This topic describes configuring and managing security in WebLogic Server 7.0. For more information, see Managing WebLogic Security.
For information about configuring and managing security for WebLogic Server deployments using Compatibility security, see Compatibility Securityand Using Compatibility Security in Managing WebLogic Security.
Tasks
Configuring a Security Realm
Expand the Security node.
Expand the Realms node.
The Security Realms table appears. All the realms available for the WebLogic domain (referred to as the domain) are displayed in a table on the General tab.
Click the Configure a new Realm... link on the Security Realms tab.
Enter the name of the new security realm in the Name attribute on the General tab.
Enable the Ignore Security Data in Deployment Descriptors attribute. (This step is optional).
On application deployment, WebLogic Server reads role and credential information from the weblogic.xml, weblogic-ejb-jar.xml, and weblogic-ra.xml files. This information is used to populate the Authorization and Credential Mapping providers configured for the security realm. Once the role and credential information is in the Authorization and Credential Mapping providers, changes made through the WebLogic Server Administration Console (referred to as the Administration Console) are not persisted to the weblogic.xml, weblogic-ejb-jar.xml, and weblogic-ra.xml files. Before you redeploy the application (which will happen when you redeploy it through the console, modify it on disk, or restart WebLogic Server), you need to enable the Ignore Security Data in Deployment Descriptors attribute on the Security Realm --> General tab. Otherwise, the old data in the weblogic.xml, weblogic-ejb-jar.xml, and weblogic-ra.xml files will overwrite any changes made through the Administration Console.
Click Create.
Configure security providers for the security realm. You must configure an Authorization provider, an Authentication provider, an Adjudication provider, a Credential Mapping provider, a Role Mapping provider, and a Keystore provider. Otherwise, you will not be able to set the realm as the default security realm.
Define users and groups for the security realm.
Grant users and groups roles for the security realm.
Protect resources in the security realm with security policies.
Reboot WebLogic Server. If you do not reboot WebLogic Server, you cannot set the realm to the default security realm.
The pull-down menu on the Name attribute displays the security realms available in the domain.
Select the security realm you want to set as the default security realm.
Reboot WebLogic Server.
To verify you set the default security realm correctly:
Expand the Security node.
Expand the Realm node.
The Security Realm --> General tab appears. All the realms configured for the domain are displayed. The default security realm has the Default Realm attribute set to true.
Deleting A Security Realm
Expand the Security node.
Expand the Realm node.
The Security Realm --> General tab appears. All the realms configured for the domain are displayed in a table.
In the table row for the security realm you want to delete, click the trash can icon.
A Delete confirmation window appears.
Click Yes in response to the following prompt:
Are you sure you want to permanently delete OldRealm from the domain configuration?
A confirmation message appears when the security realm is deleted.
Configuring an Adjudication Provider
Expand the Security node.
Expand the Realm node.
Click the name of the realm you are configuring (for example, TestRealm.)
Expand Providers.
Click Adjudicators.
The Adjudicators tab appears. This tab displays the name of the default Adjudication provider for the realm that is being configured.
Click the Configure a new Default Adjudicator... link
Set the Require Unanimous Permit attribute. (This step is optional).
The Require Unanimous Permit attribute determines how the WebLogic Adjudication provider handles a combination of PERMIT and ABSTAIN votes from the configured Authorization providers.
If the attribute is enabled, all Authorization providers must vote PERMIT in order for the Adjudication provider to vote PERMIT. By default, the Require Unanimous Permit attribute is enabled.
If the attribute is disabled, ABSTAIN votes are ignored. To disable the Require Unanimous Permit attribute, click the checkbox.
If you change the Require Unanimous Permit attribute, reboot WebLogic Server.
Click Apply to save your changes.
Configuring a Custom Adjudication Provider
Expand the Security node.
Expand the Realm node.
Click the name of the realm you are configuring (for example, TestRealm.)
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Adjudication provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
The Default Adjudicator --> General tab appears. The Name attribute displays the name of your Custom Adjudication providers.
Click Apply to save your changes.
Reboot WebLogic Server.
Configuring an Auditing Provider
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Expand the Providers node.
Click Auditors.
The Auditors tab appears. This tab displays the name of the default Auditor for the realm that is being configured.
Click the Configure a new Default Auditor... link.
The decision to audit a particular security event is made by the Auditing provider and is based on the event level set in the Severity attribute. Auditing can be initiated when the following levels of security events occur:
INFORMATION
WARNING
ERROR
SUCCESS
FAILURE
none
Chose the severity level appropriate for your WebLogic Server deployment.
Click Apply to save your changes.
Reboot WebLogic Server.
Configuring a Custom Auditing Provider
Expand the Security node.
Expand the Realm node.
Click the name of the realm you are configuring (for example, TestRealm.)
