Adding Security to a Portal

Download Docs

Site Map

Glossary

e-docs > WebLogic Platform > WebLogic Portal > Development Guide > Adding Security to a Portal

Development Guide

Adding Security to a Portal

A Web server authenticates users and determines which resources within the server users can create, access, or modify. To do this, the Web server uses a security realm. When a user attempts to access a particular resource, the server tries to authenticate and authorize that user by checking the access control list (ACL) and permissions that are assigned to the user within the realm. You can set up multiple security realms, but each instance of a Web server can use only one realm. The server uses the same security realm for your Web site developers and for your visitors.

This section contains information on the following subjects:

Implementing Portal Security

If you choose to use the basic implementation of the RDBMS security realm supplied by BEA, it will be available when you install WebLogic Portal. No further configuration is necessary.

Note: The WebLogic Portal RDBMS Realm is a different implementation than the WebLogic Server RDBMS Realm. The WebLogic Server RDBMS Realm is for testing and is not suitable for use in a production environment. WebLogic Portal's RDBMS realm is shipped in the BEA_HOME/weblogic700/portal/lib/p13n_system.jar file and the implementing class is in com.bea.p13n.security.realm.RDBMSRealmas configured with the config.xml file entry: RealmClassName="com.bea.p13n.security.realm.RDBMSRealm.

Integrating with an LDAP Security Realm

If you don't want to use the basic RDBMS security realm, one popular alternative is to use a lightweight directory access protocol (LDAP) server as your security realm. This section describes how to integrate an LDAP server with WebLogic Portal. Procedures in this section describe the following LDAP integration scenarios:

Supported LDAP Servers

WebLogic Portal supports these LDAP servers:

Netscape Directory Server
Microsoft Site Server
Novell Directory Services
Open LDAP Directory Services

You can find templates for each of these services in Supported Server Templates.

Integrating an LDAP Security Realm

This section shows how WebLogic Portal integrates with a third-party LDAP security realm; security realms are the method used by WebLogic Portal to authenticate users. While WebLogic Portal provides a default user store based on a RDBMS, this can be replaced with an LDAP realm, which uses an LDAP server for security information.

Configuring the LDAP Server for Integration

Configuring the LDAP security realm involves defining attributes that enable the LDAP Security realm in WebLogic Server to communicate with the LDAP server and the attributes that describe how users and groups are stored in the LDAP directory. The LDAP tree and schema is different for every LDAP server.

In Supported Server Templates, you can find templates for the supported LDAP servers. These templates specify default configuration information used to represent users and groups in each of the supported LDAP servers. You choose the template that corresponds to the LDAP server you want to use and then fill in the attributes described in Table 7-1.

Note: In LDAP V1, you can configure these attributes from the LDAP Realm Create screen, on the tab specified in Table 7-1.

Table 7-1 LDAP Realm Configurable Attributes

Attribute	Description
User DN	A list of attributes and their values that, when combined with the attributes in the User Name Attribute attribute, uniquely identifies an LDAP User. Configure this attribute on the Users tab in the LDAP Realm Create screen.
Group DN	List of attributes and values that, combined with the Group Name Attribute attribute, uniquely identifies a Group in the LDAP directory. Configure this attribute on the Groups tab in the LDAP Realm Create screen.
Principal	DN of the LDAP User that WebLogic Server uses to connect to the LDAP server. This user must be able to list LDAP Users and Groups. Configure this attribute on LDAP Realm tab in the LDAP Realm Create screen.
Credential	Password that authenticates the LDAP User defined in the Principal attribute. Configure this attribute on LDAP Realm tab in the LDAP Realm Create screen.

For instructions for configuring the LDAP security realm, please refer to "Configuring the LDAP Security Realm" in the WebLogic Server Administration Guide at http://download.oracle.com/docs/cd/E13222_01/wls/docs61/adminguide/cnfgsec.html#1052314.

Supported Server Templates

Listing 7-1 through Listing 7-4 are the templates you can use to configure supported LDAP servers. You can copy these templates from here directly into the config.xml file for your application.

Warning: Each line in the following code examples must appear on a single line. The examples shown below have been formatted to fit the margins of this document and some lines have been broken to facilitate that formatting. If you paste this text into the config.xml file, be sure to concatenate the lines that are broken so that they appear on a single line in your code.

