This chapter includes the following sections:
For information about configuring security providers, see About Configuring WebLogic Security Providers and About Configuring the Authentication Providers in WebLogic Server.
For information about migrating security data to a new security realm, see Migrating Security Data.
To simplify the configuration and management of security, WebLogic Server provides a default security configuration. In the default security configuration,
myrealm is set as the default (active) security realm, and the WebLogic Adjudication, Authentication, Identity Assertion, Credential Mapping, CertPath, XACML Authorization and XACML Role Mapping providers are defined as the security providers in the security realm.
Customize the default security configuration if you want to do any of the following:
Replace one of the security providers in the default realm with a different security provider.
Configure additional security providers in the default security realm. (For example, if you want to use two Authentication providers, one that uses the embedded LDAP server and one that uses a Windows NT store of users and groups.)
Use an Authentication provider that accesses an LDAP server other than WebLogic Server's embedded LDAP server.
Use an existing store of users and groups (for example, a DBMS database) instead of defining users and groups in the WebLogic Authentication provider (also known as the DefaultAuthenticator).
When performing authentication, use the GUID or DN attributes of principals, in addition to user names, specify that principal matching is case-insensitive.
Add an Auditing provider to the default security realm.
Use an Identity Assertion provider that handles SAML assertions or Kerberos tokens.
Use the Certificate Registry to add certificate revocation to the security realm.
Change the default configuration settings of the security providers.
Use a custom Authorization or Role Mapping provider that does not support parallel security policy and role modification, respectively, in the security provider database.
For information about configuring different types of security providers in a security realm, see About Configuring WebLogic Security Providers and About Configuring the Authentication Providers in WebLogic Server.
The easiest way to customize the default security configuration is to add the security providers you want to the default security realm (
myrealm). However, Oracle recommends instead that you customize the default security configuration by creating an entirely new security realm. This preserves your ability to revert more easily to the default security configuration. You configure security providers for the new realm; migrate any security data, such as users as groups, from the existing default realm; and then set the new security realm as the default realm. See Creating and Configuring a New Security Realm: Main Steps.
Before creating a new security realm, you need to decide:
Which security providers you want to use. WebLogic Server includes a wide variety of security providers and, in addition, allows you to create or obtain custom security providers. A valid security realm requires an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, a Role Mapping provider, and a CertPathBuilder. In addition, a security realm can optionally include Identity Assertion, Auditing, and Certificate Registry providers. If your new security realm includes two or more providers of the same type (for example, more than one Authentication provider or more than one Authorization provider), you need to determine how these providers should interact with each other. See Using More Than One Authentication Provider.
In addition, custom Authorization and Role Mapping providers may or may not support parallel security policy and role modification, respectively, in the security provider database. If your custom Authorization and Role Mapping security providers do not support parallel modification, the WebLogic Security framework can enforce a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially. To do this, set the Deployable Provider Synchronization Enabled and Deployable Provider Synchronization Timeout controls for the realm.
What model to use to set security roles and security policies for Web application and EJB resources. These security roles and policies can be set through deployment descriptors or through the WebLogic Server Administration Console. See "Options for Securing Web Application and EJB Resources" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
Whether or not to use the Web resource.
The Web resource is deprecated. If you are configuring a custom Authorization provider that uses the Web resource (instead of the URL resource) in the new security realm, enable Use Deprecated Web Resource on the new security realm. This option changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization.
When you create a new security realm, you must configure at least one of the Authentication providers to return asserted LoginModules. Otherwise,
run-as tags defined in deployment descriptors will not work.
For more information, see "Configure new security realms" in the Oracle WebLogic Server Administration Console Online Help.
To create a new security realm:
You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to create a new security configuration. See Understanding the WebLogic Scripting Tool.