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Auditing provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
The Default Auditor --> General tab appears. The Name attribute displays the name of your Custom Auditing providers.
Click Apply to save your changes.
Reboot WebLogic Server.
Choosing an Authentication Provider
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Expand the Providers node.
Expand the Authentication Providers node.
The Authenticators tab appears. This tab displays the name of the default Authentication and Identity Assertion providers. By default, the WebLogic Authentication and Identity Assertion providers are configured.
Chose a different Authentication and/or Identity Assertion provider by clicking on one or more of the following links:
Configure a new iPlanet Authenticator...
Configure a new Realm Adapter Authenticator...
Configure a new Active Directory Authenticator...
Configure a new Default Authenticator...
Configure a new Default Identity Asserter...
Configure a new OpenLDAP Authenticator...
Configure a new Novell Authenticator...
Configure the Authentication and/or Identity Assertion provider.
Chose the Configure a new iPlanet Authenticator... link from the Authenticators tab.
Click the General tab.
Define values for the attributes on the General tab. The Control Flag attribute determines how the iPlanet Authentication provider is used with other LDAP Authentication providers. For more information, see Setting the JAAS Control Flag in Managing WebLogic Security.
Click the iPlanet LDAP tab.
Enable communication between WebLogic Server and the iPlanet LDAP server by defining values for the attributes shown on the iPlanet LDAP tab.
Click Apply to save your changes.
For a more secure deployment, BEA Systems recommends using the SSL protocol to protect communications between the iPlanet LDAP server and WebLogic Server.
Click the Users tab.
Define information about how users are stored and located in the iPlanet LDAP directory by defining values for the attributes shown on the iPlanet Authentication Provider--> Users tab.
Note: To use dynamic groups with the iPlanet Authentication provider, you need to set the User Dynamic Group DN, Dynamic Group Object Class, Dynamic Group Name Attribute, and Dynamic Member URL Attribute attributes.
Click Apply to save your changes.
Click the Groups tab.
Define information about how groups are stored and located in the iPlanet LDAP directory by defining values for the attributes shown on the iPlanet Authentication Provider--> Groups tab.
Click Apply to save your changes.
Click the Membership tab.
Define information about how group members are stored and located in the iPlanet LDAP directory by defining values for the attributes shown on the iPlanet Authentication Provider--> Members tab.
Configuring the Active Directory Authentication Provider
Chose the Configure a new Active Directory Authenticator... link from the Authenticators tab.
Click the General tab.
Define values for the attributes on the General tab. The Control Flag attribute determines how the Active Directory Authentication provider is used with other LDAP Authentication providers. For more information, see Setting the JAAS Control Flag in Managing WebLogic Security.
For a more secure deployment, BEA Systems recommends using the SSL protocol to protect communications between the Active Directory LDAP server and WebLogic Server. For more information, see Configuring the SSL Protocol.
Click the Users tab.
Define information about how users are stored and located in the Active Directory LDAP directory by defining values for the attributes shown on the Active Directory Authentication Provider--> Users tab.
Click Apply to save your changes.
Click the Groups tab.
Define information about how groups are stored and located in the Active Directory LDAP directory by defining values for the attributes shown on the Active Directory Authentication Provider--> Groups tab.
Click Apply to save your changes.
Click the Membership tab.
Define information about how group members are stored and located in the Active Directory LDAP directory by defining values for the attributes shown on the Active Directory Authentication Provider --> Members tab.
Chose the Configure a new OpenLDAP Authenticator... link from the Authenticators tab.
Click the General tab.
Define values for the attributes on the General tab. The Control Flag attribute determines how the Open LDAP Authentication provider is used with other LDAP Authentication providers. For more information, see Setting the JAAS Control Flag in Managing WebLogic Security.
For a more secure deployment, BEA Systems recommends using the SSL protocol to protect communications between the Open LDAP server and WebLogic Server. For more information, see Configuring the SSL Protocol.
Click Apply to save your changes.
Click the Users tab.
Define information about how users are stored and located in the Open LDAP directory by defining values for the attributes shown on the Open LDAP Authentication Provider--> Users tab.
Click Apply to save your changes.
Click the Groups tab.
Define information about how groups are stored and located in the Open LDAP directory by defining values for the attributes shown on the Open LDAP Authentication Provider--> Groups tab.
Click Apply to save your changes.
Click the Membership tab.
Define information about how group members are stored and located in the Open LDAP directory by defining values for the attributes shown on the Open LDAP Authentication Provider--> Configuration --> Members tab.
Chose the Configure a new Novell Authenticator... link from the Authenticators tab.
Click the General tab.
Define values for the attributes on the General tab. The Control Flag attribute determines how the Novell Authentication provider is used with other LDAP Authentication providers. For more information, see Setting the JAAS Control Flag in Managing WebLogic Security.
