificate Attribute attribute of the LDAP X509 Identity Assertion provider to specify how the LDAP object for the user holds the certificate. The LDAP object must contain an attribute the holds the certificate.
- Configure the User Name Attribute attribute of the LDAP X509 Identity Assertion provider to specify which of the LDAP object's attributes holds the username that should appear in the Subject DN.
- Configure the LDAP server connection for the LDAP X509 Identity Assertion provider. The LDAP server information should be the same as the information defined for the LDAP Authentication provider configured in this security realm.
- Configure an LDAP Authentication provider for use with the LDAP X509 Identity Assertion provider. The LDAP server information should be the same the information defined for the LDAP X509 Identity Assertion provider configured in Step 7. See Configuring LDAP Authentication Providers.
Configuring a Negotiate Identity Assertion Provider
The Negotiate Identity Assertion provider enables single sign-on (SSO) with Microsoft clients. The identity assertion provider decodes Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos.
The Negotiate Identity Assertion provider is an implementation of the Security Service Provider Interface (SSPI) as defined by the WebLogic Security Framework and provides the necessary logic to authenticate a client based on the client's SPNEGO token.
For information about adding a Negotiate Identity Assertion provider to a security realm, see Configure Authentication and Identity Assertion providers in the Administration Console help. For information about using the Negotiate Identity Assertion provider with Microsoft client SSO, see Configuring Single Sign-On with Microsoft Clients.
Configuring a SAML Identity Assertion Provider
The SAML Identity Assertion provider acts as a consumer of SAML security assertions, allowing WebLogic Server to act as a destination site for using SAML for single sign-on. The SAML Identity Assertion provider validates SAML 1.1 assertions by checking the signature and validating the certificate for trust in the certificate registry maintained by the provider. If so, identity is asserted based on the AuthenticationStatement contained in the assertion. The SAML Identity Assertion provider can also ensure that the assertion has not been previously used. The SAML Identity Assertion provider must be configured if you want to deploy a SAML Assertion Consumer Service on a server instance.
This release of WebLogic Server includes two SAML Identity Assertion providers. SAML Identity Asserter Version 2 provides greatly enhanced configuration options and is recommended for new deployments. SAML Identity Asserter Version 1 has been deprecated in WebLogic Server 9.1. A security realm can have not more than one SAML Identity Assertion provider, and if the security realm has both a SAML Identity Assertion provider and a SAML Credential Mapping provider, both must be of the same version. Do not use a Version 1 SAML provider in the same security realm as a Version 2 SAML provider. For information about configuring the SAML Identity Assertion provider Version 1, see Configuring a SAML Identity Assertion Provider in the WebLogic Server 9.0 documentation.
For information about how to use the SAML Identity Assertion provider in a SAML single sign-on configuration, see Configuring Single Sign-On with Web Browsers and HTTP Clients. For general information about SAML support in WebLogic Server, see Security Assertion Markup Language (SAML) in Understanding WebLogic Security.
Asserting Party Registry
When you configure WebLogic Server to act as a consumer of SAML security assertions, you need to register the parties whose SAML assertions will be accepted. For each SAML Asserting Party, you can specify the SAML profile used, details about the Asserting Party, and the attributes expected in assertions received from the Asserting Party. For information, see:
- Configuring Asserting Parties in Configuring Single Sign-On with Web Browsers and HTTP Clients in this guide.
- Configure a SAML Asserting Party in the Administration Console online help.
Certificate Registry
The SAML Identity Assertion provider maintains a registry of trusted certificates. Whenever a certificate is received, it is checked against the certificates in the registry for validity. The certificates in this registry are used:
- To check trust when the SAML Identity Assertion provider receives a signed assertion.
- To check trust in the source site that sent a POST profile assertion (a signed SAML response object).
- To check trust in a destination site that is retrieving an artifact from the Assertion Retrieval Service (ARS), if the connection is an SSL connection.
You can add trusted certificates to the certificate registry through the Administration Console:
On the Management > Certificates page, you can add, view, or delete certificates from the registry.
Ordering of Identity Assertion for Servlets
When an HTTP request is sent, there may be multiple matches that can be used for identity assertion. However, identity assertion providers can only consume one active token type at a time. As a result there is no way to provide a set of tokens that can be consumed with one call. Therefore, the servlet contained in WebLogic Server is forced to choose between multiple tokens to perform identity assertion. The following ordering is used:
- An X.509 digital certificate (signifies two-way SSL to client or proxy plug-in with two-way SSL between the client and the Web server) if X.509 is one of the active token types configured for the Identity Assertion provider in the default security realm.
