Creating and Configuring a New Security Realm: Main Steps

Customizing the Default Security Configuration

This option changes the runtime behavior of the Servlet container to use a Web resource rather than a URL resource when performing authorization. For more information, see Configure new security realms in the Oracle WebLogic Server Administration Console Help.

3.3 Creating and Configuring a New Security Realm: Main Steps

To create a new security realm:

1. Define a name and set the configuration options for the security realm. See Section 3.2, Before You Create a New Security Realm, and Configure new security realms in the Oracle WebLogic Server Administration Console Help.
2. Configure the required security providers for the security realm. A valid security realm requires an Authentication provider, an Authorization provider, an Adjudication provider, a Credential Mapping provider, a Role Mapping provider, and a CertPathBuilder. See Chapter 4, Configuring WebLogic Security Providers, and Chapter 5, Configuring Authentication Providers.
3. Optionally, define Identity Assertion, Auditing, and Certificate Registry providers. See Chapter 4, Configuring WebLogic Security Providers, and Chapter 5, Configuring Authentication Providers.
4. If you configured the Default Authentication, Authorization, Credential Mapping or Role Mapping provider or the Certificate Registry in the new security realm, verify that the settings of the embedded LDAP server are appropriate. See Chapter 9, Managing the Embedded LDAP Server.
5. Optionally, configure caches to improve the performance of the WebLogic or LDAP Authentication providers in the security realm. See Section 5.4.10, Improving the Performance of WebLogic and LDAP Authentication Providers.
6. Protect WebLogic resources in the new security realm with security policies. Creating security policies is a multi-step process with many options. To fully understand this process, read Securing Resources Using Roles and Policies for Oracle WebLogic Server in conjunction with Securing Oracle WebLogic Server to ensure security is completely configured for a WebLogic Server deployment.
7. If the security data (users and groups, roles and policies, and credential maps) defined in the existing security realm will also be valid in the new security realm, you can export the security data from the existing realm and import it into the new security realm. See Chapter 8, Migrating Security Data.
8. Protect user accounts in the new security realm from dictionary attacks by setting lockout attributes. See Section 13.7, Protecting User Accounts.
9. Set the new realm as the default security realm for the WebLogic domain. See Change the default security realm in the Oracle WebLogic Server Administration Console Help.

Note: When you create a new security realm, you must configure at least one of the Authentication providers to return asserted LoginModules. Otherwise, run-as tags defined in deployment descriptors will not work.

Note: You can also use the WebLogic Scripting Tool or Java Management Extensions (JMX) APIs to create a new security configuration. See Oracle WebLogic Scripting Tool.

4 Configuring WebLogic Security Providers

The following sections describe how to configure the security providers supplied by WebLogic Server.

■ Section 4.1, When Do You Need to Configure a Security Provider?
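As an added example (not from the Oracle documentation), the following Python check applies the provider requirement from step 2 of Section 3.3 to a domain's config.xml and reports whether the realm named as default (step 9) is complete. The child element names and the placeholder namespaces in the constructed sample are assumptions about the config.xml layout; verify them against your own file.

```python
import xml.etree.ElementTree as ET

# Provider types the page lists as required, mapped to the config.xml child
# element assumed to hold each one (assumption, not taken from the page).
REQUIRED = {
    "Authentication": "authentication-provider",
    "Authorization": "authorizer",
    "Adjudication": "adjudicator",
    "Credential Mapping": "credential-mapper",
    "Role Mapping": "role-mapper",
    "CertPathBuilder": "cert-path-builder",
}

# Constructed sample with placeholder namespaces: "newrealm" is set as the
# default realm but lacks an Adjudication provider and a CertPathBuilder.
SAMPLE = """<domain xmlns="urn:example:domain" xmlns:sec="urn:example:security">
  <security-configuration>
    <realm>
      <sec:authentication-provider/><sec:role-mapper/><sec:authorizer/>
      <sec:adjudicator/><sec:credential-mapper/><sec:cert-path-provider/>
      <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
      <sec:name>myrealm</sec:name>
    </realm>
    <realm>
      <sec:authentication-provider/><sec:role-mapper/><sec:authorizer/>
      <sec:credential-mapper/>
      <sec:name>newrealm</sec:name>
    </realm>
    <default-realm>newrealm</default-realm>
  </security-configuration>
</domain>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def audit_realms(config_xml):
    """Return {realm name: {"missing": [provider types], "is_default": bool}}."""
    root = ET.fromstring(config_xml)
    sec_cfg = next((e for e in root.iter() if local(e.tag) == "security-configuration"), None)
    if sec_cfg is None:
        return {}
    default = next((e.text.strip() for e in sec_cfg if local(e.tag) == "default-realm" and e.text), None)
    report = {}
    for realm in (e for e in sec_cfg if local(e.tag) == "realm"):
        present = {local(child.tag) for child in realm}
        name = next((c.text.strip() for c in realm if local(c.tag) == "name" and c.text), "<unnamed>")
        missing = [kind for kind, tag in REQUIRED.items() if tag not in present]
        report[name] = {"missing": missing, "is_default": name == default}
    return report
```

A realm that is both `is_default` and has a non-empty `missing` list is the case to catch before restarting the domain.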