Listing 7-1 Default Netscape Customer Security Realm Template

<CustomRealm
   Name="defaultLDAPRealmForNetscapeDirectoryServer"
   RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
   Password="*secret*"
   ConfigurationData="server.host=ldapserver.example.com;server.principal=uid=
      admin,
   ou=Administrators, ou=TopologyManagement, o=NetscapeRoot;user.dn=ou=people,
   o=beasys.com;user.filter=(&amp;(uid=%u)(objectclass=person));group.dn=
      ou=groups,
   o=beasys.com;group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));
      membership.filter=(&amp;(uniquemember=%M)(objectclass=
      groupofuniquenames));"
   Notes="This is provided as an example. Before enabling this Realm, you must
   edit the configuration parameters as appropriate for your environment."
/>

Listing 7-2 Default Microsoft Customer Security Realm Template

<CustomRealm
   Name="defaultLDAPRealmForMicrosoftSiteServer"
   RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
   Password="*secret*"
   ConfigurationData="server.host=ldapserver.example.com;server.principal=cn=
      Administrator,
   ou=Members, o=ExampleMembershipDir;user.dn=ou=Members,
   o=ExampleMembershipDir;user.filter=(&amp;(cn=%u)(objectclass=member));
      group.dn=ou=Groups,
   o=ExampleMembershipDir;group.filter=(&amp;(cn=%g)(objectclass=mgroup));
      membership.scope.depth=1;microsoft.membership.scope=sub;membership.
      filter=(|(&amp;(memberobject=%M)(objectclass=memberof))
      (&amp;(groupobject=%M)(objectclass=groupmemberof)));"
   Notes="This is provided as an example. Before enabling this Realm, 
      you must edit the configuration parameters as appropriate for your 
      environment."
/>

Listing 7-3 Default Novell Customer Security Realm Template

<CustomRealm
   Name="defaultLDAPRealmForNovellDirectoryServices"
   RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
   Password="*secret*"
   ConfigurationData="server.host=ldapserver.example.com;server.principal=cn=
      admin,
   o=example.com;user.dn=ou=people,
   o=example.com;user.filter=(&amp;(cn=%u)(objectclass=person));group.dn=ou=
      groups,
   o=example.com;group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));
      membership.filter=(&amp;(member=%M)(objectclass=groupofuniquenames));"
   Notes="This is provided as an example. Before enabling this Realm, you must
      edit the configuration parameters as appropriate for your environment."
/>

Listing 7-4 Default OpenLDAP Security Realm Template

<CustomRealm
   Name="defaultLDAPRealmForOpenLDAPDirectoryServices"
   RealmClassName="weblogic.security.ldaprealmv2.LDAPRealm"
   Password="*secret*"
   ConfigurationData="server.host=ldapserver.example.com;server.principal=cn=
      Manager,
   dc=example, dc=com;user.dn=ou=people, dc=example,
   dc=com;user.filter=(&amp;(uid=%u)(objectclass=person));group.dn=ou=groups,
   dc=example,
   c=com;group.filter=(&amp;(cn=%g)(objectclass=groupofuniquenames));membership.
      filter=(&amp;(uniquemember=%M)(objectclass=groupofuniquenames));"
   Notes="This is provided as an example. Before enabling this Realm, you must
      edit the configuration parameters as appropriate for your environment."
/>

Integrating with LDAP Security and a User Profile

This integration scenario is similar to that shown in Integrating an LDAP Security Realm, except that, in addition to integrating a security realm, you will also be integrating user profile information. An example of this scenario might be reading the user's e-mail attribute from LDAP and exposing it through a Unified User Profile (UUP).

Prerequisites

In order to successfully retrieve the user profile from the LDAP server, ensure that you've done the following:

If you have already deployed the application on a WebLogic Portal instance, stop the server.
Deploy the ldapprofile.jar component within your application.
Start the server and deploy the application.
Start the WebLogic Server Administration Console for the active domain,

Configuring the Server for Integration

Configuring the WebLogic server to integrate with an LDAP security realm and profile requires two configuration processes.

Define the attributes that enable the LDAP Security realm in WebLogic Server to communicate with the LDAP server and with the attributes that describe how users and groups are stored in the LDAP directory.

Configure the connection variables in the ldapprofile.jar file. This Java archive file provides access for your application to user and group profile information that is stored in an LDAP server. Table 7-2 shows which variables need to be configured.

You can configure these variables from the WebLogic Server Administration Console.

Table 7-2 Configurable Connection Variables

Connection Variables

Description

config/serverURL

The URL of your LDAP server.

config/principal

The name of the principal to use when connecting to your LDAP server, usually "admin" or something similar to a directory administrator.

config/principalCredential

The password of the principal defined above.

config/userDN

The location or distinguished name of users in your LDAP directory.

config/groupDN

The location or distinguished name of groups in your LDAP directory

config/usernameAttribute

The attribute used to describe usernames in your LDAP directory, usually "uid". This will be used to map WLS usernames to LDAP usernames.

config/groupnameAttribute

The attribute used to describe group names in your LDAP directory, usually "cn". This will be used to map WLS group names to LDAP group names.

Connection Variables	Description
config/serverURL	The URL of your LDAP server.
config/principal	The name of the principal to use when connecting to your LDAP server, usually "admin" or something similar to a directory administrator.
config/principalCredential	The password of the principal defined above.
config/userDN	The location or distinguished name of users in your LDAP directory.
config/groupDN	The location or distinguished name of groups in your LDAP directory
config/usernameAttribute	The attribute used to describe usernames in your LDAP directory, usually "uid". This will be used to map WLS usernames to LDAP usernames.
config/groupnameAttribute	The attribute used to describe group names in your LDAP directory, usually "cn". This will be used to map WLS group names to LDAP group names.

Other Supported Security Realms

In addition to LDAP, WebLogic Server supports these security realms:

Windows NT Security Realm

This security realm uses Windows NT account information to authenticate users. Users and groups defined through Windows NT can be used by your Web application. You can use the WebLogic Server Administration Console to view this realm, but you must use the facilities provided by Windows NT to define users and groups.
UNIX Security Realm

A UNIX security realm executes a native program, wlauth, to authenticate users and groups using UNIX login IDs and passwords. On some UNIX platforms, wlauth uses a Pluggable Authentication Module (PAM) that allows you to configure authentication services in a UNIX platform without altering applications that use those services. On UNIX platforms for which PAM is not available, wlauth uses the standard login mechanism, including shadow passwords when they are supported. You can use the Administration Console to view this realm, but you must use the facilities provided by the UNIX platform to define users and groups.
File Realm

When you start the server, the File realm creates user, group, and ACL objects from properties defined through the WebLogic Server Administration Console and stores them in the fileRealm.properties file.

Note: The File realm is designed for use with 10,000 or fewer users. If you have more than 10,000 users, use an alternate security realm.

Enabling Secure Sockets Layer Security

The Webflow and Pipeline mechanisms that direct the presentation and business logic associated with WebLogic Portal's Commerce JSP templates make use of the Secure Sockets Layer (SSL) and declarative transport mechanisms. Links that invoke protected JSP files, as well as certain Input Processors and Pipelines, need to be accessed via the HTTPS protocol. There are a number of these links already defined in the Commerce (wlcs) Web application's web.xml deployment descriptor. Secured JSP templates that rely on SSL also require a setting in the web.xml file that indicates the transport guarantee. This guarantee can be CONFIDENTIAL or INTEGRAL.

A CONFIDENTIAL setting prevents other entities from observing the contents of the transmission.
An INTEGRAL setting prevents the data from being changed while transmitting between the client and server.

See Setting Up Portal Navigation for information on Webflows and Pipelines.

Note: For SSL connections to work, you must have a valid SSL certificate from a certificate authority set up on your server.

config.xml Requirements for SSL

To enable SSL for your Web application, you need to ensure that the domain's config.xml file has SSL enabled, as shown in Listing 7-5.

Listing 7-5 Enabling SSL in the config.xml File

<server>
.
.
.
   <SSL Enabled="true" ListenPort="7502" Name="portalServer"
      ServerCertificateChainFileName="ca.pem"
      ServerCertificateFileName="democert.pem"
   ServerKeyFileName="demokey.pem"/>

</server>

The SSL attribute should also identify the necessary certificate filenames, the server key filename, and the server name.

config.xml is stored in <BEA_HOME>/user_projects/<YOUR_DOMAIN>.

where <YOUR_DOMAIN> is the domain folder created when you ran the Configuration Wizard.

web.xml Requirements for SSL

You must also ensure that the secure listening ports in the Web application's deployment descriptor (web.xml) match that set in config.xml, as shown in Listing 7-6.

Listing 7-6 Identifying Listen Ports

<context-param> 
  <param-name>HTTPS_PORT</param-name> 
  <param-value>7502</param-value> 
</context-param>

Enabling Single Sign-On

With single sign-on enabled, a visitor needs only to sign-on once to access multiple web applications, provided those applications are running on the same server or cluster. Enabling single sign-on requires these steps:

Ensure that the user has the same cookies for each Web application.
Ensure that the same user properties are used for each Web application.

Setting the Cookie Name

Set the cookie name for each application to which the visitor will have single sign-on access. To do this, edit the weblogic.xml file located in <BEA_HOME>weblogic700\ samples\portal<PORTAL_DOMAIN>\beaApps\<PORTAL_APP>\<PORTAL>\WEB-INF\ for each application to which the visitor will have single sign-on access.

Open the specific weblogic.xml file and locate the <session-param> element that identifies the CookieName parameter, as shown in Listing 7-7.

Listing 7-7

<session-param>
   <param-name>CookieName</param-name>
   <param-value>JSESSIONID_SAMPLEPORTAL</param-value>
</session-param>

Change the <param-value> value to the appropriate cookie name.
Repeat steps 1 and 2 for each Web application.

Setting the User Properties

Each Web application to which a visitor has single sign-on access must use the same user property sets for the specific visitor. You will need to ensure this by editing these property sets and making them match. For details on editing user property sets, see Creating a Property Set Definition.