Overview of Security Management

The following sections provide an overview of the new security subsystem for WebLogic Server including the differences between WebLogic Server 6.x and WebLogic Server 7.0.

• Audience
• How Security Changed in WebLogic Server 7.0
• The Default Security Configuration in WebLogic Server 7.0
• Configuration Steps for Security
• What Is Compatibility Security?
• Management Tasks Available in Compatibility Security

Note: Throughout this document, the term 6.x refers to WebLogic Server 6.0 and 6.1 and their associated Service Packs.

 

---

Audience

Managing WebLogic Security is intended for system administrators responsible for securing WebLogic Server.

 

---

How Security Changed in WebLogic Server 7.0

WebLogic Server 7.0 offers a new security service that simplifies the configuration and management of security while offering robust capabilities for securing your WebLogic Server deployment. This section describes how the security service changed in WebLogic Server 7.0.

Change in Scope of Security Realms

In WebLogic Server 6.x, security realms provided authentication and authorization services. You chose from the File realm or a set of alternative security realms including the Lightweight Data Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. If you wanted to customize authentication, you could write you own security realm and integrate it into the WebLogic Server environment. A security realm applied to a domain and you could not have multiple security realms in a domain.

In WebLogic Server 7.0, security realms act as a scoping mechanism. Each security realm consists of a set of configured security providers, users, groups, roles, and security policies. You can configure multiple security realms in a domain, however, only one can be the default (active) security realm. WebLogic Server provides two default security realms:

• myrealm—Has the WebLogic Authentication, Identity Assertion, Authorization, Adjudication, Role Mapping, and Credential Mapping providers configured by default.
• Compatibility realm—Provides backward compatibility for 6.x security configurations. You can access an existing 6.x security configuration through the Compatibility realm.

You can no longer write a custom security realm using the application programming interfaces in WebLogic Server 7.0; rather, you configure a new security realm to provide the security services you want and then set the new security realm as the default security realm.

For information about the default security configuration in WebLogic Server, see The Default Security Configuration in WebLogic Server 7.0.

For information about configuring a security realm and setting it as the default security realm, see [xref]

For information about using Compatibility security, see Using Compatibility Security.

What Are Security Providers?

Security providers are modular components that handle specific aspects of security, such as authentication and authorization. Although applications can leverage the services offered via the default WebLogic security providers, the WebLogic Security Service flexible infrastructure also allows security vendors to write their own custom security providers for use with WebLogic Server. WebLogic security providers and custom security providers can be mixed and matched to create unique security solutions, allowing organizations to take advantage of new technology advances in some areas while retaining proven methods in others. The WebLogic Server Administration Console (referred to as the Administration Console) allows you to administer and manage all your security providers through one unified management interface.

The WebLogic Security Service supports the following types of security providers:

• Auditing—Auditing is the process whereby information about operating requests and the outcome of those requests are collected, stored, and distributed for the purpose of non repudiation. In other words, auditing provides an electronic trail of computer activity. The WebLogic Auditing provider supplies these services.
• Authentication—Authentication is the process whereby the identity or users or system processes are proved or verified. Authentication also involves remembering, transporting, and making identity information available to various components of a system when that information is needed. The WebLogic Security Service supports the following types of authentication:
• Username and password authentication
• Certificate-based authentication directly with WebLogic Server
• HTTP certificate-based authentication proxied through an external Web server

The WebLogic Authentication provider supplies these services.

• Identity Assertion—An Authentication provider that performs perimeter authentication is called an Identity Assertion provider. Identity assertion involves establishing a client's identity through the use of client-supplied tokens that may exist outside of the request. Thus, the function of an Identity Assertion provider is to validate and map a token to a username. Once this mapping is complete, a JAAS LoginModule converts the username to a Principal. The WebLogic Identity Assertion provider supplies these services.
• Authorization—Authorization is the process whereby the interactions between users and WebLogic resources are limited to ensure integrity, confidentiality, and availability. In other words, authorization is responsible for controlling access to WebLogic resources based on user identity or other information. The WebLogic Authorization provider supplies these services.
• Adjudication—When multiple Authorization providers are configured in a security realm, each may return a different answer to the "is access allowed" question for a given resource. Determining what to do if multiple Authorization providers do not agree is the primary function of an Adjudication provider. Adjudication providers resolve authorization conflicts by weighting each Authorization provider's answer and returning a final decision.
• Role Mapping—Obtains a computed set of rules granted to a requestor for a given resource. Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security (that is, Web applications and Enterprise JavaBeans (EJBs).
• Credential Mapping—Credential mapping is the process whereby a legacy system's authentication mechanism is used to obtain an appropriate set of credentials to authenticate users to a target resource. A Credential Mapping provider supplies credential mapping services and bring new types of credentials into the WebLogic Server environment.

For information about the functionality provided by the WebLogic security providers, see The WebLogic Security Providers in the Introduction to WebLogic Security.

For information about the default security configuration, see The Default Security Configuration in WebLogic Server 7.0

For information about writing a custom security provider, see Developing Security Providers for WebLogic Server.

Security Policies Instead of ACLs

In WebLogic Server 6.x, access control lists (ACLs) and permissions were used to protect WebLogic resources. In WebLogic Server 7.0, security policies replace ACLs and permissions. Security policies answer the question "who has access" to a WebLogic resource. A security policy is created when you define an association between a WebLogic resource and a user, group, or role. You can also optionally associate a time constraint with a security policy. A WebLogic resource has no protection until you assign it a security policy.

For information about creating security policies, see Protecting WebLogic Resources.

For information about using ACLs in Compatibility security, see Defining ACLs in the Compatibility Realm.

