The following overview sets out the aims of security and the security technologies available in WebLogic Workshop.
All security technologies are designed to achieve three basic goals.
The topics below provide detailed information to help you implement a security strategy for your WebLogic Workshop application.
WebLogic Workshop offers three main areas of security technology:
Transport security refers to the mechanisms used to enable the HTTP protocol to operate over a secure transport connection. Transport security lets you secure your web resources through SSL, username/password authentication, and client digital certificates.
An advantage of transport security is that it is well known and relatively easy to implement. A disadvantage is that data is secured only while it is in transport over the wire. The transport security mechanisms no longer apply once the data has reached the recipient, so if the data is logged on the recipient's machine, its confidentiality may be at risk. This is not the case with Web service security, where the security mechanisms are applied to the data itself.
For detailed information on implementing SSL and client certificates see Transport Security. For detailed information on implementing username/password authentication see Username/Password Authentication.
Web service security provides message-level security for web services through an implementation of the OASIS Web Service Security standard. Web service security, often referred to as "WS-Security" or simply "WSSE", lets you secure the SOAP messages that pass between web services with security tokens (username and password), digital signatures, and encryption.
An advantage of WS-Security is that the security mechanisms are applied to the SOAP messages that pass between web services, so they apply both while the SOAP message is in transit and once the message has arrived at the recipient's machine.
The disadvantages of WS-Security are that it is not a widely used form of security and it is relatively more difficult to implement than the analogous transport security technologies. For example, users must be familiar with some of the inner workings of the Public Key Infrastructure (PKI) to effectively use WS-Security's encryption and digital signature technologies.
For detailed information on implementing Web service security, see Web Service Security.
Role-based security lets you secure a web resource by restricting access to only those users who have been granted a particular security role. For detailed information on role-based security, see Role-Based Security.
The following samples illustrate WebLogic Workshop's security technologies.
BasicAuthentication.jws Sample
HelloWorldSecureClient.jws Sample