|
|
|
|
|
|
| | | |
The following sections describe how to implement security in WebLogic Server:
Steps for Configuring Security
Implementing security in a WebLogic Server deployment largely consists of configuring attributes that define the security policy for that deployment. WebLogic Server provides an Administration Console to help you define the security policy for your deployment. Using the Administration Console, you specify security-specific values for the following elements of your deployment:
Because security features are closely related, it is difficult to determine where to start when configuring security. In fact, defining security for your WebLogic Server deployment may be an iterative process. Although more than one sequence of steps may work, BEA Systems recommends the following procedure:
system User to protect your WebLogic Server deployment. See Changing the System Password.
For a complete description of WebLogic Server security features, see Introduction to WebLogic Security and Security Fundamentals.
Note: All configuration steps in this topic are based on the use of the Administration Console.
For information about assigning security roles to WebLogic EJBs, see WebLogic Server 6.1 Deployment Properties.
For information about security in WebLogic web applications, see Assembling and Configuring Web Applications.
During installation you specify a password for the system User. The specified password is associated with the system User in WebLogic Server and is stored in the fileRealm.properties file in the \wlserver6.1\config\domain directory where domain is the name specified as the WebLogic Administration domain name during installation. The specified password corresponds to the Administration Server for the domain and all the Managed Servers associated with that Administration Server.
Note: The system User is the only user account under which WebLogic Server can be started.
The password of the system User is encrypted and is further protected when WebLogic Server applies a hash to it. To improve security, BEA recommends frequently changing the system password that was set during installation. Each WebLogic Server deployment must have a unique password.
To change the system password, do the following:
system in the Name attribute field.
When you use an Administration Server and Managed Servers in a domain, the Managed Server must always use the password for the Administration Server in the domain. Always change the password for the Administration Server through the Administration Console. After changing the password, restart all servers in the domain. The process is as follows:
Maintaining the secrecy of WebLogic passwords is critical to keeping your WebLogic Server deployment and data secure. For your protection, BEA recommends keeping the password of WebLogic Server secret.
This section describes configuring a security realm for your WebLogic Server deployment. For an introduction of security realms and how they are used in WebLogic Server, see Security Realms in Programming WebLogic Security. The following sections describe specifying a security realm:
Configuring the File Realm
By default WebLogic Server is installed with the File realm in place. Before using the File realm, you need to define several attributes that govern the use of the File realm. You set these attributes on the Filerealm tab in the Security window of the Administration Console.
The following table describes each attribute on the Filerealm tab.
Table 14-1 File Realm Attributes
Use the Manage Caching Realm button to clear the user, group, and ACL caches.
Caution: If the fileRealm.properties file becomes corrupted or is destroyed, you must reconfigure the security information for WebLogic Server. WebLogic Server cannot boot without a fileRealm.properties file.
The fileRealm.properties file contains default ACLs used to boot WebLogic Server. Even if you write a custom security realm, you still need a fileRealm.properties file to boot WebLogic Server since the custom security realm is not initially called during the start-up sequence.
Therefore, BEA recommends that you take the following steps:
Make a backup copy of the fileRealm.properties file and put it in a secure place.
Set the permissions on the fileRealm.properties file such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have any privileges.
Note: Also make a backup copy of the SerializedSystemIni.dat file for the File realm. For more information about the SerializedSystemIni.dat file, see Protecting Passwords.
If, instead of the File realm, you want to use one of the alternate security realms provided by WebLogic Server or a custom security realm, set the attributes for the desired realm and reboot WebLogic Server.
Caution: If you use one of the alternate security realms, you must configure and enable the Caching realm; otherwise the alternate security realm will not work.
For more information about security realms in WebLogic Server, see Security Realms.
The Caching realm works with the File realm, alternate security realms, or custom security realms to fulfill client requests with the proper authentication and authorization. The Caching realm stores the results of both successful and unsuccessful realm lookups. It manages separate caches for Users, Groups, permissions, ACLs, and authentication requests. The Caching realm improves the performance of WebLogic Server by caching lookups, thereby reducing the number of calls into other security realms. For more information about security realms in WebLogic Server, see Security Realms.
The Caching realm is installed automatically when you install WebLogic Server: the cache is set up to delegate to the other security realms however caching is not enabled. You have to enable caching through the Administration Console.