For a more secure deployment, BEA Systems recommends using the SSL protocol to protect communications between the NDS LDAP server and WebLogic Server. For more information, see Configuring the SSL Protocol.
Click Apply to save your changes.
Click the Users tab.
Define information about how users are stored and located in the NDS directory by defining values for the attributes shown on the Novell Authentication Provider--> Users tab.
Click Apply to save your changes.
Click the Groups tab.
Define information about how groups are stored and located in the NDS directory by defining values for the attributes shown on the Novell Authentication Provider-->Groups tab.
Click Apply to save your changes.
Click the Membership tab.
Define information about how group members are stored and located in the NDS directory by defining values for the attributes shown on the Novell Authentication Provider-->Members tab.
Configuring Failover for LDAP Authentication Providers
In WebLogic Server 7.0 SP2 and greater, you can configure an external LDAP provider with multiple LDAP servers and enable failover if one LDAP server is not available.
To configure failover of the LDAP servers configured for an LDAP Authentication provider, perform the following steps:
Click the LDAP tab under the Configuration tab for the LDAP Authentication provider for which you want to configure failover.
For example, click the iPlanet LDAP tab under the iPlanet Configuration tab.
Click the LDAP tab.
Specify more than on LDAP server name in the Host attribute on the LDAP tab. The attribute must contain a space-delimited list of host names. Each host name may include a trailing colon and port number. For example:
The Parallel Connect Delay attribute specifies the number of seconds to delay when making concurrent attempts to connect to multiple servers. An attempt is made to connect to the first server in the list. The next entry in the list is tried only if the attempt to connect to the current host fails. This setting might cause your application to block for unacceptably long time if a host is down. If the attribute is set to a value greater than 0, another connection setup thread is started after the specified number of delay seconds has passed. If the attribute is set to 0, connection attempts are serialized.
Set the Connection Timeout attribute.
The Connection Timeout attribute specifies the maximum number of seconds to wait for the connection to the LDAP server to be established. If the attribute is set to 0, there is no maximum time limit and WebLogic Server will wait until the TCP/IP layer times out to return a connection failure. This attribute may be set to a value over 60 seconds depending upon the configuration of TCP/IP.
Click Apply.
Reboot WebLogic Server.
Configuring a Realm Adapter Authentication Provider
Chose the Configure a new Realm Adapter Authenticator... link from the Authentication Providers tab.
Click the name of the realm you are configuring (for example, TestRealm.)
Expand the Providers node.
Expand the Authentication Providers node.
The Authenticators tab appears.
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Authentication provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
Click the name of the realm you are configuring (for example, TestRealm.)
Expand the Providers node.
Expand the Authentication Providers node.
The Authenticators tab appears.
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Identity Assertion provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Authorization provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Credential Mapping provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
Click the name of the realm you are configuring (for example, TestRealm).
Expand the Providers node.
Click Key Stores.
The Keystore tab appears. This tab displays the name of the default Keystore for the realm that is being configured.
Click the Configure a new Default Keystore... link.
The Default Keystore-->General tab appears.
Enter the directory location of the file for the Keystore Provider in the Private Key Store Location attribute on the Default Keystore-->General tab.
This attribute requires both a directory and filename location that is either absolute or relative to the root directory of the server. The default value is WL_HOME\server\lib\wlDefaultKeyStore.jks.
Enter the directory location of the file that contains the private keys for the certificate authorities trusted by WebLogic Server in the Root CAKey Store Location attribute.
This attribute requires both a directory and filename location that is either absolute or relative to the root directory of the server. The default value is WL_HOME\server\lib\cacerts.
If you do not specify a value for this attribute, WebLogic Server uses the trusted certificate authority Keystore installed in the JDK in the JAVA_Home/jre/lib/security/cacerts directory.
Click Apply to save your changes.
Reboot WebLogic Server.
Configuring a Custom Keystore Provider
Expand the Security node.
Expand the Realm node.
Click the name of the realm you are configuring (for example, TestRealm.)
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Keystore provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
The Default Keystore-->General tab appears. The Name attribute displays the name of your Custom Keystore provider.
Click Apply to save your changes.
Reboot WebLogic Server.
Configuring a Role Mapping Provider
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click the Providers node.
Click Role Mappers.
The Role Mappers tab appears. This tab displays the name of the default Role Mapping provider for the realm that is being configured.
Click the Configure a new Default Role Mapper... link.
Click the Configure a new Security_Provider_Type... link
where Security_Provider_Type is the name of your Custom Credential Mapping provider. This name is read from the DisplayName attribute in the MBeanType tag of the MBean Definition File (MDF). In order for this link to appear in the Administration Console, the MBean JAR file for the provider must be in the WL_HOME\lib\mbeantypes directory.
