Exploring Custom Webcenter Security using Integrated Weblogic Server LDAP

By rajesh | January 11, 2014 | 1 Comment

First thing to consider here is, this post will talk about only the development scenario because when it comes to Production, things will be different as, you will be using External LDAP to manage your users and groups or you will be using Standalone weblogic server.

So, consider using Oracle Jdeveloper 11.1.1.3.0 and onwards. After installation of jdeveloper, you will get Integrated Oracle Weblogic Server with this, to test your application at initial stage only, before making it live.

Let’s begin. Create an application based on the predefined Application templates, which has been provided by Oracle in jdeveloper itself.

1

 

As said earlier, we will be using Custom Webcenter Portal application, So, Choose one and choose technology scope as per your business requirements and click finish.

You will get an application with pre-configured files. Now select any of the available projects in your application.

2

 

Now, Click on the Application menu and you will get all the options to configure Security in your Custom webcenter application. These pre-configured application templates will provide you few default Security options.

3

 

As we are focusing here to explore integrating LDAP which Oracle has provided with Weblogic Server and which you can handle it with Jdeveloper and off-course from Weblogic Server console as well.

Obviously you can configure security by using above mentioned security choosing any of the available options as per your business requirements.

Below are the options which you will get in jdeveloper related to security which directly impact Integrated LDAP.

4

 

So, let’s see what all we can achieve in this.

I will try to relate the possible options with the Application configuration files as well.

As, you can manipulate security options in three different options:

1)      From Weblogic Server console

2)      From Application/ Security menu.

3)      From Direct configuration files.

All these changes will directly impact your integrated LDAP and then your application.

The integrated LDAP server contains user, group, group membership, security role, security policy, and credential map information. By default, each WebLogic domain has an integrated LDAP server configured with the default values set for each type of information. The Default Authentication, Authorization, Credential Mapping, and Role Mapping providers use the integrated LDAP server as their data store. If you use any of these providers in a new security realm, you may want to change the default values for the integrated LDAP server to optimize its use in your environment.

Note:

The performance of the integrated LDAP server is best with fewer than 10,000 users. If you have more users, consider using a different LDAP server and Authentication provider.

The data file and change log file used by the integrated LDAP server can potentially grow quite large. You can configure maximum sizes for these files with the following weblogic.Server command line arguments:

-Dweblogic.security.ldap.maxSize=<max bytes>, which limits the size of the data file used by the integrated LDAP server. When the data file exceeds the specified size, WebLogic Server eliminates from the data file space occupied by deleted entries.

-Dweblogic.security.ldap.changeLogThreshold=<number of entries>, which limits the size of the change log file used by the integrated LDAP server. When the change log file exceeds the specified number of entries, WebLogic Server truncates the change log by removing all entries that have been sent to all Managed Servers.

Location of Security Data in the Embedded LDAP Server

Security Data Embedded LDAP Server DN
Users ou=people,ou=myrealm,dc=mydomain
Groups ou=groups,ou=myrealm,dc=mydomain
Security roles ou=ERole,ou=myrealm,dc=mydomain
Security policies ou=EResource,ou=myrealm,dc=mydomain

 

Now, you can explore all the options to create the groups and users with different permissions and privilege as per requirements.

Click on the application menu and then under security sub menu, you will get an option to create application roles in that.

 

 

5

 

6

 

Just refer that few roles are available in your application by default, so you can leverage these and can create new ones for your project.

Now, to create users for the project, again go to the same menu options and now, you will get an option for USERS.

Click on that and you will get a place to utilize default users or to create new users.

Refer this screen shot:

7

 

You can use Green plus sign to create new users.

From the right most corner, you can assign users to application roles as well to maintain your security layers.

Similar manner, you can create different groups as per requirements from your domain. And needless to say, you can group different users in one and ultimately, you can assign different application roles to different users.

8

 

These all the options will directly impact your integrated LDAP in your weblogic server.

Backup and Recovery

If any of your security realms use the Default Authentication, Authorization, Credential Mapping, or Role Mapping providers, you should maintain an up-to-date backup of the following directory tree:

domain_name/servers/adminServer/data/ldap

In the preceding directory, domain_name is the domain root directory and adminServer is the directory in which the Administration Server stores run-time and security data.

One last point to mention, If you have noticed, there was only one file responsible for the operations mentioned above, jazn-data.xml. which is the main entry and exit point for your security in the application.

You can do all the above mentioned operations from this file as well.

9

 

10

 

11

 

Now, refer the above three screen shots to go the configuration of integrated LDAP in weblogic server console.

Go to console by using :

http://localhost:7101/console

Click on the domain, then on security tab, under that you will get a sub tab Embedded LDAP.

Click on that and you will get the below mentioned option for your integrated LDAP to configure.

12

 

You can change these as per your system architecture.

That will be all for the current scope of this post, for configuring Security in your custom webcenter application and exploring different options available for your integrated LDAP in integrated weblogic server.

You can refer this sample application where I have created few sample roles, groups and the users as well.

Integrated LDAP with Security

1 Comments

08 December, 2015 Reply

[…] First thing to consider here is, this post will talk about only the development scenario because when it comes to Production, things will be different as, you will be using External LDAP to manage your users and groups or you will be using Standalone…http://smconsultant.com/exploring-custom-webcenter-security-using-integrated-weblogic-server-ldap/ […]

Leave a Reply

Your email address will not be published. Required fields are marked *