Initial Connection: Requires a ManagedConnection from Adapter Without Applications Request Special Users

If an application authenticated as user1 makes a request against poolA, it finds no mapping for user1 for poolA. The following sequence occurs:

1. The application searches at the global level, which also has no mapping for user1.
2. The application searches the poolA mappings for a default mapping and finds a default mapping.

If an application does not authenticate to WLS and makes a request against poolA, it finds no mapping for the anonymous user for poolA. It then searches at the global level and finds a mapping for the anonymous user foobar.

8.2.2.2 Initial Connection: Requires a ManagedConnection from Adapter Without Applications Request

WebLogic Server requires a ManagedConnection from the adapter without an application's request. This happens either when WebLogic Server creates initial connections at deployment time (meaning the initial-capacity element in weblogic-ra.xml is set to a value greater than 0), or when WebLogic Server needs to get a ManagedConnection specifically for XA recovery. The server searches for mappings in the following order:

1. Initial mappings at the connection factory level.
2. Initial mappings at the global level.
3. Default mappings at the connection factory level.
4. Default mappings at the global level.

If neither an initial nor a default mapping is defined, WebLogic Server uses null as the Subject when it calls the adapter to create a ManagedConnection.

For example, consider two connection pools with the following credential mappings:

Example 8–2 Credential Mapping Examples

poolA
    initial user name: admin
    initial password: adminpw
poolB
    default user name: harry
    default password: harrypw
global
    initial user name: sysman
    initial password: sysmanpw

Referring to Example 8–2, suppose WebLogic Server needs to perform XA recovery for poolA and so makes a connection request against poolA. Because the initial credential mapping is defined for poolA, the resource adapter uses this mapping (admin/adminpw).

If WebLogic Server makes the same request against poolB, there is no corresponding initial credential mapping for poolB. WebLogic Server then searches for the initial credential mapping at the global level, where it finds a mapping (sysman/sysmanpw).

Note: Applies to both Container-Managed sign-on and Application-Managed sign-on.
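The lookup order above, modeled as an added example (this is not Oracle's or WebLogic's code). The dictionary layout, the function names and poolC are assumptions; the poolA, poolB and global mappings are those of Example 8–2. The audit function lists pools whose initial or XA recovery connections would fall back to a global mapping, a default mapping, or a null Subject.

```python
# Added illustration: models the server-initiated lookup order of section 8.2.2.2.
# It is not WebLogic code; the data layout and function names are assumptions.
from typing import NamedTuple, Optional


class Resolved(NamedTuple):
    pool: str
    kind: Optional[str]    # "initial", "default", or None
    level: Optional[str]   # "pool", "global", or None
    user: Optional[str]    # mapped user name; None means a null Subject


# Search order: initial/pool, initial/global, default/pool, default/global.
SEARCH_ORDER = [("initial", "pool"), ("initial", "global"),
                ("default", "pool"), ("default", "global")]


def resolve_server_request(pool, pool_maps, global_maps):
    """Return the mapping used for initial-capacity or XA recovery connections."""
    scopes = {"pool": pool_maps.get(pool, {}), "global": global_maps}
    for kind, level in SEARCH_ORDER:
        entry = scopes[level].get(kind)
        if entry is not None:
            return Resolved(pool, kind, level, entry[0])
    return Resolved(pool, None, None, None)  # adapter is called with a null Subject


def audit(pools, pool_maps, global_maps):
    """List pools that do not resolve to their own pool-level initial mapping."""
    results = (resolve_server_request(p, pool_maps, global_maps) for p in pools)
    return [r for r in results if (r.kind, r.level) != ("initial", "pool")]


# Mappings from Example 8-2; poolC is a constructed pool with no mappings of its own.
POOL_MAPS = {
    "poolA": {"initial": ("admin", "adminpw")},
    "poolB": {"default": ("harry", "harrypw")},
}
GLOBAL_MAPS = {"initial": ("sysman", "sysmanpw")}

if __name__ == "__main__":
    for name in ("poolA", "poolB", "poolC"):
        print(resolve_server_request(name, POOL_MAPS, GLOBAL_MAPS))
    print(audit(["poolA", "poolB", "poolC"], POOL_MAPS, GLOBAL_MAPS))
```

For poolB the global initial mapping (sysman) is selected ahead of poolB's own default mapping (harry), because both initial levels are searched before any default mapping.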

8.2.2.3 Special Users

Three special users are provided for use by resource adapters:

■ Initial User (User for creating initial connections)—If you define a mapping for this user, the specified credentials are used for the initial connections created when:
    – Starting the connection pool for this resource adapter
    – Doing XA transaction recovery for the connection pool
  The InitialCapacity parameter on the pool specifies the number of initial connections. If you do not define a mapping for this user, the default mapping, if provided, is used. Otherwise, no credentials are provided for the initial connections.

■ Anonymous User (Unauthenticated WLS User)—If you define a mapping for this user, the specified credentials are used when no user is authenticated for the connection request on the resource adapter.

■ Default User—If you define a mapping for this user, the specified credentials are used when:
    – No other mapping applies for the current user
    – No anonymous mapping is provided in the case where there is no authenticated user.

8.2.3 Creating Credential Mappings Using the Console