Click the name of the realm in which the provider you want to delete is configured (for example, TestRealm).
Expand the Providers node.
Click the type of provider you want to delete (for example, Authorizers).
The tab page for the provider appears (for example, the Authorizers tab). The tab page for the providers displays the names of all the configured providers.
To delete a provider, click the trash can icon in the table on the provider tab.
Defining Users
Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another Authentication provider, you must use the administration tools supplied by that provider to define a user.
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Users.
The Users tab appears. This tab displays the names of all users defined in the default Authentication provider.
Click the Configure a New User... link.
Choose the Authentication or Identity Assertion provider in which to define this user.
Note: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }, *.
Enter a password for the user.
Click Apply to save your changes.
Click the Groups tab to add the new user to a group.
All the groups available in the selected authentication provider appear in the Possible Groups table.
All the groups to which the user belongs appear in the Current Groups table.
To add a user to a group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.
Click Apply to save your changes.
If you have a large number of users, use the Filter option on the Users tab to search the store and list the users that match the search criteria. The Filter option uses the asterisk (*) as the wildcard character.
Deleting a User
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Users.
The Users tab appears. This tab displays the names of all users defined in the default Authentication provider.
To delete a user, click the trash can icon in the table on the Users tab.
Unlocking a User Account
Click the Details link in the table on the Users tab.
The Details tab appears. The Details tab describes the security event for the user account.
Click Unlock to unlock the user account.
Defining Groups
Note: This section applies to the WebLogic Authentication provider only. If you customize the default security configuration to use another Authentication provider, you must use the administration tools supplied by that provider to define a group.
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Groups.
The Groupstab appears. This tab displays the names of all groups defined in the default Authentication provider.
Note: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }, *.
Enter a short description of the group.
Click Apply to save your changes.
Click the Membership tab to add existing groups to the new group.
All the groups available in the selected authentication provider appear in the Possible Groups table.
All the groups currently defined for a group appear in the Current Groups table.
To add a group to another group, highlight the desired group name and click the right arrow to move the group name to the Current Groups table.
Click Apply to save your changes.
If you have a large number of groups, use the Filter option on the Groupstab to search the store and list the groups that match the search criteria. The Filter option uses the asterisk (*) as the wildcard character.
Deleting a Group
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Groups.
The Groupstab appears. This tab displays the names of all groups defined in the default Authentication provider.
To delete a group, click the trash can icon in the table on the Groups tab.
Granting Global Roles
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Roles.
The Rolestab appears. This tab displays the names of all roles defined in the WebLogic Role Mapping provider.
Notes: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. The BEA convention is that all security role names are singular.
In the Role Condition list box, click one of the following conditions:
User name of the caller—Creates a condition for a security role based on a user name.
Caller is member of group—Creates a condition for a security role based on a group.
Hours of Access are between—Creates a condition for a security role based on a specified time period.
When you use the Hours of Access are Between role condition, the security role will be granted to all users during the hours you specify, unless you further restrict the users by adding one of the other role conditions.
Click Add.
A customized window appears.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users or Groups window to enter the name of a user or group, and then click the Add button.
Note: You can repeat this step multiple times to add more than one user or group.
If necessary, use the buttons located to the right of the list box to modify the expressions.
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
If desired, repeat steps 9-11 to add expressions based on different role conditions.
If necessary, use the buttons located to the right of the Role Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Role Statement list box are correct, click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Role Statement list box.
To create a scoped role for a URL (Web) resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Deployments.
The Deployments node expands to show the types of WebLogic resources that can be deployed.
Click the right mouse button at the level of the URL (Web) resource at which you want to create the scoped role.
A menu of options appears.
To create a scoped role for all Web applications (WARs), click the right mouse button on Web Applications.
To create a scoped role for a particular WAR or a component in a WAR (for example, a specific servlet or JSP), click the + sign next to Web Applications, then click the right mouse button on the name of a Web application (WAR).
If you are creating the scoped role for all Web applications (WARs), select the Define Role... option.
The Select Rolespage appears. If any are available, this page displays the scoped roles that are currently defined for this WebLogic resource in the WebLogic Role Mapping provider's database.
If you are creating the scoped role for a particular WAR, or a component within a WAR, follow these steps:
Select the Define Role... option. The General tab appears.
Enter a URL pattern in the text field.
A URL pattern is a path to a specific component within a Web application. Or, you can use /* to associate the scoped role with all components (servlets, JSPs, and so on) within the Web application.
Click the Define Role... button to proceed. The Select Rolespage appears. If any are available, this page displays the scoped roles that are currently defined for this WebLogic resource in the WebLogic Role Mapping provider's database.
Click the Configure a New Role... link. The Create Role page appears
On General tab, enter the name of the scoped role in the Name field.
