The Carbon Authorization Security Module

Purpose

This module provides adapter classes to allow one to tie Weblogic 6.1 into the Carbon User Manager service. This allows one to protect Weblogic resources such as Servlets, JSPs, EJBs, Data sources, etc., using a standardized User Management service that can also be used by the application for managing users.

Who needs it and why

This module is needed by anyone using a Weblogic 6.1 release that is using a user store which is not one natively supported by Weblogic. This will allow one to Weblogic directly into the security service and allow full use of the J2EE security model.

Dependencies

• Weblogic 6.1
• Any dependencies used by the User Manager implementation.

The App Server Classpath

The classes used here, and all dependencies must be installed into Weblogic's root classpath. This means one must edit the startWeblogic file for the environment to properly setup the classpath and any other Carbon deployment properties. This allows Carbon, and including the User Manager service this depends on, to run within the main application server sandbox and give proper access to all the needed classes and memories locations.

The consequence is that only instance of Carbon can run in the application server. This instance will be initialized when the application server starts. All applications installed within the application server context will use the main applications instance of Carbon. Any deployment properties set using CarbonDeploymentConfig.properties inside and application specific classpath (the EAR, WAR or JAR) will not be used.

Weblogic Documentation

To setup the Carbon User Manager requires defining a new custom security realm is referenced by the J2EE application. Weblogic provides complete instructions on the generic process available from their online help at:

Installing a Custom Security Realm

Create/Configure Custom Realm

After starting the application server the custom realm must be configured. This tells Weblogic which classes are used to work with the realm. The following steps are done in the Weblogic console, usually accessible at http://localhost:7001/console

1. In the left, go to [domain name]->Security->Realms
2. Click "Configure a new Custom Realm..."
3. Give the Realm a name. This example uses Carbon Realm
4. Set the "Realm Class Name" to: org.sape.carbon.services.security.auth.weblogic61.WeblogicCarbonRealm
5. In the "Configuration Data" field you must give the Realm the path of the User Manager service the Realm is configured against. The property is called userManagerPath. An example entry the box is (without the quotes): "userManagerPath=/security/management/RdbmsUserManager"
6. Click the "Create" button
7. In the left, go to [domain name]->Security->Caching Realms
8. Click "Configure a new Caching Realm..."
9. Give the Caching Realm a name. This example uses Carbon Cached Realm
10. Select the Basic Realm you configured before, such as "Carbon Realm"
11. Click the "Create" button
12. In the left, go to [domain name]->Security
13. Select the "Filerealm" tab
14. Select the Caching Realm you just created, such as "Carbon Cached Realm"
15. Click the "Apply" button
16. Reboot Weblogic

Example Weblogic Config.xml

After performing the above steps in the console, Weblogic's config.xml file for the domain will have entries similar to the following adding to it:

<CustomRealm
    Name="Carbon Realm"
    RealmClassName="org.sape.carbon.services.security.auth.weblogic61.WeblogicCarbonRealm"
    ConfigurationData="/security/management/RdbmsUserManager"
    />

<CachingRealm
    Name="Carbon Cached Realm"
    BasicRealm="Carbon Realm"
    />

<FileRealm
    Name="wl_default_file_realm"
    />

<Realm
    Name="wl_default_realm"
    FileRealm="wl_default_file_realm"
    CachingRealm="Carbon Cached Realm"
    />