Caution: If you use one of the alternate security realms, you must configure and enable the Caching realm; otherwise the alternate security realm will not work.
When you enable caching, the Caching realm saves the results of a realm lookup in its cache. Lookup results remain in the cache until either the specified number of seconds defined for the time-to-live (TTL) attributes has passed (the lookup result has expired) or the cache has filled. When the cache is full, new lookup results replace the oldest cached results. The TTL attributes determine how long a cached object is valid. The higher you set these attributes, the less often the Caching realm calls the secondary security realm. Reducing the frequency of such calls improves the performance. The trade-off is that changes to the underlying security realm are not recognized until the cached object expires.
Note: When you obtain an object from a security realm, the object reflects a snapshot of the object. To update the object, call the object's get() method again. For example, the membership of a Group is set when the Group is retrieved from the security realm with a call to the getGroup() method. To update the members of the Group, you must call the getGroup() method again.
By default, the Caching realm operates on the assumption that the alternate security realm is case-sensitive. In a case-sensitive security realm, the owners of usernames bill and Bill, for example are treated as two distinct Users. The Windows NT Security realm and the LDAP Security realm are examples of security realms that are not case-sensitive. If you are using a security realm that is not case-sensitive, you must disable the CacheCaseSensitive attribute. When this attribute is set, the Caching realm converts usernames to lowercase so that WebLogic Server gives correct results for the security realm when it performs case-sensitive comparisons. When defining or referencing Users or Groups in a case-sensitive security realm, type usernames in lowercase.
To configure the Caching realm:
The following table describes the attributes you set on the General tab.
Table 14-2 Caching Realm Attributes on the General Tab
The following table describes the attributes you set on the ACL tab.
The following table describes the attributes you set on the Authentication tab.
The following table describes the attributes you set on the Group tab.
The following table describes the attributes you set on the User tab.
The following table describes each attribute on the Permission tab.
Configuring the LDAP Security Realm
The LDAP security realm provides authentication through a Lightweight Directory Access Protocol (LDAP) server. This server allows you to manage all the users for your organization in one place: the LDAP directory. The LDAP security realm supports Open LDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS.
In this release of WebLogic Server, you can choose between two versions of the LDAP security realm:
getUsers() or getGroups() due to the fact that allocating memory to fulfill those requests can cause a denial of service vulernability. If you want to use those functions, BEA recommends using LDAP realm V1 When running Windows 2000, BEA recommends using LDAP realm V2 to authenticate against the Windows 2000 User and Group store.
Note: When using LDAP realm V1 you can view Users and members of a Group stored in the LDAP directory server through the Administration Console. However, when using LDAP realm V2, you can only view the Groups stored in the LDAP directory server through the Administration Console.
You need to use the administration tools available with the LDAP server to manage Users and Groups (for example, adding or deleting Users or Groups or adding members to Groups). If you make a change in the LDAP directory store, reset the User cache and the Group cache to immediately view your changes in the Administration Console.
The following suggestions are ways to improve the performance of the LDAP Security realm:
ldaprealm.props file to obtain smaller and more specific results sets from the LDAP server (supported for LDAP realm V2 only).
Configuring the LDAP security realm involves defining attributes that enable the LDAP Security realm in WebLogic Server to communicate with the LDAP server and attributes that describe how Users and Groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server. Therefore, the LDAP realm V2 provides a set of templates that define default attributes for the supported LDAP servers.
Restrictions When Using the LDAP Security Realm
The LDAP security realm has the following restrictions:
NTGroups with a default Group named Administrators, which is empty. By default, WebLogic Server also provides a Group called Administrators that contains a member System which is the User under which WebLogic Server is started. If you use the defaults in Microsoft Site Server and start creating your own Groups under the default organizational unit, WebLogic Server will not start. In order to start WebLogic Server with the LDAP security realm, you need to create your own unique organizational unit in the LDAP directory and create Groups for your WebLogic Server deployment under that organizational unit.
getGroups() method for large numbers of groups (more than 300). This problem is due to caching bugs in Open LDAP.
Locating Users and Groups in the LDAP Directory
The LDAP security realm needs to know where the Users and Groups are stored in the LDAP directory used with the security realm. This is done by specifying the distinguished names (DNs) of the LDAP directories that contain the Users and Groups.