Notes: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. The BEA convention is that all security role names are singular.
Warning: If you create a scoped role with the same name as a global role, the scoped role takes precedence over the global role.
Click the Apply button to save your changes.
Click the Conditions tab. The Role Editor page appears.
In the Role Condition list box, click one of the following conditions:
User name of the caller—Creates a condition for a security role based on a user name.
Caller is member of group—Creates a condition for a security role based on a group.
Hours of Access are between—Creates a condition for a security role based on a specified time period.
When you use the Hours of Access are Between role condition, the security role will be granted to all users during the hours you specify, unless you further restrict the users by adding one of the other role conditions.
Note: BEA recommends that you create expressions using the Caller is a Member of the Group condition. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
Click the Add button.
A customized window appears.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users or Groups window to enter the name of a user or group, and then click the Add button. An expression appears in the list box.
Note: You can repeat this step multiple times to add more than one user or group.
If necessary, use the buttons located to the right of the list box to modify the expressions.
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the role statement.
If desired, repeat steps 8 - 10 to add expressions based on different role conditions.
If necessary, use the buttons located to the right of the Role Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Role Statement list box are correct, click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Role Statement list box.
Creating a Scoped Role for Enterprise JavaBean (EJB) Resources
To create a scoped role for an EJB resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Deployments.
The Deployments node expands to show the types of WebLogic resources that can be deployed.
Click the right mouse button at the level of the EJB resource for which you want to create the scoped role.
A menu of options appears.
To create a scoped role for all EJB JARs, click the right mouse button on EJB.
To create a scoped role for a particular EJB JAR, or for an EJB within a JAR, click the + sign next to EJB, then click the right mouse button on the name of an EJB JAR.
If you are creating the scoped role for all EJB JARs or for a particular EJB JAR, select the Define Role... option. The Select Rolespage appears. If any are available, this page displays the scoped roles that are currently defined for this WebLogic resource in the WebLogic Role Mapping provider's database.
If you are creating the scoped for a particular EJB within an EJB JAR, follow these steps:
Select the Define Policies and Roles for Individual Beans... option. A list of EJBs appears.
Click the [Define Roles] link that is located in the same row as the particular EJB for which you want to create the scoped role. The Select Rolespage appears. If any are available, this page displays the scoped roles that are currently defined for this WebLogic resource in the WebLogic Role Mapping provider's database.
Click the Configure a New Role... link. The Create Role page appears.
On General tab, enter the name of the scoped role in the Name field.
Notes: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. The BEA convention is that all security role names are singular.
Warning: If you create a scoped role with the same name as a global role, the scoped role takes precedence over the global role.
Click the Apply button to save your changes.
Click the Conditions tab. The Role Editor page appears.
In the Role Condition list box, click one of the following conditions:
User name of the caller—Creates a condition for a security role based on a user name.
Caller is member of group—Creates a condition for a security role based on a group.
Hours of Access are between—Creates a condition for a security role based on a specified time period.
When you use the Hours of Access are Between role condition, the security role will be granted to all users during the hours you specify, unless you further restrict the users by adding one of the other role conditions.
Note: BEA recommends that you create expressions using the Caller is a Member of the Group condition. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
Click the Add button. A customized window appears.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users or Groups window to enter the name of a user or group, and then click the Add button. An expression appears in the list box.
Note: You can repeat this step multiple times to add more than one user or group.
If necessary, use the buttons located to the right of the list box to modify the expressions.
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the role statement.
If desired, repeat steps 8 - 10 to add expressions based on different role conditions.
If necessary, use the buttons located to the right of the Role Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Role Statement list box are correct, click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Role Statement list box.
Creating a Scoped Role for JNDI Resources
To create a scoped role for a JNDI resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Servers.
The Servers node expands to show the servers available in the current WebLogic Server domain.
Click the right mouse button on the name of the server that contains the JNDI resource for which you want to create the scoped role. (For example, myserver.) A menu of options appears.
Select the View JNDI Tree option. The JNDI tree for the server appears in a new Administration Console window.
In the new Administration Console window, click the right mouse button at the level of the JNDI tree at which you want to create the scoped role. A menu of options appears.
Select the Define Role... option.
Click the Configure a New Role... link. The Create Role page appears. If any are available, this page displays the scoped roles that are currently defined for this WebLogic resource in the WebLogic Role Mapping provider's database.
On General tab, enter the name of the scoped role in the Name field.
Notes: Do not use blank spaces, commas, hyphens, or any characters in this comma-seperated list: \t, < >, #, |, &, ~, ?, ( ), { }. Security role names are case sensitive. The BEA convention is that all security role names are singular.
Warning: If you create a scoped role with the same name as a global role, the scoped role takes precedence over the global role.
Click the Apply button to save your changes.
Click the Conditions tab. The Role Editor page appears.
