To configure Enterprise Security in WebLogic, the WebLogic administrator must configure the Sybase security provider for the default WebLogic security realm, using either:
The securetool wls_configmw command—see wls_configmw, or
The WebLogic Server Console—see “Configuring Enterprise Security using the WebLogic Server Console”
Once configured, the WebLogic server contains two authentication providers and a SybaseIdentityAsserter provider, which handles certificate authentication. Before the SybaseIdentityAsserter can perform certificate authentication, you must enable two-way SSL on your WebLogic server. See the BEA WebLogic documentation.
The authentication providers include the default provider, which houses the standard WebLogic users and any users added to the WebLogic user database, and the Sybase provider. When authentication is required, the two authentication providers are queried in sequence. If a user cannot authenticate against the WebLogic user database, WebLogic attempts to authenticate the user against the Sybase provider.
As part of the authentication process, the Sybase provider adds principals to the WebLogic subject structure. Each principal represents one Enterprise Security role. The value of the Role Prefix field in the Sybase provider’s Details tab specifies the prefix prepended to each principal. For example, if the Role Prefix field is blank, the PortalAdmin user might have the principal “r1=PortalAdmin,o=Sybase.com,c=us” added. If the value of Role Prefix is “SybaseRole”, the same principal is “SybaseRole:r1=PortalAdmin,o=Sybase.com,c=us”. When the prefix is not blank, the colon that separates the prefix from the rest of the principal is added implicitly; do not type it into the Role Prefix field.
To map J2EE security roles to BEA principals:
In the WebLogic Server Console, launch the deployment descriptor editing application from the context menu of the J2EE entity whose deployment descriptor you want to edit.
Expand the WebLogic EJB JAR folder, then highlight the Security Role Assignments folder, right-click, and select Configure New Role Assignment.
In the Configuration dialog box, enter the role name, one or more principal names, and click Apply.
Each role assignment maps a local J2EE security role to one or more WebLogic principals. When a user attempts to access a resource protected by a role, the user’s subject must hold at least one of the principals assigned to that role. This means you can combine Sybase role principals with local user and group principals from the WebLogic security database in a single role assignment.
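The following Python example is added here to illustrate two points from this section and is not part of the Sybase or WebLogic documentation: how the Role Prefix value shapes the principal names the Sybase provider adds (the “r1=PortalAdmin,o=Sybase.com,c=us” example above), and how a role assignment that mixes a Sybase role principal with a local WebLogic group is evaluated (the user needs at least one of the assigned principals). It also renders the assignment in the security-role-assignment form used in weblogic-ejb-jar.xml, the descriptor the console dialog edits. The J2EE role name “admins” and the local group name “Administrators” are assumed sample values; the WebLogic authorization call itself is modelled by a plain set intersection.

```python
import xml.etree.ElementTree as ET
from typing import Iterable, List

# Role DN taken from the text above; the prefix value is the page's example.
PORTAL_ADMIN_DN = "r1=PortalAdmin,o=Sybase.com,c=us"


def sybase_principal(role_dn: str, role_prefix: str = "") -> str:
    """Principal name the Sybase provider adds for one Enterprise Security role.

    A blank Role Prefix yields the role DN unchanged; a non-blank prefix is
    joined to the DN with the colon that WebLogic adds implicitly.
    """
    return role_dn if not role_prefix else f"{role_prefix}:{role_dn}"


def subject_principals(role_dns: Iterable[str], role_prefix: str = "") -> List[str]:
    """One principal per Enterprise Security role held by the authenticated user."""
    return [sybase_principal(dn, role_prefix) for dn in role_dns]


def role_assignment_xml(role_name: str, principal_names: Iterable[str]) -> str:
    """Render one <security-role-assignment> element as it appears in
    weblogic-ejb-jar.xml: the role name followed by each assigned principal."""
    elem = ET.Element("security-role-assignment")
    ET.SubElement(elem, "role-name").text = role_name
    for name in principal_names:
        ET.SubElement(elem, "principal-name").text = name
    return ET.tostring(elem, encoding="unicode")


def is_in_role(subject: Iterable[str], assigned_principals: Iterable[str]) -> bool:
    """Access check: the subject must hold at least one assigned principal."""
    return bool(set(subject) & set(assigned_principals))


if __name__ == "__main__":
    # Assumed sample assignment: J2EE role "admins" is satisfied either by the
    # Sybase PortalAdmin role (prefixed) or by the local "Administrators" group.
    assigned = [sybase_principal(PORTAL_ADMIN_DN, "SybaseRole"), "Administrators"]
    print(role_assignment_xml("admins", assigned))

    # Subject built by the Sybase provider with Role Prefix = "SybaseRole".
    portal_admin = subject_principals([PORTAL_ADMIN_DN], "SybaseRole")
    print("PortalAdmin allowed:", is_in_role(portal_admin, assigned))

    # Same user when the provider was configured with a blank prefix:
    # the principal no longer matches the prefixed name in the assignment.
    unprefixed = subject_principals([PORTAL_ADMIN_DN], "")
    print("PortalAdmin (blank prefix) allowed:", is_in_role(unprefixed, assigned))
```

The last check is the practical caveat: the prefix is part of the principal string, so the principal names in a role assignment must be written with the same Role Prefix the provider is configured with, otherwise users who hold the Enterprise Security role are silently denied.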