6 About Configuring WebLogic Security Providers

Although most WebLogic security providers can run with their default settings as soon as Oracle WebLogic Server is started, several providers typically require configuration settings tailored to the environment in which they run. For example, if you are using an identity store other than the embedded LDAP server, you need to configure an Authentication provider that is specific to that store. And if you configure multiple providers of a certain type, you need to specify the order in which they are invoked.

This chapter includes the following sections:

When Do You Need to Configure a Security Provider?

By default, most WebLogic security providers are generally configured to run after you install WebLogic Server. However, the following circumstances require you to supply configuration information:

You can use either the WebLogic-supplied security providers or a custom security provider in a security realm. To configure a custom security provider, see Configure custom security providers in the Oracle WebLogic Server Administration Console Online Help.

Reordering Security Providers

You can configure more than one security provider of a given type in a security realm. For example, you might use two or more different Role Mapping providers or Authorization providers. If you have more than one security provider of the same type in a security realm, the order in which these providers are called can affect the overall outcome of the security processes. By default, security providers are called in the order that they were added to the realm. You can use the WebLogic Server Administration Console to change the order of the providers. See Re-order security providers in the Oracle WebLogic Server Administration Console Online Help.

Enabling Synchronization in Security Policy and Role Modification at Deployment

For the best performance, and by default, Weblogic Server supports parallel modification to security policy and roles during application and module deployment. For this reason, deployable Authorization and Role Mapping providers configured in the security realm should support parallel calls. The WebLogic deployable XACML Authorization and Role Mapping providers meet this requirement.

However, custom deployable Authorization and Role Mapping providers may or may not support parallel calls. If your custom deployable Authorization or Role Mapping providers do not support parallel calls, you need to disable the parallel security policy and role modification and instead enforce a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially. Otherwise, if a provider does not support parallel calls, it generates a java.util.ConcurrentModificationException exception.

You can turn on this synchronization enforcement mechanism on in two ways:

Note:

Enabling the synchronization mechanism affects every deployable provider configured in the realm, including the WebLogic Server XACML providers. Enabling the synchronization mechanism may negatively impact the performance of these providers.

  • From the WebLogic Server Administration Console. Set the Deployable Provider Synchronization Enabled and Deployable Provider Synchronization Timeout controls for the realm.

    The Deployable Provider Synchronization Enabled control enforces a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially.

    The Deployable Provider Synchronization Timeout control sets or returns the timeout value, in milliseconds, for the deployable security provider synchronization operation. This is the maximum time a deployment cycle wants to wait in the queue when the previous cycle is stuck.

  • From the DeployableProviderSynchronizationEnabled and DeployableProviderSynchronizationTimeout attributes of the RealmMBean. From WLST, set the DeployableProviderSynchronizationEnabled and DeployableProviderSynchronizationTimeout attributes of the RealmMBean.

    See RealmMBean in MBean Reference for Oracle WebLogic Server.