Programming WebLogic Security
WebLogic Server supports the use of J2EE security to protect URL (Web), Enterprise JavaBeans (EJBs), and Connector components. In addition, WebLogic Server extends the connector model of specifying additional security policies in the deployment descriptor to the URL and EJB components.
Note: J2EE has requirements for Java 2 security default permissions for different application types (see the J2EE 1.3 specification, section 6.2.2) as does the Connector 1.0 spec (see section 11.2). These specifications are available at http://java.sun.com/j2ee/download.html#platformspec.
Furthermore, the J2EE specification suggests that the deployer be able to add to these security policies. For URL and EJB components, this is done through comments in the deployment descriptor, but the specification states: "A future version of this specification will allow these security requirements to be specified in the deployment descriptor for the application components." The connector specification already provides for deployment descriptors to specify additional security policies using the <security-permission> tag (see Listing 7-1).

Listing 7-1 Syntax of the <security-permission> tag

    <security-permission>
      <description> Optional explanation goes here </description>
      <security-permission-spec>
        A single grant statement following the syntax of
        http://java.sun.com/j2se/1.3/docs/guide/security/PolicyFiles.html#FileSyntax
        without the "codebase" and "signedBy" clauses goes here. For example:
        permission java.net.SocketPermission "*", "resolve";
      </security-permission-spec>
    </security-permission>
In addition to supporting the <security-permission> tag in the ra.xml deployment descriptor for resource adapters, WebLogic Server adds the <security-permission> tag to the weblogic.xml and weblogic-ejb-jar.xml files. This extends the connector model to the two other application types, Web applications and EJBs, provides a uniform interface to security policies across all component types, and anticipates future J2EE specification changes.
The Java Security Manager can be used with WebLogic Server to provide additional protection for resources running in a Java Virtual Machine (JVM). Using a Java Security Manager is an optional security step. The following sections describe how to use the Java Security Manager with WebLogic Server:
When you run WebLogic Server under Java 2 (SDK 1.2 or later), WebLogic Server can use the Java Security Manager in Java 2, which prevents untrusted code from performing actions that are restricted by the Java security policy file.
The JVM has security mechanisms built into it that allow you to restrict what code may do through a Java security policy file. The Java Security Manager uses the Java security policy file to enforce a set of permissions granted to classes; each runtime operation a class attempts (opening a socket, reading a file, reading a system property) is allowed or denied according to the permissions granted to that class in that instance of the JVM. In many cases, where the threat model does not include malicious code being run in the JVM, the Java Security Manager is unnecessary. However, when untrusted third parties use WebLogic Server and untrusted classes are being run, the Java Security Manager may be useful.
To use the Java Security Manager with WebLogic Server, specify the -Djava.security.manager argument when starting WebLogic Server. The -Djava.security.policy argument specifies a filename (using a relative or fully qualified pathname) that contains Java 2 security policies.
If you enable the Java Security Manager but do not specify a security policy file, the Java Security Manager uses the default security policies defined in the
java.policy file in the
To use the Java Security Manager security policy file with your WebLogic Server deployment, you must specify the location of the weblogic.policy file to the Java Security Manager when you start WebLogic Server. To do this, you set the following arguments on the Java command line you use to start the server:

- java.security.manager installs the Java Security Manager in the JVM, so that the permissions in the Java security policy file are enforced.
- java.security.policy tells the JVM the location of the Java security policy file to use. The argument is the fully qualified name of the Java security policy file, which in this case is weblogic.policy.
Note: Be sure to use == instead of = when specifying the java.security.policy argument so that only the weblogic.policy file is used by the Java Security Manager. The == causes the weblogic.policy file to override any default security policy. A single equal sign (=) causes the weblogic.policy file to be appended to an existing security policy.
- Make a backup copy of the weblogic.policy file and put the backup copy in a secure location.
- Set the permissions on the weblogic.policy file via the operating system such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have access to the file.
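The following Python script is an added example, not code from the WebLogic documentation or product. It checks an existing start command for the two arguments above and distinguishes == (the policy file replaces the default policy) from = (it is appended to it), builds the correct arguments for a given policy path, and audits the owner and permission bits of the weblogic.policy file against the rule that only the administrator may read or write it. The command lines, paths and uids in main() are constructed for illustration; the administrator's uid is supplied by the caller.

```python
"""Check how a WebLogic start command configures the Java Security Manager, and
audit the OS permissions on the weblogic.policy file.

Added example, not code from the WebLogic documentation. The command lines,
paths and uids used in main() are constructed for illustration.
"""
import os
import shlex
import stat

MANAGER_FLAG = "-Djava.security.manager"
POLICY_FLAG = "-Djava.security.policy"


def build_security_manager_args(policy_path):
    """Return the JVM arguments that install the Security Manager and make
    policy_path the only policy file in effect (note the '==')."""
    if not os.path.isabs(policy_path):
        raise ValueError("policy file must be given by a fully qualified path: %r" % policy_path)
    return [MANAGER_FLAG, POLICY_FLAG + "==" + policy_path]


def inspect_java_command(cmdline):
    """Parse a java command line and report the Security Manager settings.

    mode is 'override' when the policy file is given with '==' (it replaces the
    JDK default policy), 'append' when given with '=' (it is added to the
    default policy), or None when no policy file is named at all.
    """
    result = {"manager_enabled": False, "policy": None, "mode": None}
    for tok in shlex.split(cmdline):
        if tok == MANAGER_FLAG or tok.startswith(MANAGER_FLAG + "="):
            result["manager_enabled"] = True
        elif tok.startswith(POLICY_FLAG + "=="):
            result["policy"] = tok[len(POLICY_FLAG) + 2:]
            result["mode"] = "override"
        elif tok.startswith(POLICY_FLAG + "="):
            result["policy"] = tok[len(POLICY_FLAG) + 1:]
            result["mode"] = "append"
    return result


def findings_for_mode(mode, file_uid, admin_uid):
    """Pure check on a file's permission bits and owner: the administrator needs
    read and write, and nobody else should have any access."""
    findings = []
    if file_uid != admin_uid:
        findings.append("not owned by the WebLogic administrator account")
    if not (mode & stat.S_IRUSR and mode & stat.S_IWUSR):
        findings.append("owner lacks read+write")
    if mode & (stat.S_IRGRP | stat.S_IWGRP | stat.S_IXGRP):
        findings.append("group has access; expected none")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        findings.append("other users have access; expected none")
    return findings


def audit_policy_file(path, admin_uid):
    """Stat the real policy file and run findings_for_mode on it."""
    st = os.stat(path)
    return findings_for_mode(stat.S_IMODE(st.st_mode), st.st_uid, admin_uid)


if __name__ == "__main__":
    policy = "/opt/bea/weblogic.policy"  # constructed path, not a real install
    print(" ".join(build_security_manager_args(policy)))
    for cmd in (
        "java -Djava.security.manager -Djava.security.policy==%s weblogic.Server" % policy,
        "java -Djava.security.manager -Djava.security.policy=%s weblogic.Server" % policy,
        "java -Xms256m weblogic.Server",
    ):
        print(cmd, "->", inspect_java_command(cmd))
    print("mode 0600:", findings_for_mode(0o600, 1000, 1000))
    print("mode 0644:", findings_for_mode(0o644, 1000, 1000))
```

A command line whose mode comes back as "append" still installs the Security Manager, but the JDK's own default grants remain in force alongside weblogic.policy; only "override" gives you the single, reviewed policy the note above asks for.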
Caution: The Java Security Manager is partially disabled during the booting of Administration and Managed Servers. During the boot sequence, the current Java Security Manager is disabled and replaced with a variation of the Java Security Manager that has the checkRead() method disabled. While disabling this method greatly improves the performance of the boot sequence, it also minimally diminishes security. The startup classes for WebLogic Server are run with this partially disabled Java Security Manager and therefore the classes need to be carefully scrutinized for security considerations involving the reading of files.
For more information about the Java Security Manager, see the Javadoc for the java.lang.SecurityManager class, which is available at http://java.sun.com/j2se/1.4.1/docs/api/index.html.
Set default security policies for Servlets, EJBs, and J2EE Connector Resource Adapters in the Java security policy file. The default security policies for Servlets, EJBs, and Resource Adapters are defined in the Java security policy file under the following codebases:
Listing 7-2 shows the syntax for adding a security policy to a deployment descriptor:
Note: The <security-permission-spec> tag cannot be added to a weblogic-application.xml file. You are limited to using this tag within a weblogic.xml file. Also, variables are not supported in the
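The following Python lint is an added example, not code from the WebLogic documentation or product. It serves both the <security-permission> syntax given with Listing 7-1 and the note above: each <security-permission-spec> must hold exactly one grant statement in Java policy-file syntax with no codeBase or signedBy clause, the tag is rejected in weblogic-application.xml, and property-expansion variables are flagged. It also warns about grants that make the Security Manager pointless for the component. Assumptions: the spec text uses the grant { ... }; form rather than a bare permission line; ${...} is the marker used for variables; the descriptors, element placement under the root elements, and the permission lists are all constructed for illustration.

```python
"""Lint <security-permission-spec> entries in WebLogic deployment descriptors.

Added example, not part of the WebLogic documentation or product. Assumes the
spec text is a single 'grant { ... };' statement and that '${' marks a
variable. The descriptor XML below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Grants that leave nothing for the Security Manager to enforce.
BROAD_PERMISSIONS = {"java.security.AllPermission"}
# RuntimePermission targets that let code replace or disable the manager itself.
DANGEROUS_RUNTIME_TARGETS = {"setSecurityManager", "createSecurityManager"}

GRANT_RE = re.compile(r"^\s*grant\b(?P<header>[^{]*)\{(?P<body>.*)\}\s*;?\s*$", re.DOTALL)
PERM_RE = re.compile(
    r'permission\s+(?P<cls>[A-Za-z_][\w.$]*)'   # permission class name
    r'(?:\s+"(?P<target>[^"]*)")?'              # optional target name
    r'(?:\s*,\s*"(?P<actions>[^"]*)")?'         # optional action list
    r'\s*;')


def parse_grant(spec_text):
    """Parse one grant statement into (class, target, actions) tuples.
    Raises ValueError for anything the tag does not allow."""
    if len(re.findall(r"\bgrant\b", spec_text)) != 1:
        raise ValueError("exactly one grant statement is required")
    m = GRANT_RE.match(spec_text)
    if not m:
        raise ValueError("not a grant statement: %r" % spec_text.strip())
    header = m.group("header").strip()
    for clause in ("codeBase", "signedBy"):
        if clause.lower() in header.lower():
            raise ValueError("%s clause is not allowed here" % clause)
    if header:
        raise ValueError("unexpected text before '{': %r" % header)
    body = m.group("body")
    perms = [(p.group("cls"), p.group("target"), p.group("actions")) for p in PERM_RE.finditer(body)]
    if PERM_RE.sub("", body).strip():
        raise ValueError("unparsed text inside grant block")
    if not perms:
        raise ValueError("grant block contains no permission statements")
    return perms


def spec_error(spec_text):
    """Return the rejection message for a spec, or None if it parses."""
    try:
        parse_grant(spec_text)
    except ValueError as exc:
        return str(exc)
    return None


def lint_descriptor(filename, xml_text):
    """Return (severity, message) findings for one descriptor file."""
    findings = []
    root = ET.fromstring(xml_text)
    specs = list(root.iter("security-permission-spec"))
    if filename.endswith("weblogic-application.xml") and specs:
        findings.append(("error", "<security-permission-spec> is not supported in weblogic-application.xml"))
    for spec in specs:
        text = spec.text or ""
        if "${" in text:  # assumed marker for policy-file property expansion
            findings.append(("error", "variables are not supported in <security-permission-spec>"))
            continue
        err = spec_error(text)
        if err:
            findings.append(("error", err))
            continue
        for cls, target, actions in parse_grant(text):
            acts = {a.strip() for a in (actions or "").split(",") if a.strip()}
            if cls in BROAD_PERMISSIONS:
                findings.append(("warn", "%s grants everything; the Security Manager then protects nothing in this component" % cls))
            elif cls == "java.lang.RuntimePermission" and target in DANGEROUS_RUNTIME_TARGETS:
                findings.append(("warn", 'RuntimePermission "%s" lets the component tamper with the Security Manager' % target))
            elif cls == "java.net.SocketPermission" and target == "*" and acts - {"resolve"}:
                findings.append(("warn", 'SocketPermission "*" with actions %s allows network access to any host' % actions))
    return findings


# Constructed sample descriptors (not from any real deployment).
GOOD_WEBLOGIC_XML = """<?xml version="1.0"?>
<weblogic-web-app>
  <security-permission>
    <description>Resolve host names only; no outbound connections.</description>
    <security-permission-spec>
      grant {
        permission java.net.SocketPermission "*", "resolve";
      };
    </security-permission-spec>
  </security-permission>
</weblogic-web-app>
"""

BAD_WEBLOGIC_EJB_JAR_XML = """<?xml version="1.0"?>
<weblogic-ejb-jar>
  <security-permission>
    <security-permission-spec>
      grant codeBase "file:/opt/app/-" {
        permission java.io.FilePermission "/etc/-", "read";
      };
    </security-permission-spec>
  </security-permission>
  <security-permission>
    <security-permission-spec>
      grant {
        permission java.security.AllPermission;
      };
    </security-permission-spec>
  </security-permission>
</weblogic-ejb-jar>
"""

WEBLOGIC_APPLICATION_XML = """<?xml version="1.0"?>
<weblogic-application>
  <security-permission>
    <security-permission-spec>
      grant {
        permission java.util.PropertyPermission "*", "read";
      };
    </security-permission-spec>
  </security-permission>
</weblogic-application>
"""

if __name__ == "__main__":
    for name, xml_text in (("weblogic.xml", GOOD_WEBLOGIC_XML),
                           ("weblogic-ejb-jar.xml", BAD_WEBLOGIC_EJB_JAR_XML),
                           ("META-INF/weblogic-application.xml", WEBLOGIC_APPLICATION_XML)):
        print(name, lint_descriptor(name, xml_text))
```

Run it over the descriptors in an EAR before deployment; an "error" means the server will reject or ignore the grant, a "warn" means the grant is accepted but leaves the component effectively unconstrained.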