In LDAP, a DN starts with a leaf node and goes to the root node. For example:
root | | | o=acme.com | | | ou=Groups
The DN for this branch would be specified as ou=Groups, o=acme.com.
In LDAP realm V1, you specify DNs via the GroupDN and UserDN attributes when configuring the security realm. However, you must reverse the DNs. For example, the sample DN would be specified as groupDN="o=acme.com, ou=Groups".
In LDAP realm V2, you specify DNs by adding user.dn and group.dn properties to the Configuration attribute of the CustomRealm MBean. Unlike LDAP realm V1, you do not have to reverse the DN. For example, the user.dn and group.dn properties for a LDAP realm V2 are specified as follows:
ConfigurationData="..., group.dn=ou=Groups, o=acme.com, ..."
A common error when switching between the LDAP realm V1 and LDAP realm V2 is copying over the reverse DNs thus causing the LDAP security realm to stop working. Check your DN specifications when migrating from LDAP realm V1 to LDAP realm V2.
Configuring an LDAP Realm V1
To use the LDAP Security realm V1 instead of the File realm:
The name of the class that implements the LDAP Security realm is displayed.
The following table describes the attributes you set on the LDAP Realm V1 tab.
The following table describes the attributes you set on the Users tab.
The following table describes the attributes you set on the Groups tab.
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select LDAP Realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm V1).
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
The Caching realm caches Users and Groups internally to avoid frequent lookups in the LDAP directory. Each object in the Users and Groups caches has a TTL attribute that you set when you configure the Caching realm. If you make changes in the LDAP directory, those changes are not reflected in the LDAP Security realm until the cached object expires or is flushed from the cache. The default TTL is 10 seconds for unsuccessful lookups and 60 seconds for successful lookups. Unless you change the TTL attributes for the User and Group caches, changes in the LDAP directory should be reflected in the LDAP Security realm in 60 seconds.
If some server-side code has performed a lookup in the LDAP Security realm, such as a getUser() call on the LDAP Security realm, the object returned by the realm cannot be released until the code releases it. Therefore, a User authenticated by WebLogic Server remains valid as long as the connection persists, even if you delete the user from the LDAP directory.
Configuring an LDAP Realm V2
Configuring the LDAP Realm V2 involves defining attributes that enable the security realm to communicate with the LDAP server and describe where users and groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server. WebLogic Server provides templates for the supported LDAP servers. These templates specify default configuration information used to represent Users and Groups in each of the supported LDAP servers. For more information, see Supported LDAP Server Templates.
To configure a LDAP security realm V2, you choose the template that corresponds to the LDAP server you want to use and modify it to specify information about your specific configuration.
To use a LDAP Security realm V2:
The configuration window for the chosen LDAP server appears.
server.host—The host name of the LDAP server.
server.port—The port number on which the LDAP server listens.
useSSL—Specifies whether or not to use SSL to protect communications between the LDAP server and WebLogic Server. Set the value to true to enable the use of SSL.
server.principal—The LDAP user used by WebLogic Server to connect to the LDAP server.
server.credential—The password of the LDAP user used by WebLogic Server to connect to the LDAP server.
user.dn—The base DN of the tree in the LDAP directory that contains users.
user.filter—The LDAP search filter for finding a user given the name of the user.
group.dn—The base DN of the tree in the LDAP directory that contains groups.
group.filter—The LDAP search filter for finding a group given the name of the group.
membership.filter—The LDAP search filter for finding the members of a group given the name of the group.
For more information, see Supported LDAP Server Templates.
Note: When using the LDAP v2 realm for Microsoft Site server, you must also specify membership.search=true and the following must be added to the user.filter value so that Microsoft Site server does not authenticate disabled users:
user.filter=(&(sAMAccountName=%u)(objectclassname=user)
(!userAccountControl:1.2.840.113556.1.4.803:=2))
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select the defaultLDAPRealmforLDAPserver (for example, defaultLDAPRealmforOpenLDAPDirectoryServices) from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm).
Supported LDAP Server Templates
Listing 14-1 through Listing 14-5 are templates used to configure LDAP servers supported by the LDAP V2 Realm.
Warning: Each line in the following code examples must appear on a single line. The code in the code examples has been formatted to fit the margins of this document and some lines have been broken to facilitate that formatting.
