11 About Configuring the Authentication Providers in WebLogic Server

This chapter provides general information about choosing and configuring an Authentication provider in a security realm. Most of them work in similar fashion: given a username and password credential pair, the provider attempts to find a corresponding user in the provider's data store. These Authentication providers differ primarily in what they use as a data store: one of many available LDAP servers, a SQL database, or other data store. In addition to these username/password based security providers, WebLogic Server includes identity assertion Authentication providers, which use certificates or security tokens, rather than username/password pairs, as credentials.

This chapter includes the following sections:

  • Choosing an Authentication Provider

  • Using More Than One Authentication Provider

Choosing an Authentication Provider

Authentication is the process whereby the identity of users and system processes is proved or verified. Authentication also involves remembering, transporting, and making identity information available to the various components of a system when that information is needed.

The WebLogic Server security architecture supports: password-based and certificate-based authentication directly with WebLogic Server; HTTP certificate-based authentication proxied through an external Web server; perimeter-based authentication (Web server, firewall, VPN); and authentication based on multiple security token types and protocols.

WebLogic Server offers the following types of Authentication providers:

  • The WebLogic Authentication provider, also known as the DefaultAuthenticator, accesses user and group information in WebLogic Server's embedded LDAP server.

  • The Oracle Internet Directory Authentication provider accesses users and groups in Oracle Internet Directory, an LDAP version 3 directory.

  • The Oracle Virtual Directory Authentication provider accesses users and groups in Oracle Virtual Directory, an LDAP version 3 enabled service.

  • LDAP Authentication providers access external LDAP stores. You can use an LDAP Authentication provider to access any LDAP server. WebLogic Server provides LDAP Authentication providers already configured for Open LDAP, Oracle Directory Server Enterprise Edition (ODSEE), Microsoft Active Directory, and Novell NDS LDAP servers.

  • RDBMS Authentication providers access external relational databases. WebLogic Server provides three RDBMS Authentication providers: SQL Authenticator, Read-only SQL Authenticator, and Custom RDBMS Authenticator.

  • The WebLogic Identity Assertion provider validates X.509 and IIOP-CSIv2 tokens and optionally can use a user name mapper to map that token to a user in a WebLogic Server security realm.

  • The SAML Authentication provider authenticates users based on Security Assertion Markup Language 1.1 (SAML) assertions.

  • The Negotiate Identity Assertion provider uses Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps them to WebLogic users.

  • The SAML Identity Assertion provider acts as a consumer of SAML security assertions. This enables WebLogic Server to act as a SAML destination site and supports using SAML for single sign-on.

In addition, you can use:

  • Custom (non-WebLogic) Authentication providers, which offer different types of authentication technologies.

  • Custom (non-WebLogic) Identity Assertion providers, which support different types of tokens.

Using More Than One Authentication Provider

Each security realm must have at least one Authentication provider configured. The WebLogic Security Framework supports multiple Authentication providers (and thus multiple LoginModules) for multipart authentication. Therefore, you can use multiple Authentication providers as well as multiple types of Authentication providers in a security realm. For example, if you want to use both a retina-scan and a username/password-based form of authentication to access a system, you configure two Authentication providers.

How you configure multiple Authentication providers can affect the overall outcome of the authentication process. Configure the JAAS Control Flag for each Authentication provider to set up login dependencies between Authentication providers and allow single-sign on between providers. See Setting the JAAS Control Flag Option.

Authentication providers are called in the order in which they were configured in the security realm. Therefore, use caution when configuring Authentication providers. You can use the WebLogic Server Administration Console to re-order the configured Authentication providers, thus changing the order in which they are called. See Changing the Order of Authentication Providers.

Setting the JAAS Control Flag Option

When you configure multiple Authentication providers, use the JAAS Control Flag for each provider to control how the Authentication providers are used in the login sequence. You can set the JAAS Control Flag in the WebLogic Server Administration Console. See "Set the JAAS control flag" in the Oracle WebLogic Server Administration Console Online Help. You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to set the JAAS Control Flag for an Authentication provider.

JAAS Control Flag values are:

  • REQUIRED—The Authentication provider is always called, and the user must pass its authentication test. However, regardless of whether authentication succeeds or fails, authentication still continues down the list of providers.

  • REQUISITE—The Authentication provider is always called, and the user is required to pass its authentication test.

    • If authentication succeeds, subsequent providers are executed but can fail (except for REQUIRED Authentication providers).

    • If authentication fails, control is returned to the caller and no subsequent Authentication provider down the list is executed.

  • SUFFICIENT—The user is not required to pass the authentication test of the Authentication provider.

    • If authentication succeeds, control is returned to the caller and no subsequent Authentication provider down the list is executed.

    • If authentication fails, authentication continues down the list of providers.

    Any REQUIRED or REQUISITE Authentication provider in the list must pass its own authentication test. If no REQUIRED or REQUISITE Authentication provider is in the list, then the authentication test of at least one OPTIONAL or SUFFICIENT Authentication provider must pass.

  • OPTIONAL—The user is not required to pass the authentication test of the Authentication provider. Regardless of whether authentication succeeds or fails, authentication continues down the list of providers.

The overall authentication of the user succeeds only if all REQUIRED and REQUISITE Authentication providers configured in the realm succeed. Note also:

  • If a SUFFICIENT Authentication provider is configured and succeeds, then only the REQUIRED and REQUISITE Authentication providers prior to that SUFFICIENT Authentication provider need to have succeeded for the overall authentication to succeed.

  • If no REQUIRED or REQUISITE Authentication providers are configured in the security realm, then at least one SUFFICIENT or OPTIONAL Authentication provider must succeed.

When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL. If necessary, change the setting of the Control Flag and the order of Authentication providers so that each Authentication provider works properly in the authentication sequence.
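The control-flag rules above decide the outcome of a login attempt, and the outcome depends on provider order as much as on the flags themselves. The following Python simulator is an added example, not Oracle's code and not WebLogic's own JAAS implementation; it encodes the rules exactly as this section states them. The provider names (DefaultAuthenticator is the name used earlier in this chapter; ExternalLDAP is made up) and the pass/fail verdicts are constructed, standing in for what a real provider would get from its LDAP, RDBMS or token store. Running it shows the ordering pitfall the text warns about: a SUFFICIENT provider placed before a REQUIRED one returns control to the caller on success, so the REQUIRED provider is never consulted.

```python
"""Simulate the JAAS control-flag login sequence described above.

Added illustration, not WebLogic's own code. Each Provider carries a
constructed verdict (passes=True/False) in place of the result the real
provider would obtain from its data store.
"""
from dataclasses import dataclass
from typing import List, Tuple

REQUIRED = "REQUIRED"
REQUISITE = "REQUISITE"
SUFFICIENT = "SUFFICIENT"
OPTIONAL = "OPTIONAL"
VALID_FLAGS = {REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL}


@dataclass(frozen=True)
class Provider:
    name: str          # constructed provider name
    control_flag: str  # one of the four JAAS Control Flag values
    passes: bool       # constructed verdict of this provider's test


def evaluate_login(providers: List[Provider]) -> Tuple[bool, List[str]]:
    """Return (overall_success, names_of_providers_actually_called).

    Providers are called in list order, which is the order configured in
    the realm (or the order set with the console's Reorder button).
    """
    for p in providers:
        if p.control_flag not in VALID_FLAGS:
            raise ValueError(f"{p.name}: unknown control flag {p.control_flag!r}")

    # Does the realm have any REQUIRED or REQUISITE provider at all?
    has_mandatory = any(p.control_flag in (REQUIRED, REQUISITE) for p in providers)
    mandatory_ok = True   # every REQUIRED/REQUISITE called so far has passed
    optional_ok = False   # at least one SUFFICIENT/OPTIONAL has passed
    called: List[str] = []

    for p in providers:
        called.append(p.name)
        if p.control_flag == REQUIRED:
            # Must pass, but the chain continues either way.
            mandatory_ok = mandatory_ok and p.passes
        elif p.control_flag == REQUISITE:
            # Must pass; a failure returns to the caller immediately.
            if not p.passes:
                return False, called
        elif p.control_flag == SUFFICIENT:
            # A pass returns immediately; only the REQUIRED/REQUISITE
            # providers *before* it need to have passed. Anything later
            # in the list is never consulted.
            if p.passes:
                return mandatory_ok, called
        else:  # OPTIONAL: never decisive unless nothing mandatory is configured
            optional_ok = optional_ok or p.passes

    if has_mandatory:
        return mandatory_ok, called
    return optional_ok, called


def ordering_pitfall() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Same two providers in two orders; only the order differs."""
    external = Provider("ExternalLDAP", SUFFICIENT, True)      # constructed
    default = Provider("DefaultAuthenticator", REQUIRED, False)
    # SUFFICIENT first: login succeeds and the failing REQUIRED is never called.
    sufficient_first = evaluate_login([external, default])
    # REQUIRED first: its failure is recorded, so the login is rejected.
    required_first = evaluate_login([default, external])
    return sufficient_first, required_first


if __name__ == "__main__":
    labels = ("SUFFICIENT before REQUIRED", "REQUIRED before SUFFICIENT")
    for label, (success, called) in zip(labels, ordering_pitfall()):
        print(f"{label}: success={success}, providers called={called}")
```

Before reordering providers in a production realm, feed the simulator the realm's actual flag sequence together with the verdicts you expect for a user who exists in only one store; if a configuration lets a login succeed without ever calling a provider you consider mandatory, move that provider ahead of any SUFFICIENT one.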

Note:

As part of the startup process, WebLogic Server must be able to initialize all security providers that are configured in the security realm, including any Authentication providers that have a JAAS Control Flag set to OPTIONAL. If the initialization process for any security provider cannot be completed, WebLogic Server fails to boot, and an error message similar to the following is displayed:
<BEA-090870> <The realm "myrealm" failed to be loaded:

Changing the Order of Authentication Providers

The order in which WebLogic Server calls multiple Authentication providers can affect the overall outcome of the authentication process. The Authentication Providers table lists the authentication providers in the order in which they will be called. By default, Authentication providers are called in the order in which they were configured. You can use the WebLogic Server Administration Console to change the order of Authentication providers. Select the Reorder button on the Security Realms > RealmName > Providers > Authentication page in the WebLogic Server Administration Console to change the order in which Authentication providers are called by WebLogic Server and listed in the console.

See "Re-order Authentication Providers" in the Oracle WebLogic Server Administration Console Online Help.