While other security documents in the BEA WebLogic Server™ documentation set guide users through specific tasks—such as programming WebLogic® security, developing a custom security provider, or managing the WebLogic Security Service—this guide is intended for all users of the WebLogic Security Service. Thus, this document is the starting point for understanding the WebLogic Security Service.
The WebLogic® Security Service involves many unique terms. Before reading this manual, familiarize yourself with the terms in Terminology.
This document is intended for the following audiences:
Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how to best implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge, security technologies and tools.
Security Developers—Developers who focus on defining the system architecture and infrastructure for security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. They work with Application Architects to ensure that the security architecture is implemented according to design and that no security holes are introduced, and work with Server Administrators to ensure that security is properly configured. Security Developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX), and working knowledge of WebLogic Server and security provider functionality.
Application Developers—Developers who are Java programmers that focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs), and working with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth/working knowledge of Java (including Java Platform, Enterprise Edition (Java EE) Version 5 components such as servlets/JSPs and JSEE) and Java security.
Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web services, Web application and EJB security, Public Key security, SSL, and Security Assertion Markup Language (SAML).
Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.
Guide to this Document
This document is organized as follows:
Overview of the WebLogic Security Service introduces the WebLogic Security Service, describes the audiences of this document, lists its key features, and gives a brief list what has changed in this release.
Security Fundamentals describes security concepts as they relate to BEA WebLogic Server™ security. This section includes discussions of auditing, authentication, authorization, Secure Sockets Layer (SSL), firewalls, and the relationship between Java EE and WebLogic security.
Security Realms, describes security realms, which are used to protect WebLogic resources.
WebLogic Security Service Architecture, describes the WebLogic Server Security architecture. This section includes discussions of the WebLogic Security Framework, the Security Service Provider Interfaces (SSPIs), and the WebLogic security providers that are included as part of the product.
Terminology, defines key terms that you will encounter throughout the WebLogic Server security documentation.
The following BEA WebLogic Server documents contain information that is relevant to the WebLogic Security Service:
Securing WebLogic Server—This document explains how to configure security for WebLogic Server and how to use Compatibility security.
Securing a Production Environment—This document highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment.
Securing WebLogic Resources Using Roles and Policies—This document introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server. The current version of this document primarily focuses on securing URL (Web) and Enterprise JavaBean (EJB) resources.
WebLogic Server Upgrade Guide—This document provides procedures and other information you need to upgrade 6.x and earlier versions of WebLogic Server to WebLogic Server 10.0. It also provides information about moving applications from a 6.x or earlier version of WebLogic Server to 10.0. For specific information on upgrading WebLogic Server security, seeS ecurity in the WebLogic Server Upgrade Guide.
Javadocs for WebLogic Classes—This document provides reference documentation for the WebLogic security packages that are provided with and supported by this release of WebLogic Server.
Security Samples and Tutorials
In addition to the documents listed in Related Information, BEA Systems provides a variety of code samples for developers.
Security Examples in the WebLogic Server Distribution
WebLogic Server optionally installs API code examples in WL_HOME\samples\server\examples\src\examples\security, where WL_HOME is the top-level directory of your WebLogic Server installation. You can start the examples server, and obtain information about the samples and how to run them from the WebLogic Server Start menu.
The following examples illustrate WebLogic security features:
Java Authentication and Authorization Service
Outbound and Two-way SSL
Additional Examples Available for Download
Additional API examples are available for download at http://dev2dev.bea.com. These examples are distributed as .zip files that you can unzip into an existing WebLogic Server samples directory structure.
You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information.