The Architecture of the WebLogic Security Service


This section describes the architecture of the WebLogic Security Service. As shown in Figure 26.3, the architecture comprises four major components, which are discussed in the following sections.

Figure 26.3. The architecture of the WebLogic Server Security Service.


The WebLogic Security Framework

The primary function of the WebLogic Security Framework is to provide a simplified application programming interface (API) that security and application developers can use to define security services. The framework comprises interfaces, classes, and exceptions located in the weblogic.security.service package.

The WebLogic Security Framework also acts as an interface between the WebLogic containers (Web and EJB), the Resource Adapter, and the security providers, delegating requests to the appropriate security plug-in through the corresponding SPI.

The Security Service Provider Interfaces

Security in WebLogic Server is based on a set of Security Service Provider Interfaces (SSPIs) for developing security providers that can be plugged into the WebLogic Security Framework to provide security services to WebLogic applications. Security providers are developed by implementing the appropriate SSPIs from the weblogic.security.spi package to create runtime classes.

The current security SPIs available for WebLogic Server include Authentication, Authorization, Auditing, Credential Mapping, Role Mapping, and Public Key Infrastructure.

The WebLogic Security Framework knows what security providers are installed, when they should be used, and how decisions should be made. However, it is not the decision maker on security; these decisions are brokered to security providers.

The Security Provider Database

The primary role of a security provider database is to store the data the security provider requires to provide a security service, as in these examples:

  • The Authentication provider requires information about users and groups.

  • The Authorization provider requires information about security policies.

  • The Role Mapping provider requires information about security roles.

  • The Credential Mapping provider requires information about credentials.

Types of security provider databases include a relational database that has been structurally aligned with the requirements of a security provider, a properties file, and an LDAP server.

By default, a complete embedded LDAP server is provided out-of-the-box with WebLogic Server to support the WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping security providers. You can use this WebLogic-embedded LDAP server to do the following:

  • Access and modify entries in the LDAP server.

  • Use an LDAP browser to import security data into, and export it from, the LDAP server.

  • Provide read and write access for the WebLogic security providers.

A WebLogic LDAP server is created for each WebLogic Server instance in a domain. However, the WebLogic LDAP server associated with the WebLogic Administration Server is considered the master LDAP server. The information stored in this LDAP server is managed by the WebLogic Administration Server via the Administration Console, and then replicated to the other WebLogic LDAP servers associated with the domain's managed servers. You can configure properties of the master WebLogic LDAP server, such as backup, cache, and replication settings, via the Administration Console as follows:

  1. Ensure that your WebLogic Server is started and you can launch and log in to your Administration Console from a Web browser.

  2. Click your WebLogic domain node in the left pane of the Administration Console.

  3. Click the Security tab in the right pane, and then click the Embedded LDAP tab. As shown in Figure 26.4, you can modify the following attributes of the WebLogic LDAP server:

    Figure 26.4. Modify the properties of the WebLogic LDAP server.


    • Credential The administration (cn=Admin) password required to connect to the LDAP server, for example from an LDAP browser. If this password has not been set, the default is null, which must be changed before you can connect to the LDAP server.

      Tip

      It is recommended that you modify the Credential attribute, which requires rebooting WebLogic Server.

    • Backup Hour The hour at which to back up the embedded LDAP server data files. This attribute is used with the Backup Minute attribute to determine the time at which the embedded LDAP server data files are backed up. At the specified time, WebLogic Server suspends writes to the embedded LDAP server, backs up the data files into a zip file in the ldap/backup directory, and then resumes writes. The default values for these attributes are 23 (hours) and 5 (minutes), respectively.

    • Backup Copies The number of backup copies of the LDAP server data files. This value limits the number of zip files in the ldap/backup directory. The default is 7.

    • Cache Enabled Specifies whether a cache is used when a managed server is reading or writing to the master embedded LDAP server running on the administration server.

    • Cache Size The size of the cache (in KB) used with the embedded LDAP server. The default is 32KB.

    • Cache TTL The time-to-live (TTL) of the cache in seconds. The default is 60 seconds.

    • Refresh Replica At Startup Specifies whether a managed server should refresh all replicated data at boot time. This attribute is useful if you have made a large number of changes when the managed server is not active, and you want to download the entire replica instead of having the administration server push each change to the managed server. The default is false.

    • Master First Specifies that connections to the master LDAP server (running on the administration server) should always be made instead of connections to the local replicated embedded LDAP server.

  4. Click Apply to save your changes.

After you have modified your LDAP server's Credential attribute and rebooted your WebLogic server, you can view the contents of your WebLogic LDAP server by using any LDAP browser, such as Softerra's LDAP Browser 2.5 (http://www.ldapbrowser.com) or the University of Chicago's LDAP Browser\Editor (LBE) Java utility, both of which are freeware.

To use an LDAP browser to navigate the hierarchy of the WebLogic LDAP server, use the following LDAP connection information:

  • Set the Host field to localhost or your WebLogic Server's hostname.

  • Set the Port field to 7001 (7002 if SSL is being used).

  • Set the Base DN field to dc=mydomain (mydomain is the name of your WebLogic domain).

  • Clear the Anonymous Bind check box.

  • Set the User DN field to cn=Admin.

  • Set the Password field to the password you specified.
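The checklist above, as an added example that is not from the book: a small Python helper that assembles the same connection settings (port 7001 or 7002, base DN dc=<domain>, bind as cn=Admin, no anonymous bind), refuses to proceed while the Credential attribute is still at its null default, and emits an equivalent OpenLDAP ldapsearch command; the function names and the ldapsearch flags are my choices, not anything the book or WebLogic ships.

```python
import shlex
from urllib.parse import quote


def embedded_ldap_params(domain, host="localhost", use_ssl=False, credential=None):
    """Return the browser settings for the WebLogic embedded LDAP server.

    Raises if the Credential attribute is unset: cn=Admin cannot bind while
    the password is still at its null default.
    """
    if not credential:
        raise ValueError("Credential attribute is unset; set it in the console and reboot")
    port = 7002 if use_ssl else 7001          # 7002 when SSL is in use
    scheme = "ldaps" if use_ssl else "ldap"
    base_dn = f"dc={domain}"
    warnings = []
    if not use_ssl:
        # A simple bind on the non-SSL listen port sends the cn=Admin password in the clear.
        warnings.append("plaintext simple bind on port 7001; prefer the SSL port")
    return {
        "scheme": scheme,
        "host": host,
        "port": port,
        "base_dn": base_dn,
        "bind_dn": "cn=Admin",
        "anonymous_bind": False,
        # RFC 2255 URL: subtree scope, filter that matches every entry under the base DN
        "url": f"{scheme}://{host}:{port}/{quote(base_dn, safe='=,')}??sub?(objectclass=*)",
        "warnings": warnings,
    }


def ldapsearch_command(params):
    """Equivalent OpenLDAP ldapsearch invocation for the settings above.

    -W prompts for the password instead of placing it on the command line,
    where it would be visible to ps and in shell history.
    """
    argv = [
        "ldapsearch", "-x",
        "-H", f"{params['scheme']}://{params['host']}:{params['port']}",
        "-D", params["bind_dn"], "-W",
        "-b", params["base_dn"], "-s", "sub",
        "(objectclass=*)",
    ]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # constructed sample: domain "mydomain" on localhost, credential already set
    p = embedded_ldap_params("mydomain", credential="example-only")
    print(p["url"])
    print(ldapsearch_command(p))
```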

Figure 26.5 shows the contents of the WebLogic LDAP server using the Softerra LDAP browser.

Figure 26.5. View the contents of the embedded LDAP server through an LDAP browser.


Tip

An LDAP browser can also be used to export and import data stored in the embedded LDAP server.


Because this LDAP server is specifically structured to support the WebLogic security providers only, you cannot add attributes to its structure.



BEA WebLogic Platform 7
ISBN: 0789727129
Year: 2003
Pages: 360
