For Web applications and EJBs, this task is not valid if you are using the DDOnly security model. With this model, the resource ignores policies that you create in the Administration Console. See Manage security for Web applications and EJBs.

You can create a security policy that applies to a specific resource instance. If the instance contains other resources, the policy applies to the included resources as well.

If policies conflict, the policy of the narrower scope overrides the policy of the broader scope. For example, if you create a security policy for an EAR and a policy for an EJB that is in the EAR, and the policies conflict, the EJB will be protected by its own policy and will ignore the policy for the EAR. For more information, see Manage security

To create a security policy for a specific instance of a WebLogic

Edit Policies page for the resource

Each resource instance provides its own Edit Policies page, and you can access it through any of several navigational paths.

For other resource instances, a recommended path

In the left pane of the Administration Console, select

On the Summary of Security Realms page, select the name of the realm in which you want to secure the resource (for example, myrealm).

On the Settings page, select the Roles and Policies tab. Then select the

The Roles and Policies: Policies page organizes all of the domain's resources and corresponding policies in a hierarchical tree control.

On the Roles and Policies: Policies page, in the Policies table, expand the nodes in the Names column until you find the resource instance that you want to secure.

For information on finding resources in the Names column, see Column Display.

Do one of the following:

If the Policy column for the resource instance contains a View Policy link, click the link. The presence of this link means that a policy has already been created for the resource instance. You can modify this policy to suit your

If the Policies table does not already list a URL pattern that you want to secure, create a new URL pattern by selecting the name of the URL

Otherwise, click the radio button next to the resource instance. Then click the Create Policy

The Administration Console displays the resource's Edit Policies page.

On the Edit Policies page, if you have configured more than one authorization provider for the realm, from the Authorization Providers list, select the provider you want to use to secure this resource.

On the Edit Policies page, click Add Conditions.

On the Choose a Predicate page, in the Predicate List, select a condition.

BEA recommends that you use the Role condition where possible. Basing conditions on security roles enables you to create one security policy that takes into account multiple users or groups, and is a more efficient method of

steps depend on the condition that you chose:

If you selected Role, click Next, enter the name of a security role in the argument field, and click Add. If the security role that you name does not already exist, create one by that name after you finish creating policies.

If you selected Group or User, click Next, enter a name in the argument field, and click Add. If the user or group that you name does not already exist, create one by that name.

If you selected a boolean predicate (Server is in development mode, Allow access to everyone, or Deny access to everyone), there are no arguments to enter. Click Finish and go to step 10.

If you selected a context predicate, such as Context element's name equals a numeric constant, click Next and enter the context name and an appropriate value. It is your responsibility to ensure that the context name and/or value exists at

If you selected a time-constrained predicate, such as Access occurs between specified hours, click Next and provide values for the Edit Arguments fields.

Create additional conditions.

(Optional) The WebLogic Security Service evaluates conditions in the order they appear in the list. To change the order, select the check box next to a condition and click the Move Up or Move Down button.

Use other buttons in the Policy Conditions section to specify relationships between the conditions:

Select And/Or between expressions to switch the and /

Click Combine or Uncombine to merge or unmerge selected

Click Negate to make a condition negative; for example, NOT Group Operators excludes the Operators group from the role.

The policy appears on the Roles and Policies: Policies page in the Policies

After you finish

If your policies grant access to roles, specify users and groups for your roles. See Manage security
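
The scope rule and the condition operators described on this page, as an added Python sketch (not WebLogic code or a WebLogic API). The resource names, subjects and the deny-when-no-policy default are constructed assumptions; the point it shows is that a resource's own policy replaces, rather than adds to, the policy of the container it sits in.

```python
# Added illustration: a toy model, not WebLogic code and not a WebLogic API.
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()

# Conditions are predicates over a Subject, named after the console's predicates.
def role(name):      return lambda s: name in s.roles
def group(name):     return lambda s: name in s.groups
def negate(cond):    return lambda s: not cond(s)                # Negate
def all_of(*conds):  return lambda s: all(c(s) for c in conds)   # "and"
def any_of(*conds):  return lambda s: any(c(s) for c in conds)   # "or"

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    policy: Optional[Callable] = None    # None: no policy of its own

def effective_policy(res):
    """Walk from the resource toward the root; the narrowest policy wins."""
    node = res
    while node is not None and node.policy is None:
        node = node.parent
    return (node.name, node.policy) if node is not None else (None, None)

def is_allowed(res, subject):
    _, policy = effective_policy(res)
    # Assumption of this sketch: no policy anywhere in the chain means deny.
    return policy is not None and policy(subject)

# Constructed sample: an EAR policy, an EJB with its own policy, a WAR with none.
ear = Resource("payroll.ear", policy=role("Admin"))
ejb = Resource("PayrollBean", ear, all_of(role("Clerk"), negate(group("Operators"))))
war = Resource("payroll.war", ear)

def demo():
    subjects = [Subject("alice", roles=frozenset({"Admin"})),
                Subject("bob", roles=frozenset({"Clerk"})),
                Subject("carol", frozenset({"Operators"}), frozenset({"Clerk"}))]
    return {(r.name, s.user): is_allowed(r, s) for r in (ear, ejb, war) for s in subjects}

if __name__ == "__main__":
    for key, allowed in demo().items():
        print(key, "allow" if allowed else "deny")
```

In this model alice, who holds the role named in the EAR policy, is denied on the EJB, because the EJB's own policy is the only one consulted for it. Review narrower policies with that in mind when you expect a container-level grant to carry through.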