Design Considerations 3-35
provide its security service. If the security provider fails to locate the database, you can have it create one and automatically populate it with the default users, groups,
security policies, security roles, and credentials. This option may be useful for development and testing purposes.
Both the WebLogic security providers and the sample security providers follow this practice. The WebLogic Authentication, Authorization, Role Mapping, and Credential
Mapping providers store the user, group, security policy, security role, and credential information in the embedded LDAP server. If you want to use any of these WebLogic
security providers, you will need to follow the Configuring the Embedded LDAP Server instructions in Securing Oracle WebLogic Server.
3.7.2 Best Practice: Configure an Existing Database
If you already have a database such as an external LDAP server, you can populate that database with the users, groups, security policies, security roles, and credentials
that your Authentication, Authorization, Role Mapping, and Credential Mapping providers require. Populating an existing database is accomplished using whatever
tools you already have in place for performing these tasks.
Once your database contains the necessary information, you must configure the security providers to look in that database. You accomplish this by adding custom
attributes to your security provider's MBean Definition File (MDF). Examples of custom attributes are the database's host, port, password, and so on. After you run the
MDF through the WebLogic MBeanMaker and complete a few other steps to generate the MBean type for your custom security provider, you or an administrator can use the
WebLogic Server Administration Console to set these attributes to point to the database.
As an example, Example 3–5 shows some custom attributes that are part of the WebLogic LDAP Authentication provider's MDF. These attributes enable an
administrator to specify information about the WebLogic LDAP Authentication provider's database (an external LDAP server), so that the provider can locate information about users
and groups.
Note: The sample security providers available at
https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224
on the Oracle Technology Network Web site simply create and use a properties file as their database. For example,
the sample Authentication provider creates a file called SampleAuthenticatorDatabase.java that contains the
necessary information about users and groups.
Note: For more information about MDFs, MBean types, and the WebLogic MBeanMaker, see
Section 2.2.3, "Generating an MBean Type to Configure and Manage the Custom Security Provider."
3-36 Developing Security Providers for Oracle WebLogic Server
Example 3–5 LDAPAuthenticator.xml
...
<MBeanAttribute
    Name = "UserObjectClass"
    Type = "java.lang.String"
    Default = "&quot;person&quot;"
    Description = "The LDAP object class that stores users."
/>

<MBeanAttribute
    Name = "UserNameAttribute"
    Type = "java.lang.String"
    Default = "&quot;uid&quot;"
    Description = "The attribute of an LDAP user object that specifies the name of the user."
/>

<MBeanAttribute
    Name = "UserDynamicGroupDNAttribute"
    Type = "java.lang.String"
    Description = "The attribute of an LDAP user object that specifies the distinguished names (DNs) of dynamic groups to which this user belongs. If such an attribute does not exist, WebLogic Server determines if a user is a member of a group by evaluating the URLs on the dynamic group. If a group contains other groups, WebLogic Server evaluates the URLs on any of the descendants of the group."
/>

<MBeanAttribute
    Name = "UserBaseDN"
    Type = "java.lang.String"
    Default = "&quot;ou=people, o=example.com&quot;"
    Description = "The base distinguished name (DN) of the tree in the LDAP directory that contains users."
/>

<MBeanAttribute
    Name = "UserSearchScope"
    Type = "java.lang.String"
    Default = "&quot;subtree&quot;"
    LegalValues = "subtree,onelevel"
    Description = "Specifies how deep in the LDAP directory tree to search for Users. Valid values are &lt;code&gt;subtree&lt;/code&gt; and &lt;code&gt;onelevel&lt;/code&gt;."
/>
...
3.7.3 Best Practice: Delegate Database Initialization