
Administration Console Online Help

Security Realm-->General


Overview

A security realm provides all the auditing, authentication, authorization, credential mapping, and role mapping services to a WebLogic Server deployment. You can configure multiple security realms within a single WebLogic Server deployment. Use this page to configure a new security realm.

Only one security realm is designated as the default security realm. If you want your newly configured security realm to be the default security realm, click the View Domain-Wide Security Settings link on the General page on the Domain node. Then click the General tab. For more information, see Changing the Default Security Realm.

For any security realm to be valid, configure each of the following types of security providers (in any order):

At least one Authorization, Credential Mapping, and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider, DeployableCredentialProvider, and DeployableRoleProvider Security Service Provider Interface (SSPI), respectively. These SSPIs allow the providers to store (rather than retrieve) information from deployment descriptors.

To give you control over performance, the WebLogic Server Administration Console requires you to specify how the WebLogic Security Service should perform security checks. You specify this preference using the Check Roles and Policies attribute on the security realm.

When the Check Roles and Policies setting is Web Applications and EJBs Protected in DD, the WebLogic Security Service performs security checks only on URL and EJB resources that have security specified in their associated deployment descriptors (DDs). This is the default Check Roles and Policies setting.

When the Check Roles and Policies setting is All Web Applications and EJBs, the WebLogic Security Service performs security checks on all URL (Web) and EJB resources, regardless of whether there are any security settings in the deployment descriptors (DDs) for these WebLogic resources. If you change the value of the Check Roles and Policies drop-down menu to All Web Applications and EJBs, you also need to specify what the WebLogic Security Service should do when the URL or EJB resource is redeployed.

If you select All Web Applications and EJBs in the Check Roles and Policies drop-down menu, you also need to tell WebLogic Server which technique you want to use to secure these URL (Web) and EJB resources. You specify this preference using the Future Redeploys attribute.

You should set the value of the Future Redeploys drop-down menu as follows:

For more information, see Securing WebLogic Resources.

It is important to understand that once information from a weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which will happen if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), the data will once again be imported from the weblogic-ra.xml deployment descriptor file and credential mapping information may be lost.

To avoid overwriting new credential mapping information with old information in a weblogic-ra.xml deployment descriptor file, enable the Ignore Security Data in Deployment Descriptors attribute.

The Web resource is deprecated in WebLogic Server 7.0 SP02. If you wrote a custom Authorization provider that uses the Web resource (instead of the URL resource), enable the Use Deprecated Web Resource attribute. This attribute changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.

To improve the performance of a WebLogic or LDAP Authentication provider, you can increase the settings of the cache used by the WebLogic Principal Validation provider as appropriate. The Principal Validator cache used by the WebLogic Principal Validation provider caches signed WLSAbstractPrincipals. The following attributes are used to define settings for the Principal Validator cache:

Tasks

Changing the Default Security Realm

Related Topics

Introduction to WebLogic Security

Managing WebLogic Security

Securing WebLogic Resources

Programming WebLogic Security

Developing Security Providers for WebLogic Server

Securing a Production Environment

The Security topics in the WebLogic Server 8.1 Upgrade Guide

Security FAQ

The Security page in the WebLogic Server documentation

 
