This chapter describes the most important changes introduced in releases 11gR1, 11gR1 PS1, 11gR1 PS2, and 11gR1+.
The features introduced in release 11gR1+ include the following:
Oracle Authorization Policy Manager, a tool to manage application security artifacts. The set of available tools to administer application security is expanded to Oracle WebLogic Administration Console, Oracle Enterprise Manager Fusion Middleware Control, WSLT commands, and Oracle Authorization Policy Manager.
New material in this guide includes:
An appendix that lists all security-related WLST commands. For details, see Appendix I, "WLST Security Commands."
The features introduced in release 11gR1 PS2 include the following:
The Resource Catalog, a way of specifying resource types, resources, actions, and entitlements in an application policy grant. Starting with this release, OPSS supports resource-based policies with the introduction of the resource catalog. For details see Section 17.2.1, "The Resource Catalog," and Appendix B, "File-Based Identity and Policy Store Reference".
Instructions for developing custom User and Role providers. For details, see Section 18.10, "Developing Custom User and Role Providers" and Section 18.9, "The User and Role API Reference."
Use of the class ResourcePermission in permissions. For details, see Section 17.2.1.2.2, "Resource Permissions."
New WLST commands to manage resource types. For details, see Section 7.4.2, "Managing Policies with WLST Commands."
The system property jps.deployment.handler.disabled
of the Oracle WebLogic Server has been introduced. For details, see Section 6.5.2, "Migrating Policies and Credentials at Deployment," and Section F.1, "OPSS System Properties."
A new use of the command upgradeSecurityStore
. For details, see Section G.1.1.4, "Example 4 - Upgrading File-Based Policies to Use the Resource Catalog.".
A new argument to the command migrateSecurityStore
to control the migration behavior upon encountering duplicate items. It applies only when migrating application policies. For details, see Section 7.3.2, "Migrating Policies with the Command migrateSecurityStore."
The features introduced in release 11gR1 PS1 include the following:
The class Resource Permission. For details, see Section 17.2.1.2.2, "Resource Permissions."
Principal name comparison has been enhanced. For details, see Section 2.7, "Principal Name Comparison Logic."
Manual settings for policy migration have been simplified. In particular, versioning the application is no longer required. For details, see Section 14.4.1, "Parameters Controlling Policy Migration," and Section 14.4.2, "Policy Parameter Configuration According to Behavior."
The WLST command migrateSecurityStore
supports the embedded LDAP store as a target. For details, see Section 14.4.8, "Migrating Identities with the Command migrateSecurityStore."
The configuration of the identity store has been simplified. For example, previously required properties such as username.attr and login.name.attr are no longer needed when configuring an LDAP identity store.
The WLST command reassociateSecurityStore
supports an existing LDAP node as a target. For details, see Section 7.4.2.14, "reassociateSecurityStore."
New and improved Oracle Fusion Middleware Control pages. In particular, using these pages, one can specify the SSO service to use in a domain. For details, see the following sections:
New material in this guide includes:
Section 7.2.3, "Cataloging Oracle Internet Directory Attributes"
Section 7.4.2.15, "Granting Policies to Anonymous and Authenticated Roles with WLST Commands"
Section 7.4.2.16, "Application Stripe for Versioned Applications in WLST Commands"
Section J.2.1, "Missing Policies in Reassociated Policy Store"
The single most important new feature in the 11gR1 release is the introduction of the Oracle WebLogic Server as the environment where applications run and where security is provisioned.
The features introduced in release 11gR1 include the following:
Support for application policies and roles, and the authenticated and anonymous users and roles
Credential Store Framework
Auditing framework for Oracle Platform Security Services (OPSS) events for credential and policy management, and authorization checks
Support for application lifecycle security integrated with JDeveloper
Enhanced authorization framework
Consolidation of code-based and subject-based policies in system-jazn-data.xml
Management of security with Oracle Fusion Middleware and WLST commands
New security-related WLST commands
The features de-supported in release 11gR1 include the following:
Jazn is replaced with OPSS.
Jazn Realm API is replaced by the User and Role API.
Migration of OSDT toolkit from proprietary objects to JCE is desupported.
The identity store, as previously configured in system-jazn-data.xml, is replaced by the use of WebLogic authenticators.
The functions of Oracle Jazn Administration Tool are replaced as follows:
User and Role CRUD operations are replaced by the use of the Embedded LDAP configured and operated with the Oracle WebLogic Administration Console
The configuration of login modules is replaced with the use of the Oracle WebLogic Administration Console to configure authenticators
JavaSSO is no longer supported. On a Oracle WebLogic Server domain, Single Sign-On (SSO) is automatic within clusters only when session replication is turned on.
To upgrade from a previous release to the current, see any of the following documents: