Oracle Fusion Middleware
Oracle WebLogic Server MBean Javadoc
11g Release 1 (10.3.6)

Part Number E13945-06

weblogic.management.configuration
Interface SecurityConfigurationMBean

All Superinterfaces:
ConfigurationMBean

public interface SecurityConfigurationMBean
extends ConfigurationMBean

Provides domain-wide security configuration information.

Deprecation of MBeanHome and Type-Safe Interfaces

This is a type-safe interface for a WebLogic Server MBean, which you can import into your client classes and access through weblogic.management.MBeanHome. As of 9.0, the MBeanHome interface and all type-safe interfaces for WebLogic Server MBeans are deprecated. Instead, client classes that interact with WebLogic Server MBeans should use standard JMX design patterns in which clients use the javax.management.MBeanServerConnection interface to discover MBeans, attributes, and attribute types at runtime.

Since:
7.0.0.0
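
The access pattern the deprecation note recommends, as an added example that is not part of Oracle's Javadoc: a client reads security attributes through javax.management.MBeanServerConnection and reports values that differ from the defaults documented on this page. SampleSecurityConfig and the example.audit ObjectName are constructed stand-ins so the code runs without a WebLogic Server; a live domain would supply its own connection and ObjectName.

```java
import java.lang.management.ManagementFactory;
import java.util.*;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;

public class SecurityConfigAudit {

    /** Constructed stand-in MBean so the example runs without a WebLogic server. */
    public interface SampleSecurityConfigMBean {
        boolean isAnonymousAdminLookupEnabled();
        boolean isClearTextCredentialAccessEnabled();
        boolean getEnforceValidBasicAuthCredentials();
        String getWebAppFilesCaseInsensitive();
        String[] getConnectionFilterRules();
    }

    /** Constructed sample values; three of them differ from the documented defaults. */
    public static class SampleSecurityConfig implements SampleSecurityConfigMBean {
        public boolean isAnonymousAdminLookupEnabled() { return false; }
        public boolean isClearTextCredentialAccessEnabled() { return true; }
        public boolean getEnforceValidBasicAuthCredentials() { return false; }
        public String getWebAppFilesCaseInsensitive() { return "os"; }
        public String[] getConnectionFilterRules() { return null; }
    }

    /** Attribute names and default values as documented on this page. */
    static Map<String, Object> documentedDefaults() {
        Map<String, Object> d = new LinkedHashMap<>();
        d.put("AnonymousAdminLookupEnabled", Boolean.FALSE);
        d.put("ClearTextCredentialAccessEnabled", Boolean.FALSE);
        d.put("EnforceValidBasicAuthCredentials", Boolean.TRUE);
        d.put("WebAppFilesCaseInsensitive", "false");
        return d;
    }

    /** Reads attributes over JMX and reports every deviation from the documented default. */
    static List<String> audit(MBeanServerConnection conn, ObjectName name) throws Exception {
        // Discover at runtime which attributes this MBean exposes for reading.
        Set<String> readable = new HashSet<>();
        for (MBeanAttributeInfo info : conn.getMBeanInfo(name).getAttributes()) {
            if (info.isReadable()) readable.add(info.getName());
        }
        List<String> findings = new ArrayList<>();
        for (Map.Entry<String, Object> e : documentedDefaults().entrySet()) {
            if (!readable.contains(e.getKey())) continue;
            Object actual = conn.getAttribute(name, e.getKey());
            if (!e.getValue().equals(actual)) {
                findings.add(e.getKey() + "=" + actual + " (documented default: " + e.getValue() + ")");
            }
        }
        // Per getConnectionFilterRules: with no rules, the default filter accepts all connections.
        if (readable.contains("ConnectionFilterRules")) {
            String[] rules = (String[]) conn.getAttribute(name, "ConnectionFilterRules");
            if (rules == null || rules.length == 0) {
                findings.add("ConnectionFilterRules is empty: default filter accepts all connections");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();
        // Hypothetical ObjectName for the constructed stand-in, not a WebLogic name.
        ObjectName name = new ObjectName("example.audit:Type=SampleSecurityConfig");
        server.registerMBean(new SampleSecurityConfig(), name);
        // MBeanServer extends MBeanServerConnection, so audit() is the same for a remote connection.
        for (String finding : audit(server, name)) {
            System.out.println(finding);
        }
    }
}
```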

Field Summary
 
Fields inherited from interface weblogic.management.configuration.ConfigurationMBean
DEFAULT_EMPTY_BYTE_ARRAY
 
Method Summary
 RealmMBean createRealm()
          Creates a realm.
 RealmMBean createRealm(String name)
          Creates a realm.
 void destroyRealm(RealmMBean realm)
          Destroys a realm.
 RealmMBean findDefaultRealm()
          Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getDefaultRealm()
 RealmMBean findRealm(String realmDisplayName)
          Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.lookupRealm(java.lang.String)
 RealmMBean[] findRealms()
          Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getRealms()
 byte[] generateCredential()
          Generates a new encrypted byte array which can be used when calling setCredentialEncrypted.
 CertRevocMBean getCertRevoc()
          Determines the domain's X509 certificate revocation checking configuration.
 boolean getCompatibilityConnectionFiltersEnabled()
          Specifies whether this WebLogic Server domain enables compatibility with previous connection filters.
 String getConnectionFilter()
          The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface).
 String[] getConnectionFilterRules()
          The rules used by any connection filter that implements the ConnectionFilterRulesListener interface.
 boolean getConnectionLoggerEnabled()
          Specifies whether this WebLogic Server domain should log accepted connections.
 RealmMBean getDefaultRealm()
          Returns the default security realm or null if no realm has been selected as the default security realm.
 boolean getDowngradeUntrustedPrincipals()
          Whether to downgrade principals that cannot be verified to anonymous.
 boolean getEnforceStrictURLPattern()
          Whether the system should enforce strict URL patterns.
 boolean getEnforceValidBasicAuthCredentials()
          Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources.
 String[] getExcludedDomainNames()
           Specifies a list of remote domains for which cross-domain check should not be applied.
 String getNodeManagerPassword()
          The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.
 byte[] getNodeManagerPasswordEncrypted()
          The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.
 String getNodeManagerUsername()
          The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.
 RealmMBean[] getRealms()
          Returns all the realms in the domain.
 String getWebAppFilesCaseInsensitive()
          This property defines the case sensitive URL-pattern matching behavior for security constraints, servlets, filters, virtual-hosts, and so on, in the Web application container and external security policies.
 boolean isAnonymousAdminLookupEnabled()
          Returns true if anonymous JNDI access for Admin MBean home is permitted.
 boolean isClearTextCredentialAccessEnabled()
          Returns true if access to credentials in clear text is allowed.
 boolean isConsoleFullDelegationEnabled()
          Indicates whether the console is enabled for fully delegated authorization.
 boolean isCrossDomainSecurityEnabled()
           Indicates whether or not cross-domain security is enabled.
 boolean isPrincipalEqualsCaseInsensitive()
          Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.
 boolean isPrincipalEqualsCompareDnAndGuid()
          Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.
 RealmMBean lookupRealm(String name)
          Finds a realm given its name.
 void setAnonymousAdminLookupEnabled(boolean permit)
          Permits anonymous JNDI access to get the Admin MBean home.
 void setClearTextCredentialAccessEnabled(boolean enabled)
          Allow access to clear-text password.
 void setCompatibilityConnectionFiltersEnabled(boolean compatibility)
           
 void setConnectionFilter(String filter)
           
 void setConnectionFilterRules(String[] filterList)
           
 void setConnectionLoggerEnabled(boolean logging)
           
 void setConsoleFullDelegationEnabled(boolean enabled)
          Enables the console to operate with fully delegated authorization.
 void setCredential(String credential)
          As of 8.1 sp4, this method does the following:
 void setCredentialEncrypted(byte[] bytes)
          Encrypts and sets the value of the CredentialEncrypted attribute.
 void setCrossDomainSecurityEnabled(boolean enabled)
           Turns on/off the cross-domain security.
 void setDefaultRealm(RealmMBean defaultRealm)
          Sets the default security realm.
 void setDowngradeUntrustedPrincipals(boolean downgrade)
           
 void setEnforceStrictURLPattern(boolean enforceStrictURLPattern)
           
 void setEnforceValidBasicAuthCredentials(boolean allow)
           
 void setExcludedDomainNames(String[] remoteDomains)
           Specifies a list of remote domains for which cross-domain check should not be applied.
 void setNodeManagerPassword(String password)
          Sets the value of the NodeManagerPassword attribute.
 void setNodeManagerPasswordEncrypted(byte[] bytes)
          Sets the value of the NodeManagerPassword attribute.
 void setNodeManagerUsername(String username)
          Sets the node manager username for the domain.
 void setPrincipalEqualsCaseInsensitive(boolean principalEqualsCaseInsensitive)
          Sets the value of the PrincipalEqualsCaseInsensitive attribute.
 void setPrincipalEqualsCompareDnAndGuid(boolean principalEqualsCompareDnAndGuid)
          Sets the value of the UseGUIDandDNinEqual attribute.
 void setWebAppFilesCaseInsensitive(String caseInsensitive)
          Sets the value for the WebAppFilesCaseInsensitive.
 
Methods inherited from interface weblogic.management.configuration.ConfigurationMBean
freezeCurrentValue, getName, getNotes, isSet, restoreDefaultValue, setComments, setDefaultedMBean, setName, setNotes, setPersistenceEnabled, unSet
 

Method Detail

createRealm

RealmMBean createRealm(String name)
                       throws JMException
Creates a realm.

Parameters:
name - The name of this realm, for example, myrealm
Throws:
JMException

createRealm

RealmMBean createRealm()
                       throws JMException
Creates a realm.

Parameters:
name - a String containing the realm's name. This name must be unique among all realms in the domain. If the name can be converted to a JMX object name, then it is used as the provider's JMX object name. The encouraged convention is: "Security:Name=realmDisplayName". For example: "Security:Name=myrealm".
displayName - a String containing the realm's display name (i.e., the name that will be displayed in the console).
Throws:
JMException

destroyRealm

void destroyRealm(RealmMBean realm)
Destroys a realm. This does not destroy its providers or its user lockout manager.


getRealms

RealmMBean[] getRealms()
Returns all the realms in the domain.


lookupRealm

RealmMBean lookupRealm(String name)
Finds a realm given its name. The name is often its JMX object name (e.g. Security:Name=myrealm).


findRealms

RealmMBean[] findRealms()
Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getRealms()

Returns all the realms in the domain.

All security roles can access this item.

findDefaultRealm

RealmMBean findDefaultRealm()
Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.getDefaultRealm()

Finds the default security realm. Returns null if a default security realm is not defined.

All security roles can access this item.

findRealm

RealmMBean findRealm(String realmDisplayName)
Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean.lookupRealm(java.lang.String)

Finds a realm by name (that is, by the display name of the realm). Returns null if no realm with that name has been defined. Throws a configuration error if there are multiple matches.

Parameters:
realmDisplayName - A String containing the realm's display name.
All security roles can access this item.

getDefaultRealm

RealmMBean getDefaultRealm()
Returns the default security realm or null if no realm has been selected as the default security realm.


setDefaultRealm

void setDefaultRealm(RealmMBean defaultRealm)
                     throws InvalidAttributeValueException
Sets the default security realm.

Parameters:
realm - The new default realm. Use null to specify that there is no default realm.
Throws:
InvalidAttributeValueException

isAnonymousAdminLookupEnabled

boolean isAnonymousAdminLookupEnabled()

Returns true if anonymous JNDI access for Admin MBean home is permitted. This is overridden by the Java property -Dweblogic.management.anonymousAdminLookupEnabled.

Returns:
true if anonymous access is allowed, false otherwise
Default Value:
false

setAnonymousAdminLookupEnabled

void setAnonymousAdminLookupEnabled(boolean permit)

Permits anonymous JNDI access to get the Admin MBean home.

Parameters:
permit - The new value.
See Also:
SecurityConfigurationMBean.isAnonymousAdminLookupEnabled()

isClearTextCredentialAccessEnabled

boolean isClearTextCredentialAccessEnabled()

Returns true if access to credentials in clear text is allowed. This can be overridden by the system property -Dweblogic.management.clearTextCredentialAccessEnabled.

Returns:
true if access to the clear-text password is allowed, false otherwise
Changes take effect after you redeploy the module or restart the server.
Default Value:
false

setClearTextCredentialAccessEnabled

void setClearTextCredentialAccessEnabled(boolean enabled)

Allow access to clear-text password.

Parameters:
enabled - The new value.
See Also:
SecurityConfigurationMBean.isClearTextCredentialAccessEnabled()

generateCredential

byte[] generateCredential()

Generates a new encrypted byte array which can be used when calling setCredentialEncrypted.

Returns:
a new encrypted byte array suitable for use as a domain credential.

setCredential

void setCredential(String credential)
                   throws InvalidAttributeValueException

As of 8.1 sp4, this method does the following:

  1. Encrypts the parameter value.
  2. Sets the value of the CredentialEncrypted attribute to the encrypted parameter value.

Parameters:
credential - The new credential value
Throws:
InvalidAttributeValueException
See Also:
SecurityConfigurationMBean.getCredential(), SecurityConfigurationMBean.setCredentialEncrypted(byte[] bytes)

setCredentialEncrypted

void setCredentialEncrypted(byte[] bytes)
                            throws InvalidAttributeValueException

Encrypts and sets the value of the CredentialEncrypted attribute.

Parameters:
bytes - The new credential value as a byte array.
Throws:
InvalidAttributeValueException
See Also:
SecurityConfigurationMBean.getCredentialEncrypted()

getWebAppFilesCaseInsensitive

String getWebAppFilesCaseInsensitive()

This property defines the case sensitive URL-pattern matching behavior for security constraints, servlets, filters, virtual-hosts, and so on, in the Web application container and external security policies.

Note: This is a Windows-only flag that is provided for backward compatibility when upgrading from pre-9.0 versions of WebLogic Server. On Unix platforms, setting this value to true causes undesired behavior and is not supported.

When the value is set to os, the pattern matching will be case-sensitive on all platforms except the Windows file system.

Note that on non-Windows file systems, WebLogic Server does not enforce case sensitivity and relies on the file system for optimization. As a result, if you have a Windows Samba mount from Unix or Mac OS that has been installed in case-insensitive mode, there is a chance of a security risk. If so, specify case-insensitive lookups by setting this attribute to true.

Note also that this property is used to preserve backward compatibility on Windows file systems only. In prior releases, WebLogic Server was case-insensitive on Windows. As of WebLogic Server 9.0, URL-pattern matching is strictly enforced.

During the upgrade of older domains, the value of this parameter is explicitly set to os by the upgrade plug-in to preserve backward compatibility.

Default Value:
"false"
Valid Values:
"os", "true", "false"

setWebAppFilesCaseInsensitive

void setWebAppFilesCaseInsensitive(String caseInsensitive)
                                   throws InvalidAttributeValueException

Sets the value for the WebAppFilesCaseInsensitive.

Parameters:
caseInsensitive - The new value caseInsensitive.
Throws:
InvalidAttributeValueException
See Also:
SecurityConfigurationMBean.getWebAppFilesCaseInsensitive()

getConnectionFilter

String getConnectionFilter()

The name of the Java class that implements a connection filter (that is, the weblogic.security.net.ConnectionFilter interface). If no class name is specified, no connection filter will be used.

This attribute replaces the deprecated ConnectionFilter attribute on the SecurityMBean.

Since:
9.0.0.0
Default Value:
null

setConnectionFilter

void setConnectionFilter(String filter)
                         throws InvalidAttributeValueException
Throws:
InvalidAttributeValueException

getConnectionFilterRules

String[] getConnectionFilterRules()

The rules used by any connection filter that implements the ConnectionFilterRulesListener interface. When using the default implementation and when no rules are specified, all connections are accepted. The default implementation rules are in the format: target localAddress localPort action protocols.

This attribute replaces the deprecated ConnectionFilterRules attribute on the SecurityMBean.

Since:
9.0.0.0
Changes take effect after you redeploy the module or restart the server.
Default Value:
null
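
An added example (not Oracle code) that lints a ConnectionFilterRules array against the target localAddress localPort action protocols layout described above. The allow/deny action keywords, '#' comment lines, the 0.0.0.0/0 and * wildcards, and the treatment of a missing final deny are assumptions not stated on this page; the sample rules are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class ConnectionFilterRuleLint {

    /** Lints rules in the documented layout: target localAddress localPort action protocols. */
    static List<String> lint(String[] rules) {
        List<String> problems = new ArrayList<>();
        if (rules == null || rules.length == 0) {
            // Stated on this page: with no rules the default implementation accepts everything.
            problems.add("no rules: all connections are accepted");
            return problems;
        }
        String[] last = null; // fields of the last well-formed rule
        for (int i = 0; i < rules.length; i++) {
            String rule = rules[i] == null ? "" : rules[i].trim();
            if (rule.isEmpty() || rule.startsWith("#")) continue; // assumption: '#' starts a comment
            String[] f = rule.split("\\s+");
            String where = "rule " + (i + 1) + ": ";
            if (f.length < 4) {
                problems.add(where + "expected target localAddress localPort action, got "
                        + f.length + " field(s)");
                continue;
            }
            if (!f[2].equals("*") && !isPort(f[2])) {
                problems.add(where + "localPort '" + f[2] + "' is neither * nor 1-65535");
            }
            // Assumption: the action keyword is allow or deny.
            if (!f[3].equalsIgnoreCase("allow") && !f[3].equalsIgnoreCase("deny")) {
                problems.add(where + "unknown action '" + f[3] + "'");
                continue;
            }
            if (f[3].equalsIgnoreCase("allow") && isCatchAll(f) && f.length == 4) {
                problems.add(where + "allows every protocol from every address");
            }
            last = f;
        }
        // Assumption: a connection matching no rule is accepted, so the list should end in a deny-all.
        if (last == null || !(isCatchAll(last) && last.length == 4 && last[3].equalsIgnoreCase("deny"))) {
            problems.add("rule list does not end with a deny for all addresses and protocols");
        }
        return problems;
    }

    /** Assumption: target 0.0.0.0/0 or *, with * for address and port, matches every connection. */
    static boolean isCatchAll(String[] f) {
        return (f[0].equals("0.0.0.0/0") || f[0].equals("*")) && f[1].equals("*") && f[2].equals("*");
    }

    static boolean isPort(String s) {
        try {
            int p = Integer.parseInt(s);
            return p >= 1 && p <= 65535;
        } catch (NumberFormatException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String[] rules = { // constructed sample rules
            "# admin subnet",
            "10.0.0.0/255.255.255.0 * 7001 allow t3 t3s",
            "192.0.2.15 * 70010 allow https",
            "0.0.0.0/0 * * permit",
        };
        // Reports the out-of-range port, the unknown action, and the missing final deny.
        for (String problem : lint(rules)) {
            System.out.println(problem);
        }
    }
}
```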

setConnectionFilterRules

void setConnectionFilterRules(String[] filterList)

getConnectionLoggerEnabled

boolean getConnectionLoggerEnabled()

Specifies whether this WebLogic Server domain should log accepted connections.

This attribute can be used by a system administrator to dynamically check the incoming connections in the log file to determine if filtering needs to be performed.

This attribute replaces the deprecated ConnectionLoggerEnabled attribute on the SecurityMBean.

Since:
9.0.0.0
Changes take effect after you redeploy the module or restart the server.
Default Value:
false

setConnectionLoggerEnabled

void setConnectionLoggerEnabled(boolean logging)
                                throws InvalidAttributeValueException
Throws:
InvalidAttributeValueException

getCompatibilityConnectionFiltersEnabled

boolean getCompatibilityConnectionFiltersEnabled()

Specifies whether this WebLogic Server domain enables compatibility with previous connection filters.

This attribute changes the protocol names used when filtering needs to be performed.

Since:
9.0.0.0
Changes take effect after you redeploy the module or restart the server.
Default Value:
false

setCompatibilityConnectionFiltersEnabled

void setCompatibilityConnectionFiltersEnabled(boolean compatibility)
                                              throws InvalidAttributeValueException
Throws:
InvalidAttributeValueException

getNodeManagerUsername

String getNodeManagerUsername()

The user name that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

Returns:
the username value
Since:
9.0.0.0
Changes take effect after you redeploy the module or restart the server.
Default Value:
""

setNodeManagerUsername

void setNodeManagerUsername(String username)
Sets the node manager username for the domain.

Parameters:
username - the new username value
Since:
9.0.0.0
See Also:
SecurityConfigurationMBean.getNodeManagerUsername()

getNodeManagerPassword

String getNodeManagerPassword()

The password that the Administration Server uses to communicate with Node Manager when starting, stopping, or restarting Managed Servers.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the NodeManagerPasswordEncrypted attribute.
  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.
  2. Sets the value of the NodeManagerPasswordEncrypted attribute to the encrypted value.

Using this attribute (NodeManagerPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, you should use NodeManagerPasswordEncrypted.

Returns:
the password value
Since:
9.0.0.0
See Also:
SecurityConfigurationMBean.getNodeManagerPasswordEncrypted()

setNodeManagerPassword

void setNodeManagerPassword(String password)
Sets the value of the NodeManagerPassword attribute.

Parameters:
password - the new password value
Since:
9.0.0.0
See Also:
SecurityConfigurationMBean.getNodeManagerPassword(), SecurityConfigurationMBean.setNodeManagerPasswordEncrypted(byte[])

getNodeManagerPasswordEncrypted

byte[] getNodeManagerPasswordEncrypted()

The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.

To set this attribute, use weblogic.management.EncryptionHelper.encrypt() to encrypt the value. Then set this attribute to the output of the encrypt() method.

To compare a password that a user enters with the encrypted value of this attribute, go to the same WebLogic Server instance that you used to set and encrypt this attribute and use weblogic.management.EncryptionHelper.encrypt() to encrypt the user-supplied password. Then compare the encrypted values.

Returns:
the password value
Since:
9.0.0.0
Changes take effect after you redeploy the module or restart the server.
Default Value:
"".getBytes()

setNodeManagerPasswordEncrypted

void setNodeManagerPasswordEncrypted(byte[] bytes)
Sets the value of the NodeManagerPassword attribute.

Parameters:
password - the new password value
Since:
9.0.0.0
See Also:
SecurityConfigurationMBean.getNodeManagerPasswordEncrypted()

isPrincipalEqualsCaseInsensitive

boolean isPrincipalEqualsCaseInsensitive()

Specifies whether the WebLogic Server principal name is compared using a case insensitive match when the equals method for the principal object is performed.

If this attribute is enabled, matches are case insensitive.

Note: Principal comparison is not used by the WebLogic Security Service to determine access to protected resources. This attribute is intended for use with JAAS authorization, which may require case insensitive principal matching behavior.

Returns:
true if a case insensitive match is used, false otherwise
Changes take effect after you redeploy the module or restart the server.
Default Value:
false

setPrincipalEqualsCaseInsensitive

void setPrincipalEqualsCaseInsensitive(boolean principalEqualsCaseInsensitive)
Sets the value of the PrincipalEqualsCaseInsensitive attribute.

Parameters:
caseInsensitivePrincipalMatch -
See Also:
#isCaseInsensitivePrincipalMatch()

isPrincipalEqualsCompareDnAndGuid

boolean isPrincipalEqualsCompareDnAndGuid()

Specifies whether the GUID and DN data in a WebLogic Server principal object are used when the equals method of that object is invoked.

If enabled, the GUID and DN data (if included among the attributes in a WebLogic Server principal object) and the principal name are compared when this method is invoked.

Returns:
true if the GUID and DN are used in the equals comparison, false otherwise
Changes take effect after you redeploy the module or restart the server.
Default Value:
false

setPrincipalEqualsCompareDnAndGuid

void setPrincipalEqualsCompareDnAndGuid(boolean principalEqualsCompareDnAndGuid)
Sets the value of the UseGUIDandDNinEqual attribute.

Parameters:
useGUIDandDNinPrincipalEqual -
See Also:
#isUseGUIDandDNinPrincipalEqual

getDowngradeUntrustedPrincipals

boolean getDowngradeUntrustedPrincipals()
Whether to downgrade principals that cannot be verified to anonymous. This is useful for server-server communication between untrusted domains.

Returns:
the DowngradeUntrustedPrincipals value
Since:
9.0.0.0
Default Value:
false

setDowngradeUntrustedPrincipals

void setDowngradeUntrustedPrincipals(boolean downgrade)
Parameters:
downgrade - the new DowngradeUntrustedPrincipals value
See Also:
SecurityConfigurationMBean.getDowngradeUntrustedPrincipals()

getEnforceStrictURLPattern

boolean getEnforceStrictURLPattern()
Whether the system should enforce strict URL patterns.

Returns:
the EnforceStrictURLPattern value
Since:
9.0.0.0
Default Value:
true

setEnforceStrictURLPattern

void setEnforceStrictURLPattern(boolean enforceStrictURLPattern)
Parameters:
enforceStrictURLPattern - the new EnforceStrictURLPattern value
See Also:
SecurityConfigurationMBean.getEnforceStrictURLPattern()

getEnforceValidBasicAuthCredentials

boolean getEnforceValidBasicAuthCredentials()
Whether or not the system should allow requests with invalid Basic Authentication credentials to access unsecure resources.

Returns:
the EnforceValidBasicAuthCredentials value
Since:
9.2
Default Value:
true

setEnforceValidBasicAuthCredentials

void setEnforceValidBasicAuthCredentials(boolean allow)
Parameters:
allow - the new EnforceValidBasicAuthCredentials value
See Also:
SecurityConfigurationMBean.getEnforceValidBasicAuthCredentials()

isConsoleFullDelegationEnabled

boolean isConsoleFullDelegationEnabled()

Indicates whether the console is enabled for fully delegated authorization.

Returns:
true if the console is enabled for fully delegated authorization
Since:
9.2.0.0
Default Value:
false

setConsoleFullDelegationEnabled

void setConsoleFullDelegationEnabled(boolean enabled)

Enables the console to operate with fully delegated authorization.

Parameters:
enabled - the new console full delegation value
Since:
9.2.0.0
See Also:
SecurityConfigurationMBean.isConsoleFullDelegationEnabled()

getExcludedDomainNames

String[] getExcludedDomainNames()

Specifies a list of remote domains for which cross-domain check should not be applied.

Returns:
An array of Strings
Since:
10.0

setExcludedDomainNames

void setExcludedDomainNames(String[] remoteDomains)

Specifies a list of remote domains for which cross-domain check should not be applied. Sets the list of remote domain names that are to be excluded from the cross-domain checks.

Parameters:
Array - of Strings of all the domain names to be excluded.

isCrossDomainSecurityEnabled

boolean isCrossDomainSecurityEnabled()

Indicates whether or not cross-domain security is enabled.

Returns:
returns a boolean value
Default Value:
false

setCrossDomainSecurityEnabled

void setCrossDomainSecurityEnabled(boolean enabled)

Turns on/off the cross-domain security.

Parameters:
boolean - value to indicate whether or not cross domain security is enabled via the use of credential mapper.
Default Value:
false

getCertRevoc

CertRevocMBean getCertRevoc()
Determines the domain's X509 certificate revocation checking configuration.

A CertRevocMBean is always associated with a domain's security configuration and cannot be changed, although CertRevocMBean attributes may be changed as documented.

Returns:
The associated CertRevocMBean.

Copyright 1996, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
