This chapter explains how to configure the RDBMS Authentication providers included in WebLogic Server.
In WebLogic Server, an RDBMS Authentication provider is a username/password based Authentication provider that uses a relational database (rather than an LDAP directory) as its data store for user, password, and group information. WebLogic Server includes these RDBMS Authentication providers:
SQL Authenticator—Uses a SQL database and allows both read and write access to the database. This Authentication provider is configured by default with a typical SQL database schema, which you can configure to match your database's schema. See Configuring the SQL Authentication Provider.
Read-only SQL Authenticator—Uses a SQL database and allows only read access to the database. For write access, you use the SQL database's own interface, not the WebLogic security provider. See Configuring the Read-Only SQL Authenticator.
Custom RDBMS Authenticator—Requires you to write a plug-in class. This may be a better choice if you want to use a relational database for your authentication data store, but the SQL Authenticator's schema configuration is not a good match for your existing database schema. See Configuring the Custom DBMS Authenticator.
For information about adding an RDBMS Authentication provider to your security realm, see "Configure Authentication and Identity Assertion providers" in the Oracle WebLogic Server Administration Console Online Help. Once you have created an instance of the RDBMS Authentication provider, configure it on the RDBMS Authentication provider's Configuration > Provider Specific page in the WebLogic Server Administration Console.
All three RDBMS Authentication providers include these configuration options.
The Data Source Name specifies the WebLogic Server data source to use to connect to the database.
The Group Membership Searching and Max Group Membership Search Level attributes specify whether recursive group membership searching is unlimited or limited, and if limited, how many levels of group membership can be searched. For example, if you specify that Group Membership Searching is LIMITED, and the Max Group Membership Search Level is 0, then the RDBMS Authentication providers will find only groups that the user is a direct member of. Specifying a maximum group membership search level can greatly increase authentication performance in certain scenarios, since it may reduce the number of DBMS queries executed during authentication. However, you should only limit group membership search if you can be certain that the group memberships you require are within the search level limits you specify.
Note:
If the RDBMS contains cyclic groups, or groups that are defined to contain themselves, the RDBMS Authentication provider may be unable to complete the authentication process. Setting the Group Membership Searching and Max Group Membership Search Level attributes can help limit recursive group name lookups. However, the use of RDBMS Authentication providers with cyclic groups is not supported and must be avoided.

You can improve the performance of RDBMS Authentication providers by caching the results of group hierarchy lookups. Use of this cache can reduce the frequency with which the RDBMS Authentication provider needs to access the database. In the WebLogic Server Administration Console, you can use the Performance page for your Authentication provider to configure the use, size, and duration of this cache. See "Security Realms: Security Providers: SQL Authenticator: Performance" in the Oracle WebLogic Server Administration Console Online Help.
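The following is an added example, not WebLogic code, that shows what the search-level limit buys and why cyclic groups are a problem: it walks a constructed groupmembers table (column names assumed) with sqlite3, counts the DBMS queries each setting costs, and flags any group that contains itself so the data can be checked before the provider is enabled.

```python
import sqlite3

# Constructed sample of the groupmembers table (column names assumed):
# alice -> dev -> ops -> admins, plus a cyclic pair cyc_a <-> cyc_b.
SAMPLE_MEMBERS = [("dev", "alice"), ("ops", "dev"), ("admins", "ops"),
                  ("cyc_a", "bob"), ("cyc_b", "cyc_a"), ("cyc_a", "cyc_b")]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE groupmembers (group_name TEXT, group_member TEXT)")
    conn.executemany("INSERT INTO groupmembers VALUES (?, ?)", SAMPLE_MEMBERS)
    return conn

def parent_groups(conn, member):
    """One DBMS query: groups that list `member` (a user or a group) directly."""
    rows = conn.execute("SELECT group_name FROM groupmembers WHERE group_member = ?", (member,))
    return [g for (g,) in rows]

def groups_for(conn, user, limited=False, max_level=0):
    """Return (groups, queries). Level 0 = direct memberships; each further level
    follows one more nesting; limited=False is UNLIMITED. `found` keeps it finite."""
    found, frontier, level, queries = set(), [user], 0, 0
    while frontier and (not limited or level <= max_level):
        next_frontier = []
        for name in frontier:
            queries += 1
            for g in parent_groups(conn, name):
                if g not in found:
                    found.add(g)
                    next_frontier.append(g)
        frontier, level = next_frontier, level + 1
    return sorted(found), queries

def cyclic_groups(conn):
    """Groups that contain themselves directly or transitively: DFS with
    grey/black colouring over the nesting graph (edge: child -> parent)."""
    grey, black, cyclic = set(), set(), set()
    def visit(g, path):
        grey.add(g); path.append(g)
        for p in parent_groups(conn, g):
            if p in grey:                 # back edge: path from p onwards is a cycle
                cyclic.update(path[path.index(p):])
            elif p not in black:
                visit(p, path)
        path.pop(); grey.discard(g); black.add(g)
    for (g,) in conn.execute("SELECT DISTINCT group_name FROM groupmembers").fetchall():
        if g not in black:
            visit(g, [])
    return sorted(cyclic)
```

With LIMITED and level 0, alice resolves to only `dev` after a single query; UNLIMITED reaches `admins` at the cost of four queries, and the cycle check reports `cyc_a` and `cyc_b`.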
For detailed information about configuring a SQL Authentication provider, see "Security Realms: Security Providers: SQL Authenticator: Provider Specific" in the Oracle WebLogic Server Administration Console Online Help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the SQL Authentication provider has the following configurable attributes.
The following attributes govern how the RDBMS Authentication provider and its underlying database handle user passwords:
Plaintext Passwords Enabled
Password Style Retained
Password Style
Password Algorithm
SQL statement attributes specify the SQL statements used by the provider to access and edit the username, password, and group information in the database. With the default values in the SQL statement attributes, it is assumed that the database schema includes the following tables:
users (username, password, [description])
groupmembers (group name, group member)
groups (group name, group description)
Note:
The tables referenced by the SQL statements must exist in the database; the provider will not create them. You can modify these attributes as needed to match the schema of your database. However, if your database schema is radically different from this default schema, you may need to use a Custom DBMS Authentication provider instead.

For detailed information about configuring a Read-Only SQL Authentication provider, see "Security Realms: Security Providers: Read-Only SQL Authenticator: Provider Specific" in the Oracle WebLogic Server Administration Console Online Help. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Read-Only SQL Authentication provider's configurable attributes include attributes that specify the SQL statements used by the provider to list the username, password, and group information in the database. You can modify these attributes as needed to match the schema of your database.
The Custom DBMS Authentication provider, like the other RDBMS Authentication providers, uses a relational database as its data store for user, password, and group information. Use this provider if your database schema does not map well to the SQL schema expected by the SQL Authenticator. In addition to the attributes described in Common RDBMS Authentication Provider Attributes, the Custom DBMS Authentication provider's configurable attributes include the following.
A Custom DBMS Authentication provider requires that you write a plug-in class that implements the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface. The class must exist in the system classpath and must be specified in the Plug-in Class Name attribute for the Custom DBMS Authentication provider. Optionally, you can use the Plugin Properties attribute to specify values for properties defined by your plug-in class.