Listing 14-1 Default Netscape Directory Server Template
<CustomRealmName="defaultLDAPRealmForNetscapeDirectoryServer" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=uid=admin, ou=Administrators,ou=TopologyManagement,o=NetscapeRoot; server.credential=*secret*; user.dn=ou=people,o=beasys.com; user.filter=(&(uid=%u)(objectclass=person)); group.dn=ou=groups,o=beasys.com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(uniquemember=%M) (objectclass=groupofuniquenames)); "Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-2 Default Microsoft Site Server Template
<CustomRealmName="defaultLDAPRealmForMicrosoftSiteServer" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Administrator,ou=Members, o=ExampleMembershipDir; server.credential=*secret* user.dn=ou=Members, o=ExampleMembershipDir; user.filter=(&(cn=%u)(objectclass=member)(!userAccountControl:1.2.840.113556.1.4.803:=2))); group.dn=ou=Groups, o=ExampleMembershipDir; group.filter=(&(cn=%g)(objectclass=mgroup)); membership.scope.depth=1;microsoft.membership.scope=sub; membership.filter=(|(&(memberobject=%M) (objectclass=memberof))(&(groupobject=%M) (objectclass=groupmemberof))); membership.search=true;
"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-3 Default Novell Directory Services Template
<CustomRealmName="defaultLDAPRealmForNovellDirectoryServices" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Admin, DC=BEASYS server.credential= *secret*; user.dn=ou=people,o=example.com; user.filter=(&(cn=%u)(objectclass=person)); group.dn=ou=groups,o=example.com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(member=%M) (objectclass=groupofuniquenames));"
"Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Listing 14-4 Default Open LDAP Directory Services Template
<CustomRealmName="defaultLDAPRealmForOpenLDAPDirectoryServices" RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm" ConfigurationData= "server.host=ldapserver.example.com; server.port=700; useSSL=true; server.principal=cn=Manager, dc=example, dc=com; server.credential= *secret*; user.dn=ou=people, dc=example,dc=com; user.filter=(&(uid=%u)(objectclass=person)); group.dn=ou=groups,dc=example,c=com; group.filter=(&(cn=%g)(objectclass=groupofuniquenames)); membership.filter=(&(uniquemember=%M) (objectclass=groupofuniquenames));" "Notes="Before enabling the LDAP V2 security realm, edit the configuration parameters for your environment."/>
Using Microsoft Active Directory with WebLogic Server
By default, WebLogic Server does not support Microsoft Active Directory LDAP server. To use Microsoft Active Directory with WebLogic Server, perform the following steps:
The configuration window for the chosen LDAP server appears.
server.host—The host name of the LDAP server.
server.port—The port number on which the LDAP server listens.
useSSL—Specifies whether or not to use SSL to protect communications between the LDAP server and WebLogic Server. Set the value to true to enable the use of SSL.
server.principal—The LDAP user used by WebLogic Server to connect to the LDAP server.
server.credential—The password of the LDAP user used by WebLogic Server to connect to the LDAP server.
user.dn—The base DN of the tree in the LDAP directory that contains users.
user.filter—The LDAP search filter for finding a user given the name of the user.
group.dn—The base DN of the tree in the LDAP directory that contains groups.
group.filter—The LDAP search filter for finding a group given the name of the group.
membership.filter—The LDAP search filter for finding the members of a group given the name of the group.
WebLogic Server authenticates by binding to the LDAP server and passing the DN and password of the user. Even if you have disabled a user account by setting the LDAP userAccountControl attribute to ACCOUNTDISABLE, the authentication will succeed unless you have modified the user.filter value to ignore accounts that have been disable. Modify the user.filter value to only return accounts that do not have the UF_ACCOUNTDISABLE bit set. For example:
user.filter=(&(sAMAccountName=%u)(objectclassname=user)
(!userAccountControl:1.2.840.113556.1.4.803:=2))
When specifying the group.filter value, CN must be specified as CN=%G otherwise the filter fails to find the members of a group.
Note: When you use an LDAP Security realm, you must configure and enable the Caching realm; otherwise, the LDAP Security realm will not work.