In the Role Condition list box, click one of the following conditions:
User name of the caller—Creates a condition for a security role based on a user name.
Caller is member of group—Creates a condition for a security role based on a group.
Hours of Access are between—Creates a condition for a security role based on a specified time period.
When you use the Hours of Access are Between role condition, the security role will be granted to all users during the hours you specify, unless you further restrict the users by adding one of the other role conditions.
Note: BEA recommends that you create expressions using the Caller is a Member of the Group condition. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
Note: BEA recommends that you create expressions using the Caller is a Member of the Group condition. When a group is used to create a security role, the security role can be granted to all members of the group (that is, multiple users).
Click the Add button. A customized window appears.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users or Groups window to enter the name of a user or group, and then click the Add button. An expression appears in the list box.
Note: You can repeat this step multiple times to add more than one user or group.
If necessary, use the buttons located to the right of the list box to modify the expressions.
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the role statement.
If desired, repeat steps 10 - 12 to add expressions based on different role conditions.
If necessary, use the buttons located to the right of the Role Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Role Statement list box are correct, click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Role Statement list box.
Creating Scoped Roles for Other Types of WebLogic Resources
With the exception of Web Services resources, you can create scoped roles for the other types of WebLogic resources using the WebLogic Server Administration Console. However, not all WebLogic resource types are listed under the Deployments node in the Administration Console's navigation tree, and not all of the WebLogic resource types allow scoped roles to be created at the same levels in the resource hierarchy. JDBC connection pools, for example, are shown under the Services —> JDBC node, and scoped roles for JMS resources may only be created at the Services —> JMS node. Therefore, you will need to adapt the instructions provided in the previous sections to create scoped roles for other WebLogic resource types, as the process for accomplishing this task differs only in small ways.
Modifying Security Roles
The procedure for modifying security roles are, for the most part, the same as the procedure for creating a security role (global or scoped). Follow these steps:
Navigate to the Role Editor page and make your changes.
Note: The way you navigate to the Role Editor page is dependent upon the type of WebLogic resource, the type of security role (global or scoped), and the granularity at which you created the security role.
Click the Apply button to save your changes.
Deleting a Global Role
Expand the Security node.
Expand the Realms node.
Click the name of the realm you are configuring (for example, TestRealm).
Click Roles.
The Select Rolespage appears. This page displays all the global roles currently defined in the WebLogic Role Mapping provider's database.
Click the trash can icon that is located in the same row as the global role you want to delete.
Click the Yes button.
Click the Continue link.
The Select Roles page appears, and the deleted global role no longer appears in the table.
Deleting a Scoped Role
To delete a scoped role, follow these steps:
Navigate to the Select Roles page for your WebLogic resource. This page displays all the scoped roles currently defined in the WebLogic Role Mapping provider's database.
Note: The way you navigate to the Select Roles page is dependent upon the type of WebLogic resource and the granularity at which you created the scoped role.
Click the trash can icon that is located in the same row as the scoped role you want to delete.
Click the Yes button.
Click the Continue link. The Select Roles page appears, and the deleted scoped role no longer appears in the table.
Creating a Security Policy for URL (Web) Resources
To create a security policy for a URL (Web) resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Deployments. The Deployments node expands to show the types of WebLogic resources that can be deployed.
Click the right mouse button at the level of the Web application resource at which you want to create the security policy. A menu of options appears.
To secure all the Web applications (WARs) with a single security policy, click click the right mouse button on Web Applications. To secure a particular WAR or a component of a WAR (for example, a specific servlet or JSP), click the + sign next to Web Applications, then click the right mouse button on the name of a Web application (WAR).
If you are creating a security policy for all Web applications (WARs), select the Define Policy... option. The Policy Editor page appears..
If you are creating the security policy for a particular WAR or component of the WAR, follow these steps:
Select the Define Policy... option. The General tab appears.
Enter a URL pattern in the text field.
Note: A URL pattern is a path to a specific servlet within a Web application. Or, you can use /* to protect all servlets within the Web application.
Click the Define Policy... button to proceed. The Policy Editor page appears.
Note: Notice any policy statements that may have been inherited from security policies associated with the URL (Web) resource type.If inherited policy statements exist, you will be overriding them here. For more information, see Securing WebLogic Resources.
If the Methods drop-down menu is shown, specify which Web application method you want to protect.
Note: The Methods drop-down menu is shown only if you chose to secure a particular WAR or component of a particular WAR. In other words, it will not appear if you chose to secure all WARs.
In the Policy Condition list box, click one of the following conditions:
User Name of the Caller—Creates a condition for a security policy based on a user name.
Caller is a Member of the Group—Creates a condition for a security policy based on a group. When a group is used to create a security policy, the security policy is assigned to all members of the group.
