Administration Console Online Help

Authentication Mechanism --> Configuration

Tasks     Additional Documentation     Attributes

Overview

Password Credential Mapping Mechanism

The J2EE Connector Specification, Version 1.0 Final Release defines two types of credentials that resource adapters can support: password credentials and generic credentials. In the previous release of WebLogic Server, you specified your password credentials in the security-principal-map element in the weblogic-ra.xml deployment descriptor file. The security-principal-map element was provided to map between the initiating principal and resource principal. BEA also provided a Password Converter Tool for encrypting the password stored in the security-principal-map element.

The storage of user names and passwords for principal maps in weblogic-ra.xml is not the most elegant nor secure storage mechanism. As a result, the security-principal-map element and Password Converter Tool have been deprecated in this release of WebLogic Server. The principal map has been moved from the security-principal-map to an internal WebLogic Server storage mechanism (a directory server).

The J2EE Connector specification, Version 1.0 Final Release requires storage of credentials in a javax.security.auth.Subject; the credentials are passed to either the createManagedConnection() or matchManagedConnection() methods of the ManagedConnectionFactory object.

WebLogic Server users must be authenticated whenever they request access to a protected WebLogic Server resource. For this reason, each user is required to provide a credential (a username/password pair or a digital certificate) to WebLogic Server. The following types of authentication mechanisms are supported by WebLogic Server:

• Password authentication—a user ID and password are requested from the user and sent to WebLogic Server in clear text. WebLogic Server checks the information and if it is trustworthy, grants access to the protected resource.

  The SSL (or HTTPS) protocol can be used to provide an additional level of security to password authentication. Because the SSL protocol encrypts the data transferred between the client and WebLogic Server, the user ID and password of the user do not flow in the clear. Therefore, WebLogic Server can authenticate the user without compromising the confidentiality of the user's ID and password.

• Certificate authentication—when an SSL or HTTPS client request is initiated, WebLogic Server responds by presenting its digital certificate to the client. The client then verifies the digital certificate and an SSL connection is established. The CertAuthenticator class then extracts data from the client's digital certificate to determine which WebLogic Server User owns the certificate and then retrieves the authenticated User from the WebLogic Server security realm.

  You can also use mutual authentication. In this case, WebLogic Server not only authenticates itself, it also requires authentication from the requesting client. Clients are required to submit digital certificates issued by a trusted certificate authority. Mutual authentication is useful when you must restrict access to trusted clients only. For example, you might restrict access by accepting only clients with digital certificates provided by you.

Tasks

Configuring Resource Adapters (Connectors) for Deployment

Deploying Resource Adapters (Connectors)

Viewing Deployed Resource Adapters (Connectors)

Undeploying Deployed Resource Adapters (Connectors)

Updating Deployed Resource Adapters (Connectors)

Getting Started

Viewing Leaked Connections

Viewing Idle Connections

Deleting Connections

Deleting a Connector

Editing Connector Deployment Descriptors

Additional Documentation

(Requires an Internet connection.)

See "Security" in Programming the WebLogic Server J2EE Connector Architecture.

Attributes