When configuring the Caching realm, select the defaultLDAPRealmforLDAPserver (for example, defaultLDAPRealmforOpenLDAPDirectoryServices) from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the LDAP Realm).
Configuring the Windows NT Security Realm
The Windows NT Security realm uses account information defined for a Windows NT domain to authenticate Users and Groups. You can view Users and Groups in the Windows NT Security realm through the Administration Console, but you must manage Users and Groups through the facilities provided by Windows NT.
The Windows NT Security realm provides authentication (Users and Groups) but not authorization (ACLs). To update the ACL information in the filerealm.properties file that WebLogic Server uses, click the Refresh button on the General tab in the Security node after you change an ACL. If you use Groups with your ACLs, you can reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a Windows NT Group allows you to manage individual Users' access to WebLogic Server resources dynamically.
It is possible to use the Windows NT Security realm to authenticate against a Windows 2000 Active Directory primary domain controller. However, the authentication must be from a machine which is a member of the domain not the domain controller itself. There is no way to authenticate to the local User and Group store if the machine running the Windows NT Security realm is a member of another domain.
The Windows NT Security realm can be run on the primary domain controller, on a machine that is a member of a Windows NT domain, or on a machine that is a member of the Windows NT domain and wants to use a mutually trusted domain.
To use the Windows NT Security realm:
The following table describes the attributes you set in the NT Realm Configuration window.
Note: When you use an Windows NT Security realm, you must configure and enable the Caching realm; otherwise, the Windows NT Security realm will not work.
When configuring the Caching realm, select your Windows NT Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the Windows NT Security realm).
Note: When you use an Windows NT Security realm, you must configure and enable the Caching realm; otherwise, the Windows NT Security realm will not work.
Use the following command to verify that you have the correct privileges to run WebLogic Server as the specified Windows NT user:
java weblogic.security.ntrealm.NTRealm username password
where username and password are the username and password of the Windows NT account under which WebLogic Server runs.
The output from this command will tell if the specified username and password authenticated properly.
|
Command Output |
Meaning |
|---|---|
|
|
The entered username and password authenticated correctly. |
|
|
The entered username and password did not authenticate properly. |
If the test comes up with an immediate failure stating that the client or user running WebLogic Server does not have the privileges to run the Windows NT Security realm, you need to update the permissions (referred to as rights) for the Windows user running WebLogic Server.
To update the rights in Windows NT:
To update the rights in Windows 2000:
The following are common Windows NT error codes that occur when using the Windows NT Security realm:
A full explanation of the Windows NT error codes is found in the winerror.h file.
Configuring the UNIX Security Realm
Note: The UNIX Security realm runs only on the Solaris platform.
The UNIX Security realm executes a small native program, wlauth, to look up Users and Groups and to authenticate Users on the basis of their UNIX login names and passwords. The wlauth program uses PAM (Pluggable Authentication Modules) which allows you to configure authentication services in the operating system without altering applications that use the service.
In UNIX, a user is defined as a member of a group in the following ways:
etc/passwd.
etc/group entry for a specific group. The UNIX Security realm supports only this method of determining the members of a group.
After you change an ACL, click the Refresh button on the General tab in the Security to update the information in the filerealm.properties file that WebLogic Server uses. If you use Groups with your ACLs, you can reduce the frequency with which you must refresh the information in WebLogic Server. Changing the members of a UNIX Group allows you to manage individual Users' access to WebLogic Server resources dynamically.
It is possible to run wlauth to verify authentication. At a UNIX command prompt:
If the command returns a 0, the authentication check was successful. If the command returns a 1, the authentication check failed.
To use the UNIX Security realm:
The following table describes the attributes you set in the UNIX Realm Create window.
Note: When you use an UNIX Security realm, you must configure and enable the Caching realm; otherwise, the UNIX Security realm will not work.
When configuring the Caching realm, select your UNIX Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the UNIX Security realm).
Note: When you use an UNIX Security realm, you must configure and enable the Caching realm; otherwise, the UNIX Security realm will not work.
If wlauth is not in the WebLogic Server class path or if you have given the program a name other than wlauth, you must add a Java command-line property when you start WebLogic Server. Edit the script you use to start WebLogic Server and add the following option after the java command:
-Dweblogic.security.unixrealm.authProgram=wlauth_prog
Replace wlauth_prog with the name of the wlauth program, including the full path if the program is not in the search path. Start WebLogic Server. If the wlauth program is in the WebLogic Server path and is named wlauth, this step is not needed.
