5 About Configuring WebLogic Security Providers

Although most WebLogic security providers can run with their default settings as soon as Oracle WebLogic Server is started, several providers typically require configuration settings tailored to the environment in which they run. For example, if you are using an identity store other than the embedded LDAP server, you need to configure an Authentication provider that is specific to that store. And if you configure multiple providers of a certain type, you need to specify the order in which they are invoked.

This chapter includes the following sections:

When Do You Need to Configure a Security Provider?

Most WebLogic security providers are configured to run by default after you install WebLogic Server. However, the following circumstances require you to supply configuration information:

You can use either the WebLogic-supplied security providers or a custom security provider in a security realm. To configure a custom security provider, see Configure custom security providers in the Oracle WebLogic Server Administration Console Online Help.

Reordering Security Providers

You can configure more than one security provider of a given type in a security realm. For example, you might use two or more different Role Mapping providers or Authorization providers. If you have more than one security provider of the same type in a security realm, the order in which these providers are called can affect the overall outcome of the security processes. By default, security providers are called in the order that they were added to the realm. You can use the WebLogic Server Administration Console to change the order of the providers. See Re-order security providers in the Oracle WebLogic Server Administration Console Online Help.

Enabling Synchronization in Security Policy and Role Modification at Deployment

For the best performance, and by default, WebLogic Server supports parallel modification to security policy and roles during application and module deployment. For this reason, deployable Authorization and Role Mapping providers configured in the security realm should support parallel calls. The WebLogic deployable XACML Authorization and Role Mapping providers meet this requirement.

However, custom deployable Authorization and Role Mapping providers may or may not support parallel calls. If your custom deployable Authorization or Role Mapping providers do not support parallel calls, you need to disable parallel security policy and role modification and instead enforce a synchronization mechanism that places each application and module in a queue and deploys them sequentially. Otherwise, a provider that does not support parallel calls throws a java.util.ConcurrentModificationException.

You can turn on this synchronization enforcement mechanism in two ways:

Note:

Enabling the synchronization mechanism affects every deployable provider configured in the realm, including the WebLogic Server XACML providers. Enabling the synchronization mechanism may negatively impact the performance of these providers.

  • From the WebLogic Server Administration Console. Set the Deployable Provider Synchronization Enabled and Deployable Provider Synchronization Timeout controls for the realm.

    The Deployable Provider Synchronization Enabled control enforces a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially.

    The Deployable Provider Synchronization Timeout control sets or returns the timeout value, in milliseconds, for the deployable security provider synchronization operation. This is the maximum time a deployment cycle waits in the queue when the previous cycle is stuck.

  • From WLST. Set the DeployableProviderSynchronizationEnabled and DeployableProviderSynchronizationTimeout attributes of the RealmMBean.

    See RealmMBean in MBean Reference for Oracle WebLogic Server.
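The following WLST (Jython) script is an added example, not part of the Oracle documentation, showing how the two RealmMBean attributes above can be set from a script rather than the Administration Console. It assumes the default realm name myrealm, a placeholder Administration Server URL and credentials, and a constructed 60000 ms timeout; the setter and getter method names follow the standard MBean convention for the attribute names given above.

```python
# Added example (not from the Oracle documentation): a WLST (Jython) script that
# sets DeployableProviderSynchronizationEnabled and
# DeployableProviderSynchronizationTimeout on the RealmMBean.
# Assumptions: realm name "myrealm", placeholder admin URL and credentials.

def apply_realm_sync(realm, enabled, timeout_ms):
    """Enable or disable deployable-provider synchronization on a RealmMBean.

    `realm` is any object exposing the standard MBean setters/getters for the
    two attributes (the WLST `cmo` at the realm path, or a stub in tests).
    `timeout_ms` is the maximum queue wait in milliseconds.
    Returns the (enabled, timeout) pair read back from the MBean.
    """
    if not isinstance(timeout_ms, int) or timeout_ms <= 0:
        raise ValueError("timeout must be a positive number of milliseconds")
    realm.setDeployableProviderSynchronizationEnabled(bool(enabled))
    realm.setDeployableProviderSynchronizationTimeout(timeout_ms)
    # Read the values back so the caller can verify what the MBean stored.
    return (realm.isDeployableProviderSynchronizationEnabled(),
            realm.getDeployableProviderSynchronizationTimeout())


def main():
    # connect, edit, startEdit, cd, cmo, save and activate are WLST built-ins
    # and exist only inside the WLST interpreter; URL/credentials are placeholders.
    connect('weblogic', '<password>', 't3://adminhost:7001')
    edit()
    startEdit()
    domain_name = cmo.getName()                      # domain root after connect
    cd('/SecurityConfiguration/%s/Realms/myrealm' % domain_name)  # assumed realm
    enabled, timeout = apply_realm_sync(cmo, True, 60000)  # constructed: 60 s wait
    save()
    activate()
    print('DeployableProviderSynchronizationEnabled=%s, Timeout=%d ms'
          % (enabled, timeout))


if __name__ == '__main__':
    main()
```

Run it with `java weblogic.WLST <script>.py`; because the change is made in an edit session, it takes effect only after activate() succeeds.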