9.5.6 Subject Types
Access control rules can be associated with a number of subject types. The subject of an access control rule determines whether the rule applies to the currently connected session. The following subject types are defined:
■ authzID—Applies to a single user, specified as part of the subject definition. The identity of that user in the LDAP directory is typically given as a DN.
■ Group—Applies to a group of users specified by one of the following object classes:
– groupOfUniqueNames
– groupOfNames
– groupOfUniqueURLs
The first two types of groups contain explicit lists of members; the third type includes users in the group automatically, based on criteria defined in the group entry.
■ Subtree—Applies to the DN specified as part of the subject and to all entries below it in the LDAP directory tree.
■ IP Address—Applies to connections from a particular Internet address. This subject type is useful when all access must come through a proxy or other server. It applies only to a single host, not to a range or subnet.
■ Public—Applies to anyone connected to the directory, whether or not they are authenticated.
■ This—Applies to the user whose DN matches that of the entry being accessed.
9.5.7 Grant/Deny Evaluation Rules
The decision whether to grant or deny a client access to the information in an entry is based on many factors related to the access control rules and the entry being protected. Throughout the decision-making process, these guiding principles apply:
■ More specific rules override less specific ones. For example, a rule for an individual user entry takes precedence over a rule for a group.
■ If a conflict still exists in spite of the specificity of the rules, the subject of the rule determines which rule is applied. Rules with an IP Address subject have the highest precedence, followed by rules that apply to a specific authzID or This subject. Next in priority are rules that apply to Group subjects. Lowest priority goes to rules that apply to Subtree and Public subjects.
■ When conflicting ACL values remain, Deny takes precedence over Grant.
■ Deny is the default when there is no access control information.
Additionally, an entry scope takes precedence over a subtree scope.
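The subject types and the precedence rules are easier to see when applied to concrete rules. The following evaluator is an added example written for this page; it is not Oracle code, and the Rule dataclass is an assumed in-memory representation, not the syntax of the embedded LDAP server's access control file. The DNs, addresses and rule set are constructed sample data, and the order in which entry-versus-subtree scope, location depth and the 9.5.7 subject ranking are combined into one sort key is an assumption made for the illustration; the page states each principle but not how they compose.

```python
"""Toy evaluator for the subject types (9.5.6) and grant/deny rules (9.5.7).
Added example, not Oracle code: Rule is an assumed in-memory form, NOT the embedded
LDAP access control file syntax; all DNs, addresses and rules below are constructed."""
from dataclasses import dataclass, field
from typing import Optional

# Subject precedence from 9.5.7: lower rank wins a conflict.
SUBJECT_RANK = {"ip": 0, "authzID": 1, "this": 1, "group": 2, "subtree": 3, "public": 3}

def dn_parts(dn):
    """Split a DN into normalised RDNs (RDN escaping is not handled in this toy)."""
    return [p.strip().lower() for p in dn.split(",")] if dn else []

def in_subtree(dn, base):
    """True if dn is base itself or lies anywhere below it."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

@dataclass
class Session:
    dn: Optional[str]                          # bound identity; None for an anonymous bind
    groups: set = field(default_factory=set)   # DNs of groups the identity belongs to
    ip: str = ""                               # client address as seen by the server

@dataclass
class Rule:
    location: str       # DN the rule is attached to
    scope: str          # "entry" (that DN only) or "subtree" (DN and everything below)
    permission: str     # "grant" or "deny"
    rights: set         # e.g. {"r", "w"}
    attrs: set          # attribute names, or {"[all]"}
    subject_type: str   # one of SUBJECT_RANK's keys
    subject_value: str = ""

def subject_matches(rule, session, target_dn):
    t, v = rule.subject_type, rule.subject_value
    if t == "public":
        return True
    if t == "ip":                      # exact host match only, no ranges or subnets
        return session.ip == v
    if session.dn is None:             # remaining types need an authenticated identity
        return False
    if t == "authzID":
        return dn_parts(session.dn) == dn_parts(v)
    if t == "this":                    # the bound user is the entry being accessed
        return dn_parts(session.dn) == dn_parts(target_dn)
    if t == "group":                   # membership is supplied by the caller in this toy
        return any(dn_parts(g) == dn_parts(v) for g in session.groups)
    if t == "subtree":
        return in_subtree(session.dn, v)
    raise ValueError(f"unknown subject type {t!r}")

def rule_applies(rule, session, target_dn, right, attr):
    if rule.scope == "entry":
        in_scope = dn_parts(target_dn) == dn_parts(rule.location)
    else:
        in_scope = in_subtree(target_dn, rule.location)
    covers_attr = "[all]" in rule.attrs or attr.lower() in {a.lower() for a in rule.attrs}
    return in_scope and right in rule.rights and covers_attr and subject_matches(rule, session, target_dn)

def specificity(rule):
    """Sort key (assumed composition): entry beats subtree, deeper location beats shallower, then 9.5.7 subject rank."""
    return (0 if rule.scope == "entry" else 1, -len(dn_parts(rule.location)), SUBJECT_RANK[rule.subject_type])

def decide(rules, session, target_dn, right, attr):
    applicable = [r for r in rules if rule_applies(r, session, target_dn, right, attr)]
    if not applicable:
        return "deny"                  # no access control information: default deny
    best = min(specificity(r) for r in applicable)
    winners = [r for r in applicable if specificity(r) == best]
    # Equally specific rules that still conflict: deny takes precedence over grant.
    return "deny" if any(r.permission == "deny" for r in winners) else "grant"

def demo():
    """Constructed rule set and sessions; returns the decision for each case."""
    base = "ou=Employees,dc=example,dc=com"
    admins = "cn=Administrators,ou=Groups,dc=example,dc=com"
    rules = [
        Rule(base, "subtree", "grant", {"r"}, {"[all]"}, "public"),
        Rule(base, "subtree", "deny", {"r", "w"}, {"userPassword"}, "public"),
        Rule(base, "subtree", "grant", {"r", "w"}, {"userPassword"}, "this"),
        Rule(base, "subtree", "grant", {"r", "w"}, {"userPassword"}, "group", admins),
        Rule(base, "subtree", "grant", {"w"}, {"[all]"}, "ip", "198.51.100.9"),
        Rule(f"uid=alice,{base}", "entry", "deny", {"w"}, {"[all]"}, "group", admins),
    ]
    anon, proxy = Session(None, ip="203.0.113.7"), Session(None, ip="198.51.100.9")
    bob = Session(f"uid=bob,{base}")
    carol = Session(f"uid=carol,{base}", groups={admins})
    bob_dn, alice_dn = f"uid=bob,{base}", f"uid=alice,{base}"
    return {
        "anon_read_cn": decide(rules, anon, bob_dn, "r", "cn"),                     # public grant
        "anon_read_pw": decide(rules, anon, bob_dn, "r", "userPassword"),           # deny beats grant
        "anon_write_cn": decide(rules, anon, bob_dn, "w", "cn"),                    # no rule: default deny
        "bob_reads_own_pw": decide(rules, bob, bob_dn, "r", "userPassword"),        # this beats public
        "admin_writes_bob_pw": decide(rules, carol, bob_dn, "w", "userPassword"),   # group beats public
        "admin_writes_alice_pw": decide(rules, carol, alice_dn, "w", "userPassword"),  # entry beats subtree
        "proxy_writes_bob_pw": decide(rules, proxy, bob_dn, "w", "userPassword"),   # ip beats public deny
    }
```

Each case in demo() isolates one principle from the list above: the anonymous read of userPassword shows Deny winning over an equally specific Grant, the proxy address shows an IP Address subject overriding a Public deny, and the entry-scoped rule on uid=alice shows entry scope overriding a subtree rule that would otherwise grant the administrators group write access.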
9.6 Backup and Recovery
If any of your security realms use the Default Authentication, Authorization, Credential Mapping, or Role Mapping providers, you should maintain an up-to-date backup of the following directory tree:
domain_name/servers/adminServer/data/ldap
In the preceding path, domain_name is the domain root directory and adminServer is the directory in which the Administration Server stores run-time and security data.
For more information about backing up the embedded LDAP server data, see the following topics:
■ Back Up LDAP Repository in Managing Server Startup and Shutdown for Oracle WebLogic Server
■ Configure backups for embedded LDAP servers in Oracle WebLogic Server Administration Console Help
If the embedded LDAP server file becomes corrupt or unusable, the Administration Server generates a NumberFormatException and fails to start. This situation is rare but can occur if the disk becomes full and causes the embedded LDAP file to enter an invalid state.
To recover from an unusable embedded LDAP server file, complete the following steps:
1. Change to the following directory:
domain_name/servers/adminServer/data
2. Rename the embedded LDAP server file, as in the following example:
mv ldap ldap.old
By renaming the file rather than deleting it, you keep it available for analysis and potential data recovery.
3. Start the Administration Server. When the Administration Server starts, a new embedded LDAP server file is created.
4. Restore to the new embedded LDAP server any data that was added since the WebLogic domain was created. If you have configured a backup of the embedded LDAP server, you can restore the backed-up data by importing it. For information, see Section 9.4, Exporting and Importing Information in the Embedded LDAP Server.
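The backup and recovery procedure above, as an added example written for this page rather than a tool from the Oracle documentation. It archives the ldap directory, records and later checks a SHA-256 so a damaged archive is noticed before it is needed, and implements step 2 of the recovery as a timestamped rename so an earlier ldap.old is never overwritten. It assumes data_dir is domain_name/servers/adminServer/data as on the page, and that the Administration Server is stopped while the copy is taken so the files are not changing underneath it; the stand-in data tree built in demo() is constructed and does not contain real embedded LDAP files.

```python
"""Added example, not part of the Oracle documentation: back up and verify the
embedded LDAP data directory, then perform the documented 'rename, never delete'
recovery step.  Assumes data_dir is domain_name/servers/adminServer/data and that
the Administration Server is stopped while the copy is taken."""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

def _stamp():
    return time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())

def backup_ldap(data_dir, dest_dir):
    """Write <dest_dir>/ldap-<stamp>.tar.gz from <data_dir>/ldap plus a .sha256
    sidecar.  The archive is re-read and its member count compared with the source
    tree before it is trusted; a mismatch discards it rather than keeping a bad copy."""
    src = Path(data_dir) / "ldap"
    if not src.is_dir():
        raise FileNotFoundError(f"no ldap directory under {data_dir}")
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"ldap-{_stamp()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="ldap")
    with tarfile.open(archive, "r:gz") as tar:
        members = len(tar.getnames())
    expected = 1 + sum(len(dirs) + len(files) for _, dirs, files in os.walk(src))
    if members != expected:
        archive.unlink()
        raise RuntimeError("archive member count mismatch; backup discarded")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(f"{digest}  {archive.name}\n")  # sha256sum -c format
    return archive

def verify_backup(archive):
    """True if the archive still matches the SHA-256 recorded beside it."""
    archive = Path(archive)
    recorded = Path(f"{archive}.sha256").read_text().split()[0]
    return hashlib.sha256(archive.read_bytes()).hexdigest() == recorded

def recover_ldap(data_dir):
    """Step 2 of the recovery procedure: move the unusable ldap directory aside under
    a timestamped name so the Administration Server creates a fresh one at start-up
    and the damaged copy remains available for analysis.  Returns the new path."""
    src = Path(data_dir) / "ldap"
    if not src.exists():
        raise FileNotFoundError(f"nothing to recover under {data_dir}")
    old = src.with_name(f"ldap.old.{_stamp()}")
    if old.exists():
        raise FileExistsError(f"{old} exists; refusing to overwrite an earlier copy")
    src.rename(old)
    return old

def demo():
    """Constructed run in a temporary directory: a stand-in data tree (not real
    embedded LDAP files) is backed up, verified, tampered with, then moved aside."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "servers" / "AdminServer" / "data"   # stands in for adminServer
        (data / "ldap" / "ldapfiles").mkdir(parents=True)
        (data / "ldap" / "ldapfiles" / "sample.data").write_bytes(b"constructed stand-in content")
        archive = backup_ldap(data, Path(tmp) / "backups")
        intact = verify_backup(archive)
        with open(archive, "r+b") as f:               # corrupt the last byte of the archive
            f.seek(-1, os.SEEK_END)
            last = f.read(1)[0]
            f.seek(-1, os.SEEK_END)
            f.write(bytes([last ^ 0xFF]))
        tampered = verify_backup(archive)
        old = recover_ldap(data)
        return {
            "backup_verified": intact,
            "tamper_detected": not tampered,
            "ldap_moved_aside": not (data / "ldap").exists(),
            "old_copy_kept": (old / "ldapfiles" / "sample.data").is_file(),
            "old_name_ok": old.name.startswith("ldap.old."),
        }
```

After recover_ldap() the Administration Server is started as in step 3, and step 4 (re-importing the backed-up data) is done with the export/import procedure referenced in Section 9.4; the archive written by backup_ldap() is a filesystem copy for disaster recovery and is not a substitute for the embedded LDAP server's own configured backups.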