Caller is Granted the Role—Creates a condition for a security policy based on a security role.
Hours of Access are Between—Creates a condition for a security policy based on a specified time period.
Note: BEA recommends that you create expressions using the Caller is Granted the Role condition. Basing expressions on security roles allows you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.
Click the Add button.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users, Groups, or Roles window to enter the name of a user, group, or security role, and then click the Add button.
Note: You can repeat this step multiple times to add more than one user, group, or security role.
If necessary, use the buttons located to the right of the list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the policy statement.
If desired, repeat steps 5 - 7 to add expressions based on different policy conditions.
If necessary, use the buttons located to the right of the Policy Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Policy Statement list box are correct, scroll down the page and click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Policy Statement list box.
Creating a Security Policy for Enterprise JavaBean (EJB) Resources
To create a security policy for an EJB resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Deployments. The Deployments node expands to show the types of WebLogic resources that can be deployed.
Click the right mouse button at the level of the EJB resource at which you want to create the security policy. A menu of options appears.
To secure all the EJB JARs with a single security policy, click the right mouse button on EJB. To secure a particular EJB JAR, an EJB within a JAR, or a method on one of the EJBs within a JAR, click the + sign next to EJB, then click the right mouse button on the name of an EJB JAR.
If you are creating a security policy for all EJB JARs or for a particular EJB JAR, select the Define Policy... option. The Policy Editor page appears.
If you are creating the security policy for a particular EJB within an EJB JAR, or a method on one of the EJBs within the JAR, follow these steps:
Select the Define Policies and Roles for Individual Beans... option. A list of EJBs appears.
Click the [Define Policies] link that corresponds to the particular EJB you want to secure (regardless of whether you want to secure the entire EJB or a particular method within the EJB). The Policy Editor page appears.
Note: Notice any policy statements that may have been inherited from security policies created for the EJB resource type. If inherited policy statements exist, you will be overriding them here. For more information, see Securing WebLogic Resources.
If the Methods drop-down menu is shown, specify which EJB method you want to protect.
Note: The Methods drop-down menu is shown only if you chose to secure a particular EJB with an EJB JAR, or a method on one of the EJBs within the JAR. In other words, it will not appear if you chose to secure all EJB JARs or a particular EJB JAR.
In the Policy Condition list box, click one of the following conditions:
User Name of the Caller—Creates a condition for a security policy based on a user name.
Caller is a Member of the Group—Creates a condition for a security policy based on a group. When a group is used to create a security policy, the security policy is assigned to all members of the group.
Caller is Granted the Role—Creates a condition for a security policy based on a security role.
Hours of Access are Between—Creates a condition for a security policy based on a specified time period.
Note: BEA recommends that you create expressions using the Caller is Granted the Role condition. Basing expressions on security roles allows you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.
Click the Add button.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users, Groups, or Roles window to enter the name of a user, group, or security role, and then click the Add button. An expression appears in the list box.
Note: You can repeat this step multiple times to add more than one user, group, or security role.
If necessary, use the buttons located to the right of the list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the policy statement. If desired, repeat steps 5 - 7 to add expressions based on different policy conditions.
If necessary, use the buttons located to the right of the Policy Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Policy Statement list box are correct, scroll down the page and click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Policy Statement list box.
Creating a Security Policy for JNDI Resources
To create a security policy for a JNDI resource, follow these steps:
Using the navigation tree at the left side of the WebLogic Server Administration Console, click the + sign next to Servers. The Servers node expands to show the servers available in the current WebLogic Server domain.
Click the right mouse button on the name of the server that contains the JNDI resource for which you want to create the security policy. (For example, myserver.) A menu of options appears.
Select the View JNDI Tree option. The JNDI tree for the server appears in a new Administration Console window.
In the new Administration Console window, click the right mouse button at the level of the JNDI tree at which you want to create the security policy. A menu of options appears.
Select the Define Policy... option.
In the Policy Condition list box, click one of the following conditions:
User Name of the Caller—Creates a condition for a security policy based on a user name.
Caller is a Member of the Group—Creates a condition for a security policy based on a group. When a group is used to create a security policy, the security policy is assigned to all members of the group.
Caller is Granted the Role—Creates a condition for a security policy based on a security role.
Hours of Access are Between—Creates a condition for a security policy based on a specified time period.
Note: BEA recommends that you create expressions using the Caller is Granted the Role condition. Basing expressions on security roles allows you to create one security policy that takes into account multiple users or groups, and is a more efficient method of management.
Click the Add button.
If you selected the Hours of Access are Between condition, use the Time Constraint window to select start and end times, and then click the OK button.
If you selected one of the other conditions, follow these steps:
Use the Users, Groups, or Roles window to enter the name of a user, group, or security role, and then click the Add button.
Note: You can repeat this step multiple times to add more than one user, group, or security role.