Configuring the RDBMS Security Realm
The RDBMS Security realm is a BEA-provided custom security realm that stores Users, Groups and ACLs in a relational database.The RDBMS Security realm is an example and is not ment to be used in a production environment. You can perform the following managment functions on the RDBMS Security realm through the Administration Console:
SQL scripts that populate a database are used to create Groups for the RDBMS Security realm
The RDBMS Security realm can be used as a starting point for creating a production security realm. You can extend the RDBMS Security realm by using the following interfaces in the weblogic.security.acl package to add management capabilities to the RDBMS Security realm:
ManageableRealm—Create Groups, create and delete ACLs, and perform lookups of Users, Groups, and ACLs.
User—Change the password.
ACL—Add and remove permissions for Users and Groups.
If you extend the RDBMS Security realm with any of these interfaces, you may also need to update the database schema.
Note: The RDBMS example does not work with databases that have an autocommit feature enabled. If you use the RDBMS example as a starting point for your RDBMS implementation, use explicit commit statements in your code and make sure the autocommit feature in the database you are using is disabled.
To use the RDBMS Security realm:
The following table describes the attributes you set on the General tab.
The following table describes the attributes you set on the Database tab.
Listing 14-5 contains the database statements entered in the Schema properties for the RDBMS code example shipped with WebLogic Server in the /samples/examples/security/rdbmsrealm directory.
Listing 14-5 Sample Schema for RDBMS Security Realm
"getGroupNewStatement=true;getUser=SELECT U_NAME, U_PASSWORD FROM users WHERE U_NAME = ?; getGroupMembers=SELECT GM_GROUP, GM_MEMBER from groupmembers WHERE GM_GROUP = ?; getAclEntries=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries WHERE A_NAME = ? ORDER BY A_PRINCIPAL; getUsers=SELECT U_NAME, U_PASSWORD FROM users; getGroups=SELECT GM_GROUP, GM_MEMBER FROM groupmembers; getAcls=SELECT A_NAME, A_PRINCIPAL, A_PERMISSION FROM aclentries ORDER BY A_NAME, A_PRINCIPAL; getPermissions=SELECT DISTINCT A_PERMISSION FROM aclentries; getPermission=SELECT DISTINCT A_PERMISSION FROM aclentries WHERE A_PERMISSION = ?; newUser=INSERT INTO users VALUES ( ? , ? ); addGroupMember=INSERT INTO groupmembers VALUES ( ? , ? ); removeGroupMember=DELETE FROM groupmembers WHERE GM_GROUP = ? AND GM_MEMBER = ?; deleteUser1=DELETE FROM users WHERE U_NAME = ?; deleteUser2=DELETE FROM groupmembers WHERE GM_MEMBER = ?; deleteUser3=DELETE FROM aclentries WHERE A_PRINCIPAL = ?; deleteGroup1=DELETE FROM groupmembers WHERE GM_GROUP = ?; deleteGroup2=DELETE FROM aclentries WHERE A_PRINCIPAL = ?"
Note: When you use an RDBMS Security realm, you must configure and enable the Caching realm; otherwise, the RDBMS Security realm will not work.
When configuring the Caching realm, select the RDBMS Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the alternate security realm (in this case, the RDBMS Security realm).
Note: When you use an RDBMS Security realm, you must configure and enable the Caching realm; otherwise, the RDBMS Security realm will not work.
Installing a Custom Security Realm
You can create a custom security realm that draws from an existing store of Users such as directory server on the network. To use a custom security realm, you create an implementation of the weblogic.security.acl.AbstractListableRealm interface or the weblogic.security.acl.AbstractManageableRealm interface and then use the Administration Console to install your implementation.
To install a custom security realm:
The following table describes the attributes you set on the Custom Security Realm Configuration window.
Note: When you use an custom security realm, you must configure and enable the Caching realm; otherwise, the custom security realm will not work.
When configuring the Caching realm, select the Custom Security realm from the pull-down menu for the Basic attribute on the General tab. The Basic attribute defines the association between the Caching realm and the custom security realm.
Note: When you use an custom security realm, you must configure and enable the Caching realm; otherwise, the custom security realm will not work.