WebLogic Resources

WebLogic Server defines the following resources:

• Administrative resources such as the WebLogic Server Administration Console (referred to as the Administration Console) and the weblogic.Admin tool.
• Application resources (including individual EAR files)
• COM resources
• EIS resources
• EJB resources (including individual EJB method, components, and JAR files)
• JDBC resources
• JNDI resources
• JMS resources
• MBean resources
• Server resources
• Web resources (including individual WAR files)
• Web Services resources

Deployment Descriptors and the WebLogic Security Providers

The WebLogic Security Service now uses information defined in deployment descriptors to grant roles and define security policies for WebLogic resources and create credentials maps for remote users wanting to access WebLogic resources. When WebLogic Server is booted for the first time, role, security policy, and credential map information stored in weblogic.xml, weblogic-ejb-jar.xml, and weblogic-ra.xml files is loaded into the Authorization, Role Mapping, and Credential Mapping providers configured in the default security realm. Changes to the information can then be made through the Administration Console.

To use information in deployment descriptors, at least one Authorization, Credential Mapping, and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider, DeployableCredentialProvider, and DeployableRoleProvider Security Service Provider Interface (SSPI). This SSPI allows the providers to store (rather than retrieve) information from deployment descriptors. By default, the WebLogic Authorization, Role Mapping, and Credential Mapping providers implement this SSPI.

If you change role, security policy, and credential map information in deployment descriptors through the Administration Console, use the Ignore Security Data in Deployment Descriptors attribute to ensure changes made through the Administration Console are not overwritten by old information in the deployment descriptors.

For more information, see Preventing Overwriting of Administration Console Changes.

 

---

The Default Security Configuration in WebLogic Server 7.0

To simplify the configuration and management of security in WebLogic Server, a default security realm (myrealm) is provided. The default security realm has WebLogic Authentication, Identity Assertion, Authorization, Adjudication, Role Mapping, and Credential Mapping providers configured. When using the default security configuration, you only need to define groups, users, and roles for the security realm and create security policies for the WebLogic resources in the domain. You also need to verify that the configuration of the embedded LDAP server configuration is appropriate for your use. Optionally, you can configure an Auditing provider for the default realm.

For a description of the functionality provided by the WebLogic Security providers, see The WebLogic Security providers in Introduction to WebLogic Security. If the WebLogic security providers do not fully meet your security requirements, you can supplement or replace them. For more information, see Developing Security Services for WebLogic Server.

If the default security configuration does not meet your requirements, you can create a new security realm with any combination of WebLogic and custom security providers and then set the new security realm as the default security realm. For more information, see Customizing the Default Security Configuration

 

---

Configuration Steps for Security

Because the security features are closely related, it is difficult to determine where to start when configuring security. In fact, configuring security for your WebLogic Server deployment may be an iterative process. Although more than one sequence of steps may work, BEA Systems recommends the following procedure:

1. Determine whether or not to use the default security configuration by reading Why Customize the Default Security Configuration?.
   • If you are using the default security configuration, begin at step 3.
   • If you are not using the default security configuration, begin at step 2.
2. Change the configuration of the default security realm or create a new security realm. This step is optional. See [xref].
3. Define groups for the default security realm. See Defining Groups.
4. Define users for the default security realm. See Defining Users.
5. Define global roles for the default security realm.
6. Grant users and groups the global roles. See Defining Global Roles.
7. Protect WebLogic resources with roles (either global or scoped) and security policies. See Protecting WebLogic Resources.
8. Configure the embedded LDAP server. See Configuring the Embedded LDAP Server.
9. Configure the SSL protocol. (This step is optional but encouraged.) For more information, see Configuring the SSL Protocol.
10. Set attributes for logging security information. By default, WebLogic Server enables the logging of security information. However, you should review the attributes and their settings to ensure they are appropriate for your environment.

In addition, you can:

• Map a WebLogic Server user defined in the configured Authentication provider to credentials for another system (for example, the username and password for an Oracle database). See Providing WebLogic Server Users Access to Other Applications.
• Configure a connection filter. See Configuring Connection Filtering.
• Enable interoperability between WebLogic domains. See Enabling Trust Between WebLogic Domains.

 

---

What Is Compatibility Security?

Compatibility security refers to the capability to run security configurations from WebLogic Server 6.x in WebLogic Server 7.0. In Compatibility security, you configure 6.x security realms, define users, groups, and ACLs, manage the protection of user accounts, and install custom auditing providers.

The only security realm available in Compatibility security is the Compatibility realm. The Realm Adapter providers in the Compatibility realm allow backward compatibility to the authentication and authorization services in 6.x security realms. You must run Compatibility security in order to access the Compatibility realm and the Realm Adapter providers through the WebLogic Server Administration Console (referred to as the Administration Console). For more information, see Using Compatibility Security.

 

---

Management Tasks Available in Compatibility Security

Because Compatibility security only allows you to access authentication, authorization, and custom auditing services supported in WebLogic Server 6.x, not all 6.x security tasks are allowed in Compatibility security. Use Compatibility security to:

1. Change the password of the system user to protect your WebLogic Server deployment.
2. Change the security realm in the Compatibility realm. By default, WebLogic Server is installed with the File realm in place. However, you may prefer an alternate security realm or a custom security realm.
3. Define users for the security realm in the Compatibility realm. Organize users further by implementing groups in the security realm.
4. Define ACLs and permissions for the resources in your WebLogic Server deployment.

You can still use the SSL protocol, configure connection filters, and enable interoperability between domains; however, you use the security features available in WebLogic Server 7.0 to perform these tasks. For more information, see:

• Configuring the SSL Protocol
• Configuring Security for a WebLogic Domain