This tutorial describes how to secure URL (Web) resources using the Administration Console. It also provides procedures for creating security policies for URL (Web) resource hierarchies.
After you finish this tutorial, the security for the MedRec application running on the domain you created for these tutorials will be the same as the security configured for the out-of-the-box MedRec application and domain.
Before starting this tutorial, create MedRecDomain and MedRecServer, and start MedRecServer. See Tutorial 1: Creating a WebLogic Domain and Server Instance for Development.
To secure URL (Web) resources by using the Administration Console:
With MedRecServer running, open the Administration Console by navigating in a browser to http://host:7101/console, where host refers to the computer on which MedRecServer is running. If your browser is on the same computer as MedRecServer, then you can use the URL http://localhost:7101/console.
Enter weblogic for both the username and password and click Log In.
Navigate to the medrecEar application and select its patient Web application module. An assistant appears that enables you to create a security policy for this particular Web Application or for a particular component within the Web Application.
Enter *.do in the URL Pattern field. The URL pattern *.do secures all components that have a .do suffix.
For the *.do URL pattern, add a policy condition of type Role with the role name MedRecPatient. This policy specifies that only users with the MedRecPatient role are allowed to access these components.
The Policy Conditions section now includes the entry Role MedRecPatient, and the Overwritten Policy section includes the entry Group everyone.
In the same way, create a policy specifying that only users with the MedRecPatient role can access URL resources with the suffix *.jsp.
The Policy Conditions section includes the entry Role MedRecPatient, and the Overwritten Policy section includes the entry Group everyone.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called login.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecPatient.
The Anonymous role, unlike MedRecPatient, is a default global role that is predefined in WebLogic Server. This step overrides the security policy you previously defined for all *.do URL resources so that every user, regardless of their role, is allowed to view the login.do page.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called error.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecPatient.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called register.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecPatient.
When you are finished, the patient Web application should include the following URL Pattern entries: *.do, *.jsp, login.do, error.do, and register.do.
To test the policies, navigate in a browser to http://host:7101/patient, where host refers to the computer hosting MedRecServer. If your browser is on the same computer, then you can use the URL http://localhost:7101/patient.
The browser prompts you for a username and password. In the username field, type mary@md.com, and in the password field, type weblogic, then click Login.
The login page returns the error Invalid User Name and/or Password and re-prompts you for a username and password. (If this is the first time you use the browser to navigate to this screen, it might also request information about the digital certificate being used by the application.)
In the username field, type larry@bball.com, and in the password field, type weblogic, then click Login. The browser displays information for the larry@bball.com patient, whose full name is Larry Parrot.
User mary@md.com was denied access because you created a security policy for the patient Web Application based on the global security role MedRecPatient, which user larry@bball.com is granted but user mary@md.com is not.
To secure the admin Web application module of medrecEar:
Navigate to the medrecEar application and select its admin Web application module. An assistant enables you to create a security policy for this particular Web Application or for a particular component within the Web Application.
Enter *.do in the URL Pattern field. The URL pattern *.do secures all components that have a .do suffix.
For the *.do URL pattern, add a policy condition of type Role with the role name MedRecAdmin. This policy specifies that only users with the MedRecAdmin role are allowed to access these components.
The Policy Conditions section now includes the entry Role MedRecAdmin, and the Overwritten Policy section includes the entry Group everyone.
In the same way, create a policy specifying that only users with the MedRecAdmin role can access URL resources with the suffix *.jsp.
The Policy Conditions section includes the entry Role MedRecAdmin, and the Overwritten Policy section includes the entry Group everyone.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called login.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecAdmin.
The Anonymous role, unlike MedRecAdmin, is a default global role that is predefined in WebLogic Server. This step overrides the security policy you previously defined for all *.do URL resources so that every user, regardless of their role, is allowed to view the login.do page.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called error.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecAdmin.
When you are finished, the admin Web application should include the following URL Pattern entries: *.do, *.jsp, login.do, and error.do.
To test the policies, navigate in a browser to http://host:7101/admin, where host refers to the computer hosting MedRecServer. If your browser is on the same computer, then you can use the URL http://localhost:7101/admin.
The browser prompts you for a username and password. In the username field, type mary@md.com, and in the password field, type weblogic, then click Login.
The login page returns the error Invalid User Name and/or Password and re-prompts you for a username and password. (If this is the first time you use the browser to navigate to this screen, it might also request information about the digital certificate being used by the application.)
In the username field, type admin@avitek.com, and in the password field, type weblogic, then click Login. The browser displays a list of administration tasks.
User mary@md.com was denied access because you created a security policy for the admin Web Application based on the global security role MedRecAdmin, which user admin@avitek.com is granted but user mary@md.com is not.
To secure the physician Web application module of physicianEar:
Navigate to the physicianEar application and select its physician Web application module. An assistant enables you to create a security policy for this particular Web Application or for a particular component within the Web Application.
Enter *.do in the URL Pattern field. The URL pattern *.do secures all components that have a .do suffix.
For the *.do URL pattern, add a policy condition of type Role with the role name MedRecPhysician. This policy specifies that only users with the MedRecPhysician role are allowed to access these components.
The Policy Conditions section now includes the entry Role MedRecPhysician, and the Overwritten Policy section includes the entry Group everyone.
In the same way, create a policy specifying that only users with the MedRecPhysician role can access URL resources with the suffix *.jsp.
The Policy Conditions section includes the entry Role MedRecPhysician, and the Overwritten Policy section includes the entry Group everyone.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called login.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecPhysician.
The Anonymous role, unlike MedRecPhysician, is a default global role that is predefined in WebLogic Server. This step overrides the security policy you previously defined for all *.do URL resources so that every user, regardless of their role, is allowed to view the login.do page.
Create a policy specifying that users with the Anonymous role can access the specific URL resource called error.do.
The Policy Conditions section includes the entry Role Anonymous, and the Overwritten Policy section includes the entry Role MedRecPhysician.
When you are finished, the physician Web application should include the following URL Pattern entries: *.do, *.jsp, login.do, and error.do.
To test the policies, navigate in a browser to http://host:7101/physician, where host refers to the computer hosting MedRecServer. If your browser is on the same computer, then you can use the URL http://localhost:7101/physician.
The browser prompts you for a username and password. In the username field, type larry@bball.com, and in the password field, type weblogic, then click Login. The login is denied.
Navigate to the http://host:7101/physician page again, and this time enter mary@md.com in the username field and weblogic in the password field, then click Login. The browser displays a search page to look up patient information.
User larry@bball.com was denied access because you created a security policy for the physician Web Application based on the global security role MedRecPhysician, which user mary@md.com is granted but user larry@bball.com is not.
Note that a security policy on a specific resource (login.do) in a Web application overrides a security policy on a group of resources (*.do). Take care when overriding with less restrictive security policies (that is, giving a wider set of users access to a smaller set of components or WebLogic resources).
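The following is an added example, not code from WebLogic or the MedRec application: a small simulation of how the URL-pattern policies created in this tutorial resolve against each other. It encodes the policies from the three modules above and the most-specific-wins rule (an exact resource name such as login.do beats a suffix pattern such as *.do, which in turn beats the default Group everyone policy). The role memberships are assumed from the tutorial's test logins, and resource names such as view.do are constructed for illustration.

```python
"""Simulate WebLogic-style URL resource policy resolution (added example)."""
from fnmatch import fnmatchcase

# Role membership as the tutorial's test logins demonstrate (assumption).
USER_ROLES = {
    "mary@md.com": {"MedRecPhysician"},
    "larry@bball.com": {"MedRecPatient"},
    "admin@avitek.com": {"MedRecAdmin"},
}
ANONYMOUS = "Anonymous"  # predefined global role that every caller holds

# Per-module policies from the tutorial: URL pattern -> required role.
# Any resource matched by no entry falls back to the default "Group everyone".
POLICIES = {
    "patient": {"*.do": "MedRecPatient", "*.jsp": "MedRecPatient",
                "login.do": ANONYMOUS, "error.do": ANONYMOUS,
                "register.do": ANONYMOUS},
    "admin": {"*.do": "MedRecAdmin", "*.jsp": "MedRecAdmin",
              "login.do": ANONYMOUS, "error.do": ANONYMOUS},
    "physician": {"*.do": "MedRecPhysician", "*.jsp": "MedRecPhysician",
                  "login.do": ANONYMOUS, "error.do": ANONYMOUS},
}


def effective_policy(module, resource):
    """Return (pattern, required_role) governing `resource` in `module`.

    An exact resource entry overrides a wildcard pattern; (None, None)
    means the default Group everyone policy applies.
    """
    rules = POLICIES[module]
    if resource in rules:  # specific resource such as login.do wins
        return resource, rules[resource]
    for pattern, role in rules.items():
        if "*" in pattern and fnmatchcase(resource, pattern):
            return pattern, role
    return None, None


def is_allowed(module, resource, user=None):
    """True if `user` (None = unauthenticated caller) may access the resource."""
    _, role = effective_policy(module, resource)
    if role is None or role == ANONYMOUS:  # Group everyone / Anonymous role
        return True
    return user is not None and role in USER_ROLES.get(user, set())


if __name__ == "__main__":
    for user in (None, "mary@md.com", "larry@bball.com"):
        for res in ("login.do", "view.do", "help.html"):  # constructed names
            print(f"patient/{res:10} {str(user):18} {is_allowed('patient', res, user)}")
```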
This tutorial shows you how to secure various URL (Web) resources using the same security as that of the out-of-the-box MedRec application.