If an EJB requests a connection to the EIS with a ConnectionFactory.getConnection() call, this connection is set up in the security context of BeanConnect. In particular, the authentication data (user name and password) required for the EJB to access the EIS is assigned when the connection is set up.
EJBs can authenticate themselves to the EIS in two ways:
- Application-managed authentication
- Container-managed authentication
It is recommended that container-managed authentication is used.
The basic procedure for application- and container-managed authentication is explained below.
Application-managed authentication
In this case, the authentication data must be provided in the program code of the EJB (see Interfaces and programming). For EJBs which perform authentication themselves, the <res-auth> tag of the associated EJB deployment descriptor must be specified as follows:
<res-auth>Application</res-auth>
Example of how the EJB passes the credentials itself:
getConnection(new PasswordCredential(user, password));
Container-managed authentication
In this case, the application server regulates the transfer of authentication data. For EJBs which allow the application server to perform authentication, the <res-auth> tag of the associated EJB deployment descriptor must be specified as follows:
<res-auth>Container</res-auth>
The configuration for container-managed authentication depends on the type of application server.
The following applies to Oracle WebLogic Server:
The container-managed sign-on procedure in Oracle WebLogic Server is based on outbound credential mapping during which the WebLogic credentials (normally the user name and password) are mapped to the user name and password of the EIS partner.
In general terms, it is important to note that Oracle WebLogic Server only supports outbound credential mapping for the default security realm (normally "myrealm").
In this case, a WebLogic user name can be mapped to the user name of the EIS either specifically for an individual managed connection factory or for the entire resource adapter.
Oracle WebLogic Server also makes it possible to define a default mapping for user names for which no explicit mapping has been specified and to define a user name for non-authenticated users (anonymous mapping).
During outbound credential mapping, Oracle WebLogic Server checks the following items in the specified order:
1. Has a mapping been defined for the current managed connection factory for the user name or, in the case of a non-authenticated user, has an anonymous mapping been defined?
2. Has a mapping been defined for the resource adapter for the user name or, in the case of a non-authenticated user, has an anonymous mapping been defined?
3. Has a default mapping been defined for the current managed connection factory?
4. Has a default mapping been defined for the resource adapter?
The user name is mapped as defined for the first condition that is satisfied.
If none of the conditions is satisfied, Oracle WebLogic Server does not pass any authentication data to the resource adapter. In this case, BeanConnect performs application-managed authentication, which only succeeds if the EJB itself supplies a PasswordCredential.
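The check order above, modelled as an added example (not BeanConnect or WebLogic code) so that the precedence between the managed connection factory, the resource adapter and the default and anonymous mappings can be traced for a given caller; MappingScope, resolve_eis_credential, unmapped_callers and the sample user names and placeholder passwords are constructed for this illustration. The audit helper lists callers that would reach the EIS with no container-supplied credential, i.e. the fall-through case described above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of WebLogic outbound credential mapping, not BeanConnect code.
# A credential is (EIS user name, EIS password); None marks a non-authenticated caller.
Credential = Tuple[str, str]
ANONYMOUS = None


@dataclass
class MappingScope:
    """Mappings configured at one scope: a managed connection factory or the adapter."""
    users: Dict[str, Credential] = field(default_factory=dict)  # WebLogic user -> EIS credential
    anonymous: Optional[Credential] = None  # for non-authenticated callers
    default: Optional[Credential] = None    # for callers without an explicit entry


def resolve_eis_credential(caller: Optional[str], mcf: MappingScope, ra: MappingScope):
    """Apply the documented check order; return (credential, matched rule).

    (None, "none") means no rule matched: WebLogic passes no authentication data
    to the resource adapter and BeanConnect falls back to application-managed
    authentication, which fails unless the EJB supplied a PasswordCredential itself.
    """
    scopes = (("mcf", mcf), ("ra", ra))
    # Checks 1 and 2: explicit user mapping (or anonymous mapping) per scope.
    for name, scope in scopes:
        if caller is ANONYMOUS and scope.anonymous is not None:
            return scope.anonymous, f"{name}-anonymous"
        if caller is not ANONYMOUS and caller in scope.users:
            return scope.users[caller], f"{name}-user"
    # Checks 3 and 4: default mapping per scope.
    for name, scope in scopes:
        if scope.default is not None:
            return scope.default, f"{name}-default"
    return None, "none"


def unmapped_callers(callers: List[Optional[str]], mcf: MappingScope, ra: MappingScope):
    """Audit helper: callers that would reach the EIS without a container-supplied credential."""
    return [c for c in callers if resolve_eis_credential(c, mcf, ra)[0] is None]


# Constructed sample configuration with placeholder passwords.
MCF = MappingScope(users={"alice": ("EISUSR1", "placeholder-1")},
                   anonymous=("EISGUEST", "placeholder-g"),
                   default=("EISDFLT1", "placeholder-d1"))
RA = MappingScope(users={"bob": ("EISUSR2", "placeholder-2")},
                  default=("EISDFLT2", "placeholder-d2"))
```

Note that with this configuration "bob" is resolved by the resource adapter's user mapping before the managed connection factory's default mapping is considered, exactly as the check order prescribes.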
Under Oracle WebLogic Server, you use the WebLogic Server Administration Console to perform outbound credential mapping as follows:
1. On the left side of the WebLogic Server Administration Console output screen, choose the option Deployments.
2. In the Deployments page, click the name of the resource adapter.
3. In the resource adapter's Settings page, choose the Security and Outbound Credential Mapping tabs one after the other.
4. Perform the required mappings.
For details on outbound credential mapping in Oracle WebLogic Server, refer to the section "Outbound Credential Mappings" in the application server documentation.