Administration Console Online Help
WebLogic Identity Assertion Provider --> General
Overview
Use this tab to configure a WebLogic Identity Assertion provider for a security realm.
Note: The Administration Console refers to the WebLogic Identity Assertion provider as the Default Identity Asserter.
JAAS LoginModules seek proof of an entity's identity based on usernames/passwords or identification devices inside the request; identity assertion involves establishing a client's identity through the use of client-supplied tokens that may exist outside of the request. Thus, the function of an Identity Assertion provider is to validate a token and map it to a username. Identity Assertion providers support perimeter authentication by passing tokens in HTTP headers or cookies.
By default, the WebLogic Identity Assertion provider is configured in the default security realm (myrealm). The WebLogic Identity Assertion provider supports identity assertion using X509 certificates and Common Secure Interoperability version 2 (CSIv2).
You can use a Custom Identity Assertion provider instead of the WebLogic Identity Assertion provider. For a Custom Identity Assertion provider to be available in the WebLogic Server Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
When using 2-way SSL, WebLogic Server verifies the digital certificate of the Web browser or Java client when establishing an SSL connection. However, the digital certificate does not identify the Web browser or Java client as a user in the WebLogic Server security realm. If the Web browser or Java client requests a WebLogic Server resource protected by a security policy, WebLogic Server requires the Web browser or Java client to have an identity. The WebLogic Identity Assertion provider allows you to define a user name mapper that maps the digital certificate of a client to a user in a WebLogic Server security realm.
This user name mapper is a class that implements the weblogic.security.providers.authentication.UserNameMapper interface. You can either write your own implementation and configure it in the Administration Console or use the default implementation provided by WebLogic Server.
The WebLogic Identity Assertion provider calls the user name mapper class for the following identity assertion token types:
- X.509 digital certificates passed via the SSL handshake
- X.509 digital certificates passed via CSIv2
- X.501 distinguished names passed via CSIv2
The default user name mapper uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm. For example, the user name mapper can be configured to map a user from the Email attribute of the subject DN (smith@bea.com) to a user in the WebLogic Server security realm (smith).
Use this tab to activate the default user name mapper and specify which attributes in a digital certificate are used to create the username. The attributes on the tab are defined as follows:
- Default User Name Mapper Attribute Type: the attribute of the subject distinguished name (DN) in a digital certificate used to create a username. Valid values are:
  - C: Country code.
  - CN: Common name.
  - E: Email address. (This is the default value.)
  - L: Name of the city or town.
  - O: Organization name.
  - OU: Organization unit name (for example, the name of the division or group within a company).
- Default User Name Mapper Attribute Delimiter: the delimiter that ends the username. The user name mapper uses everything to the left of the delimiter in the attribute value to create the username.
Use the User Name Mapper Class attribute to configure a custom user name mapper. Enter the fully qualified name of the class that implements the weblogic.security.providers.authentication.UserNameMapper interface.
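The mapping rule described above (take one subject DN attribute, keep everything left of the delimiter, so E=smith@bea.com with delimiter "@" yields the user smith) is small enough to model directly. The following Python is an added example and not WebLogic code; it imitates the default user name mapper's behaviour over string-form subject DNs so the effect of the Attribute Type and Attribute Delimiter settings can be tried offline. The sample DN strings and the EMAILADDRESS alias handling are assumptions made for the example.

```python
"""Default-style user name mapping from a certificate subject DN.

Added example, not WebLogic code. It mimics the behaviour the help text
describes for the default user name mapper: pick one attribute of the
subject DN (Default User Name Mapper Attribute Type) and keep everything
to the left of the delimiter (Default User Name Mapper Attribute Delimiter).
"""
import re
from typing import Dict, Optional

# Attribute types the help page lists for the default mapper.
VALID_ATTRIBUTE_TYPES = {"C", "CN", "E", "L", "O", "OU"}

# Assumption: some toolkits print the e-mail RDN as EMAILADDRESS rather
# than E; both spellings are folded to "E" here.
_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E"}


def parse_subject_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated subject DN into a {TYPE: value} map.

    Backslash-escaped commas inside values are preserved. The first
    occurrence of a type wins, so a DN carrying the same type twice
    cannot silently override an earlier value.
    """
    attrs: Dict[str, str] = {}
    # Split on commas that are not preceded by a backslash.
    for rdn in re.split(r"(?<!\\),", dn):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        key = key.strip().upper()
        key = _ALIASES.get(key, key)
        value = value.strip().replace("\\,", ",")
        attrs.setdefault(key, value)
    return attrs


def map_dn_to_username(dn: str, attribute_type: str = "E",
                       delimiter: str = "@") -> Optional[str]:
    """Return the realm user name derived from `dn`, or None if no mapping exists.

    attribute_type and delimiter correspond to the two console attributes;
    the defaults ("E" and "@") are the ones the help page gives.
    """
    attribute_type = attribute_type.upper()
    if attribute_type not in VALID_ATTRIBUTE_TYPES:
        raise ValueError(f"unsupported attribute type: {attribute_type}")
    value = parse_subject_dn(dn).get(attribute_type)
    if not value:
        # Attribute absent: the token cannot be mapped, so the assertion
        # yields no user and must be treated as a failed login.
        return None
    # Everything to the left of the delimiter becomes the user name; when
    # the delimiter is empty or absent, the whole attribute value is used.
    username = value.split(delimiter, 1)[0] if delimiter else value
    return username or None


# Constructed sample DNs (not taken from the page).
SAMPLE_DNS = [
    "E=smith@bea.com, CN=John Smith, OU=Engineering, O=BEA, L=San Jose, C=US",
    "CN=svc-batch, OU=Ops, O=Example Corp, C=US",            # no E attribute
    "EMAILADDRESS=jones@example.com, CN=Jones\\, Mary, O=Example Corp",
]

if __name__ == "__main__":
    for sample in SAMPLE_DNS:
        print(f"{sample}\n  E/@ -> {map_dn_to_username(sample)!r}"
              f"   CN/space -> {map_dn_to_username(sample, 'CN', ' ')!r}")
```

Two points worth noticing when running it: a certificate whose subject lacks the configured attribute maps to no user at all, and the mapped name is only the local part of the e-mail address, so the realm user a certificate resolves to depends entirely on which certificate authorities the server is configured to trust.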
Tasks
- Configuring an Authentication Provider: Main Steps
- Configuring a WebLogic Identity Assertion Provider
Related Topics
- Introduction to WebLogic Security
- Managing WebLogic Security
- Programming WebLogic Security
- Developing Security Providers for WebLogic Server
- Securing a WebLogic Server Deployment
- Upgrading Security in WebLogic Server Version 6.x to WebLogic Server Version 7.0
- Security FAQ
- The Security page in the WebLogic Server documentation
Attributes
Table 1-11

| Attribute Label | Description | Value Constraints |
|---|---|---|
| Name | The name of this configuration. WebLogic Server uses an MBean to implement and persist the configuration. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Name | |
| Description | A short description of the WebLogic Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Description | Default: "WebLogic Identity Assertion provider" |
| Version | The version number of the WebLogic Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: Version | Default: "1.0" |
| User Name Mapper Class Name | The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: UserNameMapperClassName | |
| Use Default User Name Mapper | Uses the user name mapping class provided by WebLogic. The default user name mapping class only validates that a certificate has not expired. If you require additional validation, you need to write your own user name mapping class. Writing your own user name mapping class also allows you to specify what attribute in the subject DN of the certificate is used to map to the user name. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: UseDefaultUserNameMapper | Default: new java.lang.Boolean(false). Valid values: |
| Default User Name Mapper Attribute Type | The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: DefaultUserNameMapperAttributeType | Default: "E" |
| Default User Name Mapper Attribute Delimiter | The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: DefaultUserNameMapperAttributeDelimiter | Default: "@" |
| Trusted Client Principals | The list of trusted client principals to use in CSIv2 identity assertion. The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invocation is rejected. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: TrustedClientPrincipals | |
| Supported Types | The list of token types supported by the Identity Assertion provider. To see a list of default token types, refer to the Javadoc for weblogic.security.spi.IdentityAsserter. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: SupportedTypes | Default: new String[] { weblogic.security.spi.IdentityAsserter.AU_TYPE, weblogic.security.spi.IdentityAsserter.X509_TYPE, weblogic.security.spi.IdentityAsserter.CSI_PRINCIPAL_TYPE, weblogic.security.spi.IdentityAsserter.CSI_ANONYMOUS_TYPE, weblogic.security.spi.IdentityAsserter.CSI_X509_CERTCHAIN_TYPE, weblogic.security.spi.IdentityAsserter.CSI_DISTINGUISHED_NAME_TYPE } |
| Active Types | Specifies which token types are currently being used by the Identity Assertion provider. MBean: weblogic.security.providers.authentication.DefaultIdentityAsserterMBean; Attribute: ActiveTypes | |