
provide its security service. If the security provider fails to locate the database, you can have it create one and automatically populate it with the default users, groups, security policies, security roles, and credentials. Because the store is seeded with default users and credentials, this option is useful for development and testing, not for production. Both the WebLogic security providers and the sample security providers follow this practice. The WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping providers store user, group, security policy, security role, and credential information in the embedded LDAP server. If you want to use any of these WebLogic security providers, follow the instructions in "Configuring the Embedded LDAP Server" in Securing Oracle WebLogic Server.

3.7.2 Best Practice: Configure an Existing Database

If you already have a database, such as an external LDAP server, you can populate it with the users, groups, security policies, security roles, and credentials that your Authentication, Authorization, Role Mapping, and Credential Mapping providers require. Populate the existing database with whatever tools you already use for those tasks. Once the database contains the necessary information, you must configure the security providers to look in that database. You do this by adding custom attributes to your security provider's MBean Definition File (MDF); typical custom attributes are the database's host, port, password, and so on. After you run the MDF through the WebLogic MBeanMaker and complete a few other steps to generate the MBean type for your custom security provider, you or an administrator use the WebLogic Server Administration Console to set these attributes so that they point to the database.

As an example, Example 3–5 shows some custom attributes that are part of the WebLogic LDAP Authentication provider's MDF. These attributes let an administrator describe the WebLogic LDAP Authentication provider's database (an external LDAP server) so that the provider can locate information about users and groups. Note that a Default value in an MDF is a Java expression, which is why a string default is written as &quot;person&quot;: the MBeanMaker emits it as the Java literal "person".

Example 3–5 LDAPAuthenticator.xml

    ...
    <MBeanAttribute
      Name = "UserObjectClass"
      Type = "java.lang.String"
      Default = "&quot;person&quot;"
      Description = "The LDAP object class that stores users."
    />

    <MBeanAttribute
      Name = "UserNameAttribute"
      Type = "java.lang.String"
      Default = "&quot;uid&quot;"
      Description = "The attribute of an LDAP user object that specifies the name of the user."
    />

    <MBeanAttribute
      Name = "UserDynamicGroupDNAttribute"
      Type = "java.lang.String"
      Description = "The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendents of the group."
    />

    <MBeanAttribute
      Name = "UserBaseDN"
      Type = "java.lang.String"
      Default = "&quot;ou=people, o=example.com&quot;"
      Description = "The base distinguished name (DN) of the tree in the LDAP directory that contains users."
    />

    <MBeanAttribute
      Name = "UserSearchScope"
      Type = "java.lang.String"
      Default = "&quot;subtree&quot;"
      LegalValues = "subtree,onelevel"
      Description = "Specifies how deep in the LDAP directory tree to search for Users. Valid values are &lt;code&gt;subtree&lt;/code&gt; and &lt;code&gt;onelevel&lt;/code&gt;."
    />
    ...

Note: The sample security providers available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site simply create and use a properties file as their database. For example, the sample Authentication provider creates a file called SampleAuthenticatorDatabase.java that contains the necessary information about users and groups.

Note: For more information about MDFs, MBean types, and the WebLogic MBeanMaker, see Section 2.2.3, "Generating an MBean Type to Configure and Manage the Custom Security Provider."
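The attributes in Example 3–5 describe nothing more than an LDAP user search, so it helps to see them turned into one. The following Python is an added example, not code from the WebLogic documentation or from WebLogic itself: it parses MBeanAttribute entries from a constructed MDF fragment that reuses the attribute names of Example 3–5, applies the values an administrator would set in the Administration Console (enforcing LegalValues the way the generated MBean would), and builds the search base, scope, and filter for a user lookup. The MDF fragment and every function name are assumptions for illustration. The filter escaping is the check a provider that queries an external directory needs: the user name it receives at login is attacker-controlled, and without RFC 4515 escaping a name such as *)(uid=* rewrites the filter.

```python
"""Added example, not from the WebLogic documentation or the WebLogic code base.

It parses MBeanAttribute entries from an MDF fragment, applies the values an
administrator would set in the console, and builds the LDAP user search those
attributes describe. The MDF fragment is constructed for this example (it only
reuses the attribute names from Example 3-5); every function here is
hypothetical and is not a WebLogic or MBeanMaker API."""
import xml.etree.ElementTree as ET

# Constructed MDF fragment. An MDF Default is a Java expression, so a string
# default is written as &quot;person&quot; (the Java literal "person").
MDF_FRAGMENT = """\
<MBeanType Name="ExampleLDAPAuthenticator" Package="example.security">
  <MBeanAttribute Name="UserObjectClass" Type="java.lang.String"
    Default="&quot;person&quot;"
    Description="The LDAP object class that stores users." />
  <MBeanAttribute Name="UserNameAttribute" Type="java.lang.String"
    Default="&quot;uid&quot;"
    Description="The attribute of an LDAP user object that names the user." />
  <MBeanAttribute Name="UserBaseDN" Type="java.lang.String"
    Default="&quot;ou=people, o=example.com&quot;"
    Description="The base DN of the tree that contains users." />
  <MBeanAttribute Name="UserSearchScope" Type="java.lang.String"
    Default="&quot;subtree&quot;" LegalValues="subtree,onelevel"
    Description="How deep in the directory tree to search for users." />
</MBeanType>
"""


def _java_string_literal(expr):
    """Return the contents of a Java string literal such as "person"."""
    if len(expr) >= 2 and expr[0] == '"' and expr[-1] == '"':
        return expr[1:-1]
    raise ValueError("Default is not a Java string literal: %r" % expr)


def parse_mdf_attributes(xml_text):
    """Map attribute Name -> {type, default, legal_values, description}."""
    attrs = {}
    for el in ET.fromstring(xml_text).iter("MBeanAttribute"):
        entry = {"type": el.get("Type"), "default": None,
                 "legal_values": None, "description": el.get("Description", "")}
        default = el.get("Default")          # &quot; is already decoded to "
        if default is not None:
            entry["default"] = (_java_string_literal(default)
                                if entry["type"] == "java.lang.String" else default)
        legal = el.get("LegalValues")
        if legal is not None:
            entry["legal_values"] = [v.strip() for v in legal.split(",")]
        attrs[el.get("Name")] = entry
    return attrs


def resolve_settings(attrs, overrides):
    """Combine MDF defaults with console-set values; enforce LegalValues."""
    unknown = sorted(set(overrides) - set(attrs))
    if unknown:
        raise ValueError("attributes not declared in the MDF: %s" % unknown)
    settings = {}
    for name, entry in attrs.items():
        value = overrides.get(name, entry["default"])
        if entry["legal_values"] is not None and value not in entry["legal_values"]:
            raise ValueError("%s=%r not in LegalValues %s"
                             % (name, value, entry["legal_values"]))
        settings[name] = value
    return settings


def escape_filter_value(value):
    """RFC 4515 escaping so a user-supplied name cannot rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_user_search(settings, username):
    """Return (base DN, scope, filter) for looking up one user."""
    ldap_filter = "(&(objectClass=%s)(%s=%s))" % (
        settings["UserObjectClass"], settings["UserNameAttribute"],
        escape_filter_value(username))
    return settings["UserBaseDN"], settings["UserSearchScope"], ldap_filter


if __name__ == "__main__":
    attrs = parse_mdf_attributes(MDF_FRAGMENT)
    # Values an administrator might set in the console for a site's directory.
    site = resolve_settings(attrs, {"UserBaseDN": "ou=staff,dc=example,dc=com",
                                    "UserSearchScope": "onelevel"})
    print(build_user_search(site, "alice"))
    print(build_user_search(site, "*)(uid=*"))  # injection attempt is neutralised
```

Two design points carry over to a real provider: values that reach the provider through the MBean are trusted configuration, so the object class and attribute name are interpolated as-is, whereas the user name arrives from the login and is always escaped; and a value outside LegalValues is rejected at configuration time rather than silently falling back to a default scope.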

3.7.3 Best Practice: Delegate Database Initialization