This chapter includes the following sections:
WebLogic Authentication provider
SQL Authenticator provider
LDAP Authentication provider
Oracle Internet Directory Authentication Provider
Oracle Virtual Directory Authentication Provider
Active Directory Authentication provider
ODSEE Authentication provider
Novell Authentication provider
Open LDAP Authentication provider
For information about configuring the Password Validation provider in the WebLogic Server Administration Console, see Configure the Password Validation provider in the Oracle WebLogic Server Administration Console Online Help.
Note:
Passwords cannot contain a curly brace ("{") as the first character.
Table 17-1 Additional Password Composition Rules Required by Password Validation Provider When Used with an LDAP Authentication Provider
| LDAP Authentication Provider | Additional Password Composition Requirement |
| --- | --- |
| | At least one of the characters in the password must be numeric. |
| | At least one of the characters in the password must be non-alphabetic. For example, a numeric character, an asterisk (*), or an octothorpe (#). |
The password composition rules you optionally can configure for the Password Validation provider include the following:
User name policies — Rules that determine whether the password may consist of or contain the user's name, or the reverse of that name
Password length policies — Rules for the minimum or maximum number of characters in a password (composition rules may specify both a minimum and maximum length)
Character policies — Rules regarding the inclusion of the following characters in the password:
Numeric characters
Lowercase alphabetic characters
Uppercase alphabetic characters
Non-alphanumeric characters
For information about the specific composition rules that may be configured for the Password Validation provider, including the settings for these rules that Oracle recommends for a production environment, see System Password Validation Provider: Provider Specific in the Oracle WebLogic Server Administration Console Online Help.
Note:
Setting password composition rules is only one component of hardening the WebLogic Server environment against brute-force password attacks. To protect user accounts, you should also configure user lockout. User lockout specifies the number of incorrect passwords that may be entered within a given interval of time before the user is locked out of his or her account. See Protecting User Accounts.
By default, the WebLogic Authentication provider requires a minimum password length of 8 characters, of which one is non-alphabetic. However, the minimum password length enforced by this provider can be customized. If the WebLogic Authentication provider and Password Validation provider are both configured in the security realm, and you attempt to create a password that does not meet the minimum length enforced by the WebLogic Authentication provider, an error is generated. For example, the following message is displayed in the WebLogic Server Administration Console:
Error [Security:090285]password must be at least 8 characters long Error Errors must be corrected before proceeding.
If the WebLogic Authentication provider rejects a password because it does not meet the minimum length requirement, the Password Validation provider is not called. To ensure that the Password Validator is always used in conjunction with the WebLogic Authentication provider, make sure that the minimum password length is the same for both providers.
Using the WebLogic Server Administration Console, you can set the minimum password length for the WebLogic Authentication provider by completing the following steps:
For information about how to set the minimum password length in the Password Validation provider, see Using WLST to Create and Configure the Password Validation Provider.
SystemPasswordValidatorMBean, described in MBean Reference for Oracle WebLogic Server. You may create and configure the Password Validation provider from a single WLST script, or you may use separate scripts for each task. The following topics explain how, providing sample WLST code snippets:
The Password Validation provider is created automatically in the security realm when you create a new domain. However, you can use WLST to create one as well, as shown in Example 17-1. This code does the following:
Example 17-1 Creating the System Password Validator
edit()
startEdit()
realm = cmo.getSecurityConfiguration().getDefaultRealm()
pwdvalidator = realm.lookupPasswordValidator('SystemPasswordValidator')
if pwdvalidator:
    print 'Password Validator provider is already created'
else:
    # Create SystemPasswordValidator; keep the reference in pwdvalidator so the
    # configuration script that follows can use it whether or not the provider already existed
    pwdvalidator = realm.createPasswordValidator('SystemPasswordValidator',
        'com.bea.security.providers.authentication.passwordvalidator.SystemPasswordValidator')
    print "--- Creation of System Password Validator succeeded!"
save()
activate()
The following example shows the WLST code that sets the composition rules for the Password Validation provider. For information about the rule attributes that can be set in this script, see the description of the SystemPasswordValidatorMBean in the MBean Reference for Oracle WebLogic Server.
edit()
startEdit()
# Configure SystemPasswordValidator (pwdvalidator was obtained in Example 17-1)
try:
    pwdvalidator.setMinPasswordLength(8)
    pwdvalidator.setMaxPasswordLength(12)
    pwdvalidator.setMaxConsecutiveCharacters(3)
    pwdvalidator.setMaxInstancesOfAnyCharacter(4)
    pwdvalidator.setMinAlphabeticCharacters(1)
    pwdvalidator.setMinNumericCharacters(1)
    pwdvalidator.setMinLowercaseCharacters(1)
    pwdvalidator.setMinUppercaseCharacters(1)
    pwdvalidator.setMinNonAlphanumericCharacters(1)
    pwdvalidator.setMinNumericOrSpecialCharacters(1)
    pwdvalidator.setRejectEqualOrContainUsername(true)
    pwdvalidator.setRejectEqualOrContainReverseUsername(true)
    print " --- Configuration of SystemPasswordValidator complete ---"
except Exception,e:
    print e
save()
activate()
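As an added illustration, not Oracle's code and not the provider's actual implementation, the following stand-alone Python checker applies the same rule set that the composition rules listed earlier describe and that the WLST script above configures, so an administrator can see which candidate passwords those settings would reject before applying them to a realm. The rule names returned mirror the MBean setters. How MaxConsecutiveCharacters and MaxInstancesOfAnyCharacter count characters is an assumption here (longest run of one repeated character, and total occurrences of any one character), as is the case-insensitive user-name comparison; the leading curly-brace check reflects the note earlier in this chapter. The sample user name and passwords are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from itertools import groupby
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Rule values mirror the setters called on SystemPasswordValidatorMBean above.

    The semantics of the two 'max' rules are assumptions made for this example.
    """
    min_password_length: int = 8
    max_password_length: int = 12
    max_consecutive_characters: int = 3      # assumed: longest run of one repeated character
    max_instances_of_any_character: int = 4  # assumed: total occurrences of any one character
    min_alphabetic_characters: int = 1
    min_numeric_characters: int = 1
    min_lowercase_characters: int = 1
    min_uppercase_characters: int = 1
    min_non_alphanumeric_characters: int = 1
    min_numeric_or_special_characters: int = 1
    reject_equal_or_contain_username: bool = True
    reject_equal_or_contain_reverse_username: bool = True


def validate_password(password: str, username: str,
                      policy: Optional[PasswordPolicy] = None) -> List[str]:
    """Return the names of every rule the password violates; an empty list means accepted."""
    policy = policy or PasswordPolicy()
    violations: List[str] = []

    # A leading "{" is never allowed (see the note earlier in this chapter).
    if password.startswith("{"):
        violations.append("LeadingCurlyBrace")

    if len(password) < policy.min_password_length:
        violations.append("MinPasswordLength")
    if len(password) > policy.max_password_length:
        violations.append("MaxPasswordLength")

    # Longest run of the same character appearing back to back, e.g. "aaaa" -> 4.
    longest_run = max((len(list(run)) for _, run in groupby(password)), default=0)
    if longest_run > policy.max_consecutive_characters:
        violations.append("MaxConsecutiveCharacters")

    # Highest total count of any single character anywhere in the password.
    most_frequent = max(Counter(password).values(), default=0)
    if most_frequent > policy.max_instances_of_any_character:
        violations.append("MaxInstancesOfAnyCharacter")

    alphabetic = sum(c.isalpha() for c in password)
    numeric = sum(c.isdigit() for c in password)
    lowercase = sum(c.islower() for c in password)
    uppercase = sum(c.isupper() for c in password)
    special = sum(not c.isalnum() for c in password)
    minimums = [
        ("MinAlphabeticCharacters", alphabetic, policy.min_alphabetic_characters),
        ("MinNumericCharacters", numeric, policy.min_numeric_characters),
        ("MinLowercaseCharacters", lowercase, policy.min_lowercase_characters),
        ("MinUppercaseCharacters", uppercase, policy.min_uppercase_characters),
        ("MinNonAlphanumericCharacters", special, policy.min_non_alphanumeric_characters),
        ("MinNumericOrSpecialCharacters", numeric + special,
         policy.min_numeric_or_special_characters),
    ]
    for name, count, minimum in minimums:
        if count < minimum:
            violations.append(name)

    # User-name rules: compared case-insensitively (assumption for this example).
    lowered, user = password.lower(), username.lower()
    if policy.reject_equal_or_contain_username and user and user in lowered:
        violations.append("RejectEqualOrContainUsername")
    if policy.reject_equal_or_contain_reverse_username and user and user[::-1] in lowered:
        violations.append("RejectEqualOrContainReverseUsername")

    return violations


if __name__ == "__main__":
    # Constructed samples for a user named "alice".
    for candidate in ["Tr0ub4dor!", "alice123", "aaaaBBBB1!", "Ecila#2024", "{Abcdef1!"]:
        result = validate_password(candidate, "alice")
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```

Because the checker reports every violated rule rather than stopping at the first, it is also a convenient way to see the interaction described above: with MinPasswordLength set to 8 here, a too-short password fails this rule in the same way the WebLogic Authentication provider's own minimum-length check would reject it before the Password Validation provider is ever consulted.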