Covering J2EE Security and WebLogic Topics

RDBMS Authentication Reborn

Authentication is a concept that I covered in the popular Monty Python Teaches Application Security post. I think I need to work Monty into more posts!

Getting back to business, authentication is about proving the identity of a user requesting access to a protected resource. WebLogic provides a security framework which can accept pluggable authentication providers along with other provider types such as authorization.

BEA provided an RDBMS realm in WebLogic 6.x and prior. This realm managed users and groups that were stored in a database using a specified schema. Since everyone has a database, storing users and groups there was the path of least resistance even though performance would be better with an LDAP store.

However, this functionality was deprecated in WebLogic 7.0 in favor of the new security framework. If you wanted to use RDBMS authentication, you had to run in Compatibility security mode.

I can’t tell you how many times I’ve been asked about an RDBMS authenticator since the release of WebLogic 7.0. Newsgroups and forums also illustrate the pent-up demand for such a beast.

The best that RDBMS authenticator seekers could do was grab the sample one found on the BEA website and modify it. The code was unsupported, of course.

BEA must have heard developers’ cries. Like Shirley MacLaine, RDBMS authentication is enjoying a newfound life in the WebLogic 9.0 release. It’s back with a vengeance, too, because there are three types from which to choose: SQLAuthenticator, ReadOnlySQLAuthenticator, and CustomDBMSAuthenticator.
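To make the idea concrete, here is a small read-only authenticator in the spirit of the ReadOnlySQLAuthenticator described above. It is an added example written for this post, not WebLogic's provider code and not WebLogic's table layout: the `users` and `groupmembers` tables, their column names, the sample accounts and the PBKDF2 hashing are all assumptions, and the store is an in-memory SQLite database so it runs on its own. The point it shows is what an RDBMS authenticator has to do: look the user up, verify the credential against a salted hash (never a plain-text column), and return the groups the user belongs to, all through parameterized SQL.

```python
"""Added example: a minimal read-only RDBMS authenticator, in the spirit of
WebLogic 9.0's ReadOnlySQLAuthenticator. Illustrative code only; the schema,
column names and sample accounts below are assumptions, not WebLogic's."""
import hashlib
import hmac
import os
import sqlite3

# Constructed schema (assumed names): users hold a per-user salt and a
# password hash; groupmembers maps a user to each group it belongs to.
SCHEMA = """
CREATE TABLE users (
    username TEXT PRIMARY KEY,
    salt     BLOB NOT NULL,
    pwhash   BLOB NOT NULL
);
CREATE TABLE groupmembers (
    username  TEXT NOT NULL,
    groupname TEXT NOT NULL
);
"""

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the database never sees the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with two constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    sample_accounts = [  # (username, password, groups) -- constructed data
        ("alice", "s3cret-pass", ["Administrators", "Deployers"]),
        ("bob", "hunter2", ["Deployers"]),
    ]
    for username, password, groups in sample_accounts:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (username, salt, hash_password(password, salt)))
        conn.executemany("INSERT INTO groupmembers VALUES (?, ?)",
                         [(username, g) for g in groups])
    conn.commit()
    return conn


class ReadOnlySqlAuthenticator:
    """Reads users and groups from the database; never writes to it."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn

    def user_exists(self, username: str) -> bool:
        # Parameterized query: the username is bound, not spliced into SQL text.
        row = self.conn.execute(
            "SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
        return row is not None

    def authenticate(self, username: str, password: str) -> bool:
        row = self.conn.execute(
            "SELECT salt, pwhash FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            # Do the same amount of hashing work for unknown users so response
            # time does not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, stored_hash = row
        # Constant-time comparison of the recomputed hash with the stored one.
        return hmac.compare_digest(hash_password(password, salt), stored_hash)

    def member_groups(self, username: str) -> list:
        """Groups the user belongs to, sorted; empty for unknown users."""
        rows = self.conn.execute(
            "SELECT groupname FROM groupmembers WHERE username = ? ORDER BY groupname",
            (username,)).fetchall()
        return [r[0] for r in rows]


if __name__ == "__main__":
    auth = ReadOnlySqlAuthenticator(build_sample_db())
    print("alice ok:", auth.authenticate("alice", "s3cret-pass"),
          "groups:", auth.member_groups("alice"))
    print("alice bad:", auth.authenticate("alice", "wrong"))
```

The three operations map onto what any of the WebLogic RDBMS authenticators must answer for the framework: does the user exist, does the supplied credential match, and which groups should the resulting principal carry. Keeping the provider read-only, as in this sketch, is the safer default when an existing application already owns the user tables.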

So wallpaper those tables and sweep the rows — users are moving back in!