7 Configuring Authorization and Role Mapping Providers

In Oracle WebLogic Server, Authorization providers use the concepts of security policies, ContextHandlers, access decisions, and more, to determine who may have access to a resource. Role Mapping providers compute the set of roles granted to a subject for a given resource, and Adjudication providers resolve authorization conflicts if multiple Authorization providers don’t return the same access decision.

This chapter includes the following sections:

  • Configuring an Authorization Provider

  • Configuring the WebLogic Adjudication Provider

  • Configuring a Role Mapping Provider

Configuring an Authorization Provider

Authorization is the process whereby the interactions between users and resources are limited to ensure integrity, confidentiality, and availability. In other words, authorization is responsible for controlling access to resources based on user identity or other information. You should only need to configure an Authorization provider when you create a new security realm.

By default, security realms in newly created domains include the XACML Authorization provider. The XACML Authorization provider uses XACML, the eXtensible Access Control Markup Language. For information about using the XACML Authorization provider, see Using XACML Documents to Secure WebLogic Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server. WebLogic Server also includes the WebLogic Authorization provider, which uses a proprietary policy language. This provider is named DefaultAuthorizer, but is no longer the default authorization provider.

See Enabling Synchronization in Security Policy and Role Modification at Deployment for information about how Authorization providers support parallel modification to security policy during application and module deployment.

Note:

The WebLogic Authorization provider, also known as the DefaultAuthorizer, is deprecated in WebLogic Server 14.1.1.0.0 and will be removed in a future release.

The WebLogic Authorization provider improves performance by caching the roles, predicates, and resource data that it looks up. For information on configuring these caches, see Best Practices: Configure Entitlements Caching When Using WebLogic Providers in Securing Resources Using Roles and Policies for Oracle WebLogic Server. The XACML Authorization provider uses its own cache, but this cache is not configurable.

Configuring the WebLogic Adjudication Provider

When multiple Authorization providers are configured in a security realm, each may return a different answer to the "is access allowed" question for a given resource. This answer may be PERMIT, DENY, or ABSTAIN. Determining what to do if multiple Authorization providers do not agree on the answer is the primary function of the Adjudication provider. Adjudication providers resolve authorization conflicts by weighting each Authorization provider's answer and returning a final decision.

Each security realm requires an Adjudication provider, and can have no more than one active Adjudication provider. By default, a WebLogic security realm is configured with the WebLogic Adjudication provider. You can use either the WebLogic Adjudication provider or a custom Adjudication provider in a security realm.

Note:

In the WebLogic Server Administration Console, the WebLogic Adjudication provider is referred to as the Default Adjudicator.

By default, most configuration options for the WebLogic Adjudication provider are defined. However, you can set the Require Unanimous Permit option to determine how the WebLogic Adjudication provider handles a combination of PERMIT and ABSTAIN votes from the configured Authorization providers.

  • If the option is enabled (the default), all Authorization providers must vote PERMIT in order for the Adjudication provider to vote true.

  • If the option is disabled, ABSTAIN votes are counted as PERMIT votes.
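The following is an added model of the vote-combining rule described above; it is not WebLogic's own Adjudication provider code. It assumes that a DENY from any Authorization provider always yields a final decision of false (consistent with "all providers must vote PERMIT"), and that an empty set of votes fails closed.

```python
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Vote(Enum):
    """The three answers an Authorization provider can return."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def adjudicate(votes: Iterable[Vote], require_unanimous_permit: bool = True) -> bool:
    """Combine Authorization provider votes into one access decision.

    Models the Require Unanimous Permit option:
      - enabled (default): every provider must vote PERMIT; any ABSTAIN -> False
      - disabled: ABSTAIN is counted as PERMIT, so only a DENY blocks access
    Assumption (not stated on the page): DENY always wins, and no votes at all
    fails closed.
    """
    vote_list: List[Vote] = list(votes)
    if not vote_list:
        return False  # fail closed: nobody voted
    if Vote.DENY in vote_list:
        return False  # a single DENY overrides any PERMIT or ABSTAIN
    if require_unanimous_permit:
        return all(v is Vote.PERMIT for v in vote_list)
    return True  # only PERMIT/ABSTAIN remain and ABSTAIN counts as PERMIT


def decision_table() -> Dict[Tuple[str, ...], Tuple[bool, bool]]:
    """Return (unanimous_enabled, unanimous_disabled) for a few vote mixes.

    The vote mixes are constructed sample inputs for illustration.
    """
    cases = [
        (Vote.PERMIT, Vote.PERMIT),
        (Vote.PERMIT, Vote.ABSTAIN),
        (Vote.ABSTAIN, Vote.ABSTAIN),
        (Vote.PERMIT, Vote.DENY),
    ]
    return {
        tuple(v.value for v in case): (adjudicate(case, True), adjudicate(case, False))
        for case in cases
    }


if __name__ == "__main__":
    for mix, (enabled, disabled) in decision_table().items():
        print(f"{'+'.join(mix):16} unanimous=on -> {enabled}, unanimous=off -> {disabled}")
```

The practical takeaway is that disabling Require Unanimous Permit lets a second provider that knows nothing about a resource (ABSTAIN) no longer block access, while DENY still wins in either mode.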

Configuring a Role Mapping Provider

Role mapping is the process whereby principals (users or groups) are dynamically mapped to security roles at runtime. Role Mapping providers supply Authorization providers with this role information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources. By default, a WebLogic security realm is configured with the XACML Role Mapping provider. The XACML Role Mapping provider uses XACML, the eXtensible Access Control Markup Language. For information about using the XACML Role Mapping provider, see Using XACML Documents to Secure WebLogic Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

WebLogic Server also includes the WebLogic Role Mapping provider, which uses a proprietary policy language. This provider is named DefaultRoleMapper, but is no longer the default role mapping provider in newly-created security realms. You can also use a custom Role Mapping provider in your security realm.

Note:

The WebLogic Role Mapping provider, also known as the DefaultRoleMapper, is deprecated in WebLogic Server 14.1.1.0.0 and will be removed in a future release.

By default, most configuration options for the XACML Role Mapping provider are already defined. However, you can set Role Mapping Deployment Enabled, which specifies whether or not this Role Mapping provider imports information from deployment descriptors for Web applications and EJBs into the security realm. This setting is enabled by default.

In order to support Role Mapping Deployment Enabled, a Role Mapping provider must implement the DeployableRoleProvider SSPI. Roles are stored by the XACML Role Mapping provider in the embedded LDAP server.

See Enabling Synchronization in Security Policy and Role Modification at Deployment for information about how Role Mapping providers support parallel modification to roles during application and module deployment.

For information about using, developing, and configuring Role Mapping providers, see: