Administering the WebLogic UNIX security realm
- Installing the WebLogic UNIX realm
- Testing your UNIX realm
This document describes how to install and configure the WebLogic UNIX
security realm for your WebLogic Server. After installing the UNIX
realm, WebLogic Server authenticates users with UNIX authentication
services in place of weblogic.password and weblogic.security.group properties
in the weblogic.properties
file. Access control lists (ACLs) are still defined in the weblogic.properties file.
WebLogic Server executes a small native program, wlauth, to look up users and
groups, and to authenticate users given UNIX login names and
passwords. On some platforms, wlauth uses PAM (Pluggable Authentication Modules),
which allows you to configure authentication services in the operating
system without altering applications that use the service. On
platforms where PAM is not available, wlauth uses the standard login mechanism, including
shadow passwords, where supported.
Since WebLogic Server reads ACLs from the weblogic.properties file at startup,
you must still restart WebLogic Server after you change
an ACL. If you use groups with your ACLs, however, you can avoid
having to restart the server as often. Changing UNIX groups
allows you to manage individual users' access to WebLogic Server
resources dynamically.
The UNIX security realm is hosted by CachingRealm, a realm that
provides caching services, as well as delegating to an alternate
realm. CachingRealm falls back on the weblogic.properties file when the UNIX realm cannot
satisfy a lookup. See Administering the WebLogic Caching realm for help
setting up and configuring the cache.
Installing the WebLogic UNIX realm
The wlauth program must
run setuid root. You will need root permission to modify the
ownership and file attributes on this file and to set up the PAM
configuration file for wlauth.
Follow these steps to set up the UNIX realm:
- If you installed WebLogic Server on a network drive, copy wlauth to a file system on
the computer that executes WebLogic Server, for example, the /usr/sbin directory. The file is in
the weblogic/lib/arch
directory, where arch is the name of your platform.
- As root, change the wlauth owner and permissions with these
commands:
# chown root wlauth
# chmod +xs wlauth
- On PAM platforms (Solaris and Linux), set up the PAM configuration
for wlauth.
Solaris
Add the following lines to your /etc/pam.conf file:
# Setup for WebLogic authentication on Solaris machines
#
wlauth auth required /usr/lib/security/pam_unix.so.1
wlauth password required /usr/lib/security/pam_unix.so.1
wlauth account required /usr/lib/security/pam_unix.so.1
Linux
Create a file /etc/pam.d/wlauth
containing the following:
#%PAM-1.0
#
# File name:
# /etc/pam.d/wlauth
#
# If you do not use shadow passwords, delete "shadow".
auth required /lib/security/pam_pwdb.so shadow
account required /lib/security/pam_pwdb.so
Note: Omit "shadow" if you are not using shadow passwords.
- Add the following properties to your weblogic.properties file:
weblogic.security.realmClass=\
weblogic.security.unixrealm.UnixRealm
- You can also set properties that control the cache size and time-to-live
of cached users and groups. See Administering the WebLogic Caching realm for help with these properties.
- If wlauth is not in WebLogic Server's path, or if you have renamed it to
something other than wlauth, you must add a Java command line property when
you start WebLogic Server. Edit the script you use to start WebLogic Server
and add this option after the java command:
-Dweblogic.security.unixrealm.authProgram=wlauth_prog
Replace wlauth_prog with the name of the wlauth program, including the full path if
the program is not in the search path. If wlauth is in the WebLogic Server path and is
named wlauth, this step is not
needed.
- Start WebLogic Server.
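Before starting the server, the steps above can be verified with the following POSIX shell functions. This is an added example, not part of the WebLogic documentation: it checks that wlauth is owned by root with the setuid bit set, that the binary is not writable by group or others (a caveat the setuid requirement implies), and that a PAM service entry for wlauth exists. The default paths (/usr/sbin/wlauth, /etc/pam.conf, /etc/pam.d/wlauth) are assumed from this document and can be overridden by arguments.

```shell
#!/bin/sh
# Added example, not part of the WebLogic documentation: post-install checks for
# the wlauth binary and its PAM service entry. Default paths follow the document
# (/usr/sbin/wlauth, /etc/pam.conf on Solaris, /etc/pam.d/wlauth on Linux).

# Owner field of "ls -ld" output must be root.
owned_by_root() {
    [ "$(ls -ld "$1" | awk '{print $3}')" = "root" ]
}

# Setuid bit present (what "chmod +xs wlauth" sets).
has_setuid() { [ -u "$1" ]; }

# Group- or world-writable: columns 6 and 9 of the "ls -l" mode string.
writable_by_others() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# PAM has a wlauth service: a per-service file (Linux) with an auth line,
# or a "wlauth auth ..." line in the single pam.conf (Solaris).
pam_configured() {
    pamd_dir="${1:-/etc/pam.d}"
    pam_conf="${2:-/etc/pam.conf}"
    if [ -f "$pamd_dir/wlauth" ]; then
        grep -Eq '^auth[[:space:]]+required' "$pamd_dir/wlauth"
    elif [ -f "$pam_conf" ]; then
        grep -Eq '^wlauth[[:space:]]+auth[[:space:]]+required' "$pam_conf"
    else
        return 1
    fi
}

# Run all checks; returns 0 only when every check passes, 2 if wlauth is missing.
check_wlauth() {
    prog="${1:-/usr/sbin/wlauth}"
    rc=0
    [ -f "$prog" ] || { echo "wlauth not found at $prog"; return 2; }
    owned_by_root "$prog" || { echo "$prog: owner is not root"; rc=1; }
    has_setuid "$prog"    || { echo "$prog: setuid bit missing (chmod +xs)"; rc=1; }
    if writable_by_others "$prog"; then
        echo "$prog: group/world writable; a setuid root binary must not be"; rc=1
    fi
    # Only required on PAM platforms (Solaris, Linux); others use the login mechanism.
    pam_configured "$2" "$3" || { echo "no PAM service entry for wlauth"; rc=1; }
    return $rc
}
```

Run as `check_wlauth /usr/sbin/wlauth` after step 2 and step 3; a non-zero exit lists what is still missing.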
Testing the UNIX realm
After you have started WebLogic Server with the UNIX realm
installed, you can perform the following checks to test that it
is working properly.
- Load the AdminRealm servlet in a browser. This servlet displays
information about the realm WebLogic Server is using, and it
includes lists of all known users and groups. Load the servlet using a URL
like this:
http://localhost:7001/AdminRealm
- Display the realm in the WebLogic Console. The Console displays
all users and ACLs known in the realm.
- Add an ACL to your weblogic.properties file for the helloWorld example
servlet. First find the weblogic.httpd.register property for the helloWorld
servlet and make sure that it is not commented out. Add the following
property:
weblogic.allow.execute.weblogic.servlet.helloWorld=\
username,groupname
Replace username with the name of a UNIX user. Replace groupname with the name of a UNIX group,
choosing a group that does not include username.
Restart WebLogic Server and then load the helloWorld servlet with an ACL like this:
http://localhost:7001/helloWorld
Try entering the name and password of a UNIX user who is not
included in the ACL you added for the servlet. You should get a
message telling you that you were not authorized.
Try entering the name and password of a UNIX user whom you did
include in the ACL, either as an individual or as a member of the
group. The servlet should load and display the "Hello World" message.
