Authentication Hierarchy Service

After you connect WebLogic Server to one or more authentication providers (other than WebLogic Server's default LDAP authentication provider), you can surface a hierarchical tree view of that provider's groups in the WebLogic Administration Portal. A tree view of groups provides a convenient visual mode for changing group properties, finding users within groups, and adding users and groups to rules for Delegated Administration and Visitor Entitlements. The following figure shows a group hierarchy tree for the DefaultAuthenticator.

Use the Authentication Hierarchy Service page to build and configure a group hierarchy tree for any of the authentication providers connected to WebLogic Server that provide read access.

Note: Being able to see a hierarchy tree in the WebLogic Administration Portal is ultimately dependent on how the authentication provider is configured. If the provider does not allow at least read access by external tools (such as the WebLogic Administration Portal), you will not be able to see the tree representation of the groups. See View Security Provider Properties to find out how to tell if an authentication provider allows read access. If the authentication provider does not allow read access to its groups, you can still use text entry fields in the WebLogic Administration Portal to enter the names of known users and groups.

Performance

If an authentication provider contains a few thousand groups, you may get better performance in the user management interface by not building a group hierarchy tree for the provider. In the place of a hierarchy tree, you must type the name of a known group in a text box to select that group, as shown in the following figure.

Once a group is selected this way, you can add and edit users and set up delegated administration on the group. However, without a group hierarchy tree, you cannot create, delete, or rearrange groups.

Note: In your server startup script(s), you can disable all group hierarchy trees by adding the following to the JAVA_OPTIONS line: -Dcom.bea.jsptools.disableGroupTree=true

Building a Group Hierarchy Tree for an Authentication Provider

  1. In the WebLogic Administration Portal main menu, select Service Administration.
  2. In the left pane, select Authentication Hierarchy Service.
  3. In the right pane, in the "Provider to Add to Build List" field, select the authentication provider, and click Add.
  4. Click "Update & Build Tree."
  5. Repeat these steps for all authentication providers whose users and groups you want to see in the WebLogic Administration Portal.
  6. To view the group hierarchies for the authentication providers, select the Users & Groups tool, and in the "Browse User/Groups from" field select the authentication provider you want to view. You can also see the group hierarchy trees on the Add Groups to Role pages for a selected Delegated Administration or Visitor Entitlements role.

Configuring a Group Hierarchy Tree

The following table describes the configuration options available for group hierarchy trees.

Build Group Hierarchy Trees

Automatic - On server startup or application redeployment, group hierarchy trees are automatically built for the authentication providers listed in the "Authentication Providers to Build" list.

Manual - Group hierarchy trees for the authentication providers listed in the "Authentication Providers to Build" list are built when you click "Update & Build Tree," letting you determine when the processing overhead for tree building occurs.

A change to this value requires that you redeploy your enterprise application or restart the server.

Sweep Interval

Sweep Interval works with the Time to Live setting to determine how often the hierarchy trees are refreshed to show changes to users and groups.

The Sweep Interval determines how often (in seconds) the hierarchy trees are checked to see if they have expired (their Time to Live has ended). If a sweep finds the trees expired, the trees are cleared from memory and are not rebuilt until you try to access them in one of the WebLogic Administration Portal tools. More frequent refreshing of trees can impact performance, but changes to users and groups are picked up more frequently.

Set the Sweep Interval to the same value as Time to Live if you want the trees to be cleared from memory as soon as they expire.

A change to this value requires that you redeploy your enterprise application or restart the server.

Maximum Number of Groups

Determines how many total groups for all authentication providers will be built and added to memory.

Time to Live

Time to Live works with the Sweep Interval to determine how often the hierarchy trees are refreshed to show changes to users and groups.

The Time to Live determines how often (in seconds) the trees should be cleared from memory (expire). However, the expired trees are not cleared from memory until the trees are swept (determined by the Sweep Interval). More frequent refreshing of trees can impact performance, but changes to users and groups are picked up more frequently.

Set Time to Live to the same value as the Sweep Interval if you want the trees to be cleared from memory as soon as they expire.
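To make the interplay between Sweep Interval and Time to Live concrete, here is an added Python model (not WebLogic code) of the behaviour described above: a tree expires after Time to Live seconds, leaves memory only at the next sweep, and is rebuilt lazily on the next portal access. The provider name, timings and access pattern are constructed values; the sweep is assumed to run at every multiple of Sweep Interval since server start.

```python
from dataclasses import dataclass, field


@dataclass
class GroupTree:
    provider: str
    built_at: int
    ttl: int

    def expired(self, now: int) -> bool:
        # Time to Live: the tree counts as expired once ttl seconds have passed.
        return now - self.built_at >= self.ttl


@dataclass
class HierarchyCache:
    ttl: int
    sweep_interval: int
    trees: dict = field(default_factory=dict)
    builds: int = 0

    def access(self, provider: str, now: int) -> GroupTree:
        # A portal tool asks for the tree; it is rebuilt only if an earlier
        # sweep removed it, otherwise the (possibly stale) copy is served.
        if provider not in self.trees:
            self.trees[provider] = GroupTree(provider, now, self.ttl)
            self.builds += 1
        return self.trees[provider]

    def sweep(self, now: int) -> list:
        # Sweep Interval: expired trees are cleared only when a sweep runs.
        gone = [p for p, t in self.trees.items() if t.expired(now)]
        for p in gone:
            del self.trees[p]
        return gone


def clear_time(ttl: int, sweep_interval: int, built_at: int = 0) -> int:
    """First sweep tick at or after expiry: when the tree really leaves memory."""
    expiry = built_at + ttl
    return -(-expiry // sweep_interval) * sweep_interval  # ceil to a tick


def simulate(ttl: int, sweep_interval: int, accesses, horizon: int) -> list:
    """Run second by second; return (time, event) records for one provider."""
    cache = HierarchyCache(ttl, sweep_interval)
    log = []
    for now in range(horizon + 1):
        if now and now % sweep_interval == 0:
            for p in cache.sweep(now):
                log.append((now, f"cleared {p}"))
        if now in accesses:
            before = cache.builds
            cache.access("DefaultAuthenticator", now)  # constructed provider name
            log.append((now, "built" if cache.builds > before else "served from memory"))
    return log
```

With Sweep Interval shorter than Time to Live (for example 120 and 300) an access at second 310 is still served from the expired tree, because nothing clears it until the sweep at second 360; a tree built between two sweep ticks lingers the same way even when the two values are equal.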

Locale Language, Locale Country, and Locale Variant

The Locale settings determine how the lists of users and groups are sorted.

A change to any of these values requires that you redeploy your enterprise application or restart the server.

Provider to Add to Build List

To build a hierarchy tree for an available authentication provider in the WebLogic Administration Portal, select the provider, click Add, and click "Update & Build Tree."

Authentication providers must allow read access for a hierarchy tree to be built.

Authentication Providers to Build

Shows the authentication providers for which hierarchy trees are built. When the trees are built is determined by the setting in the "Build Group Hierarchy Trees" field.

To remove a hierarchy tree in the WebLogic Administration Portal for an authentication provider, select the name of the provider you want to remove, click Remove, and click "Update & Build Tree." Providers available for removal are listed in the "Authentication Providers to Build" list.

After you remove hierarchy tree building for a provider, you can still use a text entry field in the WebLogic Administration Portal tools to select users and groups for that provider.

Changes to Authentication Provider Settings

If you make changes to any authentication provider configuration in the WebLogic Server Administration Console (as opposed to changes you make on the Authentication Hierarchy Service page in the WebLogic Administration Portal), be sure to restart the server. Restarting the server prevents exceptions in the WebLogic Administration Portal.
