Security providers are modular components that handle specific aspects of security, such as authentication and authorization. Although applications can leverage the services offered by the default WebLogic security providers, the WebLogic Security Service’s flexible infrastructure also allows security vendors to write their own custom security providers which can be used with WebLogic Server.
Before configuring new Security providers, you must be aware that WebLogic Server security includes many unique terms and concepts that you need to understand. The following list describes them briefly:
Authentication: this is the process of determining whether someone is, in fact, who they claim to be.
Identity Assertion: an Authentication provider that performs perimeter authentication—a special type of authentication using tokens—is called an Identity Assertion provider.
Authorization: once a user’s identity has been established by an authentication provider, authorization is responsible for determining whether access to resources should be permitted for that user.
Role Mapping: you can assign one or more roles to multiple users and then specify access rights for users who hold particular roles for a given resource.
Adjudication: an Adjudication provider is used to resolve authorization conflicts between multiple Authorization providers. It does so by weighing each Authorization provider's access decision and determining whether to permit access to the requested resource.
Credential Mapping: credential mapping allows WebLogic Server to log into a remote system on behalf of a subject that has already been authenticated.
Keystore: this is a repository of security certificates, either authorization certificates or public key certificates, used for instance in SSL encryption.
Certificate Lookup and Validation (CLV): you can use certificate lookup and validation (CLV) providers to perform additional validation on the certificate chain.
Certificate Registry: a certificate registry is a mechanism for adding certificate revocation checking to a security realm. The registry stores (into an embedded LDAP server) a list of valid certificates. Only registered certificates are valid.
Auditing: auditing is the process in charge of collecting, storing and distributing information about security requests for the purpose of non-repudiation.
Managing Security Providers
You can get the list of available Security Providers by selecting the Providers upper tab (Security realm | Providers). Out of the box, WLS provides a default WebLogic Authentication Provider and an Identity Assertion Provider.
WebLogic Server’s default security providers use an embedded LDAP server to persist all security-related data. Each server stores this data locally, including all of the user, group, role, access control policy, and credential information. You can use the embedded LDAP server for managing users and groups for reasonably small environments (10,000 or fewer users).
Connecting to the embedded LDAP server
Connecting to the embedded LDAP server is quite simple as it just requires an ordinary LDAP browser such as JXPlorer (http://jxplorer.org/).
Before doing that, you need to set a password in order to be able to log in to the LDAP server. This can be done by navigating to the Domain | Security | Embedded LDAP screen. Once there, set the Credential (and confirm it) that will be your password for accessing LDAP:
Now restart WLS and launch your LDAP explorer. From there enter the Base DN information, which will be bound to your domain name, and enter "Admin" as username and, as password, the one we have just entered in the console. The LDAP port is 7001 (the embedded LDAP server listens on the server's own listen port). The LDAP explorer window is depicted in the following picture:
Click Ok. You can now view/export your WLS realm using the standard LDIF format.
Creating a new provider: Database Authentication provider
In this section, we will show how to create a new Authentication provider which uses the database for storing the user’s credentials.
- Open up the Console and select the Security Realm | [Your Realm] | Providers Summary view.
- Click on New.
- In the next screen you will need to configure some basic settings for your provider. In the Type combo you need to select the type of authentication provider you want to create.
WebLogic Server comes with several built-in, configurable authentication providers. These providers primarily include support for external directory servers such as Active Directory, Sun Java System Directory Server, OpenLDAP, Novell eDirectory, Oracle Internet Directory, and Oracle Virtual Directory LDAP servers.
In this recipe we will show how to use a DBMS provider to store your users and roles, therefore select the SQLAuthenticator as Type and click Ok.
Once created, select the provider you have just created, enter the Configuration tab and then the Common sub-tab:
There you specify, via the Control Flag option, how this Authentication provider fits in the overall authentication process, in case you have multiple Authentication providers. The Control Flag option can have the following values:
- REQUIRED: the authentication provider is required to succeed. Whether it succeeds or fails, the authentication process continues to proceed through the list of configured providers. If multiple providers are present, at least one needs to be set as REQUIRED.
- REQUISITE: the authentication provider is required to succeed. If it succeeds, the authentication process continues through the list of configured providers. If it fails, the authentication process immediately fails and returns control to the application.
- SUFFICIENT: the authentication provider is not required to succeed. If it does succeed, the authentication process succeeds and control is returned immediately to the application. If it fails, the authentication process continues down the list of configured providers.
- OPTIONAL: the authentication provider is not required to succeed. Whether it succeeds or fails, the authentication process continues down the list of configured providers.
Warning! Because the administration server must authenticate the user using the default authentication provider, a misconfigured provider using one of these strict control flags (for example, setting more than one provider to REQUIRED) will prevent the server from starting.
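To make the four control flags concrete, the following added example (not code from the original page, and not WebLogic's own implementation) simulates how a chain of Authentication providers is evaluated under JAAS-style control-flag rules. The provider names and their success/failure outcomes are constructed, and `authenticate_chain` is a hypothetical helper; it also shows why the order of a SUFFICIENT provider relative to a failing REQUIRED one matters.

```python
"""Simulate the combination of Authentication provider results according to
their control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL).

Added example only: `Provider` outcomes are constructed booleans standing in
for a real login attempt, and `authenticate_chain` is a hypothetical helper
that mirrors the rules described in the list above.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Provider:
    name: str
    control_flag: str   # REQUIRED, REQUISITE, SUFFICIENT or OPTIONAL
    succeeds: bool      # constructed outcome of this provider's login attempt


def authenticate_chain(providers: List[Provider]) -> Tuple[bool, List[str]]:
    """Walk the providers in configured order.

    Returns (overall_result, names_of_providers_actually_consulted) so that
    short-circuit behaviour (REQUISITE failure, SUFFICIENT success) is visible.
    """
    consulted: List[str] = []
    required_failed = False   # a REQUIRED or REQUISITE provider has failed
    any_success = False       # at least one provider authenticated the user

    for p in providers:
        consulted.append(p.name)
        flag = p.control_flag.upper()
        if flag == "REQUIRED":
            # Must succeed, but the chain keeps going either way.
            if p.succeeds:
                any_success = True
            else:
                required_failed = True
        elif flag == "REQUISITE":
            # Must succeed; a failure ends the whole process immediately.
            if not p.succeeds:
                return False, consulted
            any_success = True
        elif flag == "SUFFICIENT":
            # A success ends the process with success, unless an earlier
            # REQUIRED/REQUISITE provider already failed.
            if p.succeeds:
                if not required_failed:
                    return True, consulted
                any_success = True
        elif flag == "OPTIONAL":
            if p.succeeds:
                any_success = True
        else:
            raise ValueError(f"unknown control flag {p.control_flag!r} on {p.name}")

    # End of the list: every REQUIRED/REQUISITE provider must have passed and
    # at least one provider must have actually authenticated the user.
    return (not required_failed) and any_success, consulted


def demo() -> dict:
    """Constructed scenarios built around a SQL provider and the default one."""
    sql_ok = Provider("SQLAuthenticator", "SUFFICIENT", True)
    default_fail = Provider("DefaultAuthenticator", "REQUIRED", False)
    return {
        # SUFFICIENT first: success short-circuits, default provider never asked.
        "sufficient_first": authenticate_chain([sql_ok, default_fail]),
        # REQUIRED failure first: the later SUFFICIENT success cannot rescue it.
        "required_first": authenticate_chain([default_fail, sql_ok]),
        # REQUISITE failure stops the chain at once.
        "requisite_stop": authenticate_chain(
            [Provider("LDAP", "REQUISITE", False), Provider("SQL", "OPTIONAL", True)]),
        # Only OPTIONAL providers and none succeeds: overall failure.
        "all_optional_fail": authenticate_chain(
            [Provider("A", "OPTIONAL", False), Provider("B", "OPTIONAL", False)]),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario}: {result}")
```

Run it to see that moving a SUFFICIENT provider ahead of a failing REQUIRED one changes the outcome; that is exactly why the order of providers in the Providers Summary view, and not only their flags, has to be reviewed.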
Back to our example, we have decided to set the control flag to SUFFICIENT. Click Save and move to the Provider specific sub-tab:
We need to fill in the Data Source name which will be used to connect to your database. You can leave all the other options at their default values. Then we need to restart the WebLogic server. After the restart, we can go to the Users and Groups tab of your default security realm, where we can change or add users and roles.
Database schema setup
In order to get working with the Database authentication provider you need to create the schema where users and roles will be stored. A creation script is available on GitHub at https://github.com/fmarchioni/ascookbook/tree/master/OracleWLS in the file SQLAuthenticator_createDB.txt
Now add your users, either with direct SQL commands as follows:
insert into USERS (U_NAME,U_PASSWORD,U_DESCRIPTION) values('system','weblogic','admin user');
insert into GROUPS (G_NAME,G_DESCRIPTION) values('Administrators','Administrators');
insert into GROUPMEMBERS (G_NAME,G_MEMBER) values('Administrators','system');
The only limitation is that passwords inserted this way are stored as plaintext, so you can instead add users via the console or via a WLST script, which stores them in encrypted form. The following WLST script can be used to add users:
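As an added example (not part of the original page nor of the GitHub creation script), the following Python builds the USERS, GROUPS and GROUPMEMBERS tables in an in-memory SQLite database using only the columns named in the INSERT statements above, inserts users with parameterised statements, and audits the table for accounts whose password was stored as cleartext. The schema column sizes are constructed, the membership query is an assumption about the kind of lookup the provider performs, and the "{scheme}"-prefix heuristic and the `ssha_hash` helper illustrate a hashed password style in the general LDAP SSHA form; they are not claimed to match byte-for-byte what WebLogic writes.

```python
"""Constructed SQLAuthenticator-style schema with a cleartext-password audit.

Added example only. The schema mirrors the column names from the INSERT
statements on the page; sizes and constraints are assumptions. The {SSHA}
helper is the generic LDAP salted-SHA-1 form, used here to show what a hashed
(rather than plaintext) U_PASSWORD looks like.
"""
import base64
import hashlib
import hmac
import os
import sqlite3
from typing import List, Optional

SCHEMA = """
CREATE TABLE USERS (
    U_NAME        VARCHAR(200) PRIMARY KEY,
    U_PASSWORD    VARCHAR(200) NOT NULL,
    U_DESCRIPTION VARCHAR(1000)
);
CREATE TABLE GROUPS (
    G_NAME        VARCHAR(200) PRIMARY KEY,
    G_DESCRIPTION VARCHAR(1000)
);
CREATE TABLE GROUPMEMBERS (
    G_NAME   VARCHAR(200) REFERENCES GROUPS(G_NAME),
    G_MEMBER VARCHAR(200) REFERENCES USERS(U_NAME),
    PRIMARY KEY (G_NAME, G_MEMBER)
);
"""


def open_realm_db() -> sqlite3.Connection:
    """In-memory stand-in for the DBMS the Data Source points at."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """LDAP-style {SSHA}: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against an {SSHA} value in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def add_user(conn: sqlite3.Connection, name: str, password: str, description: str = "") -> None:
    # Bind variables instead of splicing values into the SQL text.
    conn.execute("INSERT INTO USERS (U_NAME, U_PASSWORD, U_DESCRIPTION) VALUES (?, ?, ?)",
                 (name, password, description))


def add_group(conn: sqlite3.Connection, group: str, description: str = "") -> None:
    conn.execute("INSERT INTO GROUPS (G_NAME, G_DESCRIPTION) VALUES (?, ?)", (group, description))


def add_member(conn: sqlite3.Connection, group: str, user: str) -> None:
    conn.execute("INSERT INTO GROUPMEMBERS (G_NAME, G_MEMBER) VALUES (?, ?)", (group, user))


def groups_of(conn: sqlite3.Connection, user: str) -> List[str]:
    """Membership lookup of the kind performed when a user logs in (assumed query)."""
    rows = conn.execute("SELECT G_NAME FROM GROUPMEMBERS WHERE G_MEMBER = ? ORDER BY G_NAME", (user,))
    return [r[0] for r in rows]


def cleartext_accounts(conn: sqlite3.Connection) -> List[str]:
    """Audit heuristic: a stored password without a leading '{scheme}' prefix is
    taken to be cleartext, i.e. inserted with a raw SQL statement."""
    rows = conn.execute("SELECT U_NAME FROM USERS WHERE U_PASSWORD NOT LIKE '{%}%' ORDER BY U_NAME")
    return [r[0] for r in rows]


def demo() -> dict:
    """Constructed rows: the page's 'system' user as cleartext, one hashed user."""
    conn = open_realm_db()
    add_group(conn, "Administrators", "Administrators")
    add_user(conn, "system", "weblogic", "admin user")               # cleartext, as on the page
    add_user(conn, "myuser", ssha_hash("weblogic123"), "SQLuser")    # hashed form
    add_member(conn, "Administrators", "system")
    conn.commit()
    return {"groups_of_system": groups_of(conn, "system"),
            "cleartext": cleartext_accounts(conn)}


if __name__ == "__main__":
    print(demo())
```

The `cleartext_accounts` query is the kind of check worth running after a migration of user data into the provider's tables: any account it lists was not created through the console or WLST and should be re-created so that the provider stores the password in its own hashed form.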
connect('weblogic','weblogic123','t3://localhost:7001')   # admin user, password and admin server URL
edit()
startEdit(-1,-1,'false')
serverConfig()                                            # switch to the runtime configuration tree
cd('/SecurityConfiguration/base_domain/Realms/myrealm/AuthenticationProviders')   # domain and realm names
ls()                                                      # list the configured authentication providers
cd('SqlAuthenticator')                                    # name given to the SQLAuthenticator provider
cmo.createUser('myuser','weblogic123','SQLuser')          # username, password, description
edit()
stopEdit('y')
Remember to customize the user, password and admin URL in the connect() call. Also replace the domain name "base_domain" in the cd() path with your own domain name. Finally, change the SQL authenticator name in cd('SqlAuthenticator') to the name of your authenticator.