
Introduction to WebLogic Security


Overview of the WebLogic Security Service

Audience

The Security Challenge of the Web

Practical Benefits

Balancing Ease of Use and Customizability

Securing BEA Web Services Clients

A Key Advantage: Security via Users, Roles, and Security Policies

Authentication and Authorization: Some Details

Authentication

Levels of Authentication

Authorization

Setting Policies: No Programming Required

Security Auditing

Connection Filtering

Counter Measures for Denial-of-Service and other Attacks

Unified Administration for Security Services

Security Management and Storage

What Changed in WebLogic Security

Migrating from BEA WebLogic Server 6.x Security to 8.1 Security

Summary

Security Fundamentals

J2EE and WebLogic Security

SDK 1.3 Security Packages

The Java Secure Socket Extension (JSSE)

Java Authentication and Authorization Services (JAAS)

The Java Security Manager

Java Cryptography Architecture and Java Cryptography Extensions (JCE)

WebLogic APIs versus J2EE APIs

Security Realms

Authentication

Users

Groups

Principals and Subjects

Java Authentication and Authorization Service (JAAS)

CallbackHandlers

JAAS LoginModules

JAAS Control Flags

Identity Assertion Providers and LoginModules

Identity Assertion and Tokens

Mutual authentication

Types of Authentication

Username/Password authentication

Certificate authentication

Perimeter authentication

How is Perimeter Authentication Accomplished?

How Does WebLogic Server Support Perimeter Authentication?

Embedded LDAP Server

Authorization

WebLogic Resources

Roles

Security Policies

ContextHandlers

Access Decisions

Adjudication

Auditing

Secure Sockets Layer (SSL)

SSL Features

SSL Tunneling

One-way/Two-way SSL Authentication

Domestic SSL and Exportable SSL

Digital Certificates

Certificate Authorities

Mutual Authentication

host name verification (client-side SSL)

trust managers

Asymmetric Key Algorithms

Symmetric Key Algorithms

Message Digest Algorithms

Cipher Suites

Java Cryptography Extensions (for SP2)

hardware/software accelerators

Firewalls

Credential Mapping

Credential Map

Connection Filters

Security Providers

The Security Service Provider Interfaces (SSPIs)

Security Service Provider Interface (SSPI) MBeans

Security Provider Databases

What Is a Security Provider Database?

Security Realms and Security Provider Databases

Types of Security Providers

Authentication Providers

LDAP Authentication Provider

Identity Assertion Providers

Common Secure Interoperability Version 2 (CSIv2)

Principal Validation Providers

Authorization Providers

Adjudication Providers

Role Mapping Providers

Auditing Providers

Credential Mapping Providers

Keystore Providers

WebLogic Realm Adapter Providers

Security Provider Summary

Security Providers and Security Realms

PKI

Single Sign-on

Web Tier Single Sign-On

Single Sign-On Extensions

Cross-Domain Single Sign-On

Beyond the Web Tier

Single Sign-On with Legacy Systems

Single Sign-On with Other J2EE Application Servers

The WebLogic Security Service Architecture

An Open Architecture: Multi-Vendor and Multi-Protocol Support

Architectural Overview

Security Service Framework

Principal Authenticator

Authorization Manager

Role Manager

Auditor

Credential Manager

The WebLogic Security Providers

WebLogic Authentication Provider

WebLogic Identity Assertion Provider

WebLogic Keystore Provider

WebLogic Authorization Provider

WebLogic Auditing Provider

WebLogic Role Mapping Provider

WebLogic Adjudication Provider

WebLogic Credential Mapping Provider

WebLogic Realm Adapter Providers

Advantages for Developers, Administrators, and Vendors

Benefits for Administrators

Benefits for Third-Party Security Service Providers

Benefits for Application Developers

Terminology

 
