BEA WebLogic Server Release 6.1

J2EE Connector Architecture

Security

 

The following sections discuss WebLogic J2EE Connector Architecture security:

  Container-Managed and Application-Managed Sign-on
  Security Principal Map
  Password Converter Tool

Container-Managed and Application-Managed Sign-on

As specified in the J2EE Connector Specification, Version 1.0, Proposed Final Draft 2, the WebLogic J2EE Connector Architecture implementation supports both container-managed and application-managed sign-on.

At runtime, the WebLogic J2EE Connector Architecture implementation determines the chosen sign-on mechanism based upon the information specified in the invoking client component's deployment descriptor. If the WebLogic Server J2EE Connector Architecture implementation is unable to determine what sign-on mechanism the client component is requesting (typically because of an improper JNDI lookup of the resource adapter Connection Factory), the Connector Architecture attempts container-managed sign-on.

Note: Even in this case, if the client component has specified explicit security information, that information is also presented on the call to obtain the connection.

For related information, see Obtaining the ConnectionFactory (Client-JNDI Interaction) in Client Considerations.

Application-Managed Sign-on

With application-managed sign-on, the client component provides the necessary security information (typically a username and password) when making the call to obtain a connection to an Enterprise Information System (EIS). In this scenario, the application server performs no additional security processing other than passing this information along on the request for the connection. The provided resource adapter uses the security information supplied by the client component to perform the EIS sign-on in a manner specific to the resource adapter implementation.

Container-Managed Sign-on

With container-managed sign-on, the client component does not present any security information, and the container must determine the necessary sign-on information and provide this information to the resource adapter when making a call to request a connection. In all container-managed sign-on scenarios, the container must determine an appropriate Resource Principal and provide this Resource Principal information to the resource adapter in the form of a Java Authentication and Authorization Service (JAAS) Subject.

 


Security Principal Map

The "EIS Sign-on" section of the J2EE Connector Specification, Version 1.0, Proposed Final Draft 2 (http://java.sun.com/j2ee/download.html#connectorspec) identifies a number of possible options for defining a Resource Principal on whose behalf the sign-on is being performed. The WebLogic Server implementation implements the Security Principal Map option identified in the specification.

Under this option, a resource principal is determined by mapping from the identity of the initiating/caller principal for the invoking component. The resultant resource principal does not inherit the identity or security attributes of the principal that it is mapped from, but instead gets its identity and security attributes (password) based upon the defined mapping.

Therefore, in order to enable and use container-managed sign-on, WebLogic Server must provide a mechanism to specify the initiating-principal to resource-principal association. WebLogic Server does this through a Security Principal Map that can be defined for each deployed resource adapter.

If container-managed sign-on is requested by the client component and no Security Principal Map is configured for the deployed resource adapter, an attempt is made to obtain the connection, but the JAAS Subject provided to the resource adapter will be null. Whether this scenario is supported depends on the resource adapter implementation.

A scenario in which omitting configuration of a Security Principal Map might be considered valid is the case in which a resource adapter internally obtains all of its EIS connections with a hard-coded and pre-configured set of security information, and therefore does not depend on the security information passed to it on requests for new connections. (In a sense, this is a third scenario, outside of application-managed sign-on and container-managed sign-on.)

While the defined connection management system contracts define how security information is exchanged between WebLogic Server and the provided resource adapter, the determination of whether to use container-managed sign-on or application-managed sign-on is based on deployment information defined for the client application that is requesting a connection. For more information on how a connection management system contract is specified, see Client Considerations.

For more information on how client components specify the sign-on mechanism, see the "Application Programming Model" section of the "Connection Management" chapter in the J2EE Connector Specification, Version 1.0, Proposed Final Draft 2 (http://java.sun.com/j2ee/download.html#connectorspec).

For more information on the J2EE Connector Architecture application security model, see the "Application Security Model" of the same document.

Using Container-Managed Sign-On

To use container-managed sign-on, WebLogic Server must identify a resource principal and then request the connection on behalf of the resource principal. In order to make this identification, WebLogic Server looks for a Security Principal Mapping specified with the security-principal-map element in the weblogic-ra.xml deployment descriptor file.

A security-principal-map element defines the mapping from an initiating-principal to a resource-principal.

Each security-principal-map element provides a mechanism to define appropriate resource principal values for resource adapter and EIS sign-on processing. The security-principal-map elements allow you to specify a defined set of initiating principals and the corresponding resource principal's username and password to be used when allocating managed connections and connection handles.

Default Resource Principal

A default resource principal can be defined for the connection factory in the security-principal-map element. If you specify an initiating-principal value of '*' and a corresponding resource-principal value, the defined resource-principal is utilized whenever the current identity is not matched elsewhere in the map.

This element is optional; however, you must specify it in some form if container-managed sign-on is supported by the resource adapter and used by any client.

In addition, the deployment-time population of the Connection Pool with Managed Connections is attempted using the defined 'default' resource principal if one is specified.

For instructions on configuring the J2EE Connector Architecture security-principal-map and associating it with the deployed .rar (resource adapter), refer to Configuring the Security Principal Map in Configuration.
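To show how the Security Principal Map described above is consulted during container-managed sign-on, here is an added Python example (not WebLogic code) that parses a constructed weblogic-ra.xml fragment and resolves an initiating principal to its resource principal, falling back to the '*' default entry and returning None wherever the server would hand the resource adapter a null JAAS Subject. Only security-principal-map, initiating-principal and resource-principal are element names taken from this page; map-entry, resource-username and resource-password are assumed names.

```python
import xml.etree.ElementTree as ET

# Constructed sample weblogic-ra.xml fragment, not from any real deployment.
# security-principal-map, initiating-principal and resource-principal are the
# element names on the page; map-entry, resource-username, resource-password
# are assumed child element names.
SAMPLE_WEBLOGIC_RA_XML = """<weblogic-connection-factory-dd>
  <security-principal-map>
    <map-entry>
      <initiating-principal>alice</initiating-principal>
      <resource-principal>
        <resource-username>eis_alice</resource-username>
        <resource-password>alice-eis-secret</resource-password>
      </resource-principal>
    </map-entry>
    <map-entry>
      <initiating-principal>*</initiating-principal>
      <resource-principal>
        <resource-username>eis_guest</resource-username>
        <resource-password>guest-eis-secret</resource-password>
      </resource-principal>
    </map-entry>
  </security-principal-map>
</weblogic-connection-factory-dd>
"""


def load_principal_map(descriptor_xml):
    """Parse the security-principal-map; None when the descriptor has none."""
    root = ET.fromstring(descriptor_xml)
    spm = root.find("security-principal-map")
    if spm is None:
        return None  # no map configured at all
    mapping = {}  # initiating principal -> (resource username, password)
    for entry in spm.findall("map-entry"):
        initiating = entry.findtext("initiating-principal", "").strip()
        rp = entry.find("resource-principal")
        if not initiating or rp is None:
            continue  # ignore malformed entries instead of mapping to nothing
        mapping[initiating] = (rp.findtext("resource-username", "").strip(),
                               rp.findtext("resource-password", ""))
    return mapping


def resolve_resource_principal(principal_map, initiating_principal):
    """Exact entry first, then the '*' default; None means a null Subject."""
    if principal_map is None:
        return None
    return principal_map.get(initiating_principal, principal_map.get("*"))
```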

 


Password Converter Tool

Because BEA understands the importance of protecting security passwords, it provides a converter tool that can encrypt all passwords present in the weblogic-ra.xml file.

For more information, refer to Configuring the Security Principal Map, in Configuration.