For information about writing a custom security realm, see Writing a Custom Security Realm.
Migrating Security Realms
WebLogic Server provides a management architecture for security realms. The management architecture implemented through MBeans allows you to manage security realms through the Administration Console. If you have a security realm from a previous release of WebLogic Server, use the following information to migrate to the new architecture:
\samples\examples\security\rdbmsrealm directory as a guide to converting your RDBMS security realm. Once you have converted your RDBMS security realm to MBeans, follow the instructions inConfiguring the RDBMS Security Realm to define information about the JDBC driver being used to connect to the database and the schema used by the security realm.
Note: This section explains how to add Users to the File realm. If you are using an alternate security realm, you must use the administration tools provided in that realm to define a User.
User and group names must be unique. You can use multibyte characters and all special characters except a comma (,) in user and group names.
Users are entities that can be authenticated in a WebLogic Server security realm. A User can be a person or a software entity, such as a Java client. Each User is given a unique identity within a WebLogic Server security realm. As a system administrator you must guarantee that no two Users in the same security realm are identical.
Defining Users in a security realm involves specifying a unique name and password for each User that will access resources in the WebLogic Server security realm in the Users window of the Administration Console.
WebLogic Server has two special users, system and guest:
system User is the administrative user who controls system-level WebLogic Server operations, such as starting and stopping servers, and locking and unlocking resources. The system User and its password are defined during the WebLogic Server installation procedure. As a security precaution, BEA recommends changing the password for the system User. For more information, see Changing the System Password.
guest User is automatically provided by WebLogic Server. When authorization is not required, WebLogic Server assigns the guest identity to a client, thus giving the client access to any resources that are available to the guest user. A client can log in as the guest User by entering guest as the username and guest as the password when prompted by a Web browser or by supplying the guest username and password in a Java client. By default, the guest account is enabled.
For a more secure deployment, BEA recommends running WebLogic Server with the guest account disabled. To disable the guest account, select the Guest Disabled attribute on the General tab of the Security Configuration window. Disabling the guest account just disables the ability to log in into the account guest; it does not disable the ability for unauthenticated users to access a WebLogic Server deployment.
Warning: Be advised it is still possible to access a deployment through an anonymous user if the ACLs on the anonymous user are not set properly. Set ACLs so that unauthorized access is not possible.
The system and guest Users are like other Users in a WebLogic Server security realm:
To define a User:
The User Configuration window appears.
To delete a User:
To change the password of a User:
While using WebLogic Server, you may have Users that are locked. Perform the following steps to unlock a User:
For more information about Users and the access control model in WebLogic Server, see Introduction to WebLogic Security and Security Fundamentals.
Note: This section describes how to add Groups to the File realm. If you are using an alternate security realm, you need to use the management tools provided in that realm to define a Group.
User and group names must be unique. You can use multibyte characters and all special characters except a comma (,) in user and group names.
A Group represents a set of Users who usually have something in common, such as working in the same department in a company. Groups are a means of managing a number of Users in an efficient manner. When a Group is granted a permission in an ACL, all members of the Group effectively receive that permission. BEA recommends assigning permissions to Groups rather than to individual Users.
By default, WebLogic Server has the following Groups:
everyone Group.
guest user are automatically members of the users Group.
system User is a member of the Administrators Group. This Group should be given the permissions appropriate for a user responsible for starting and stopping servers and maintaining a running WebLogic Server deployment. Access to this group should be limited.
You can register a Group with the WebLogic Server security realm by performing the following steps:
The Group Configuration window appears.
To delete Groups, enter the name of the Group in the Remove These Groups list box on the Group Configuration window and click Remove.
For more information about Groups and the access control model in WebLogic Server, see Introduction to WebLogic Security and Security Fundamentals.
Users access resources in a WebLogic Server security realm. Whether or not a User can access a resource is determined by the access control lists ACLs for that resource. An ACL defines the permissions by which a User can interact with the resource. To define ACLs, you create an ACL for a resource, specify the permission for the resource and then grant the permission to a specified set of Users and Groups. BEA recommends assigning ACLs to Groups.
Each WebLogic Server resource has one or more permissions that can be granted. The following table summarizes the functions for various WebLogic Server resources for which permissions can be restricted with an ACL.