Manage security for Web applications and EJBs

WebLogic Server offers a choice of models for securing each Web application or EJB. You choose a model when you deploy the Web application or EJB, and your choice is immutable for the life time of the deployment. To change the model, you must delete the Web application or EJB and re-install it.

Note: If you are implementing security using JACC (Java Authorization Contract for Containers as defined in JSR 115), you must use the J2EE standard model. Other WebLogic Server models are not available and the security functions for Web applications and EJBs in the Administration Console are disabled. See Using the Java Authorization Contract for Containers.

To manage security for Web applications and EJBs, do one of the following:

(DDOnly model) To use only roles and policies that are defined in the Web application or EJB's deployment descriptors:
Use the Install Application Assistant to deploy the Web application or EJB. When the assistant prompts you to choose a security model, select DDOnly.

See Install a Web application or Install Standalone EJBs.
(CustomRoles model) To use policies from the deployment descriptors and use role mappings that you define in the Administration Console:
1. Use the Install Application Assistant to deploy the Web application or EJB. When the assistant prompts you to choose a security model, select CustomRoles.
  See Install a Web application or Install Standalone EJBs.
2. View the list of roles that are used in the module's policies:
  1. After you deploy the module, activate your changes. See Use the Change Center.
  2. View the Policy Conditions page for each policy in the module.
    The Policy Conditions page states which role can access the protected resource. See Create policies for resource instances.
3. For each role that is named in the module's policies, create a global role or a scoped role.
  See Manage security roles.
(CustomRolesAndPolicies model) To use only the roles and policies that you define in the Administration Console:
1. Use the Install Application Assistant to deploy the Web application or EJB. When the assistant prompts you to choose a security model, select CustomRolesAndPolicies.
  See Install a Web application or Install Standalone EJBs.
2. Define roles and policies.
  See:
  - Manage security roles.
  - Manage security policies.
(Advanced model) To import security information from deployment descriptors on an initial deployment and then use the Administration Console to modify, remove, or add to these roles and polices:
(Advanced model) To re-import security data from modules that you have already deployed and already imported security data, BEA recommends that you delete the module and then reinstall it. Deleting the module ensures that all related security data is also deleted. If you do not delete the module, you risk introducing inconsistent security data. To re-import security data:
1. Delete the Web application or EJB:
  - Delete Web applications.
  - Delete EJBs.
2. Import security data from deployment descriptors.
3. Verify imported roles and Verify imported policies
4. Stop importing roles and policies.