RealmMBean

Overview

The MBean that represents configuration attributes for the security realm.

A security realm contains a set of security configuration settings, including the list of security providers to use (for example, for authentication and authorization).

Code using security can either use the default security realm for the domain or refer to a particular security realm by name (by using the JMX display name of the security realm).

One security realm in the WebLogic domain must have the DefaultRealm attribute set to true. The security realm with the DefaultRealm attribute set to true is used as the default security realm for the WebLogic domain. Note that other available security realms must have the DefaultRealm attribute set to false.

When WebLogic Server boots, it locates and uses the default security realm. The security realm is considered active since it is used when WebLogic Server runs. Any security realm that is not used when WebLogic Server runs is considered inactive. All active security realms must be configured before WebLogic Server is boots.

Since security providers are scoped by realm, the Realm attribute on a security provider must be set to the realm that uses the provider.

Related MBeans

This section describes attributes that provide access to other MBeans.

Adjudicator

Returns the Adjudication provider for this security realm.

Auditors

Returns the Auditing providers for this security realm (in invocation order).

AuthenticationProviders

Returns the Authentication providers for this security realm (in invocation order).

Authorizers

Returns the Authorization providers for this security realm (in invocation order).

CertPathBuilder

Returns the CertPath Builder provider in this security realm that will be used by the security system to build certification paths. Returns null if none has been selected. The provider will be one of this security realm's CertPathProviders.

CertPathProviders

Returns the Certification Path providers for this security realm (in invocation order).

CredentialMappers

Returns the Credential Mapping providers for this security realm (in invocation order).

PasswordValidators

Returns the Password Validator providers for this security realm (in invocation order).

RDBMSSecurityStore

Returns RDBMSSecurityStoreMBean for this realm, which is a singleton MBean describing RDBMS security store configuration.

For more information, see:

• createRDBMSSecurityStore

RoleMappers

Returns the Role Mapping providers for this security realm (in invocation order).

UserLockoutManager

Returns the User Lockout Manager for this security realm.

Attributes

This section describes the following attributes:

AdjudicatorTypes

Returns the types of Adjudication providers that may be created in this security realm, for example, weblogic.security.providers.authorization.DefaultAdjudicator. Use this method to find the available types to pass to createAdjudicator

AuditorTypes

Returns the types of Auditing providers that may be created in this security realm, for example, weblogic.security.providers.audit.DefaultAuditor. Use this method to find the available types to pass to createAuditor

AuthenticationProviderTypes

Returns the types of Authentication providers that may be created in this security realm, for example, weblogic.security.providers.authentication.DefaultAuthenticator. Use this method to find the available types to pass to createAuthenticationProvider

AuthMethods

Returns a comma separated string of authentication methods that should be used when the Web application specifies "REALM" as its auth-method. The authentication methods will be applied in order in which they appear in the list.

AuthorizerTypes

Returns the types of Authorization providers that may be created in this security realm, for example, weblogic.security.providers.authorization.DefaultAuthorizer. Use this method to find the available types to pass to createAuthorizer

AutoRestartOnNonDynamicChanges

Specifies whether the Realm will be auto-restarted if non-dynamic changes are made to the realm or providers within the realm.

CertPathProviderTypes

Returns the types of Certification Path providers that may be created in this security realm, for example, weblogic.security.providers.pk.WebLogicCertPathProvider. Use this method to find the available types to pass to createCertPathProvider

CombinedRoleMappingEnabled

Determines how the role mappings in the Enterprise Application, Web application, and EJB containers interact. This setting is valid only for Web applications and EJBs that use the Advanced security model and that initialize roles from deployment descriptors.

When enabled:

• Application role mappings are combined with EJB and Web application mappings so that all principal mappings are included. The Security Service combines the role mappings with a logical OR operator.

• If one or more policies in the web.xml file specify a role for which no mapping exists in the weblogic.xml file, the Web application container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access URL patterns that are secured by such policies.

• If one or more policies in the ejb-jar.xml file specify a role for which no mapping exists in the weblogic-ejb-jar.xml file, the EJB container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access methods that are secured by such policies.

