Weblogic - Login Module (Control Flag and authentication flow)

Card Puncher Data Processing


LoginModules are components of Authentication providers.

They are responsible for authenticating users within the security realm and for populating a subject with the necessary principals (users/groups).

They are called in the order in which the Authentication providers are configured.

LoginModules can be written to handle a variety of authentication mechanisms, including username/password combinations, smart cards, biometric devices, and so on.


A subject is a container for authentication information.

The Java Authentication and Authorization Service (JAAS) requires subjects to used them as containers for authentication information, including principals.

Each principal stored in the same subject represents a separate aspect of the same user’s identity, much like cards in a person’s wallet. (For example, an ATM card identifies someone to their bank, while a membership card identifies them to a professional organization to which they belong.)

Weblogic Subject Principal

If there are multiple Authentication providers configured in a security realm, each of the Authentication providers’ LoginModules will store principals within the same subject.

Therefore, if a principal that represents a WebLogic Server user named “Joe” is added to the subject by one Authentication provider’s LoginModule, any other Authentication provider in the security realm should be referring to the same person when they encounter “Joe”.

In other words, the other Authentication providers’ LoginModules should not attempt to add another principal to the subject that represents a WebLogic Server user (for example, named “Joseph”) to refer to the same person.

However, it is acceptable for a another Authentication provider’s LoginModule to add a principal of a type other than WLSUser with the name “Joseph”.


Control Flag

The way each LoginModule’s control flag is set specifies how a failure during the authentication process should be handled and is is especially important for multipart authentication.

Below: LoginModule = Authentication

JAAS Control Flag Authentication provider
Always Called ?
must succeed
Next Step if authentication succeeds Next Step if authentication fails
SUFFICIENT No No Control is returned to the application if other Authentication providers are configured, authentication proceeds down the LoginModule list
OPTIONAL No No * Authentication proceeds down the list of LoginModules
REQUIRED Yes Yes Authentication proceeds down the list of LoginModules
REQUISITE No Yes Authentication proceeds down the list of LoginModules. Control is returned to the application

Weblogic Adsi Provider

  • *If all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

When additional Authentication providers are added to an existing security realm, by default the Control Flag is set to OPTIONAL.

The non-dynamic attribute ControlFlag when changed may require redeploying or rebooting configured entities.


The figure below illustrates a sample flow involving three different LoginModules. It illustrates what happens to the subject for different authentication outcomes.

Weblogic Login Module Flow

  • If the control flag for Custom Authentication Provider #1 had been set to Required, the authentication failure in its User Authentication step would have caused the entire authentication process to have failed.
  • If the user had not been authenticated by the WebLogic Authentication provider (or custom Authentication provider #2), the entire authentication process would have failed.

If the authentication process had failed in any of these ways, all three LoginModules would have been rolled back and the subject would not contain any principals.

Documentation / Reference

Discover More
Ldap Member Attribute
(Weblogic|OBIEE) - Active Directory (ADSI) Configuration

This article show how to configure Weblogic in order to let OBIEE authenticate against Active Directory. Once the AD domain is recognise as a valid user store to authenticate Oracle BI, users will be...
Obiee 11g Bisqlprovider Schema
OBIEE 11G - BISQLProvider

A authentication provider called BISQLGroupProvider that provide the groups through database look-up. This group can then be linked to application role. The database just stores the groups to be associated...
Wna Sso Kerberos Weblogic
OBIEE 11G - SSO Authentication with Windows Native Authentication (WNA)

This article will go through an SSO Authentication with Windows Native Authentication (WNA) and kerberos Weblogic is on a Unix machines A Windows 2000 (or later release) Server domain...
Weblogic Authentication Providers
Weblogic - Authentication Provider

authentication provider in Weblogic. Oracle Fusion Middelware application delegates user authentication to the first authentication provider configured for the domain. Each authentication provider as...
Weblogic Subject Principal
Weblogic - Principal (Users/groups Identity)

A principal is an identity assigned to a user or group as a result of authentication. It represents then a user or group. As part of a successful authentication, principals are signed and stored in...

Share this page:
Follow us:
Task Runner