
Administration Console Online Help


Domain: Security: General


This page allows you to define the general security settings for this WebLogic Server domain. Use this page to change the default security realm for the WebLogic domain.

Configuration Options

Name Description
Default Realm

Select the security realm that should be used as the default (active) realm for this WebLogic Server domain.

All available security realms are listed on the pull-down menu. If you configure a new security realm but do not configure all of the required security providers, the security realm will not be available from the pull-down menu. For a security realm to be valid, you must configure an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, and a Role Mapping provider.

Anonymous Admin Lookup Enabled

Specifies whether anonymous, read-only access to WebLogic Server MBeans should be allowed from the MBeanHome API.

With anonymous access enabled, you can see the value of any MBean attribute that is not explicitly marked as protected by the WebLogic Server MBean authorization process. This attribute should be enabled only for backward compatibility.

Advanced Configuration Options

Name Description
Security Interoperability Mode

Specifies the security mode to use for XA calls in cross-domain transactions. Only applies to transactions in which some participating resources are running on older versions of WebLogic Server.

In previous releases of WebLogic Server, the transaction coordinator used the kernel identity when calling remote resources; however, those calls were made over a non-secure channel. In the current release, remote calls made as the kernel identity must use a secure channel, which causes an interoperability problem with previous WebLogic domains and a possible performance problem in JTA when an admin channel is enabled. The security interoperability mode setting enables you to control the XA call behavior.

Security Interoperability Mode options:

  • default

    - The transaction coordinator makes calls using the kernel identity over an admin channel if it is enabled, and anonymous otherwise.

  • performance

    - The transaction coordinator makes calls as anonymous at all times. This implies a small security risk, since a malicious third party could then try to affect the outcome of transactions.

  • compatibility

    - The transaction coordinator makes calls as the kernel identity over an insecure channel. This is a high security risk because it means that the server's kernel identity could be captured and used for nefarious purposes. However, this setting is required to interoperate with older, unpatched versions of WebLogic Server.



MBean Attribute:
JTAMBean.SecurityInteropMode

Enable Generated Credential

Specifies whether a credential (usually a password) should be generated randomly for this WebLogic Server domain. This credential is used to enable a trust relationship between two domains. If you want to establish trust between two domains, you must ensure that they have the same credential by unchecking Enable Generated Credential and specifying the same value as the credential for both domains.

Credential

The credential for this WebLogic Server domain. If Enable Generated Credential is unchecked because you want to establish trust between two domains, specify a credential here and in the other domain.

Confirm Credential

Re-enter the credential.

NodeManager Username

The user name that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.

When you enable Node Manager to control a domain, you specify the name of a user who has Operator privileges. This is the user name that you must specify for this (NodeManagerUsername) attribute.

MBean Attribute:
SecurityConfigurationMBean.NodeManagerUsername

NodeManager Password

The password that the Administration Server passes to a Node Manager when it instructs the Node Manager to start, stop, or restart Managed Servers.

When you get the value of this attribute, WebLogic Server does the following:

  1. Retrieves the value of the NodeManagerPasswordEncrypted attribute.

  2. Decrypts the value and returns the unencrypted password as a String.

When you set the value of this attribute, WebLogic Server does the following:

  1. Encrypts the value.

  2. Sets the value of the NodeManagerPasswordEncrypted attribute to the encrypted value.

Using this attribute (NodeManagerPassword) is a potential security risk because the String object (which contains the unencrypted password) remains in the JVM's memory until garbage collection removes it and the memory is reallocated. Depending on how memory is allocated in the JVM, a significant amount of time could pass before this unencrypted data is removed from memory.

Instead of using this attribute, use NodeManagerPasswordEncrypted.

MBean Attribute:
SecurityConfigurationMBean.NodeManagerPassword

Changes take effect after you redeploy the module or restart the server.

Confirm NodeManager Password

Re-enter the NodeManager password.

Web App Files Case Insensitive

Specifies the case-sensitive URL-pattern matching behavior for security-constraints, servlets, filters, virtual-hosts, etc. in the webapp container and external security policies. Legal values: "os", "true", "false".

When the value is set to "os", pattern matching is case sensitive on all platforms except the Windows file system. Note that on non-Windows file systems WebLogic does not enforce case sensitivity and relies on the file system for optimization. As a result, if you have a Windows Samba mount from UNIX or Mac OS that has been installed in case-insensitive mode, there is a chance of a security risk. If that is the case, specify case-insensitive lookups by setting this attribute to true. This property is also used to preserve backward compatibility on Windows file systems. Until the 8.1 release, WebLogic was case insensitive on Windows. Starting with the 9.0 release, URL-pattern matching is strictly enforced. During the upgrade of older domains, the upgrade plug-in explicitly sets the value of this parameter to "os" in order to preserve backward compatibility.

MBean Attribute:
SecurityConfigurationMBean.WebAppFilesCaseInsensitive

Changes take effect after you redeploy the module or restart the server.
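The gap described for this attribute, modeled as an added example (not WebLogic code and not part of the original help page): a simplified Servlet-style URL-pattern matcher evaluated under each legal value, next to a file lookup on a mount that ignores case. The function names, the sample constraint patterns and the sample file paths are assumptions constructed for illustration.

```python
# Added illustration, not WebLogic code: a simplified model of URL-pattern
# matching under each legal value of WebAppFilesCaseInsensitive, next to a
# file system that ignores case. All names and sample data are constructed.

def effective_case_insensitive(setting, platform_is_windows):
    """Resolve "os"/"true"/"false" to a matching mode, as the text describes."""
    if setting in ("true", "false"):
        return setting == "true"
    if setting == "os":
        # "os": case sensitive on all platforms except Windows file systems.
        return platform_is_windows
    raise ValueError("legal values are 'os', 'true', 'false'")

def pattern_matches(pattern, path, case_insensitive):
    """Servlet-style matching: exact, path prefix ('/x/*'), extension ('*.x')."""
    if case_insensitive:
        pattern, path = pattern.lower(), path.lower()
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path

def is_constrained(path, patterns, setting, platform_is_windows):
    """True when any security-constraint pattern covers the request path."""
    ci = effective_case_insensitive(setting, platform_is_windows)
    return any(pattern_matches(p, path, ci) for p in patterns)

def file_served(path, files, fs_case_insensitive):
    """Model of the file lookup: a case-insensitive mount ignores case."""
    if fs_case_insensitive:
        return path.lower() in {f.lower() for f in files}
    return path in files

def unprotected_but_served(path, patterns, files, setting,
                           platform_is_windows, fs_case_insensitive):
    """True when the file is served although no constraint matched the URL."""
    return (file_served(path, files, fs_case_insensitive)
            and not is_constrained(path, patterns, setting, platform_is_windows))

PATTERNS = ["/admin/*", "*.key"]                # constructed constraints
FILES = {"/admin/report.jsp", "/index.jsp"}     # constructed deployed files

if __name__ == "__main__":
    for setting in ("os", "false", "true"):
        gap = unprotected_but_served("/ADMIN/report.jsp", PATTERNS, FILES, setting,
                                     platform_is_windows=False, fs_case_insensitive=True)
        print(f"{setting:5} on UNIX with case-insensitive mount: gap={gap}")
```

In this model only the value "true" closes the gap on a non-Windows host whose web application files sit on a case-insensitive mount, which is the case the text singles out.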

Enforce Strict URL Pattern

Specifies whether the system should enforce the strict URL pattern " / " to represent the entire contents of a Web application.

This property is provided for backward compatibility with version 8.1. When this field is checked the system enforces the use of the " / " character as the default representation of an entire Web application in the security container. This is the standard J2EE syntax and is consistent with the syntax used by the Servlet container. In version 8.1 the security container used " /* " as the default representation of an entire Web application. If you want your applications to continue to use " /* " in this context you must change the value to false (unchecked). When set to false, the security container recognizes " /* " as the equivalent of " / " , thereby ensuring consistency with the Servlet container.

MBean Attribute:
SecurityConfigurationMBean.EnforceStrictURLPattern

Changes take effect after you redeploy the module or restart the server.

Downgrade Untrusted Principals

Specifies whether principals that cannot be verified are downgraded to anonymous.

This feature is useful for server-server communication between untrusted domains.

MBean Attribute:
SecurityConfigurationMBean.DowngradeUntrustedPrincipals

Changes take effect after you redeploy the module or restart the server.

Compatibility Connection Filters Enabled

Specifies whether this WebLogic Server domain enables compatibility with previous connection filters.

Checking or unchecking this field changes the protocol names used when filtering is performed.

MBean Attribute:
SecurityConfigurationMBean.CompatibilityConnectionFiltersEnabled

Allow Security Management Operations if Non-dynamic Changes have been Made

Specifies whether security management operations are allowed if non-dynamic changes have been made and the Admin Server requires restart.

If a user makes changes to non-dynamic attributes of security MBeans and then activates the changes, by default that user cannot perform any security management operations until the server has been restarted. You can override this default behavior by checking this field. This permits users to perform security management operations without restarting the server. Note that this attribute is reset to false when a new console session starts.
