Administration Console Online Help


Security Realms: General


Use this page to configure the general behavior of this security realm.

Note:
If you are implementing security using JACC (Java Authorization Contract for Containers as defined in JSR 115), you must use the DD Only security model. Other WebLogic Server models are not available and the security functions for Web applications and EJBs in the Administration Console are disabled.

A security realm provides all the auditing, authentication, authorization, credential mapping, and role mapping services to a WebLogic Server deployment. You can configure multiple security realms within a single WebLogic Server deployment. Only one security realm is designated as the default security realm.

For any security realm to be valid, configure each of the following types of security providers (in any order):

At least one Authorization provider and at least one Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider and DeployableRoleProvider Security Service Provider Interface (SSPI), respectively. These SSPIs allow the providers to store, rather than only retrieve, the policies and roles that deployment descriptors define.

Configuration Options

Name

The name of this security realm.

Security Model Default

Specifies the default security model for Web applications or EJBs that are secured by this security realm. You can override this default during deployment.

Note:

If you deploy a module by modifying the domain's config.xml file and restarting the server, and if you do not specify a security model value for the module in config.xml, the module is secured with the default value of the AppDeploymentMBean SecurityDDModel attribute (see AppDeploymentMBean SecurityDDModel).

Choose one of these security models:

  • Deployment Descriptors Only (DDOnly)
    • For EJBs and URL patterns, this model uses only the roles and policies in the J2EE deployment descriptors (DD); the Administration Console allows only read access for this data. With this model, EJBs and URL patterns are not protected by roles and policies of a broader scope (such as a policy scoped to an entire Web application). If an EJB or URL pattern is not protected by a role or policy in the DD, then it is unprotected: anyone can access it.

    • For application-scoped roles in an EAR, this model uses only the roles defined in the WebLogic Server DD; the Administration Console allows only read access for this data. If the WebLogic Server DD does not define roles, then there will be no such scoped roles defined for this EAR.

    • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies for an EAR.

    • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

  • Customize Roles Only (CustomRoles)
    • For EJBs and URL patterns, this model uses only the policies in the J2EE deployment descriptors (DD). EJBs and URL patterns are not protected by policies of a broader scope (such as a policy scoped to an entire Web application). This model ignores any roles defined in the DDs; an administrator completes the role mappings using the Administration Console.

    • For all other types of resources, you can use the Administration Console to create roles or policies. For example, with this model, you can use the Administration Console to create application-scoped policies or roles for an EAR.

    • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

  • Customize Roles and Policies (CustomRolesAndPolicies)
    • Ignores any roles and policies defined in deployment descriptors. An administrator uses the Administration Console to secure the resources.

    • Performs security checks for all URLs or EJB methods in the module.

    • Applies for the life of the deployment. If you want to use a different model, you must delete the deployment and reinstall it.

  • Advanced (Advanced)

    You configure how this model behaves by setting values for the following options:

    • When Deploying Web Applications or EJBs
      Note:

      When using the WebLogic Scripting Tool or JMX APIs, there is no single MBean attribute for this setting. Instead, you must set the values for the DeployPolicyIgnored and DeployRoleIgnored attributes of RealmMBean.

    • Check Roles and Policies (FullyDelegateAuthorization)
    • Combined Role Mapping Enabled (CombinedRoleMappingEnabled)

    You can change the configuration of this model. Any changes immediately apply to all modules that use the Advanced model. For example, you can specify that all modules using this model will copy roles and policies from their deployment descriptors into the appropriate provider databases upon deployment. After you deploy all of your modules, you can change this behavior to ignore roles and policies in deployment descriptors so that when you redeploy modules they will not re-copy roles and policies.

    Note:

    Prior to WebLogic Server version 9.0, the Advanced model was the only security model available. Use this model if you want to continue to secure EJBs and Web applications as in releases prior to 9.0.

MBean Attribute:
RealmMBean.SecurityDDModel

Combined Role Mapping Enabled

Determines how the role mappings in the Enterprise Application, Web application, and EJB containers interact. This setting is valid only for Web applications and EJBs that use the Advanced security model and that initialize roles from deployment descriptors.

When enabled:

  • Application role mappings are combined with EJB and Web application mappings so that all principal mappings are included. The Security Service combines the role mappings with a logical OR operator.

  • If one or more policies in the web.xml file specify a role for which no mapping exists in the weblogic.xml file, the Web application container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access URL patterns that are secured by such policies.

  • If one or more policies in the ejb-jar.xml file specify a role for which no mapping exists in the weblogic-ejb-jar.xml file, the EJB container creates an empty map for the undefined role (that is, the role is explicitly defined as containing no principal). Therefore, no one can access methods that are secured by such policies.

When disabled:

  • Role mappings for each container are exclusive to other containers unless defined by the <externally-defined> descriptor element.

  • If one or more policies in the web.xml file specify a role for which no role mapping exists in the weblogic.xml file, the Web application container assumes that the undefined role is the name of a principal. It therefore maps the assumed principal to the role name. For example, if the web.xml file contains the following stanza in one of its policies:

      <auth-constraint>
        <role-name>PrivilegedUser</role-name>
      </auth-constraint>

    but the weblogic.xml file has no role mapping for PrivilegedUser, then the Web application container creates an in-memory mapping that is equivalent to the following stanza:

      <security-role-assignment>
        <role-name>PrivilegedUser</role-name>
        <principal-name>PrivilegedUser</principal-name>
      </security-role-assignment>

    Any user or group in the realm whose name is PrivilegedUser therefore satisfies that policy, so a missing mapping grants access rather than denying it.

  • Role mappings for EJB methods must be defined in the weblogic-ejb-jar.xml file. Role mappings defined in the other containers are not used unless defined by the <externally-defined> descriptor element.

Note:

For all applications previously deployed in version 8.1 and upgraded to version 9.x, combined role mapping is disabled by default.

MBean Attribute:
RealmMBean.CombinedRoleMappingEnabled
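
The "When enabled" and "When disabled" rules above can be checked against concrete descriptors. The following Python is an added example written for this page, not WebLogic Server code: it reads the <security-role-assignment> entries of a constructed weblogic.xml, then computes the role-to-principal mapping the Web application container would hold with Combined Role Mapping enabled and with it disabled, and evaluates a policy against a subject's principals. The sample descriptors, the role and principal names, and the function names are invented; roles marked <externally-defined/> are resolved against a constructed realm_map, which is a simplification of the realm's role mapping provider.

```python
"""Effective role-to-principal mapping with Combined Role Mapping enabled or disabled.
Added example written for this page, not WebLogic Server code; it models the rules
the console help describes for a Web application on the Advanced security model."""
import xml.etree.ElementTree as ET

EXTERNALLY_DEFINED = object()   # stands in for <externally-defined/> in weblogic.xml

# Constructed sample weblogic.xml; namespace URI and principal names are illustrative.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>Auditor</role-name>
    <principal-name>audit-group</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>Operator</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>
"""

# Roles that the constructed web.xml's <auth-constraint> policies reference.
DD_ROLES = {"PrivilegedUser", "Auditor"}
# Application-scoped assignments (constructed weblogic-application.xml content).
APP_MAP = {"Deployer": {"deploy-group"}}
# Roles the realm's role mapping provider defines (constructed); used for
# roles the module marks <externally-defined/>.
REALM_MAP = {"Operator": {"ops-group"}}


def _local(tag):
    """Strip the XML namespace so any weblogic.xml schema version parses."""
    return tag.rsplit("}", 1)[-1]


def parse_role_assignments(xml_text):
    """Return {role: set(principals)} or {role: EXTERNALLY_DEFINED} from weblogic.xml."""
    mapping = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "security-role-assignment":
            continue
        role, principals, external = None, set(), False
        for child in el:
            name = _local(child.tag)
            if name == "role-name":
                role = child.text.strip()
            elif name == "principal-name":
                principals.add(child.text.strip())
            elif name == "externally-defined":
                external = True
        mapping[role] = EXTERNALLY_DEFINED if external else principals
    return mapping


WEBAPP_MAP = parse_role_assignments(WEBLOGIC_XML)


def effective_mapping(dd_roles, webapp_map, app_map, realm_map, combined):
    """Return {role: frozenset(principals)} as the Web application container holds it."""
    # Application-scoped roles are visible to the module only when mappings are combined.
    roles = set(dd_roles) | set(webapp_map) | (set(app_map) if combined else set())
    result = {}
    for role in roles:
        web = webapp_map.get(role)
        if web is EXTERNALLY_DEFINED:
            # The descriptor defers to the realm's role mapping provider (modeled as realm_map).
            principals = set(realm_map.get(role, ()))
        elif combined:
            # Logical OR of module and application mappings; a role the DD references
            # that nobody maps becomes an empty map, so nobody is in it.
            principals = set(web or ()) | set(app_map.get(role, ()))
        elif web is not None:
            principals = set(web)
        else:
            # Disabled and unmapped: the container assumes a principal named like the role.
            principals = {role}
        result[role] = frozenset(principals)
    return result


def can_access(subject_principals, policy_roles, mapping):
    """True if the subject carries a principal mapped to at least one of the policy's roles."""
    subject = set(subject_principals)
    return any(mapping.get(role, frozenset()) & subject for role in policy_roles)


if __name__ == "__main__":
    for combined in (True, False):
        m = effective_mapping(DD_ROLES, WEBAPP_MAP, APP_MAP, REALM_MAP, combined)
        print("combined =", combined, {r: sorted(p) for r, p in sorted(m.items())})
        print("  subject {'PrivilegedUser'} reaches a PrivilegedUser-only URL:",
              can_access({"PrivilegedUser"}, ["PrivilegedUser"], m))
```

The point to take from the two runs: with the setting disabled, a policy that names a role weblogic.xml never maps is satisfied by any subject carrying a user or group principal of that name, so an omitted or misspelled mapping fails open; with it enabled the same omission produces an empty map and denies everyone, which is the behavior you want to notice at deployment time rather than after an incident.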

Use Authorization Providers to Protect JMX Access

Configures the WebLogic Server MBean servers to use the security realm's Authorization providers to determine whether a JMX client has permission to access an MBean attribute or invoke an MBean operation.

You can continue to use WebLogic Server's default security settings or modify the defaults to suit your needs.

If you do not delegate authorization to the realm's Authorization providers, the WebLogic MBean servers allow access only to the four default security roles (Admin, Deployer, Operator, and Monitor) and only as specified by WebLogic Server's default security settings.

MBean Attribute:
RealmMBean.DelegateMBeanAuthorization

Changes take effect after you redeploy the module or restart the server.

Advanced Configuration Options

Check Roles and Policies

Specifies when the Security Service checks for authorization to access Web applications and Enterprise JavaBeans (EJBs). This setting is valid only for Web applications and EJBs that use the Advanced security model.

Configure the WebLogic Security Service to do one of the following:

  • All Web applications and EJBs. Check for authorization when a client tries to access any URL in a Web application or any method in an EJB.
  • Web applications and EJBs protected in DD. Check for authorization when a client tries to access a URL or EJB method that is protected by a policy in the Web application or EJB deployment descriptor.

    This selection causes the Advanced model to use only roles and policies defined in a Web application or EJB's deployment descriptors and ignore any security data in the realm's provider databases.

MBean Attribute:
RealmMBean.FullyDelegateAuthorization

Changes take effect after you redeploy the module or restart the server.
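
Both the DDOnly model described earlier and the "Web applications and EJBs protected in DD" setting above leave any URL that no deployment-descriptor constraint covers completely unchecked: the realm's policies are never consulted for it. The following Python is an added example written for this page, not WebLogic Server code: it parses the <security-constraint> elements of a constructed web.xml and reports, for a request path and HTTP method, what the descriptor says about it, using the Servlet specification's matching rules as modeled here (exact pattern first, then the longest /path/* prefix, then *.extension, then the default /; a constraint that lists <http-method> elements covers only those methods; an empty <auth-constraint/> precludes all access). The descriptor, paths and role names are invented, and the matching is a model of the specification, not WebLogic's implementation.

```python
"""Which requests does a web.xml security constraint actually cover?
Added example, not WebLogic code; the matching rules are modeled from the Servlet spec."""
import xml.etree.ElementTree as ET

# Constructed sample web.xml for the example (not from a real application).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>PrivilegedUser</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>reports, GET only</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Auditor</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so any web-app schema version parses."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(xml_text):
    """Return [(url_patterns, http_methods, roles)]; roles is None when there is no
    <auth-constraint> (no role check) and an empty frozenset for <auth-constraint/>."""
    constraints = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns, methods, roles = [], set(), None
        for child in sc:
            if _local(child.tag) == "web-resource-collection":
                for el in child:
                    if _local(el.tag) == "url-pattern":
                        patterns.append(el.text.strip())
                    elif _local(el.tag) == "http-method":
                        methods.add(el.text.strip().upper())
            elif _local(child.tag) == "auth-constraint":
                roles = frozenset(el.text.strip() for el in child if _local(el.tag) == "role-name")
        constraints.append((patterns, methods, roles))
    return constraints


def best_match(patterns, path):
    """Servlet-spec precedence: exact, then longest '/prefix/*', then '*.ext', then '/'."""
    best, best_key = None, None
    for p in patterns:
        if p == path:
            key = (3, 0)
        elif p.endswith("/*") and (path == p[:-2] or path.startswith(p[:-1])):
            key = (2, len(p))
        elif p.startswith("*.") and path.endswith(p[1:]):
            key = (1, 0)
        elif p == "/":
            key = (0, 0)
        else:
            continue
        if best_key is None or key > best_key:
            best, best_key = p, key
    return best


def dd_protection(constraints, path, method="GET"):
    """Classify (method, path) as 'unconstrained', 'deny-all', 'no-role-check' or ('roles', set)."""
    all_patterns = {p for pats, _, _ in constraints for p in pats}
    pattern = best_match(all_patterns, path)
    if pattern is None:
        return ("unconstrained", None)      # no pattern matches: never authorized at all
    hits = [roles for pats, methods, roles in constraints
            if pattern in pats and (not methods or method.upper() in methods)]
    if not hits:
        return ("unconstrained", None)      # pattern is constrained, but not for this verb
    if any(r is not None and not r for r in hits):
        return ("deny-all", frozenset())    # an empty <auth-constraint/> overrides the rest
    if any(r is None for r in hits):
        return ("no-role-check", None)      # a constraint without <auth-constraint> allows all
    return ("roles", frozenset().union(*hits))


CONSTRAINTS = parse_constraints(WEB_XML)

if __name__ == "__main__":
    for method, path in [("GET", "/admin/users"), ("GET", "/reports/q1"), ("POST", "/reports/q1"),
                         ("GET", "/internal/x"), ("GET", "/public/index.jsp")]:
        print(method, path, "->", dd_protection(CONSTRAINTS, path, method))
```

Run it and compare the two /reports/q1 lines: the descriptor protects GET with the Auditor role but says nothing about POST, so under DDOnly or "protected in DD" a POST to the same path is served without any authorization check, exactly the "anyone can access it" case the model descriptions warn about. Constraints that enumerate HTTP methods, and paths with no constraint at all, are the two things to audit in a descriptor before choosing either setting.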

When Deploying Web Applications or EJBs

Specifies whether the Security Service copies security data from the deployment descriptors into the appropriate security provider databases each time the Web application or EJB is deployed. This setting is valid only for Web applications and EJBs that use the Advanced security model and only when Check Roles and Policies is set to All Web applications and EJBs.

Configure the WebLogic Security Service to do one of the following:

  • Initialize roles and policies from DD. While deploying Web applications and EJBs that use the Advanced security model, copy the roles and policies that are specified in the modules' deployment descriptors into the appropriate security provider databases.

    Each Role Mapping provider and Authorization provider determines how it resolves conflicts and whether it removes roles that have been removed from the deployment descriptors. The WebLogic Server role mapper resolves conflicts by accepting the last change; it also removes roles that have been removed from the deployment descriptor.

  • Ignore roles and policies from DD. While deploying Web applications and EJBs that use the Advanced security model, ignore any roles and policies in the deployment descriptor.

Deployable Provider Synchronization Enabled

Specifies whether synchronization for deployable Authorization and Role Mapping providers is enabled.

The Authorization and Role Mapping providers may or may not support parallel security policy and role modification, respectively, in the security provider database. If the security providers do not support parallel modification, the WebLogic Security Framework enforces a synchronization mechanism that results in each application and module being placed in a queue and deployed sequentially.

MBean Attribute:
RealmMBean.DeployableProviderSynchronizationEnabled

Changes take effect after you redeploy the module or restart the server.

Deployable Provider Synchronization Timeout

Specifies the timeout value, in milliseconds, for the deployable security provider synchronization operation. This value is used only if Deployable Provider Synchronization Enabled is set to true.

MBean Attribute:
RealmMBean.DeployableProviderSynchronizationTimeout

Changes take effect after you redeploy the module or restart the server.
