Managing WebLogic Security
This section explains how to create credential maps that allow Enterprise Information System (EIS) users to access protected WebLogic Resources.
Note: This chapter applies to WebLogic Server deployments using the security features in this release of WebLogic Server as well as deployments using Compatibility Security.
Single sign-on allows user information to be propagated from an EIS to WebLogic Server so that users are not required to authenticate themselves multiple times as they access WebLogic Server resources. Resource adapters defined by the J2EE Connector Architecture can acquire the credentials necessary to authenticate users defined in an EIS when they request access to a protected WebLogic resource. The container in WebLogic Server that hosts resource adapters can retrieve the appropriate set of credentials for the WebLogic resource using a credential map. A credential map creates an association between a user in a WebLogic Server security realm and an identity (a username and password combination) used to authenticate that user in an EIS such as an Oracle database, a SQL server, or an SAP application.
Creating a credential map is a two-step process:
For more information about using security in resource adapters, see the Security topic in Programming WebLogic J2EE Connectors.
WebLogic Server provides two techniques for creating credential maps: deployment descriptors (deprecated) and the WebLogic Server Administration Console. The following sections describe both techniques.
Credential maps can be specified in the <security-principal-map> element of the weblogic-ra.xml deployment descriptor file. The <security-principal-map> element provides the association between the credentials used to log in to the EIS and the credentials used to authenticate to WebLogic resources. The deployment descriptor technique for creating credential maps is deprecated in this release of WebLogic Server. Instead, use the WebLogic Server Administration Console to create credential maps. For more information, see Using the WebLogic Administration Console to Create Credential Maps.
If you deployed a resource adapter that has a weblogic-ra.xml deployment descriptor file containing a defined <security-principal-map> element, BEA recommends importing the data into the embedded LDAP server, where it can be used by the WebLogic Credential Mapping provider.
To import the information from the weblogic-ra.xml deployment descriptor file into the embedded LDAP server, enable the Credential Mapping Deployment Enabled attribute on the Credential Mapping provider in the default (active) security realm. When the resource adapter is deployed, the credential map information is loaded into the Credential Mapping provider.
In order to support the Credential Mapping Deployment Enabled attribute, a Credential Mapping provider must implement the DeployableCredentialProvider SSPI. By default, the WebLogic Credential Mapping provider has this attribute enabled. Therefore, information from a weblogic-ra.xml deployment descriptor file is automatically loaded into the WebLogic Credential Mapping provider when the resource adapter is deployed.
It is important to understand that once information from a weblogic-ra.xml deployment descriptor file is loaded into the embedded LDAP server, the weblogic-ra.xml file in the original resource adapter remains unchanged. Therefore, if you redeploy the original resource adapter (which happens if you redeploy it through the WebLogic Server Administration Console, modify it on disk, or restart WebLogic Server), the data is once again imported from the weblogic-ra.xml deployment descriptor file, and credential mapping information you created or changed in the Administration Console since the previous import may be lost.
To avoid overwriting new credential mapping information with old information in a weblogic-ra.xml deployment descriptor file, enable the Ignore Security Data in Deployment Descriptors attribute:
weblogic-ra.xml deployment descriptor file.
After performing the preceding procedure, BEA Systems recommends modifying the weblogic-ra.xml deployment descriptor file to remove the <security-principal-map> element, so that the plaintext EIS passwords it carries no longer travel with the resource adapter and cannot be re-imported on the next deployment.
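The following script is an added example and is not part of the BEA documentation or of WebLogic Server itself. It audits a weblogic-ra.xml deployment descriptor for the deprecated <security-principal-map> element described above, lists which WebLogic users are mapped to which EIS usernames (without echoing the EIS passwords), and produces a copy of the descriptor with the element removed, which is the cleanup recommended once the mappings have been imported into the embedded LDAP server. The nesting it assumes (<security-principal-map> containing <map-entry> elements, each with an <initiating-principal> and a <resource-principal> holding <resource-username> and <resource-password>) is the author's reading of the WebLogic 8.1 weblogic-ra.xml DTD and should be checked against the DTD shipped with your release; the sample descriptor, its JNDI name, user names and passwords are constructed for the example.

```python
"""Audit and clean the deprecated <security-principal-map> element in a
WebLogic Server weblogic-ra.xml deployment descriptor.

Added example, not BEA documentation or WebLogic Server code.  The child
element names below (map-entry, initiating-principal, resource-principal,
resource-username, resource-password) are assumed from the WebLogic 8.1
weblogic-ra.xml DTD; verify them against the DTD for your release.
"""
import xml.etree.ElementTree as ET

# Constructed sample descriptor.  The connection factory, JNDI name, user
# names and passwords are invented for this example.
SAMPLE_WEBLOGIC_RA_XML = """<?xml version="1.0"?>
<weblogic-connection-factory-dd>
  <connection-factory-name>SampleEISFactory</connection-factory-name>
  <jndi-name>eis/SampleConnectionFactory</jndi-name>
  <security-principal-map>
    <map-entry>
      <initiating-principal>alice</initiating-principal>
      <resource-principal>
        <resource-username>eis_alice</resource-username>
        <resource-password>changeit</resource-password>
      </resource-principal>
    </map-entry>
    <map-entry>
      <initiating-principal>*</initiating-principal>
      <resource-principal>
        <resource-username>eis_default</resource-username>
        <resource-password>changeit2</resource-password>
      </resource-principal>
    </map-entry>
  </security-principal-map>
</weblogic-connection-factory-dd>
"""


def find_principal_maps(descriptor_xml):
    """Return (initiating_principal, resource_username) for every <map-entry>
    under a <security-principal-map>.  Passwords are deliberately left out:
    the report shows which WebLogic users are mapped, it does not copy the
    plaintext EIS secrets anywhere else."""
    root = ET.fromstring(descriptor_xml)
    entries = []
    for spm in root.iter("security-principal-map"):
        for entry in spm.findall("map-entry"):
            initiating = (entry.findtext("initiating-principal") or "").strip()
            eis_user = (entry.findtext("resource-principal/resource-username") or "").strip()
            entries.append((initiating, eis_user))
    return entries


def has_plaintext_passwords(descriptor_xml):
    """True if any <resource-password> element carries a non-empty value."""
    root = ET.fromstring(descriptor_xml)
    return any((pw.text or "").strip() for pw in root.iter("resource-password"))


def remove_principal_maps(descriptor_xml):
    """Return (cleaned_xml, removed_count) with every <security-principal-map>
    element detached from its parent.  ElementTree has no parent pointers, so
    the parents are collected first and then each matching child is removed;
    collecting first avoids mutating the tree while iterating over it."""
    root = ET.fromstring(descriptor_xml)
    removed = 0
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "security-principal-map":
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for initiating, eis_user in find_principal_maps(SAMPLE_WEBLOGIC_RA_XML):
        print(f"WebLogic principal {initiating!r} -> EIS user {eis_user!r}")
    if has_plaintext_passwords(SAMPLE_WEBLOGIC_RA_XML):
        print("descriptor carries plaintext EIS passwords; remove after import")
    cleaned, count = remove_principal_maps(SAMPLE_WEBLOGIC_RA_XML)
    print(f"removed {count} <security-principal-map> element(s)")
    print(cleaned)
```

Run it against the weblogic-ra.xml of each deployed resource adapter before enabling Ignore Security Data in Deployment Descriptors: the report tells you which mappings must already exist in the Administration Console so that nothing is lost when the descriptor stops being read, and the cleaned copy is what you repackage into the adapter so the mappings and their passwords leave the deployment artifact.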
You can now use the WebLogic Server Administration Console to create credential maps. If you are using the WebLogic Credential Mapping provider, the credential maps are stored in the embedded LDAP server.
weblogic-ra.xml deployment descriptor files. For more information, see Setting a New Security Realm as the Default (Active) Security Realm.