Skip navigation.

Managing WebLogic Security

  Previous Next vertical dots separating previous/next from contents/index/pdf Contents Index View as PDF   Get Adobe Reader

Using Compatibility Security

The following sections describe how to configure Compatibility security:

Note: Compatibility security is deprecated in this release of WebLogic Server. You should only use Compatibility security while upgrading your WebLogic Server deployment to the security features in this release of WebLogic Server.


Running Compatibility Security: Main Steps

To set up Compatibility security:

  1. Make a backup copy of your 6.x WebLogic domain (including your config.xml file) before using Compatibility security.
  2. Add the following to the 6.x config.xml file if it does not exist:
  3. <Security Name="mydomain" Realm="mysecurity"/>
    <Realm Name=
    "mysecurity" FileRealm="myrealm"/>
    <FileRealm Name="

  4. Install WebLogic Server in a new directory location. Do not overwrite your existing 6.x installation directory. For more information, see Installing WebLogic Platform.
  5. Modify the start script for your 6.x server to point to the new WebLogic Server installation. Specifically, you need to modify:
  6. Use the start script for your 6.x server to boot WebLogic Server.

To verify whether you are correctly running Compatibility security, do the following:

  1. In the WebLogic Server Administration Console, expand the Domain node.
  2. Select the desired WebLogic Server domain (referred to as the domain).
  3. Click the View the Domain Log link.
  4. The following message appears in the log:

    Security initializing using realm CompatibilityRealm

In addition, a CompatibilitySecurity node will appear in the WebLogic Server Administration Console.


The Default Security Configuration in the CompatibilityRealm

By default, the CompatibilityRealm is configured with a Realm Adapter Adjudication provider, a Realm Adapter Authentication provider, a WebLogic Authorization provider, a Realm Adapter Authorization provider, a WebLogic Credential Mapping provider, and a WebLogic Role Mapping provider.


Configuring the Identity Assertion Provider in the Realm Adapter Authentication Provider

The Realm Adapter Authentication provider includes an Identity Assertion provider.The Identity Assertion provider provides backward compatibility for implementations of the class. The identity assertion is performed on X.509 tokens. By default, the Identity Assertion provider is not enabled in the Realm Adapter Authentication provider.

To enable identity assertion in the Realm Adapter Authentication provider:

  1. Expand the Security-->Realms nodes.
  2. Select the CompatibilityRealm.
  3. Expand the Providers node.
  4. Select Authentication Providers.
  5. Click the Realm Adapter Authenticator link in the Realms table.
  6. The General tab appears.

  7. Enter X.509 in the Active Types list box.
  8. This step enables the use of 6.x Cert Authenticators.

  9. Click Apply.
  10. Reboot WebLogic Server.


Configuring a Realm Adapter Auditing Provider

The Realm Adapter Auditing provider allows you to use implementations of the class when using Compatibility security. In order for the Realm Adapter Auditing provider to work properly, the implementation of the class must have been defined in the Audit Provider class attribute on the Domain-->Security-->Compatibility-->General tab.

To configure a Realm Adapter Auditing provider:

  1. Expand the Compatibility Security-->Realms nodes.
  2. Expand the Providers node.
  3. Select Auditors.
  4. Click Configure a Realm Adapter Auditor... link.
  5. The General tab appears

  6. Click Create to save your changes.
  7. Reboot WebLogic Server.


Protecting User Accounts in Compatibilty Security

Weblogic Server provides a set of attributes to protect user accounts from intruders. By default, these attributes are set for maximum protection. As a system administrator, you have the option of turning off all the attributes, increasing the number of login attempts before a user account is locked, increasing the time period in which invalid login attempts are made before locking the user account, and changing the amount of time a user account is locked. Remember that changing the attributes lessens security and leaves user accounts vulnerable to security attacks.

There are two sets of attributes available to protect user accounts, one set at the domain and one set at the security realm. You may notice that if you set one set of attributes (for example, the attributes for the security realm) and exceed any of the values, the user account is not locked. This happens because the user account attributes at the domain override the user account attributes at the security realm. To avoid this situation, disable the user account attributes at the security realm.

To protect the user accounts in your WebLogic Server domain, perform the following steps:

  1. Expand the Domain node (for example, mydomain).
  2. At the bottom of the General tab, click the View Domain-Wide Security Settings link.
  3. Select the Compatibility-->Passwords tab.
  4. Define the desired attributes on this tab by entering values at the appropriate prompts and selecting the required checkboxes. (For details, see the following table).
  5. Click Apply to save your choices.
  6. Reboot WebLogic Server.

The following table describes each attribute on the Passwords tab.

Table 11-1 Password Protection Attributes



Minimum Password Length

Number of characters required in a password. Passwords must contain a minimum of 8 characters. The default is 8.

Lockout Enabled

Requests the locking of a user account after invalid attempts to log in to that account exceed the specified Lockout Threshold. By default, this attribute is enabled.

Lockout Threshold

Number of failed password entries for a user that can be tried to log in to a user account before that account is locked. Any subsequent attempts to access the account (even if the username/password combination is correct) raise a Security exception; the account remains locked until it is explicitly unlocked by the system administrator or another login attempt is made after the lockout duration period ends. Invalid login attempts must be made within a span defined by the Lockout Reset Duration attribute. The default is 5.

Lockout Duration

Number of minutes that a user's account remains inaccessible after being locked in response to several invalid login attempts within the amount of time specified by the Lockout Reset Duration attribute. In order to unlock a user account, you need to have the unlockuser permission for the weblogic.passwordpolicy. The default is 30 minutes.

Lockout Reset Duration

Number of minutes within which invalid login attempts must occur in order for the user's account to be locked.

An account is locked if the number of invalid login attempts defined in the Lockout Threshold attribute happens within the amount of time defined by this attribute. For example, if the value in this attribute is five minutes and three invalid login attempts are made within a six-minute interval, then the account is not locked. If five invalid login attempts are made within a five-minute period, however, then the account is locked.

The default is 5 minutes.

Lockout Cache Size

Specifies the intended cache size of unused and invalid login attempts. The default is 5.


To disable the user account attributes at the security realm:

  1. Expand the Security-->Realms nodes.
  2. Expand the CompatibilityRealm node.
  3. Select the User Lockout tab.
  4. Uncheck the Lockout Enabled attribute.
  5. Click Apply.
  6. Reboot WebLogic Server.

Warning: If you disable the user lockout attribute at the security realm, you must set the user attributes on the domain otherwise the user accounts will not be protected.


Accessing 6.x Security from Compatibility Security

When using Compatibility security, it is assumed you have an existing config.xml file with a security realm that defines users and groups and ACLs that protect the resources in your WebLogic Server domain. 6.x security management tasks such as configuring a security realm or defining ACLs should not be required therefore those management tasks are not described in this chapter. However, if you corrupt an existing 6.x security realm and have no choice but to restore it, the following 6.x security management tasks are described in the Compatibility Security section of the online help for the WebLogic Server Administration Console:

Warning: Compatibility security provides backward compatibility only and should not be considered a long-term security solution.


Back to Top Previous Next