- Headers with a name in the form
WL-Proxy-Client-<TOKEN>where<TOKEN>is one of the active token types configured for the Identity Assertion provider in the default security realm.
Note: This method is deprecated and should only be used for the purpose of backward compatibility.
For example, if an Identity Assertion provider in the default security realm is configured to have the FOO and BAR tokens as active token types (for the following example, assume the HTTP request contains nothing relevant to identity assertion except active token types), identity assertion is performed as follows:
- If a request comes in with a
FOOheader over a two-way SSL connection, X.509 is used for identity assertion. - If a request comes in with a
FOOheader and aWL-Proxy-Client-BARheader, theBARtoken is used for identity assertion. - If a request comes in with a
FOOheader and aBARcookie, theFOOtoken will be used for identity assertion.
The ordering between multiple tokens at the same level is undefined, therefore:
- If a request comes in with a
FOOheader and aBARheader, then either theFOOorBARtoken is used for identity assertion, however, which one is used is unspecified. - If a request comes in with a
FOOcookie and aBARcookie, then either theFOOorBARtoken is used for identity assertion, however, which one is used is unspecified.
Configuring Identity Assertion Performance in the Server Cache
When you use an Identity Assertion provider, either for an X.509 certificate or some other type of token, subjects are cached within the server. (A subject is a grouping of related information for a single entity (such as a person), including an identity and its security-related configuration options.) Caching subjects within the server greatly enhances performance for servlets and EJB methods with <run-as> tags as well as in other situations where identity assertion is used but not cached in the HTTPSession, for example, in signing and encrypting XML documents).
Note: Caching can violate the desired semantics.
You can change the lifetime of items in this cache by setting the maximum number of seconds a subject can live in the cache via the -Dweblogic.security.identityAssertionTTL command-line argument. The default for this command-line argument is 300 seconds (that is, 5 minutes). Possible values for the command-line argument are:
- Less than 0—Disables the cache.
- 0—Caching is enabled and the identities in the cache never time out so long as the server is running. Any changes in the user database of cached entities requires a server reboot in order for the server to pick them up.
- Greater than 0—Caching is enabled and the cache is reset at the specified number of seconds.
To improve the performance of identity assertion, specify a higher value for this command-line argument.
Note: As identity assertion performance improves, the Identity Assertion provider is less responsive to changes in the configured Authentication provider. For example, a change in the user's group will not be reflected until the subject is flushed from the cache and recreated. Setting a lower value for the command-line argument makes authentication changes more responsive at a cost for performance.
Configuring a User Name Mapper
WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing a two-way SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to enable a user name mapper that maps the digital certificate of a Web browser or Java client to a user in a WebLogic Server security realm.
The user name mapper must be an implementation of the weblogic.security.providers.authentication.UserNameMapper interface. This interface maps a token to a WebLogic Server user name according to whatever scheme is appropriate for your needs. By default, WebLogic Server provides a default implementation of the weblogic.security.providers.authentication.UserNameMapper interface. You can also write your own implementation.
The WebLogic Identity Assertion provider calls the user name mapper for the following types of identity assertion token types:
- X.509 digital certificates passed via the SSL handshake
- X.509 digital certificates passed via CSIv2
- X.501 distinguished names passed via CSIv2
The default user name mapper uses the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (smith@example.com) to a user in the WebLogic Server security realm (smith). Use Default User Name Mapper Attribute Type and Default Username Mapper Attribute Delimiter attributes of the WebLogic Identity Assertion provider to define this information:
- Default User Name Mapper Attribute Type—The subject distinguished name (DN) in a digital certificate used to create a username. Valid values are:
C,CN,E,L,O,OU,SandSTREET. - Default User Name Mapper Attribute Delimiter—Ends the username. The user name mapper uses everything to the left of the value to create a username. The default delimiter is @.
For more information, see Configure a user name mapper in the Administration Console online help.
Configuring a Custom User Name Mapper
You can also write a custom user name mapper to map a token to a WebLogic Server user name according to whatever scheme is appropriate for your needs. The custom user name mapper must be an implementation of the weblogic.security.providers.authentication.UserNameMapper interface. You then configure the custom user name mapper in the active security realm, using the User Name Mapper Class Name attribute of the WebLogic Identity Assertion provider.
For more information, see Configure custom user name mappers in the Administration Console online help.