When disabled:

• Role mappings for each container are exclusive to other containers unless defined by the <externally-defined> descriptor element.

• If one or more policies in the web.xml file specify a role for which no role mapping exists in the weblogic.xml file, the Web application container assumes that the undefined role is the name of a principal. It therefore maps the assumed principal to the role name. For example, if the web.xml file contains the following stanza in one of its policies:

  <auth-constraint>
<role-name>PrivilegedUser</role-name>
</auth-constraint>

  but, if the weblogic.xml file has no role mapping for PrivilegedUser, then the Web application container creates an in-memory mapping that is equivalent to the following stanza:

  <security-role-assignment>
<role-name>PrivilegedUser</role-name>
<principal-name>PrivilegedUser</principal-name>
</security-role-assignment>

• Role mappings for EJB methods must be defined in the weblogic-ejb-jar.xml file. Role mappings defined in the other containers are not used unless defined by the <externally-defined> descriptor element.

Note:

For all applications previously deployed in version 8.1 and upgraded to version 9.x, the combining role mapping is disabled by default.

CredentialMapperTypes

Returns the types of Credential Mapping providers that may be created in this security realm, for example, weblogic.security.providers.credentials.DefaultCredentialMapper. Use this method to find the available types to pass to createCredentialMapper

DefaultRealm

Returns whether this security realm is the Default realm for the WebLogic domain. Deprecated in this release of WebLogic Server and replaced by weblogic.management.configuration.SecurityConfigurationMBean.getDefaultRealm.

Deprecated. 9.0.0.0 Replaced by SecurityConfigurationMBean#getDefaultRealm()

DelegateMBeanAuthorization

Configures the WebLogic Server MBean servers to use the security realm's Authorization providers to determine whether a JMX client has permission to access an MBean attribute or invoke an MBean operation.

You can continue to use WebLogic Server's default security settings or modify the defaults to suit your needs.

If you do not delegate authorization to the realm's Authorization providers, the WebLogic MBean servers allow access only to the four default security roles (Admin, Deployer, Operator, and Monitor) and only as specified by WebLogic Server's default security settings.

DeployableProviderSynchronizationEnabled

Specifies whether synchronization for deployable Authorization and Role Mapping providers is enabled.

The Authorization and Role Mapping providers may or may not support parallel security policy and role modification, respectively, in the security provider database. If the security providers do not support parallel modification, the WebLogic Security Framework enforces a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially.

DeployableProviderSynchronizationTimeout

Returns the timeout value, in milliseconds, for the deployable security provider synchronization operation. This value is only used if DeployableProviderSynchronizationEnabled is set to true

DeployCredentialMappingIgnored

Returns whether credential mapping deployment calls on the security system are ignored or passed to the configured Credential Mapping providers.

Deprecated. 9.0.0.0

DeployPolicyIgnored

Returns whether policy deployment calls on the security system are ignored or passed to the configured Authorization providers.

Deprecated. 9.0.0.0

DeployRoleIgnored

Returns whether role deployment calls on the security system are ignored or passed to the configured Role Mapping providers.

Deprecated. 9.0.0.0

EnableWebLogicPrincipalValidatorCache

Returns whether the WebLogic Principal Validator caching is enabled.

The Principal Validator is used by Oracle supplied authentication providers and may be used by custom authentication providers. If enabled, the default principal validator will cache WebLogic Principal signatures.

FullyDelegateAuthorization

Returns whether the Web and EJB containers should call the security framework on every access.

If false the containers are free to only call the security framework when security is set in the deployment descriptors.

Deprecated. 9.0.0.0

IdentityAssertionHeaderNamePrecedence

Obtain an ordered list of token type names used for Identity Assertion with HTTP request headers.

The list determines the precedence order when multiple HTTP headers are present in an HTTP request based on the list of active token types maintained on the configured Authentication providers.

ManagementIdentityDomain

Sets the Management Identity Domain value for the realm.

