5-20 Securing Oracle WebLogic Server
5.5.3 Configuring the Read-Only SQL Authenticator
For detailed information about configuring a Read-Only SQL Authentication provider, see Security Realms: Security Providers: Read-Only SQL Authenticator: Provider Specific in the Oracle WebLogic Server Administration Console Help. In addition to the attributes described in
Section 5.5.1, Common RDBMS Authentication Provider Attributes,
the Read-Only SQL Authentication provider's configurable attributes include attributes that specify the SQL statements used by the provider to list the
username, password, and group information in the database. You can modify these attributes as needed to match the schema of your database.
5.5.4 Configuring the Custom DBMS Authenticator
The Custom DBMS Authentication provider, like the other RDBMS Authentication providers, uses a relational database as its data store for user, password, and group
information. Use this provider if your database schema does not map well to the SQL schema expected by the SQL Authenticator. In addition to the attributes described in
Section 5.5.1, Common RDBMS Authentication Provider Attributes, the Custom
DBMS Authentication provider's configurable attributes include the following.
5.5.4.1 Plug-In Class Attributes
A Custom DBMS Authentication provider requires that you write a plug-in class that implements the
weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface. The class must exist in the system classpath and must be
specified in the Plug-in Class Name attribute for the Custom DBMS Authentication provider. Optionally, you can use the Plugin Properties attribute to specify values for
properties defined by your plug-in class.
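The following class is an added example of such a plug-in for a legacy schema that the SQL Authenticator's expected tables do not fit; it is not code from the Oracle documentation or from WebLogic Server. It also illustrates the point made in Section 5.5.3 for the Read-Only SQL Authenticator: the SQL that lists users, passwords and groups must match your schema, and the lookup value must be bound as a parameter rather than concatenated into the statement. The package name, the table and column names, the property keys read from the Plugin Properties attribute, and the plug-in method names and signatures shown here are assumptions; verify the latter against the CustomDBMSAuthenticatorPlugin Javadoc for your WebLogic release before compiling.

```java
package example.security; // hypothetical package; any class on the system classpath will do

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.regex.Pattern;

import weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin;

/**
 * Plug-in for a constructed legacy schema:
 *   APP_USER(LOGIN, PWD_HASH)  and  APP_USER_ROLE(LOGIN, ROLE_NAME).
 * Table and column names can be overridden through the Plugin Properties attribute,
 * so the class does not need to change when the schema does.
 */
public class LegacySchemaAuthenticatorPlugin implements CustomDBMSAuthenticatorPlugin {

    // Only plain SQL identifiers may be spliced into statement text from configuration.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

    private String userExistsSql, lookupPasswordSql, lookupGroupsSql, groupExistsSql;

    // Method name and parameter type are assumed; see the lead-in.
    public void initialize(Properties props) {
        String userTable = identifier(props.getProperty("userTable", "APP_USER"));
        String userCol   = identifier(props.getProperty("userColumn", "LOGIN"));
        String passCol   = identifier(props.getProperty("passwordColumn", "PWD_HASH"));
        String roleTable = identifier(props.getProperty("roleTable", "APP_USER_ROLE"));
        String roleCol   = identifier(props.getProperty("roleColumn", "ROLE_NAME"));

        // Statement text is fixed at start-up from validated configuration values.
        // The user or group name from the login request is always bound to the "?" marker.
        userExistsSql     = "SELECT 1 FROM " + userTable + " WHERE " + userCol + " = ?";
        lookupPasswordSql = "SELECT " + passCol + " FROM " + userTable + " WHERE " + userCol + " = ?";
        lookupGroupsSql   = "SELECT " + roleCol + " FROM " + roleTable + " WHERE " + userCol + " = ?";
        groupExistsSql    = "SELECT 1 FROM " + roleTable + " WHERE " + roleCol + " = ?";
    }

    public boolean userExists(Connection conn, String userName) throws SQLException {
        return rowExists(conn, userExistsSql, userName);
    }

    /** Returns the stored credential, or null when the user is unknown (never an empty string). */
    public String lookupPassword(Connection conn, String userName) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(lookupPasswordSql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString(1) : null;
            }
        }
    }

    public boolean groupExists(Connection conn, String groupName) throws SQLException {
        return rowExists(conn, groupExistsSql, groupName);
    }

    /** Groups are the distinct role names assigned to the user; an unknown user gets an empty array. */
    public String[] lookupUserGroups(Connection conn, String userName) throws SQLException {
        List<String> groups = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(lookupGroupsSql)) {
            ps.setString(1, userName);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    String g = rs.getString(1);
                    if (g != null && !groups.contains(g)) groups.add(g);
                }
            }
        }
        return groups.toArray(new String[0]);
    }

    public void shutdown() {
        // Nothing to release: connections are owned and pooled by the provider.
    }

    private static boolean rowExists(Connection conn, String sql, String key) throws SQLException {
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, key);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    private static String identifier(String value) {
        if (value == null || !IDENTIFIER.matcher(value).matches()) {
            throw new IllegalArgumentException("Plugin Properties value is not a plain SQL identifier: " + value);
        }
        return value;
    }
}
```

Two design points carry over to any plug-in you write. First, identifiers from the Plugin Properties attribute are validated against a strict pattern before they are spliced into statement text, while the name entered at login is only ever bound through `setString`; the plug-in therefore cannot be turned into an injection point by either the configuration or the request. Second, the value returned by `lookupPassword` must be in whatever form the provider's password-handling attributes from Section 5.5.1 expect (plaintext or hashed), and it should never be written to a log.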
5.6 Configuring a Windows NT Authentication Provider
The Windows NT Authentication provider uses account information defined for a Windows NT domain to authenticate users and groups and to permit Windows NT
users and groups to be listed in the WebLogic Server Administration Console.
To use the Windows NT Authentication provider, create the provider in the Administration Console. In most cases, you should not need to do anything more to
configure this Authentication provider. Depending on how your Windows NT domains are configured, you may want to set the Domain Controllers and Domain
Controller List attributes, which control how the Windows NT Authentication provider interacts with the Windows NT domain.
5.6.1 Domain Controller Settings
Usernames in a Windows NT domain can take several different forms. You may need to configure the Windows NT Authentication provider to match the form of
usernames you expect your users to sign on with. A simple username is one that gives no indication of the domain, such as smith. Compound usernames combine a
username with a domain name and may take a form like domain\smith or smith@domain.
Note: The Windows NT Authentication provider is deprecated as of
WebLogic Server 10.0. Use one or more other supported authentication providers instead.
If the local machine is not part of a Microsoft domain, then no changes to the Domain Controllers and Domain Controller List attributes are needed. On a stand-alone
machine, the users and groups to be authenticated are defined only on that machine.
If the local machine is part of a Microsoft domain and is the domain controller for the local domain, then no changes are needed to the Domain Controller List attribute.
Users defined on the local machine and the domain are the same in this case, so you can use the default Domain Controllers setting.
If the local machine is part of a Microsoft domain, but is not the domain controller for the local domain, then a simple username might be found on either the local machine
or in the domain. In this case, consider the following:
■ Do you want to prevent the users and groups from the local machine from being displayed in the Console when the local machine is part of a Microsoft domain?
■ Do you want users from the local machine to be found and authenticated when a simple username is entered?
If the answer to either question is yes, then set the Domain Controllers attribute to DOMAIN.
If you have multiple trusted domains, you may need to set the Domain Controllers attribute to LIST and specify a Domain Controller List. Do this if:
■ You require the users and groups for other trusted domains to be visible in the Console, or
■ You expect that your users will be entering simple usernames and expect them to be located in the trusted domains; that is, users will sign on with a simple
username like smith, not smith@domain or domain\smith.
If either of these situations is the case, then set the Domain Controllers attribute to LIST and specify the names of the domain controllers in the Domain Controller List
attribute for the trusted domains that you want to be used. Consider also whether to use explicit names for the local machine and local domain controller or if you want to
use placeholders in the list for those. You can use the following placeholders in the Domain Controller List attribute:
■ [Local]
■ [LocalAndDomain]
■ [Domain]
5.6.2 LogonType Setting