If necessary, use the buttons located to the right of the list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted user or group name. The Change button switches the highlighted and and or statements between expressions. The Remove button deletes the highlighted user or group name.
Click OK to add the expression to the policy statement.
If desired, repeat steps 6 - 8 to add expressions based on different policy conditions.
If necessary, use the buttons located to the right of the Policy Statement list box to modify the expressions:
The Move Up and Move Down buttons change the ordering of the highlighted expression.
The Change button switches the highlighted and and or statements between expressions.
The Edit... button reopens the customized window for the highlighted expression and allows you to modify the expression.
The Remove button deletes the highlighted expression.
When all the expressions in the Policy Statement list box are correct, scroll down the page and click the Apply button.
Note: Clicking the Reset button will delete all expressions shown in the Policy Statement list box.
Creating a Security Policy for Other Types of WebLogic Resources
With the exception of Web Services resources, you can create security policies for the other types of WebLogic resources using the WebLogic Server Administration Console. However, not all WebLogic resource types are listed under the Deployments node in the Administration Console's navigation tree, and not all of the WebLogic resource types allow security policies to be created at the same levels in the resource hierarchy. JDBC connection pools, for example, are shown under the Services —> JDBC node, and security policies for JMS resources may only be created at the Services —> JMS node. Therefore, you will need to adapt the instructions provided in the previous sections to secure other WebLogic resource types, as the process for accomplishing this task differs only in small ways.
Modifying and Deleting Security Policies
The procedures for modifying and deleting security policies are, for the most part, the same as the procedure for creating a security policy. Follow these steps:
Navigate to the Policy Editor page and make your modifications and/or deletions.
Notes: The way you navigate to the Policy Editor page is dependent upon the type of WebLogic resource and the granularity at which you created the security policy.
If you are modifying an existing security policy, pay special attention to the Inherited Policy Statement list box to ensure that you understand which security policies you may be overriding.
Click the Apply button to save your changes.
Using WebLogic Server to Authenticate to Remote Systems
Verify the Ignore Security Data in Deployment Descriptors attribute is enabled on the default (active) security realm. Otherwise, you risk overwriting credential maps with old information in weblogic-ra.xml deployment descriptor files.
Define a user or group for the EIS user.
Expand the Connectors node.
Right-click on the desired resource adapter.
Click the Define Cred Map option.
The Credential Maps table displays all the credential maps defined in the configured Credential Mapper.
Click the Configure a New Cred Map... link.
Enter the username of the EIS user in the Remote User Cred Map field. For example, scott.
Enter the password for the EIS user inthe Remote Password field. For example, tiger.
Click Apply.
Right-click on the desired resource adapter.
Click the Define Role Map option.
Enter the WebLogic Server user or group name you defined for the EIS user in step 2 in the WLS User field.
Enter the name of the EIS user in Remote User field.
Click the server to be configured to use the SSL protocol.
Click the Connections tab.
Ensure the SSL protocol is enabled on the Server-->SSL Ports tab.
Enable one of the following attributes on the Server-->SSL tab:
Check the Client Certificate Enforced attribute to require a client to present a certificate. If a certificate is not presented, the SSL connection is terminated.
Check the Client Certificate Requested But Not Enforced attribute to ask for a certificate from the client. If this option is enabled, the connection will continue if the client does not present a certificate.
Click Apply to save your changes.
Reboot WebLogic Server.
Using a Custom Hostname Verifier
Expand the Server node.
Click the Configure a New Server link.
Click the Connections tab.
Ensure the SSL protocol is enabled on the Server-->SSL Ports tab.
Enter the name of the Java class used to load your custom Hostname Verifier in the Hostname Verifier attribute on the Server-->SSL tab.
Click Apply to save your changes.
Reboot WebLogic Server.
Click the Connections tab.
Enabling Trust Between WebLogic Domains
Note: To establish a trust relationship between two domains, the password for the domains must be the same.
Expand the Domains node.
Click the Security tab.
Click the Advanced tab.
Uncheck the Enable Generated Credential attribute.
Click the Change... link in the Credential attribute.
Enter a password for the domain. Choose the password carefully. BEA Systems recommends using a combination of upper and lower case letters and numbers.
Confirm the password.
Click Apply.
Reboot WebLogic Server.
Configuring Connection Filtering
Expand the Domains node.
Click the Security tab.
Click the Filter tab.
Enter the class that implements the network connection filter in the Connection Filter attribute.
Enter the syntax for the connection filter rules. For more information about connection filter rules, see Writing a Network Connection Filter in Programming WebLogic Security.
Click Apply.
Reboot WebLogic Server.
Expand the Domains node.
Click the Security tab.
Click the Advanced tab.
Click the Connection Logger Enabled attribute to enable the logging of accepted messages.