MaxWebLogicPrincipalsInCache

Returns the maximum size of the LRU cache for holding WebLogic Principal signatures. This value is only used if EnableWebLogicPrincipalValidatorCache is set to true

Name

The name of this configuration. WebLogic Server uses an MBean to implement and persist the configuration.

PasswordValidatorTypes

Returns the types of Password Validator providers that may be created in this security realm, for example, com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator. Use this method to find the available types to pass to createPasswordValidator

RetireTimeoutSeconds

Specifies the retire timeout for a realm that is restarted. The old realm will be shutdown after the specified timeout period has elapsed.

RoleMapperTypes

Returns the types of Role Mapping providers that may be created in this security realm, for example, weblogic.security.providers.authorization.DefaultRoleMapper. Use this method to find the available types to pass to createRoleMapper

SecurityDDModel

Specifies the default security model for Web applications or EJBs that are secured by this security realm. You can override this default during deployment.

Note: If you deploy a module by modifying the domain's config.xml file and restarting the server, and if you do not specify a security model value for the module in config.xml, the module is secured with the default value of the AppDeploymentMBean SecurityDDModelattribute (see getSecurityDDModel ).

Choose one of these security models:

• Deployment Descriptors Only (DDOnly)

  • For EJBs and URL patterns, this model uses only the roles and policies in the Java EE deployment descriptors (DD); the Administration Console allows only read access for this data. With this model, EJBs and URL patterns are not protected by roles and policies of a broader scope (such as a policy scoped to an entire Web application). If an EJB or URL pattern is not protected by a role or policy in the DD, then it is unprotected: anyone can access it.

  • For application-scoped roles in an EAR, this model uses only the roles defined in the WebLogic Server DD; the Administration Console allows only read access for this data. If the WebLogic Server DD does not define roles, then there will be no such scoped roles defined for this EAR.

  • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies for an EAR.

  • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

• Customize Roles Only (CustomRoles)

  • For EJBs and URL patterns, this model uses only the policies in the Java EE deployment descriptors (DD). EJBs and URL patterns are not protected by policies of a broader scope (such as a policy scoped to an entire Web application). This model ignores any roles defined in the DDs; an administrator completes the role mappings using the Administration Console.

  • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies or roles for an EAR.

  • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

• Customize Roles and Policies (CustomRolesAndPolicies)

  • Ignores any roles and policies defined in deployment descriptors. An administrator uses the Administration Console to secure the resources.

  • Performs security checks for all URLs or EJB methods in the module.

  • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

• Advanced (Advanced)

  You configure how this model behaves by setting values for the following options:

  • When Deploying Web Applications or EJBs

    Note: When using the WebLogic Scripting Tool or JMX APIs, there is no single MBean attribute for this setting. Instead, you must set the values for the DeployPolicyIgnored and DeployRoleIgnored attributes of RealmMBean.

  • Check Roles and Policies (FullyDelegateAuthorization)
  • Combined Role Mapping Enabled (CombinedRoleMappingEnabled)

  You can change the configuration of this model. Any changes immediately apply to all modules that use the Advanced model. For example, you can specify that all modules using this model will copy roles and policies from their deployment descriptors into the appropriate provider databases upon deployment. After you deploy all of your modules, you can change this behavior to ignore roles and policies in deployment descriptors so that when you redeploy modules they will not re-copy roles and policies.

  Note: Prior to WebLogic Server version 9.0 the Advanced model was the only security model available. Use this model if you want to continue to secure EJBs and Web Applications as in releases prior to 9.0.

For more information, see:

• isDeployPolicyIgnored()
• isDeployRoleIgnored()
• isFullyDelegateAuthorization()
• isCombinedRoleMappingEnabled()

ValidateDDSecurityData

Not used in this release.

Operations

This section describes the following operations:

isSet

Returns true if the specified attribute has been set explicitly in this MBean instance.

unSet

Restore the given property to its default value.

validate

Checks that the realm is valid.

Deprecated. 9.0.0.0 This method is no longer required since activating a configuration transaction does this check automatically on the default realm, and will not allow the configuration to be saved if the domain does not have a valid default realm configured.

wls_getDisplayName