
8 Security

Since a resource adapter needs to be able to establish connections with external systems, it needs to be configured with authentication and other security information necessary to make the connections. The following sections discuss WebLogic Server resource adapter security for outbound communication:

■ Section 8.1, Container-Managed and Application-Managed Sign-on
■ Section 8.2, Password Credential Mapping
■ Section 8.3, Security Policy Processing
■ Section 8.4, Configuring Security Identities for Resource Adapters
■ Section 8.5, Configuring Connection Factory-Specific Authentication and Re-authentication Mechanisms

For more information about WebLogic security, see Oracle Fusion Middleware Understanding Security for Oracle WebLogic Server and Oracle Fusion Middleware Securing Resources Using Roles and Policies for Oracle WebLogic Server.

8.1 Container-Managed and Application-Managed Sign-on

When a resource adapter makes an outbound connection to an Enterprise Information System (EIS), it needs to sign on with valid security credentials. In accordance with the J2CA 1.5 Specification (http://java.sun.com/j2ee/connector/), WebLogic Server supports both container-managed and application-managed sign-on for outbound connections. At runtime, WebLogic Server determines the chosen sign-on mechanism based on the information specified in either the invoking client component's deployment descriptor or the res-auth element of the resource adapter deployment descriptor. A sign-on mechanism specified in a resource adapter's deployment descriptor takes precedence over one specified in the calling component's deployment descriptor. Even when using container-managed sign-on, any security information explicitly specified by the client component is presented on the call to obtain the connection. If the WebLogic Server J2EE 1.5 Connector Architecture implementation cannot determine which sign-on mechanism is being requested by the client component, the connector container attempts container-managed sign-on.
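The precedence rule described above, modeled as a small descriptor audit that reports which sign-on mechanism wins and whether a client's request is overridden. This is an added example, not WebLogic or Oracle code: the sample descriptors are constructed, the element layout around res-auth in the adapter descriptor is an assumption, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: calling component's descriptor asking for Application sign-on.
CLIENT_DESCRIPTOR = """<web-app>
  <resource-ref>
    <res-ref-name>eis/OrderSystem</res-ref-name>
    <res-auth>Application</res-auth>
  </resource-ref>
</web-app>"""

# Constructed sample: adapter descriptor; the nesting around res-auth is assumed.
ADAPTER_DESCRIPTOR = """<weblogic-connector>
  <outbound-resource-adapter>
    <default-connection-properties>
      <res-auth>Container</res-auth>
    </default-connection-properties>
  </outbound-resource-adapter>
</weblogic-connector>"""

def find_res_auth(descriptor_xml):
    """Return the first res-auth value in a descriptor, or None if absent/invalid."""
    if not descriptor_xml:
        return None
    for elem in ET.fromstring(descriptor_xml).iter():
        # Compare local names so namespaced descriptors are handled too.
        if elem.tag.rsplit("}", 1)[-1] == "res-auth":
            value = (elem.text or "").strip()
            return value if value in ("Container", "Application") else None
    return None

def effective_sign_on(adapter_xml, client_xml):
    """Apply the stated precedence: adapter, then client, then container default."""
    adapter = find_res_auth(adapter_xml)
    if adapter:
        return adapter, "resource adapter descriptor"
    client = find_res_auth(client_xml)
    if client:
        return client, "client component descriptor"
    return "Container", "default (mechanism could not be determined)"

def audit(adapter_xml, client_xml):
    """Flag a client whose requested mechanism is overridden by the adapter."""
    mechanism, source = effective_sign_on(adapter_xml, client_xml)
    requested = find_res_auth(client_xml)
    overridden = requested is not None and requested != mechanism
    return {"mechanism": mechanism, "source": source, "client_overridden": overridden}

if __name__ == "__main__":
    print(audit(ADAPTER_DESCRIPTOR, CLIENT_DESCRIPTOR))
```

A `client_overridden` result of true marks a component written to supply its own credentials while the adapter descriptor selects container-managed sign-on, which is worth reviewing against the credential mapping configured for that adapter.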

8.1.1 Application-Managed Sign-on

With application-managed sign-on, the client component supplies the necessary security credentials (typically a user name and password) when making the call to obtain a connection to an EIS. In this scenario, the application server provides no additional security processing other than to pass along this information in the request for the connection.

8.1.2 Container-Managed Sign-on