Securing WebLogic Resources Using Roles and Policies

Introduction and Roadmap

Document Scope and Audience

Guide to This Document

Related Information

Tutorials and Samples

New and Changed Features

Understanding WebLogic Resource Security

Overview of Securing WebLogic Resources

Using Policies to Protect Multiple Resources

Protecting Policies by Type

Protecting a Hierarchy of Resources

Designing Roles and Policies for WebLogic Resources: Main Steps

Best Practices: Conditionalize Policies or Conditionalize Roles

Best Practices: Configure Entitlements Caching When Using WebLogic Providers

Resource Types You Can Secure with Policies

Administrative Resources

Application Resources

COM Resources

EJB Resources

Enterprise Information Systems (EIS) Resources

Java DataBase Connectivity (JDBC) Resources

JDBC Operations

Java Messaging Service (JMS) Resources

JMS Operations

Java Naming and Directory Interface (JNDI) Resources

JNDI Operations

JMX Resources

Maintaining a Consistent Security Scheme

Server Resources

Permissions for the weblogic.Server Command and the Node Manager

Permissions for Using the weblogic.Server Command

Permissions for Using the Node Manager

URL Resources

Web Service Resources

Work Context Resources

Options for Securing Web Application and EJB Resources

Comparison of Security Models for Web Applications and EJBs

Discussion of Each Model

Deployment Descriptor Only Model

Custom Roles Model

Custom Roles and Policies Model

Advanced Model

Understanding the Advanced Security Model

Understanding the Check Roles and Policies Setting

Understanding the When Deploying Web Applications or EJBs Setting

How the Check Roles and Policies and When Deploying Web Applications or EJBs Settings Interact

Understanding the Combined Role Mapping Enabled Setting

Usage Examples

Example for EAR, WAR and EJB

Example for EAR and WAR

Securing Web Applications and EJBs

Security Policies

Security Policy Storage and Prerequisites for Use

Default Root Level Security Policies

Security Policy Conditions

Basic Policy Conditions

Date and Time Policy Conditions

Context Element Policy Conditions

Protected Public Interfaces

Using the Administration Console to Manage Security Policies

Users, Groups, And Security Roles

Overview of Users and Groups

Default Groups

Runtime Groups

Best Practices: Add a User To the Administrators Group

Overview of Security Roles

Types of Security Roles: Global Roles and Scoped Roles

Default Global Roles

Security Role Conditions

Basic Role Conditions

Date and Time Role Conditions

Context Element Role Conditions

Using the Administration Console to Manage Users, Groups, and Roles

Using XACML Documents to Secure WebLogic Resources

Prerequisites

Adding a XACML Role or Policy to a Realm: Main Steps

Caution: Indeterminate Results Can Lock Out All Users

Determine Which Resource to Secure

Get the ID of the Resource to Secure

Create XACML Documents

Example: Defining Role Assignments

Example: Defining Authorization Policies

Use WebLogic Scripting Tool to Add the Role or Policy to the Realm

Verify That Your Roles and Policies Are in the Realm

Creating Roles and Polices for Custom MBeans

Determine the Resource IDs for a Custom MBean

Exporting Roles and Policies to XACML Documents

Reference for XACML on WebLogic Server

Comparison of WebLogic Server and XACML Security Models

Comparison of Terminology

Description of Data Types

Action Identifiers

Examples

Environment Identifiers

Examples

Policy and PolicySet Identifiers

Examples

Resource Identifiers

Examples

Subject Identifiers

Examples

WebLogic Server Functions for XACML

Custom Data Type Variants

Examples

Miscellaneous Functions

Example

Time/Date Conversions

Arithmetic Conversions and Functions

Object Type Conversions

Object Comparisons

String Comparisons and Manipulations

Rule and Policy-Combining Algorithm