The MBean that represents configuration atrributes for the WebLogic Identity Assertion provider. The WebLogic Identity Assertion provider supports identity assertion using X.509 certificates and CORBA Common Secure Interoperability version 2 (CS1 v2). The class also contains attributes for the default user name mapping class plus the list of trusted client principals.
| Fully Qualified Interface Name | If you use the getMBeanInfo operation in MBeanTypeServiceMBean, supply the following value as this MBean's fully qualified interface name:
weblogic.security.providers.authentication.DefaultIdentityAsserterMBean
|
||
| Factory Methods | No factory methods. Instances of this MBean are created automatically. | ||
| Access Points Inherited from AuthenticationProviderMBean |
Because this MBean extends or implements AuthenticationProviderMBean, you can also access this MBean by retrieving AuthenticationProviderMBeans. The following attributes contain AuthenticationProviderMBeans and its subtypes:
|
This section describes attributes that provide access to other MBeans.
|
|
Returns the realm that contains this security provider. Returns null if this security provider is not contained by a realm.
| Privileges | Read only |
| Type | RealmMBean |
| Relationship type: | Reference. |
This section describes the following attributes:
No description provided.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value | AuthenticatedUser weblogic-jwt-token |
Returns whether the tokens that are passed to the Identity
Assertion provider will be base64 decoded first. If
false then the server will not base64 decode the token
before passing it to the identity asserter. This defaults to
true for backwards compatibility but most providers
will probably want to set this to false.
| Privileges | Read/Write |
| Type | boolean |
| Default Value | true |
The list of token types mean the tokens are not needed to be Base64 decoded as others.
| Available Since | Release 12.2.1.0.0 |
| Privileges | Read/Write |
| Type | class java.lang.String[] |
| Default Value | weblogic-jwt-token |
The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | @ |
The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
| Privileges | Read/Write |
| Type | java.lang.String |
| Default Value | E |
| Legal Values |
|
A short description of the Identity Assertion provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | WebLogic Identity Assertion provider |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
The name of the data source to use for storage digest values. These digest values are used to detect replay attacks.
| Privileges | Read/Write |
| Type | java.lang.String |
Determines how long digests are valid.
A digest that was created before the specified time will not be valid. This setting impacts how long previous digest values must be stored in the database for use in detecting replay attacks.
| Privileges | Read/Write |
| Type | int |
| Default Value | 300 |
Enables the storage of the digest nonce values used to detect replay attacks.
If this setting is enabled, you must configure a data source to store the nonces for the specified expiration period. WebLogic Server then stores all the nonces from digest authentication attempts for all the machines in the domain. On each digest authentication attempt, the nonce is validated against the stored nonces. If the nonce is present, a replay attack has occurred and the digest authentication attempt fails.
| Privileges | Read/Write |
| Type | boolean |
Returns the name of the identity domain.
| Privileges | Read/Write |
| Type | java.lang.String |
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | DefaultIdentityAsserter |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
The name of the Java class used to load the Identity Assertion provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
The token types supported by the Identity Assertion provider.
| Privileges | Read only |
| Type | class java.lang.String[] |
| Default Value | AuthenticatedUser weblogic-jwt-token X.509 CSI.PrincipalName CSI.ITTAnonymous CSI.X509CertChain CSI.DistinguishedName wsse:PasswordDigest |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
The list of trusted client principals to use in CSI v2 identity assertion.
The wildcard character (*) can be used to specify all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invoke is rejected.
| Privileges | Read/Write |
| Type | class java.lang.String[] |
Uses the user name mapping class provided by WebLogic Server. The default user name mapping class only validates that a certificate has not expired.
If you require additional validation, you need to write your own user name mapping class. Writing your own user name mapping class also allows you to specify what attribute in the subject DN of the certificate is used to map to the user name.
| Privileges | Read/Write |
| Type | boolean |
The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.
| Privileges | Read/Write |
| Type | java.lang.String |
The version number of the Identity Assertion provider.
| Privileges | Read only |
| Type | java.lang.String |
| Default Value | 1.0 |
| Redeploy or Restart required | Changes take effect after you redeploy the module or restart the server. |
Determines whether to authenticate Weblogic Server users accessing via identity assertion, which are not represented in the security store.
If this setting is enabled, Weblogic Server users not represented in the security store, will be authenticated. Note that in addition to this attribute, Subject Component mapper classes, which are a type of user name mapper, may disallow virtual users based on the token.
| Privileges | Read/Write |
| Type | boolean |
This section describes the following operations:
Returns true if the specified attribute has been set explicitly in this MBean instance.
| Operation Name | "isSet" |
| Parameters | Object [] { propertyName }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
boolean
|
| Exceptions |
|
Restore the given property to its default value.
| Operation Name | "unSet" |
| Parameters | Object [] { propertyName }
where:
|
| Signature | String [] {
"java.lang.String" } |
| Returns |
void
|
| Exceptions |
|
| Operation Name | "wls_getDisplayName" |
| Parameters | null |
| Signature | null |
| Returns | String
|