Avitek Medical Records Development Tutorials
|
 |
 |
|
 |
 |
Moving to Production
Tutorial 16: Creating Users, Groups, and Global Security Roles
This tutorial describes how to create the users, groups, and global security roles that are required by the MedRec application.
After you finish this tutorial, you will be able to log in to all three MedRec Web applications as the appropriate type of user (administrator, patient, or physician) and start using the application.
Prerequisites
Before starting this tutorial:
- Create
MedRecDomainandMedRecServer, and startMedRecServer. See Tutorial 1: Creating a WebLogic Domain and Server Instance for Development. - Deploy the enterprise application named
MedRecEar. See Tutorial 15: Using WLST and the Administration Console to Deploy the MedRec Package for Production.
Procedure
To create the required users, groups, and security roles using the Administration Console:
- Step 1: Specify security realm settings.
- Step 2: Create groups.
- Step 3: Create users and add the users to groups.
- Step 4: Create global roles and grant the global roles to the groups.
Step 1: Specify security realm settings.
where
hostrefers to the computer on which MedRecServer is running. If your browser is on the same computer as MedRecServer, you can use the URLhttp://localhost:7101/console.- If you have not already done so, click Lock & Edit, located in the upper left Change Center window of the Administration Console.
This setting means that the WebLogic Security Service will perform security checks on all URL (Web) and EJB resources. For more information, see Understanding How to Check Security Roles and Security Policies in Securing WebLogic Resources.
- In the When Deploying Web Applications or EJBs drop-down menu, select
Ignore Roles and Policies From DD. This setting indicates that you will set security for Web Application and EJB resources in the Administration Console, not in deployment descriptors. For more information, see Understanding the On Future Redeploys Setting in Securing WebLogic Resources.
- Restart
MedRecServer. (See Starting and Stopping Servers: Quick Reference in Managing Server Startup and Shutdown.)
http://host:7101/console
Step 2: Create groups.
- In the left Domain Structure pane of the Administration Console, click MedRecDomain
—> Security Realms. The Groups table displays all groups currently defined in the WebLogic Authentication provider's database.
- Repeat steps 4 - 8 to create a group named
MedRecPatients, with a description ofMedRecPatients can log on to the MedRec Patients Web site, andDefaultAuthenticatorprovider.
Step 3: Create users and add the users to groups.
- In the left Domain Structure pane of the Administration Console, click MedRecDomain
—> Security Realms. The Users table displays all users currently defined in the WebLogic Authentication provider's database.
- Click the highlighted arrow to move the
MedRecAdminsgroup from the Available to the Chosen choice box. - Repeat steps 1 - 14 to create a user named
mary@md.com, aMedRec physicianwho also uses theweblogicpassword and theDefaultAuthenticatorprovider, and belongs in theMedRecPhysiciansgroup. - Repeat steps 1 - 14 to create a user named
larry@bball.com, aMedRec patientwho also uses theweblogicpassword and theDefaultAuthenticatorprovider, and belongs in theMedRecPatientsgroup.
Step 4: Create global roles and grant the global roles to the groups.
- In the left Domain Structure pane of the Administration Console, click MedRecDomain
—> Security Realms. The Roles table displays all global and scoped roles currently defined in the WebLogic Role Mapping provider's database.
The Global Roles table displays all global roles currently defined in the WebLogic Role Mapping provider's database.
- Repeat steps 1 - 15 to create a global role named
MedRecPatientand to grant this global role to theMedRecPatientsgroup.
Step 5: Log in to and use the MedRec applications.
Now that you have created all the required users, groups, and roles, you can actually log in to the various MedRec Web applications and start using them. First navigate to the following start page in a browser:
http://host:7101/start.jsp
In the preceding URL, host refers to the computer that hosts MedRecServer. If your browser is on the same computer as MedRecServer, you can use localhost; for example: http://localhost:7101/start.jsp.
The main MedRec application page appears. Click on the links to log in in to the different Web applications, using the following username/passwords:
- Patients—
larry@bball.com,weblogic - Administrators—
admin@avitek.com,weblogic - Physicians—
mary@md.com,weblogic
Best Practices
- The security realm settings are extremely important. If you want to secure URL (Web) resources using the WebLogic Server Administration Console rather than deployment descriptors, you must use the Check Roles and Policies/On Future Redeploys combination specified in Step 1: Specify security realm settings.
- If you have deployed an application (or module) with the On Future Redeploys drop-down menu set to Ignore Roles and Policies From DD one or more times before setting it to Initialize Roles and Policies From DD, you can still set security policies and security roles using the Administration Console. These changes will override any security specified in deployment descriptors.
- Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list for user, group, or security role names: \t, < >, #, |, &, ~, ?, ( ), { }. User, group, and security role names are case sensitive. The proper syntax for a security role name is as defined for an
Nmtokenin the Extensible Markup Language (XML) recommendation. The BEA convention is that group names are plural, and security role names are singular. - BEA recommends assigning users to groups, then creating role statements using the
Grouprole condition. Individual users could also be granted a security role, but this is a less typical practice. - BEA recommends using security roles (rather than users or groups) to secure WebLogic resources. Following this process makes it more efficient for administrators who work with large numbers of users.
The Big Picture
The MedRec application has been coded such that only certain roles are allowed to access certain modules, in particular login to Web Applications such as patient, physician, and admin. This tutorial showed you first how to create groups to represent patients, administrators, and physicians, then how to create individual users and assign them to a particular group, and finally, how to map a group to a role. Once this security configuration is in place, you can log in to the applications using the appropriate user.
You might have noticed, however, that in Step 3: Create users and add the users to groups., you did not create an actual patient user. This is because patients, along with their personal information, are stored in the PointBase database and are authenticated using a Custom DBMS Authenticator. The database also stores the group to which the user is assigned. You must, however, use the Administration Console to create the MedRecPatients group and the MedRecPatient role, and then map the group to the role.
The next tutorials show how to secure specific resources, such as Web applications and EJBs.
