Security 8-5
If an application authenticated as user1 makes a request against poolA, it finds no mapping for user1 for poolA. The following sequence occurs:
1. The application searches at the global level, which also has no mapping for user1.
2. The application searches the poolA mappings for a default mapping and finds a default mapping.
If an application doesn't authenticate to WLS and makes a request against poolA, it finds no mapping for the anonymous user for poolA. It then searches at the global level and finds a mapping for the anonymous user foobar.
8.2.2.2 Initial Connection: Requires a ManagedConnection from Adapter Without Application's Request
WebLogic Server requires a ManagedConnection from the adapter without an application's request in two cases: when WebLogic Server creates initial connections at deployment time (meaning the initial-capacity element in weblogic-ra.xml is set to a value greater than 0), or when WebLogic Server needs to get a ManagedConnection specifically for XA recovery.
The server searches for mappings in the following order:
1. Initial mappings at the connection factory level.
2. Initial mappings at the global level.
3. Default mappings at the connection factory level.
4. Default mappings at the global level.
If neither an initial nor a default mapping is defined, WebLogic Server uses null as the Subject when it calls the adapter to create a ManagedConnection.
For example, consider two connection pools with the following credential mappings:
Example 8–2 Credential Mapping Examples
poolA
    initial user name: admin
    initial password: adminpw
poolB
    default user name: harry
    default password: harrypw
global
    initial user name: sysman
    initial password: sysmanpw
Referring to Example 8–2, suppose WebLogic Server needs to perform XA recovery for poolA and so makes a connection request against poolA. Because the initial credential mapping for the system is defined for poolA, the resource adapter uses this mapping (admin/adminpw).
If WebLogic Server makes the same request against poolB, there is no corresponding initial credential mapping for poolB. WebLogic Server then searches for the initial credential mapping at the global level, where it finds a mapping (sysman/sysmanpw).
Note: Applies to both Container-Managed sign-on and
Application-Managed sign-on.
8-6 Programming Resource Adapters for Oracle WebLogic Server
8.2.2.3 Special Users
Three special users are provided for use by resource adapters:
■ Initial User (User for creating initial connections)—If you define a mapping for this user, the specified credentials are used for the initial connections created when:
– Starting the connection pool for this resource adapter
– Doing XA transaction recovery for the connection pool
The InitialCapacity parameter on the pool specifies the number of initial connections. If you do not define a mapping for this user, the default mapping, if provided, is used. Otherwise, no credentials are provided for the initial connections.
■ Anonymous User (Unauthenticated WLS User)—If you define a mapping for this user, the specified credentials are used when no user is authenticated for the connection request on the resource adapter.
■ Default User—If you define a mapping for this user, the specified credentials are used when:
– No other mapping applies for the current user
– No anonymous mapping is provided in the case where there is no authenticated user.
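The search orders and special users described above can be modelled as a single lookup, which makes it easy to review which EIS credentials a given caller ends up with. This is an added example, not WebLogic Server code: the key names for the special users are hypothetical, and the final fallback to a global default mapping for application requests is assumed by symmetry with the initial-connection order. The data is Example 8–2 from this page.

```python
# Added illustration of the lookup order described above; not WebLogic code.
# INITIAL, ANONYMOUS and DEFAULT are hypothetical keys for the three special users.
INITIAL, ANONYMOUS, DEFAULT = "<initial>", "<anonymous>", "<default>"
GLOBAL = "global"

# Example 8-2 from this page: scope -> {mapped user: (EIS user name, EIS password)}
EXAMPLE_8_2 = {
    "poolA": {INITIAL: ("admin", "adminpw")},
    "poolB": {DEFAULT: ("harry", "harrypw")},
    GLOBAL: {INITIAL: ("sysman", "sysmanpw")},
}

def resolve(mappings, pool, wls_user=None, initial=False):
    """Return (scope, matched key, credentials), or None for a null Subject."""
    if initial:                      # pool startup or XA recovery
        first = INITIAL
    elif wls_user is None:           # unauthenticated application request
        first = ANONYMOUS
    else:
        first = wls_user
    # Specific mapping at pool then global level, then default at pool then global.
    for key in (first, DEFAULT):
        for scope in (pool, GLOBAL):
            creds = mappings.get(scope, {}).get(key)
            if creds is not None:
                return scope, key, creds
    return None

def audit_fallbacks(mappings, pools):
    """Pools where an unauthenticated caller still gets EIS credentials."""
    findings = {}
    for pool in pools:
        hit = resolve(mappings, pool)
        if hit is not None:
            findings[pool] = hit
    return findings

if __name__ == "__main__":
    for pool in ("poolA", "poolB"):
        print(pool, "initial ->", resolve(EXAMPLE_8_2, pool, initial=True))
    print("user1 @ poolB ->", resolve(EXAMPLE_8_2, "poolB", wls_user="user1"))
    print("anonymous fallbacks:", audit_fallbacks(EXAMPLE_8_2, ["poolA", "poolB"]))
```

With the Example 8–2 data, audit_fallbacks reports poolB: an unauthenticated request there resolves to the pool's default mapping, which is the kind of fallback worth reviewing before deploying a default mapping with privileged EIS credentials.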
8.2.3 Creating Credential Mappings Using the Console