BEA WebLogic Server Release 5.0

Administering the WebLogic Windows NT security realm

Setting up and configuring NTRealm
Testing NTRealm
Troubleshooting NTRealm
Change history

This document describes how to set up and configure the WebLogic Windows NT security realm (NTRealm) for your WebLogic Server. After installing NTRealm, the WebLogic Server queries a Windows NT domain controller for information on users and groups instead of weblogic.password and weblogic.security.group properties in the weblogic.properties file. Access control lists (ACLs) are still defined in the weblogic.properties file.

Using NTRealm, you can manage users for your organization in one place. You do not have to edit the weblogic.properties file whenever a user joins or leaves. This also means you do not have to restart the WebLogic Server whenever you change a user.

Currently, NTRealm has the following constraints:

  • The WebLogic realm defers to NTRealm for authentication, but not for authorization. Authorization is accomplished with access control lists (ACLs), which are defined in the weblogic.properties file.

  • NTRealm requires that you run the WebLogic Server as an administrative user that can read security-related data from the Windows NT Domain Controller.

  • WebLogic Server must execute on a computer that is a Windows NT Primary Domain Controller. If it runs on a computer that is not a Domain Controller, only users known on that computer can be authenticated.

  • The "system" and "guest" users must be defined in your Windows NT domain.

  • In the WebLogic property file realm, the "everyone" group automatically includes all users. With NTRealm, you must create a Windows NT "everyone" group and add every WebLogic Server user to it. Be sure to add the "system" user to the "everyone" group, or the WebLogic Server will fail at startup because the "system" user will not have permissions granted to "everyone" by default.

  • The NTRealm retrieves group names from the Windows NT domain once at startup. Groups added after the WebLogic Server starts are not recognized until the WebLogic Server is restarted.

  • Although NTRealm extends WLPropertyRealm, which is a ManageableRealm, methods that add, remove, or modify realm users and groups are not currently supported.

Since the WebLogic Server reads ACLs from the weblogic.properties file at startup time, you must restart the WebLogic Server after you change an ACL. If you use groups with your ACLs, however, you can avoid having to restart as often. Changing Windows NT group membership allows you to manage individual users' access to WebLogic Server resources dynamically.

Setting up the WebLogic Windows NT realm

  1. Edit the ntrealm.properties file, which you will find in the classes/weblogic/security/ntrealm directory.

    You can save the edited file in the WebLogic home directory (the directory where you start the server). NTRealm first looks for the file in the WebLogic home directory, and, if it is not found there, in the classes/weblogic/security/ntrealm directory. The ntrealm.properties file contains a single property that specifies the Windows NT Primary Domain Controller. The Primary Domain Controller is the computer where users and groups are defined for the domain. Here is an example that defines computer "hudson" in domain "domainj.com" as the Primary Domain Controller:

      weblogic.security.ntrealm.domain=hudson.domainj.com

    You can set the property to "." if the local computer (where the WebLogic Server executes) is the Primary Domain Controller.

  2. Add the following property to your weblogic.properties file:
      weblogic.security.realmClass=\
          weblogic.security.ntrealm.NTRealm

  3. To access user and group information, the WebLogic Server must be able to make system calls on the Windows NT computer where the WebLogic Server is running. To verify that this is true:

    1. Log into Windows NT with an Administrator account.
    2. Start User Manager, which is in the Administrative Tools program group.
    3. Select the user that will run the WebLogic Server.
    4. Choose User Rights from the Policies menu.
    5. Check the Show Advanced User Rights checkbox.
    6. Select Act as part of the operating system from the Rights list.
    7. Click the Add button and enter the name of the user under whose account the WebLogic Server will execute.

  4. Make sure that your PATH environment variable includes the weblogic\bin directory. The WebLogic Server loads Wlntrealm.dll from this directory.

  5. Start the WebLogic Server.

Testing NTRealm

After you have started up the WebLogic Server with NTRealm installed, you can perform the following checks to test that it is working properly.

  1. Load the T3AdminRealm servlet in a browser. This servlet displays information about the realm the WebLogic Server is using, and it lists all known users, groups, and ACLs. Load the servlet using a URL like this:
      http://localhost:7001/T3AdminRealm

    The default weblogic.properties file sets an ACL that allows only the "system" user to execute the T3AdminRealm servlet.

  2. Display the realm in the WebLogic Console. The Console displays all the users and ACLs known in the realm.

  3. Add an ACL to your weblogic.properties file for the helloWorld example servlet. First find the weblogic.httpd.register property for the helloWorld servlet and make sure that it is uncommented. Add the following property:
    weblogic.allow.execute.weblogic.servlet.helloWorld=\
        username,groupname

    Replace username with the name of a user in your Windows NT domain. Replace groupname with the name of a group in your Windows NT domain -- but select a group that does not include username.

    Restart the WebLogic Server and then load the helloWorld servlet with a URL like this:

      http://localhost:7001/helloWorld

    Try entering the name and password for a Windows NT user who is not included in the ACL you added for the servlet. You should get a message telling you that you are not authorized.

    Try entering the name and password of a Windows NT user who you did include in the ACL, either as an individual or a member of the group. The servlet should load and display the "Hello World" message.
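The following Python script is an added illustration, not BEA code, of the split the document describes: authentication and group membership come from the Windows NT domain (stood in for here by constructed user and group tables), while the weblogic.allow.* ACLs come from weblogic.properties. It parses a constructed properties fragment in the format shown above (including backslash line continuations), evaluates an ACL for a user directly or through a group, and checks the "everyone" constraint that every user must be added to the NT "everyone" group. All names and data are example values.

```python
import re

# Constructed stand-in for what NTRealm would read from the Primary Domain
# Controller; not a real domain query, example data only.
NT_USERS = {"weblogic", "pcuser", "system", "guest", "Administrator"}
NT_GROUPS = {
    "everyone": {"weblogic", "pcuser", "system", "guest", "Administrator"},
    "Users": {"weblogic", "pcuser"},
    "Administrators": {"Administrator"},
}

# Constructed weblogic.properties fragment in the format the document shows.
WEBLOGIC_PROPERTIES = r"""
weblogic.security.realmClass=\
    weblogic.security.ntrealm.NTRealm
weblogic.allow.execute.weblogic.servlet.helloWorld=\
    weblogic,Administrators
weblogic.allow.execute.weblogic.servlet.T3AdminRealm=system
"""

# weblogic.allow.<permission>.<resource>=principal[,principal...]
ACL_KEY = re.compile(r"^weblogic\.allow\.(?P<perm>[^.]+)\.(?P<resource>.+)$")


def parse_properties(text):
    """Parse key=value lines, joining lines that end in a backslash continuation."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        full = pending + line
        pending = ""
        key, _, value = full.partition("=")
        props[key.strip()] = value.strip()
    return props


def parse_acls(props):
    """Return {(permission, resource): set(principals)} from weblogic.allow.* keys."""
    acls = {}
    for key, value in props.items():
        m = ACL_KEY.match(key)
        if m:
            principals = {p.strip() for p in value.split(",") if p.strip()}
            acls[(m.group("perm"), m.group("resource"))] = principals
    return acls


def is_allowed(acls, groups, user, perm, resource):
    """Authorize the way the ACL check works: the user is named in the ACL
    directly, or is a member of a group the ACL names. No ACL means no access."""
    principals = acls.get((perm, resource), set())
    if user in principals:
        return True
    return any(user in groups.get(g, set()) for g in principals)


def users_missing_from_everyone(users, groups):
    """With NTRealm 'everyone' is an ordinary NT group; report users not in it
    (the 'system' user being absent is the startup failure the document warns about)."""
    return set(users) - groups.get("everyone", set())


if __name__ == "__main__":
    acls = parse_acls(parse_properties(WEBLOGIC_PROPERTIES))
    res = "weblogic.servlet.helloWorld"
    for user in ("weblogic", "Administrator", "pcuser"):
        print(user, "execute", res, "->", is_allowed(acls, NT_GROUPS, user, "execute", res))
    # Changing NT group membership changes access without touching the ACL:
    groups = {g: set(m) for g, m in NT_GROUPS.items()}
    groups["Administrators"].add("pcuser")
    print("pcuser after joining Administrators ->", is_allowed(acls, groups, "pcuser", "execute", res))
    print("users missing from everyone:", users_missing_from_everyone(NT_USERS, NT_GROUPS))
```

The last part of the script mirrors the point made under the constraints: editing the ACL requires a server restart, but adding or removing a domain user from a group the ACL names takes effect on the next membership lookup without re-reading weblogic.properties.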

Troubleshooting NTRealm

Diagnosing an NTRealm startup failure
  1. The most common configuration problem with NTRealm has to do with Windows NT policies and group membership for the "system" user and the user whose account runs the WebLogic Server.

    • You must add the "system" user and then add the "system" user to the "everyone" group.
    • The user account that runs the WebLogic Server requires special permissions in order to access the Windows NT domain. The steps for granting this permission are in the configuration instructions.

  2. You can execute the weblogic.security.ntrealm.NTDelegate class to find out if NTRealm is connecting to the Windows NT domain controller. Execute the class in the WebLogic Server startup directory, with the same PATH and CLASSPATH you use for the WebLogic Server:
     java weblogic.security.ntrealm.NTDelegate username password [domain]

    username
    The Windows NT user whose account executes the WebLogic Server.

    password
    Password for username.

    domain
    (optional) The Primary Domain Controller for the Windows NT domain. This is the hostname of the computer where Windows NT users and groups are defined. If omitted, the default is the current computer.

    Here is an example, using the Windows NT "weblogic" user with password "gumby1234":

      $ java weblogic.security.ntrealm.NTDelegate weblogic gumby1234

    The example above prints results similar to the following. The comments (the lines beginning with //) are not part of the output:

      auth ? true // User is authorized to make system calls 
      // Windows NT users in this domain
      enum users: 
         #1 'Administrator'
         #2 'Guest'
         #3 'pcuser'
         #4 'weblogic'
         #5 'system'
      // Windows NT groups in this domain
      enum groups: 
         #1 'Administrators'
         #2 'Backup Operators'
         #3 'Guests'
         #4 'Power Users'
         #5 'Replicator'
         #6 'Users'
         #7 'everyone'
      // Groups this user (weblogic) belongs to
      enum groups for user: weblogic
         #1 'everyone'
         #2 'Users'
      // "true" if user belongs to the 'Administrators' group
      is user weblogic an Administrator? false
      done

    If the first line ("auth ?") is not "true," then the Windows NT user you logged in with does not have permission to execute the required system calls.
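The following Python script is an added example, not part of the BEA documentation or product, that turns the troubleshooting checklist above into an automated check: it parses NTDelegate output of the shape shown (the sample text is constructed to match it) and reports which prerequisites fail: the "auth ?" result, the presence of the "system" and "guest" users, the presence of an "everyone" group, and whether the user that ran NTDelegate is a member of "everyone". The "everyone" membership check applies to whichever user was passed on the command line; to confirm that the "system" user is in "everyone", run NTDelegate with the "system" account and feed that output to the script.

```python
import re

# Constructed sample in the shape of the NTDelegate output shown in the document.
SAMPLE_OUTPUT = """\
auth ? true
enum users: 
   #1 'Administrator'
   #2 'Guest'
   #3 'pcuser'
   #4 'weblogic'
   #5 'system'
enum groups: 
   #1 'Administrators'
   #2 'Backup Operators'
   #3 'Guests'
   #4 'Power Users'
   #5 'Replicator'
   #6 'Users'
   #7 'everyone'
enum groups for user: weblogic
   #1 'everyone'
   #2 'Users'
is user weblogic an Administrator? false
done
"""

# One enumerated item:   #3 'pcuser'
ITEM = re.compile(r"^#\d+\s+'(?P<name>[^']*)'$")


def parse_ntdelegate(text):
    """Split NTDelegate output into the auth flag and the three enumerations."""
    result = {"auth": None, "users": [], "groups": [], "user": None, "user_groups": []}
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("auth ?"):
            result["auth"] = s.split("?", 1)[1].strip().lower() == "true"
        elif s.startswith("enum users"):
            section = "users"
        elif s.startswith("enum groups for user:"):
            result["user"] = s.split(":", 1)[1].strip()
            section = "user_groups"
        elif s.startswith("enum groups"):
            section = "groups"
        else:
            m = ITEM.match(s)
            if m and section:
                result[section].append(m.group("name"))
    return result


def ntrealm_startup_checks(parsed):
    """Return (description, passed) pairs for the NTRealm prerequisites the document lists.
    Windows NT account and group names are compared case-insensitively."""
    users = {u.lower() for u in parsed["users"]}
    groups = {g.lower() for g in parsed["groups"]}
    user_groups = {g.lower() for g in parsed["user_groups"]}
    who = parsed["user"] or "<unknown>"
    return [
        ("account may make the required system calls (auth ? true)", parsed["auth"] is True),
        ("'system' user is defined in the domain", "system" in users),
        ("'guest' user is defined in the domain", "guest" in users),
        ("'everyone' group is defined in the domain", "everyone" in groups),
        ("user %s is a member of 'everyone'" % who, "everyone" in user_groups),
    ]


def failed_checks(parsed):
    """Names of the checks that did not pass; an empty list means the output looks healthy."""
    return [name for name, ok in ntrealm_startup_checks(parsed) if not ok]


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    parsed = parse_ntdelegate(text)
    for name, ok in ntrealm_startup_checks(parsed):
        print("[%s] %s" % ("ok" if ok else "FAIL", name))
```

Pipe real NTDelegate output into the script (for example `java weblogic.security.ntrealm.NTDelegate weblogic gumby1234 | python check_ntrealm.py`, where the script file name is my own choice); with no input on stdin it runs against the embedded sample.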

  3. You can start the WebLogic Server with a system property set to display NTRealm debugging messages. Use the command line described in the command line examples and add the following option:
     $  ...  -Dweblogic.security.ntrealm.verbose=true ...

    Then watch the log for NTRealm: messages. The messages may help you determine the cause of the failure.

    Warning: When weblogic.security.ntrealm.verbose is "true", sensitive information, including passwords, is written to the WebLogic Server log. Make sure that you do not enable this property in a production environment.

Change history

Release 4.5

Initial release.


Copyright © 2000 BEA Systems, Inc. All rights reserved.
Last updated 07/22/1999