Securing WebLogic Resources

Understanding WebLogic Resource Security

This chapter describes how resource security works and outlines the main tasks for securing WebLogic Server resources.

Overview of Securing WebLogic Resources

WebLogic Server security includes many unique terms and concepts. These terms and concepts, which you will encounter throughout the WebLogic Server security documentation, are defined in the Security Fundamentals and Terminology sections of Understanding WebLogic Security.

A WebLogic resource represents an underlying WebLogic Server entity that can be protected from unauthorized access using security roles and security policies. Examples of WebLogic resources include enterprise applications (EARs), EJBs (JARs), and Web applications (WARs). For more information about the different types of WebLogic resources, see Types of WebLogic Resources.

Resource Security Process

Figure 2-1 illustrates the overall process for securing WebLogic resources, and a brief explanation follows.

Figure 2-1 Securing WebLogic Resources

  1. Administrators statically assign users to groups, which can represent organizational boundaries. The same user can be a member of multiple groups. Figure 2-1 shows three groups with two users each. User 1 and User 3 are members of multiple groups.

  Note: BEA recommends assigning users to groups because doing so increases efficiency for administrators who work with many users.

  2. Administrators create a security role based on their organization's established business procedures. The security role consists of one or more role statements, each of which includes a role condition. The role condition specifies the circumstances under which a particular group should be granted the security role.
  3. At runtime, the WebLogic Security Service compares the groups against the role condition(s) to determine whether users in the group should be dynamically granted a security role. This process is referred to as role mapping. In Figure 2-1, Group 2 is the only group that is granted a security role.

  Note: Individual users can also be granted a security role, but this is a less typical practice.

  4. Administrators create a security policy based on their organization's established business procedures. The security policy consists of one or more policy statements, each of which includes a policy condition. The policy condition specifies the circumstances under which a particular security role should be granted access to a protected WebLogic resource.
  5. At runtime, the WebLogic Security Service uses the security policy and the WebLogic resource itself to determine whether access to the protected WebLogic resource should be granted. Only users who are members of the group that is granted the security role can access the WebLogic resource. In Figure 2-1, User 3 and User 6 can access the protected WebLogic resource because they are members of Group 2, and Group 2 is granted the necessary security role.
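To make the two runtime stages concrete, here is a small model of the process above, written as an added example; it is not code from the WebLogic documentation or from the product. It encodes group memberships matching the description of Figure 2-1 (the exact assignment of Users 1, 2, 3 and 6 to Groups 1 to 3 is constructed to fit the text), a constructed role named Approver whose single role statement is the condition "member of Group 2", and a constructed policy protecting a resource named /orders. Roles are mapped at request time from the caller's groups, and the policy is then evaluated against the mapped roles. Denying access to a resource that has no policy is a simplifying assumption of this model, not a statement about WebLogic's default behavior.

```python
"""Toy model of the resource-security process in Figure 2-1.

Added example, not code from the WebLogic documentation or the product.
It models the two runtime stages the chapter describes, role mapping and
policy evaluation, over constructed users, groups, a role and a policy.
All names (User 1..6, Group 1..3, the Approver role, /orders) are
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Set

# A role condition is a predicate over the caller: user name and group set.
Condition = Callable[[str, FrozenSet[str]], bool]


def group_condition(group_name: str) -> Condition:
    """Condition satisfied when the caller is a member of group_name."""
    return lambda user, groups: group_name in groups


def user_condition(user_name: str) -> Condition:
    """Condition satisfied for one individual user (the less typical case)."""
    return lambda user, groups: user == user_name


@dataclass
class SecurityRole:
    name: str
    statements: List[Condition]   # role statements: any true one grants the role


@dataclass
class SecurityPolicy:
    resource: str
    allowed_roles: Set[str]       # policy statement: caller needs one of these


@dataclass
class Realm:
    # Static data an administrator configures ahead of time.
    memberships: Dict[str, Set[str]] = field(default_factory=dict)       # user -> groups
    roles: List[SecurityRole] = field(default_factory=list)
    policies: Dict[str, SecurityPolicy] = field(default_factory=dict)     # resource -> policy

    def groups_of(self, user: str) -> FrozenSet[str]:
        return frozenset(self.memberships.get(user, set()))

    def map_roles(self, user: str) -> Set[str]:
        """Role mapping: compute, at request time, which roles the caller holds."""
        groups = self.groups_of(user)
        return {
            role.name
            for role in self.roles
            if any(cond(user, groups) for cond in role.statements)
        }

    def is_access_allowed(self, user: str, resource: str) -> bool:
        """Policy evaluation: grant access only if a mapped role satisfies the policy."""
        policy = self.policies.get(resource)
        if policy is None:
            # Assumption of this model: a resource with no policy is denied.
            return False
        return bool(self.map_roles(user) & policy.allowed_roles)


def figure_realm() -> Realm:
    """Constructed realm consistent with the description of Figure 2-1."""
    realm = Realm()
    realm.memberships = {
        "User 1": {"Group 1", "Group 3"},   # member of multiple groups
        "User 2": {"Group 1"},
        "User 3": {"Group 2", "Group 3"},   # member of multiple groups
        "User 6": {"Group 2"},
    }
    # Role statement: members of Group 2 are granted the constructed Approver role.
    realm.roles = [SecurityRole("Approver", [group_condition("Group 2")])]
    # Policy: only Approver may access the constructed /orders resource.
    realm.policies = {"/orders": SecurityPolicy("/orders", {"Approver"})}
    return realm


if __name__ == "__main__":
    realm = figure_realm()
    for user in sorted(realm.memberships):
        print(user, sorted(realm.map_roles(user)),
              realm.is_access_allowed(user, "/orders"))
```

Running the module prints, for each user, the mapped roles and the access decision for /orders; only User 3 and User 6 are granted access, matching the figure, because Group 2 is the only group whose membership satisfies a role condition. The user_condition helper covers the less typical case from the note above, where a role statement names an individual user rather than a group.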

Securing WebLogic Resources: Main Steps

The main steps for securing a WebLogic resource are:

  1. Determine which WebLogic resource to secure. For more information, see Types of WebLogic Resources.
  2. If you want to secure any WebLogic resource except a Web application or EJB, go to step 4.
  3. If you want to secure a Web application or EJB resource, you have a choice of security techniques and models. See Options for Securing EJB and Web Application Resources.
    1. Decide which security technique to use. See Choose a Security Technique.
    2. When you deploy your application, choose one of the security models. See Choose a Security Model.

    Note: If you choose the Advanced security model (compatible with WebLogic Server 8.x), you might need to reset some realm configurations. See Using the Advanced Security Model.

    3. If you want to use the WebLogic Server Administration Console to secure your Web application or EJB resource, see step 4.
    4. If you want to use deployment descriptors to secure your Web application or EJB resource, see Adding Declarative Security to Web Applications or Adding Declarative Security to EJBs in Programming WebLogic Security, respectively.
  4. Use the Administration Console to secure your WebLogic resource:
    1. Create users and groups—representations of individuals and collections of individuals—who may be granted a security role. For more information, see Manage Users and Groups in Administration Console Online Help.
    2. Create security roles—dynamically computed privileges granted to users or groups based on specific conditions—which are used to restrict access to WebLogic resources. For more information, see Manage Security Roles in Administration Console Online Help.

    Note: For information about expressions that you can use to define security roles, see Components of a Security Role: Conditions, Expressions, and Statements.

    3. Create a security policy—an association between the WebLogic resource and a user, group, or security role—that specifies who has access to the WebLogic resource. For more information, see Manage Security Policies in Administration Console Online Help.

    Note: For information about expressions that you can use to define security policies, see Components of a Security Policy: Conditions, Expressions, and Statements.
