Security in Oracle WebLogic: Realm, Security Provider, Authentication, Authorization, Users

Security Providers – modules that provide security services to applications to protect WebLogic resources. The types of security providers in WebLogic Server are:
Authentication Provider, Authorization Provider, Auditing Providers, Credential Mapping Provider, Identity Assertion Provider, Principal Validation Provider, Adjudication Providers, Role Mapping Providers, Certificate Lookup and Validation Providers, Keystore Providers and Realm Adapter providers.

Security Provider Database – contains users, groups, security roles, security policies and credentials. This database can be an embedded LDAP server, a properties file or a physical database.

Embedded LDAP server – WebLogic Server uses its embedded LDAP server as the security provider database to store users, groups, security roles and security policies.

Security Realm – a security realm comprises the mechanisms for protecting WebLogic resources. Each security realm consists of security providers, users, groups, security roles and security policies. A user must be defined in a security realm in order to access any WebLogic resource belonging to that realm. The default realm in WebLogic is myrealm.
You can configure multiple security realms in a domain, but only one realm can be active at a time.

You can configure a security realm using the WebLogic Console, WLST (WebLogic Scripting Tool) or the JMX (Java Management Extensions) API.

All security providers exist within the context of a realm. Some security provider types are compulsory in a security realm, while others are optional.

Authentication Provider – proves the identity of a user or system.

Auditing Provider – provides auditing services. Audit information may be written to an LDAP server, a database or a simple file.

Principal – the identity assigned to a user or group as a result of authentication.

Subject – after successful authentication, principals are signed and stored in a subject for future use.

LoginModules – part of the Authentication Provider, responsible for authenticating users within the security realm and for populating the subject with the necessary principals (user, group).

Authentication – the process of presenting credentials (username/password, certificate, etc.) to prove the identity of a user or system. WebLogic supports the following types of authentication:
a) Username/Password – username and password, with or without SSL
b) Certificate Authentication – one-way or two-way SSL authentication, where the server authenticates itself by presenting its SSL certificate and can ask the client for a certificate
c) Digest Authentication – using a nonce, timestamp, username and digest
d) Perimeter Authentication – the process of authenticating the identity of a remote user outside of the application server domain
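
An added example (not from the original post and not WebLogic's own code) of why digest authentication carries a nonce and timestamp alongside the username and digest: the server recomputes the digest and rejects stale or replayed tokens. The digest formula Base64(SHA-1(nonce + created + password)) from the WS-Security UsernameToken profile, the 5-minute window, and all names and sample values are assumptions.

```python
import base64, hashlib, hmac
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(minutes=5)    # assumed freshness window
USERS = {"alice": "s3cret-Pa55"}  # constructed store; digest auth needs the recoverable secret
_seen = set()                     # replay cache; expire entries older than MAX_AGE in real use

def make_digest(nonce: bytes, created: str, password: str) -> str:
    """Base64(SHA-1(nonce + created + password)), the assumed UsernameToken formula."""
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def verify_token(username, nonce_b64, created, digest, now=None):
    """Return (ok, reason) for one digest-authentication attempt."""
    now = now or datetime.now(timezone.utc)
    password = USERS.get(username)
    if password is None:
        return False, "unknown user"
    try:
        nonce = base64.b64decode(nonce_b64, validate=True)
        ts = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:  # covers bad base64 (binascii.Error) and bad timestamps
        return False, "malformed token"
    if abs(now - ts) > MAX_AGE:
        return False, "stale timestamp"
    expected = make_digest(nonce, created, password)
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return False, "bad digest"
    if (username, nonce) in _seen:  # checked last so only valid tokens enter the cache
        return False, "replayed nonce"
    _seen.add((username, nonce))
    return True, "ok"

def demo():
    """Constructed tokens: a valid one, its replay, a stale one, a forged one."""
    _seen.clear()
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    created = "2024-01-01T12:00:00Z"
    def token(raw_nonce, password):
        return (base64.b64encode(raw_nonce).decode(), created,
                make_digest(raw_nonce, created, password))
    good = token(b"constructed-nonce-1", USERS["alice"])
    return [verify_token("alice", *good, now=now)[1],
            verify_token("alice", *good, now=now)[1],
            verify_token("alice", *token(b"nonce-2", USERS["alice"]),
                         now=now + timedelta(minutes=10))[1],
            verify_token("alice", *token(b"nonce-3", "guess"), now=now)[1]]
if __name__ == "__main__":
    print(demo())
```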

Authorization – the process that determines which users have access to which WebLogic resources.

WebLogic Resource – an object (representing a WebLogic entity) that can be protected, for example an EAR, an EJB, network, etc.

Security Policy – a kind of ACL (Access Control List) that determines who (user, group, role) has access to which WebLogic resource. A WebLogic resource is not protected until you assign a security policy to it.

WebLogic Server provides SSO with the following environments:
Web Browser and HTTP Client (via SAML)
Desktop client
More on Single Sign-On with Oracle WebLogic Server coming soon ..

 


About the Author Atul Kumar

Oracle ACE, Author, Speaker and Founder of K21 Technologies & K21 Academy : Specialising in Design, Implement, and Trainings.

Leave a Comment:

10 comments
Luis says December 9, 2008

Hello,

I have just installed Oracle BEA Weblogic 10.3 on my Linux machine and everything is working fine.

Now I am wondering how I can integrate Oracle Single Sign On with Weblogic (actually I would like to know whether this is possible or not) or what is the best solution to implement Single Sign On on a Weblogic environment.

Thank You

Luis

Reply
Charan says June 6, 2009

First of all thanks for providing help in WL.
Your tutorials are very good for learners.

Could you also provide tutorials on how to install SSL certificates (step-by-step guide) and on starting and stopping server instances using Node Manager?

Reply
Kanchana Devi says July 28, 2009

Hi Atul,

We are facing a strange issue in Myrealms of the staging domain. We have configured the Active Directory authenticator for provider. In AD we have around 1300 users. So when we click on myrealms and the users and groups tab it takes 8 minutes to display all the users.
But in the Test domain this is not the case; we have only 600+ users and it takes only 3 seconds to display them all.
So I did a lot of tests to check if a user limitation is there in WL, and found that till 990 it displays faster, but if it crosses by even one user it takes 8 minutes.
Do you have any comments or suggestions on this?
We have around 10 thousand users in Production and we have to resolve this issue.

thanks a lot for your help!!.
-Kanchana

Reply
Jayesh says July 29, 2009

Hi Atul,

I have the following environment:

Oracle ADF application deployed on Oracle WebLogic 10g R3 server.
Implemented ADF authentication and authorization that uses JAAS.
Configured an Active Directory LDAP (i.e. ADAM) as the security provider.

ADF authentication and authorization is working well when we create a user in WebLogic LDAP (embedded LDAP server) and assign a group to it.

The issue I have is as follows:

In my AD LDAP we don’t have groups stored.
If I log in through any AD LDAP user it is giving an unauthorized error.

I don’t want to have groups in my AD LDAP and still get authorized.

Please help in solving this.

Reply
Paul says May 4, 2010

Hi Atul,
After the installation of the WebLogic and WebCenter, everything looks working fine. Only one thing I don’t see on the top of the webCenter Spaces, and that is “Administrator” menu on the top. I looked at the weblogic admin user group and it is set to default administrator. Any thoughts/idea on this problem?
The WebLogic version is 10.3.2 & WebCenter Spaces version is 11.1.1.2

Thanks for your time.

Best Regards,
Paul.

Reply
Mike says February 17, 2012

We have some Web Services written in Java that are secured using the WebLogic myrealm security realm.

Is there a way for the protected Web Service to retrieve the User ID from the credentials used to access the service?

Reply
udaykumar says August 25, 2014

Hi,

I created a user in test but the user names are not displaying in the users and groups tab. If I try to create one with the same user name it says the user already exists. How can I get those created user names to display? Please suggest.

Reply
Mei says February 5, 2015

Thanks for one’s marvelous posting! I quite enjoyed reading it, you’re a great author. I will remember to bookmark your blog and will eventually come back down the road.

I want to encourage you to definitely continue your great writing, have a nice holiday weekend!

Reply
Vyshak says October 25, 2015

Hi, we have installed BI Applications 11.1.1.9.2 on Microsoft Windows Server 2008 R2. I have been finding it difficult to create an external LDAP authenticator provider. Can you assist me?

Reply
SeemaYadav says October 26, 2015

Hi Vyshak,

What issue are you hitting in configuring external authentication? Please share a screenshot of the WebLogic domain where you are hitting the issue on our private Facebook group http://facebook.com/groups/k21technologies.

Reply