Security Guide

Managing Security Providers

This chapter describes how to view and configure authentication and role mapping providers and security provider services.

In the Users, Groups, & Roles > Security Providers menu, you can view detailed information about how providers have been configured to interact with the WebLogic Portal Administration Console. This menu shows the access privileges for each provider you have configured to supply authentication and role-based authorization capabilities, including whether or not you can view, remove, or modify users, groups, and roles.

In the Configuration Settings > Service Administration menu, you can determine whether or not text entry of users and groups is allowed for security providers that do not allow read access, and you can prevent specific users or groups from being created or deleted. You can also configure user management and group management roles that determine runtime operations that can be performed by these roles using the UserProvider and GroupProvider APIs.

This chapter includes the following sections:

Viewing Configured Security Providers

Use the WebLogic Portal Administration Console to view the access privileges for each provider you have configured to supply authentication and role-based authorization capabilities.

The authentication providers and role mappers you connect to WebLogic Server are configured in specific ways. For example, the WebLogic SQL Authenticator is typically configured to allow you to add and remove users and groups using the WebLogic Portal Administration Console, while a custom authenticator may be configured to provide only read access to users and groups.

Perform the following steps to view the configured security providers:

  1. Choose Users, Groups, & Roles > Security Providers.
  2. Select Security Providers in the Security Providers tree.

The Browse Security Providers tab shows the title and description for each category of provider, including authentication providers and role mappers, as shown in Figure 6-1.

Figure 6-1 Security Providers

From this tab, you can choose a type of security provider, either Authentication Providers or Role Mappers, to view additional information.

Viewing Configured Authentication Providers

Authentication providers store users, passwords, and groups, which can be viewed and managed directly in those providers. The providers are also configured with rules for how tools such as the WebLogic Portal Administration Console interact with them.

The WebLogic SQL Authenticator (the default authentication provider) and WebLogic LDAP Authenticator provide read and write access from the WebLogic Portal Administration Console (and the WebLogic Server Administration Console) by default.

The typical configuration for users and groups in supported external authentication providers is read-only access from the WebLogic Portal Administration Console (and the WebLogic Server Administration Console). To provide write access to external users and groups from the WebLogic Portal Administration Console, you must develop your custom authentication provider to allow write access. If you are using any custom authentication providers, develop them according to the guidelines in How to Develop a Custom Authentication Provider.

Perform the following steps to view the configured authentication providers:

  1. Choose Users, Groups, & Roles > Security Providers.
  2. Select Authentication Providers in the Security Providers tree.

The Browse Authentication Providers tab shows the title and description for each authentication provider, as shown in Figure 6-2. At least one authentication provider, SQLAuthenticator, is present by default.

Figure 6-2 Authentication Providers

Tip: You can also build group hierarchy trees for authentication providers in the WebLogic Portal Administration Console. A tree view of groups provides a convenient visual mode for changing profile values, finding users within groups, and adding users and groups to delegated administration and visitor entitlement roles. For more information, see the User Management Guide.

Viewing Authentication Provider Details

Perform the following steps to view the details for a configured authentication provider:

  1. Choose Users, Groups, & Roles > Security Providers.
  2. Select Authentication Providers in the Security Providers tree.
  3. Select the authentication provider for which you would like to see details.

The Authentication Provider Details tab shows the name, description, and version of the authentication provider. It also shows which management interfaces are implemented for the provider.

Figure 6-3 Authentication Provider Details

Descriptions of the available management interfaces are listed in Table 6-1.

Table 6-1 Authentication Provider Management Interfaces

  Management Interface: Description

  Default Authentication Provider: Indicates whether or not this was the first authentication provider configured in WebLogic Server. The default does not change, regardless of which authentication provider is currently being used.
  Group Editor: Indicates whether or not you can manage groups with the WebLogic Portal Administration Console; for example, whether you can add groups, move groups, and add users to groups.
  Group Reader: Indicates whether or not you can view groups with the WebLogic Portal Administration Console.
  Group Remover: Indicates whether or not you can remove groups with the WebLogic Portal Administration Console.
  Group Member Lister: Indicates whether or not you can use the WebLogic Portal Administration Console to search within a group for users or subgroups that match a given name pattern.
  Member Group Lister: Indicates whether or not you can view groups in the WebLogic Portal Administration Console that directly contain a user or a group.
  User Editor: Indicates whether or not you can modify group membership for users with the WebLogic Portal Administration Console.
  User Lockout Manager: User lockout settings include how many unsuccessful login attempts a user can make before being prevented from future login attempts. For information about how to modify user lockout settings in the WebLogic Server Administration Console, see the Administration Console Online Help.
  User Password Editor: Indicates whether or not you can modify user passwords in the WebLogic Portal Administration Console.
  User Reader: Indicates whether or not you can view users in the WebLogic Portal Administration Console.
  User Remover: Indicates whether or not you can delete users in the WebLogic Portal Administration Console.

To provide write access to external users and groups from the WebLogic Portal Administration Console, the authentication provider must be configured to allow it. This is a development task. For more information, see Configuring WebLogic Security Providers.

If an authentication provider does not provide read access to users and groups with the WebLogic Portal Administration Console, you can still use text entry fields to type in the names of existing users and groups for selection. For example, if you want to change the user profile property values for a user stored in a provider that does not support read access, you can type the name of the user in the Users Management tree to select the user for property modifications. For information about allowing text entry, see Enabling Text Entry for Authentication Providers.

For information on determining if you need to develop a custom authentication provider, and how to develop one, see How to Develop a Custom Authentication Provider. If you want to add an authentication provider, see Choosing WebLogic and Custom Authentication Providers.

Removing Authentication Providers

If you remove an authentication provider using the WebLogic Server Administration Console, be sure to also remove the provider from the WebLogic Portal Administration Console from the Service Administration > Authentication Hierarchy Service tree. For more information, see the User Management Guide.

Viewing Configured Role Mappers

A role mapping provider determines which security roles apply to operations performed on a resource. The default role mapping provider is the WebLogic XACML provider, XACMLRoleMapper, which uses the embedded LDAP server to store role policies.

Note: The WebLogic XACML role mapping provider is required for WebLogic Portal, and suitable for most needs. It is unlikely that you will need to configure a custom role mapping provider.

Perform the following steps to view the configured role mappers:

  1. Choose Users, Groups, & Roles > Security Providers.
  2. Select Role Mappers in the Security Providers tree.

The Browse Role Mappers tab shows the title and description for each role mapper. The default role mapper, XACMLRoleMapper, is present by default, as shown in Figure 6-4.

Figure 6-4 Role Mappers

Viewing Role Mapper Details

Perform the following steps to view the details for a configured role mapper:

  1. Choose Users, Groups, & Roles > Security Providers.
  2. Select Role Mappers in the Security Providers tree.
  3. Select the role mapper for which you would like to see details from the tab or from the tree.

The Role Mapper Details tab shows the name, description, and version of the role mapper. It also shows which management interfaces are implemented for the role mapper.

Figure 6-5 Role Mapper Details

Descriptions of the available management interfaces are listed in Table 6-2.

Table 6-2 Role Mapper Management Interfaces

  Management Interface: Description

  Default Role Provider: Indicates whether or not this was the first role mapper configured in WebLogic Server. The default does not change, regardless of which role mapper is currently being used.
  Role Editor: Indicates whether or not you can modify role definitions in the WebLogic Portal Administration Console.
  Role Reader: Indicates whether or not you can read roles in the WebLogic Portal Administration Console.

Viewing Authentication Provider Services

Perform the following steps to view the configured authentication provider services:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.

The Authentication Security Provider Service window shows the name and description for each service that has been configured. The AllAtnProviders service configuration settings apply to all authentication provider services, unless the settings are overridden for an individual authentication provider service.

Viewing Authentication Provider Service Details

Perform the following steps to view detailed information about a configured authentication provider service:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to see detailed information. The AllAtnProviders service configuration settings apply to all authentication provider services; these settings can be overridden for an individual authentication provider service.

Detailed information about the selected authentication provider service is displayed.

The Predicate Text Entry Enabled? check box determines whether delegated administrators can add user, group, and role names to role and security policies by entering their names in a text box. For more information, see Enabling Text Entry for Authentication Providers.

You can also see which roles have the capability to create, read, update, or delete groups and users using the GroupProvider and UserProvider APIs.

The Anonymous role includes any unauthenticated user. The Self role is the logged-in, authenticated user, and indicates whether that user can perform operations on their own account, such as adding themselves to a group or changing their password.

Table 6-3 describes the group management and user management capabilities.

Table 6-3 Descriptions of Group Management and User Management Capabilities

  Can Create: Determines whether the role can create groups or users, using the GroupProvider API or UserProvider API, respectively.
  Can Read: Determines whether the role can see groups or users, using the GroupProvider API or UserProvider API, respectively.
  Can Update: Determines whether the role can update groups or users, using the GroupProvider API or UserProvider API, respectively.
  Can Delete: Determines whether the role can delete groups or users, using the GroupProvider API or UserProvider API, respectively.

You can also restrict groups and users with specified names from being created or deleted.

Table 6-4 describes group and user naming restrictions you can set.

Table 6-4 Descriptions of Naming Restrictions

  Protected: Determines whether a group or user with the specified name can be deleted.
  Reserved: Determines whether a group or user with the specified name can be created.

From this window, you can add an authentication provider service to configure, as described next, or edit configuration settings, as described in Configuring Authentication Provider Services.

Adding Authentication Security Provider Services

You can add an existing authentication provider service so that you can view and edit its configuration settings in the Service Administration menu.

Perform the following steps to add an authentication security provider service:

  1. Choose Configuration Settings > Service Administration.
  2. Select Security > Authentication Security Provider Service in the Application Configuration Settings tree.
  3. Click Add Security Provider Service.
  4. In the Add Authentication Security Provider Service to Security Service dialog, select the name of the authentication provider from the drop-down list.
  5. Optionally, add a description of the service.
  6. Optionally, check the box to enable predicate text entry for the service. For more information, see Enabling Text Entry for Authentication Providers.
  7. Click Update.

The service you have added appears in the list of services.

Updates to any of these settings require either enterprise application redeployment or server restart.

Configuring Authentication Provider Services

You can modify the following configuration settings for authentication provider services:

Enabling Text Entry for Authentication Providers

Some authentication providers may not allow read access to users and groups by external tools such as the WebLogic Portal Administration Console. If providers do not allow read access to users and groups, you can enable a text entry field that allows you to type in user and group names in the User Management, Groups Management, Delegated Administration, and Visitor Entitlements menus for those providers. By enabling text entry, you override the requirement that SSPI providers implement reader interfaces.

The text box, which appears in the tree section when text entry is enabled, allows you to enter the names of known users and groups. You can assign profiles for those users or groups, and define delegated administration and visitor entitlements policies using those users and groups. When a user from a non-readable authentication provider logs in, the profile created for that user enables authorization checks to be performed for the user.
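The two mechanisms described above and in Table 6-1 can be modelled together: the console derives what it may do with a provider from the management interfaces that provider implements, and when no reader interface exists it can only take a typed name on trust. The model below is an added example and is not WebLogic Portal code; the ProviderService, Selection, console_access and select names are invented, only the interface names come from Table 6-1, and the sample providers and name lists are constructed.

```python
"""Hypothetical model (added illustration, not WebLogic Portal code) of two
things the text describes: what an administration tool may do with a
provider's users and groups given the management interfaces the provider
implements (Table 6-1), and how text entry lets a name be selected when the
provider implements no reader interface.  The class and function names are
invented; the interface names are the ones from Table 6-1."""
from dataclasses import dataclass, field

READER = {"user": "User Reader", "group": "Group Reader"}
EDITOR = {"user": "User Editor", "group": "Group Editor"}
REMOVER = {"user": "User Remover", "group": "Group Remover"}


@dataclass
class ProviderService:
    name: str
    interfaces: frozenset             # management interfaces the provider implements
    text_entry_enabled: bool = False  # the "Predicate Text Entry Enabled?" setting
    # Constructed stand-in for what the provider's reader interfaces would return.
    known: dict = field(default_factory=lambda: {"user": set(), "group": set()})


def console_access(provider, kind):
    """Map implemented interfaces to what the console can do with users or groups."""
    return {
        "view": READER[kind] in provider.interfaces,
        "modify": EDITOR[kind] in provider.interfaces,
        "remove": REMOVER[kind] in provider.interfaces,
    }


@dataclass(frozen=True)
class Selection:
    kind: str
    name: str
    verified: bool  # True only when a reader interface confirmed the name exists


def select(provider, kind, typed_name):
    """Select a user or group by name for a profile or policy.

    With a reader interface the typed name is checked against the provider.
    Without one, text entry (if enabled) accepts the typed name as-is, so the
    administrator is trusted to have spelled it exactly as the provider knows
    it.  Otherwise the name cannot be selected at all."""
    if not typed_name or typed_name != typed_name.strip():
        raise ValueError("name must be non-empty without surrounding whitespace")
    if READER[kind] in provider.interfaces:
        if typed_name not in provider.known[kind]:
            raise LookupError(f"{kind} {typed_name!r} not found in {provider.name}")
        return Selection(kind, typed_name, verified=True)
    if provider.text_entry_enabled:
        return Selection(kind, typed_name, verified=False)
    raise PermissionError(
        f"{provider.name} implements no {READER[kind]} and text entry is disabled")


if __name__ == "__main__":
    # Constructed providers: a fully readable one, a write-only external one
    # with text entry enabled, and one that allows neither.
    sql = ProviderService("SQLAuthenticator",
                          frozenset(READER.values()) | frozenset(EDITOR.values())
                          | frozenset(REMOVER.values()),
                          known={"user": {"alice"}, "group": {"Marketing"}})
    ext = ProviderService("ExternalAuthenticator", frozenset(), text_entry_enabled=True)
    locked = ProviderService("LockedAuthenticator", frozenset())
    print(console_access(sql, "user"), console_access(ext, "user"))
    print(select(sql, "user", "alice"))
    print(select(ext, "user", "bob"))
    for p in (sql, locked):
        try:
            print(select(p, "user", "mallory"))
        except (LookupError, PermissionError) as e:
            print(type(e).__name__, e)
```

The verified flag is the point of the model: a policy or profile built from an unverified name is only as good as the spelling the administrator typed, because the provider was never asked whether the user exists.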

To enable text entry for an authentication security provider service:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to see detailed information.
  4. Click the Edit icon next to Configuration Settings for: ServiceName.
  5. Select the Predicate Text Entry Enabled? check box.

This change requires either enterprise application redeployment or server restart.

Adding Group Management Roles

When you add a group management role to an authentication provider service, you enable capabilities for manual runtime checks performed by API calls to group providers. This provides a low-level alternative to using visitor entitlements on groups. For each group management capability (create, read, update, and delete), you can specify which roles are allowed to perform the task.

Note: Use existing global or enterprise-application scoped roles.

Perform the following steps to add role capabilities for the GroupProvider API:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to add a group management role.
  4. In the Group Management Delegated Administration section, click Add Group Management Role.
  5. Enter a role name. Use existing global or enterprise-application scoped role names.
  6. Select the capabilities for the role, as described in Table 6-3, Descriptions of Group Management and User Management Capabilities, on page 6-10.
  7. Click Update.

The new role appears in the list of Group Management Roles. This change requires either enterprise application redeployment or server restart.

Editing Group Management Roles

Group Management role capabilities are used for manual runtime checks performed by API calls to group providers. This provides a low-level alternative to using visitor entitlements on groups.

Perform the following steps to edit group management role capabilities for the GroupProvider API:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to edit a group management role.
  4. Click the role name or the Edit icon for the role you want to edit.
  5. Select the capabilities for the role, as described in Table 6-3, Descriptions of Group Management and User Management Capabilities, on page 6-10.
  6. Click Update.

The updated role appears in the list of Group Management Roles. This change requires either enterprise application redeployment or server restart.

Adding User Management Roles

When you add a user management role to an authentication provider service, you enable capabilities for manual runtime checks performed by API calls to user providers. For each user management capability (create, read, update, and delete), you can specify which roles are allowed to perform the task.

Note: Use existing global or enterprise-application scoped roles.

Perform the following steps to add user management role capabilities for the UserProvider API:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to add a user management role.
  4. In the User Management Delegated Administration section, click Add User Management Role.
  5. Enter a role name. Use existing global or enterprise-application scoped role names.
  6. Select the capabilities for the role, as described in Table 6-3, Descriptions of Group Management and User Management Capabilities, on page 6-10.
  7. Click Update.

The new role appears in the list of User Management Roles. This change requires either enterprise application redeployment or server restart.

Editing User Management Roles

User Management role capabilities are used for manual runtime checks performed by API calls to user providers.

Perform the following steps to edit user management role capabilities for the UserProvider API:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to edit a user management role.
  4. Click the role name or the Edit icon for the role you want to edit.
  5. Select the capabilities for the role, as described in Table 6-3, Descriptions of Group Management and User Management Capabilities, on page 6-10.
  6. Click Update.

The updated role appears in the list of User Management Roles. This change requires either enterprise application redeployment or server restart.

Adding Protected and Reserved Group Names

For each authentication provider, you can specify group names that cannot be created or deleted.

Perform the following steps to set restrictions on group names:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to restrict group names.
  4. In the Protected/Reserved Groups section, click Add Protected/Reserved Group.
  5. Enter a group name.
  6. Select the Protected check box if you want to prevent a group with this name from being deleted.
  7. Select the Reserved check box if you want to prevent a group with this name from being created.
  8. Click Update.

The group name appears in the list of Protected/Reserved Groups. This change requires either enterprise application redeployment or server restart.

Editing Protected and Reserved Group Names

Perform the following steps to edit the restrictions for group names that are in the list of Protected/Reserved Groups:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to change restrictions on group names.
  4. In the Protected/Reserved Groups section, click a group name or the Edit icon for that group.
  5. Select the Protected check box if you want to prevent a group with this name from being deleted.
  6. Select the Reserved check box if you want to prevent a group with this name from being created.
  7. Click Update.

The new restrictions for this group name appear in the list of Protected/Reserved Groups. This change requires either enterprise application redeployment or server restart.

Adding Protected and Reserved User Names

For each authentication provider, you can specify user names that cannot be created or deleted.

Perform the following steps to set restrictions on user names:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to restrict user names.
  4. In the Protected/Reserved Users section, click Add Protected/Reserved User.
  5. Enter a user name.
  6. Select the Protected check box if you want to prevent a user with this name from being deleted.
  7. Select the Reserved check box if you want to prevent a user with this name from being created.
  8. Click Update.

The user name appears in the list of Protected/Reserved Users. This change requires either enterprise application redeployment or server restart.

Editing Protected and Reserved User Names

Perform the following steps to edit the restrictions for user names that are in the list of Protected/Reserved Users:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Authentication Security Provider Service.
  3. Select the authentication provider service for which you want to change restrictions on user names.
  4. In the Protected/Reserved Users section, click a user name or the Edit icon for that user.
  5. Select the Protected check box if you want to prevent a user with this name from being deleted.
  6. Select the Reserved check box if you want to prevent a user with this name from being created.
  7. Click Update.

The new restriction for this user name appears in the list of Protected/Reserved Users. This change requires either enterprise application redeployment or server restart.
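The runtime checks that the group and user management roles (Table 6-3) and the protected and reserved names (Table 6-4) configure, as well as the Anonymous and Self roles described under Viewing Authentication Provider Service Details, can be modelled in a few lines. The following is an added example and is not WebLogic Portal code: the ProviderServiceConfig, Principal and check names are invented, the GroupProvider and UserProvider APIs are not called, the sample roles and names are constructed, and it assumes, as the tables state, that a reserved name can never be created and a protected name can never be deleted regardless of the caller's roles.

```python
"""Hypothetical model of the runtime checks that group and user management
roles (Table 6-3) and protected/reserved names (Table 6-4) configure.  This is
added illustration, not WebLogic Portal code: the classes and functions below
are invented, and the real GroupProvider and UserProvider APIs are not called.
The rule encoded is the one the text states: a role may create, read, update
or delete only if the service grants it that capability, a reserved name can
never be created, and a protected name can never be deleted."""
from dataclasses import dataclass, field
from typing import Optional

CAPABILITIES = ("create", "read", "update", "delete")


@dataclass
class NameRestriction:
    protected: bool = False  # Protected: the name cannot be deleted
    reserved: bool = False   # Reserved: the name cannot be created


@dataclass
class ProviderServiceConfig:
    """Settings of one authentication provider service (constructed)."""
    roles: dict = field(default_factory=lambda: {"user": {}, "group": {}})
    names: dict = field(default_factory=lambda: {"user": {}, "group": {}})

    def grant(self, kind, role, *caps):
        bad = set(caps) - set(CAPABILITIES)
        if bad:
            raise ValueError(f"unknown capabilities: {sorted(bad)}")
        self.roles[kind].setdefault(role, set()).update(caps)

    def restrict(self, kind, name, protected=False, reserved=False):
        self.names[kind][name] = NameRestriction(protected, reserved)


@dataclass(frozen=True)
class Principal:
    username: Optional[str]         # None for an unauthenticated caller
    roles: frozenset = frozenset()  # global or application-scoped roles

    def effective_roles(self, kind, target):
        """Anonymous covers every unauthenticated caller; Self applies when an
        authenticated user acts on their own user record."""
        roles = set(self.roles)
        if self.username is None:
            roles.add("Anonymous")
        elif kind == "user" and target == self.username:
            roles.add("Self")
        return roles


def check(config, principal, kind, op, name):
    """Decide whether principal may perform op on the named user or group.
    Returns (allowed, reason) so a caller can log the decision."""
    if kind not in ("user", "group") or op not in CAPABILITIES:
        raise ValueError(f"bad request: {kind} {op}")
    restriction = config.names[kind].get(name, NameRestriction())
    # Name restrictions are absolute: no role bypasses them.
    if op == "create" and restriction.reserved:
        return False, f"{kind} name {name!r} is reserved"
    if op == "delete" and restriction.protected:
        return False, f"{kind} name {name!r} is protected"
    for role in sorted(principal.effective_roles(kind, name)):
        if op in config.roles[kind].get(role, set()):
            return True, f"{op} granted by role {role!r}"
    return False, f"no role of the caller may {op} {kind}s"


def sample_config():
    """Constructed configuration: an Admin role with full control, read-only
    browsing of groups for anonymous callers, self-service read/update of the
    caller's own account, one protected group and one reserved user name."""
    cfg = ProviderServiceConfig()
    cfg.grant("group", "Admin", *CAPABILITIES)
    cfg.grant("user", "Admin", *CAPABILITIES)
    cfg.grant("group", "Anonymous", "read")
    cfg.grant("user", "Self", "read", "update")
    cfg.restrict("group", "PortalAdministrators", protected=True)
    cfg.restrict("user", "admin", reserved=True)
    return cfg


if __name__ == "__main__":
    cfg = sample_config()
    admin = Principal("carol", frozenset({"Admin"}))
    alice = Principal("alice")
    anon = Principal(None)
    for who, kind, op, name in [
        (admin, "group", "delete", "PortalAdministrators"),
        (admin, "user", "create", "admin"),
        (anon, "group", "read", "Marketing"),
        (anon, "user", "update", "alice"),
        (alice, "user", "update", "alice"),
        (alice, "user", "update", "bob"),
        (alice, "user", "delete", "alice"),
        (admin, "user", "delete", "bob"),
    ]:
        print(who.username, kind, op, name, "->", check(cfg, who, kind, op, name))
```

Evaluating the name restrictions before the role grants is the design choice worth noting: it makes the protected and reserved lists a safety net that holds even for a caller holding every capability, which is what makes them useful against an over-privileged or mistaken administrator.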

 


Viewing Role Provider Services

Perform the following steps to view the configured role provider services:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Role Security Provider Service.

The Role Security Provider Service window shows the name and description for each service that has been configured. The AllRoleProviders service configuration settings apply to all role mapping provider services, unless the settings are overridden for an individual role provider service.

The default role mapping provider is the WebLogic XACML provider, XACMLRoleMapper, which uses the embedded LDAP server to store role policies.

Note: The WebLogic XACML role mapping provider is required for WebLogic Portal, and suitable for most needs. It is unlikely that you will need to configure a custom role mapping provider.

Viewing Role Provider Service Details

Perform the following steps to view detailed information about a configured role provider service:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Role Security Provider Service.
  3. Select the role provider service for which you want to see detailed information. The AllRoleProviders service configuration settings apply to all role provider services, unless the settings are overridden for an individual role provider service.

The Predicate Text Entry Enabled? capability determines whether delegated administrators can add user, group, and role name predicates to role and security policies by entering their names in a text box. For more information, see Enabling Text Entry for Role Mapping Providers.

Adding Role Mapping Provider Services

You can add an existing role provider service so that you can view and edit the configuration settings in the Service Administration menu.

Perform the following steps to add a role security provider service:

  1. Choose Configuration Settings > Service Administration.
  2. Select Security > Role Security Provider Service in the Application Configuration Settings tree.
  3. Click Add Security Provider Service.
  4. Select the name of the role mapping provider from the drop-down list.
  5. Optionally, add a description of the service.
  6. Optionally, check the box to enable predicate text entry. For more information, see Enabling Text Entry for Role Mapping Providers.
  7. Click Update.

The service you have added appears in the list of services.

Updates to any of these settings require either enterprise application redeployment or server restart.

Configuring Role Mapping Provider Services

The default role mapping provider is the WebLogic XACML role mapping provider, which uses the embedded LDAP server to store role policies. The WebLogic XACML role mapping provider is required for WebLogic Portal, and suitable for most needs. It is unlikely that you will need to configure a custom role mapping provider.

Enabling Text Entry for Role Mapping Providers

Some role providers may not allow read access to role policies by external tools such as the WebLogic Portal Administration Console. If providers do not allow read access to roles, you can enable a text entry field that allows you to type in role names in the Delegated Administration and Visitor Entitlements menus for those providers. By enabling text entry, you override the requirement that SSPI providers implement reader interfaces.

The text box, which appears in the menu tree when text entry is enabled, allows you to enter the names of known roles. You can define delegated administration and visitor entitlements policies using these role names.

To enable text entry for a role security provider service:

  1. Choose Configuration Settings > Service Administration.
  2. In the tree, select Application Configuration Settings > Security > Role Security Provider Service.
  3. Select the role provider service for which you want to see detailed information.
  4. Click the Edit icon next to Configuration Settings for: ServiceName.
  5. Select the Predicate Text Entry Enabled? check box.

This change requires either enterprise application redeployment or server restart.