Originally posted by Kelly Dolan:
You stated you could see an installation that has a different authenticator and authorizer for each application and does the correct thing as needed. How would this look to the configuration? Would it be one default security realm that contains a set of "sufficient" authenticators, etc.? How would each application (e.g., EAR) indicate which authenticator to use?
Let's look at this in two parts, authentication and authorization.
For authentication, WebLogic uses "global" users. That is, if the user "bob" is defined anywhere within any authentication provider then "bob" is a valid user, potentially able to log into something. Some people partition this namespace by having their application have a hidden field to indicate, say, department. But most just accept the global namespace and use something like email address. The point is that application A may want to authenticate users from database A while application B may want to authenticate users from database B. In that case you may want to have two different authentication providers, one for A and one for B.
But now it gets, um, fun. Say "bob" is defined in both databases but his password is different in the two db's. You've created authenticatorA and authenticatorB. If they, along with the default authenticator, have their control flags set to "sufficient", then bob will be able to log in with either password(!). That is because one of the authenticators said "yes, let him log in" and so he can.
That is where the authorization providers can help some. The authorization provider looks at both the Subject (i.e. "bob") and the resource that bob is trying to access (for example, a method on an EJB). This information, coupled with the roles that bob is in, can then be used to determine if bob should have access to something.
The good part is that once you have an authorization provider, you use regular EJB security to manage it.
It's a bit of a pain. But the important part is that names and roles (i.e. anything that is a javax.security.auth.Subject) are global in nature, at least to a single instance of WLS.
[ October 22, 2004: Message edited by: Scott Dunbar ]
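The control-flag behaviour described in the reply above, simulated as an added example (this is not WebLogic code; the two user stores, the passwords and the provider ordering are constructed for the illustration). It shows that with both authenticators set to SUFFICIENT, bob logs in with either password, and that putting a REQUIRED provider first in the chain closes that gap, since JAAS-style SUFFICIENT providers are consulted in order and a later REQUIRED one is never reached once an earlier SUFFICIENT one succeeds.

```python
"""Simulation of JAAS-style authenticator control flags, the semantics
WebLogic applies to the authentication providers in a security realm.
Constructed example: the stores and passwords below are made up."""

SUFFICIENT, REQUIRED, REQUISITE, OPTIONAL = "SUFFICIENT", "REQUIRED", "REQUISITE", "OPTIONAL"

# Two constructed user databases: "bob" exists in both with different passwords.
DB_A = {"bob": "appA-secret", "alice": "wonder"}
DB_B = {"bob": "appB-secret", "carol": "xyzzy"}


def make_authenticator(store):
    """Return a callable that checks one username/password against a store."""
    return lambda user, pw: store.get(user) == pw


def realm_login(providers, user, password):
    """Evaluate (authenticator, control_flag) pairs in configured order with
    JAAS control-flag semantics; return True if the realm accepts the login."""
    required_failed = False
    any_success = False
    for auth, flag in providers:
        if auth(user, password):
            any_success = True
            if flag == SUFFICIENT and not required_failed:
                return True  # one "yes" from a SUFFICIENT provider ends the chain
        elif flag in (REQUIRED, REQUISITE):
            required_failed = True
            if flag == REQUISITE:
                return False  # REQUISITE failure stops immediately
    # Overall success needs every REQUIRED/REQUISITE to have passed and at
    # least one provider to have vouched for the user.
    return any_success and not required_failed


auth_a = make_authenticator(DB_A)
auth_b = make_authenticator(DB_B)

# The configuration described in the post: every provider is SUFFICIENT.
ALL_SUFFICIENT = [(auth_a, SUFFICIENT), (auth_b, SUFFICIENT)]

# Tightened chain: application B's store is REQUIRED and is consulted first,
# so a password that only database A accepts no longer gets bob in.
B_REQUIRED_FIRST = [(auth_b, REQUIRED), (auth_a, SUFFICIENT)]
```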