2 WebLogic Security Programming Overview

The following topics are covered in this section:

What Is Security?

Security refers to techniques for ensuring that data stored in a computer or passed between computers is not compromised. Most security measures involve proof material and data encryption. Proof material is typically a secret word or phrase that gives a user access to a particular application or system. Data encryption is the translation of data into a form that cannot be interpreted without holding or supplying the same secret.

Distributed applications, such as those used for electronic commerce (e-commerce), offer many access points at which malicious people can intercept data, disrupt operations, or generate fraudulent input. As a business becomes more distributed the probability of security breaches increases. Accordingly, as a business distributes its applications, it becomes increasingly important for the distributed computing software upon which such applications are built to provide security.

An application server resides in the sensitive layer between end users and your valuable data and resources. WebLogic Server provides authentication, authorization, and encryption services with which you can guard these resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment.

Therefore, whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.

Another good strategy is to read as much as possible about security issues and appropriate security measures. The document Securing a Production Environment for Oracle WebLogic Server highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment. The document Securing Resources Using Roles and Policies for Oracle WebLogic Server introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server. For the latest information about securing Web servers, Oracle also recommends reading the Security Improvement Modules, Security Practices, and Technical Implementations information (http://www.cert.org/) available from the CERT™ Coordination Center operated by Carnegie Mellon University.

Oracle suggests that you apply the remedies recommended in our security advisories. In the event of a problem with an Oracle product, Oracle distributes an advisory and instructions with the appropriate course of action. If you are responsible for security related issues at your site, please register to receive future notifications.

Administration Console and Security

With regard to security, you can use the Administration Console to define and edit deployment descriptors for Web Applications, EJBs, Java EE Connectors, and Enterprise Applications. This document, Programming WebLogic Security, does not describe how to use the Administration Console to configure security. For information on how to use the Administration Console to define and edit deployment descriptors, see Securing Resources Using Roles and Policies for Oracle WebLogic Server and Securing Oracle WebLogic Server.

Types of Security Supported by WebLogic Server

WebLogic Server supports the following security mechanisms:

Authentication

Authentication is the mechanism by which callers and service providers prove that they are acting on behalf of specific users or systems. Authentication answers the question, "Who are you?" using credentials. When the proof is bidirectional, it is referred to as mutual authentication.

WebLogic Server supports username and password authentication and certificate authentication. For certificate authentication, WebLogic Server supports both one-way and two-way SSL (Secure Sockets Layer) authentication. Two-way SSL authentication is a form of mutual authentication.

In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system (via subjects) when needed. You can configure the Authentication providers using the Web application and EJB deployment descriptor files, or the Administration Console, or a combination of both.

Authorization

Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, "What can you access?"

In WebLogic Server, a WebLogic Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability. You can configure the Authorization provider using the Web application and EJB deployment descriptor files, or the Administration Console, or a combination of both.

WebLogic Server also supports the use of programmatic authorization (also referred to in this document as programmatic security) to limit the interactions between users and WebLogic resources.

Java EE Security

For implementation and use of user authentication and authorization, WebLogic Server utilizes the security services of the Java EE Development Kit 6.0 (JDK 6.0). Like the other Java EE components, the security services are based on standardized, modular components. WebLogic Server implements these Java security service methods according to the standard, and adds extensions that handle many details of application behavior automatically, without requiring additional programming.

Security APIs

This section lists the Security packages and classes that are implemented and supported by WebLogic Server. You use these packages to secure interactions between WebLogic Server and client applications, Enterprise JavaBeans (EJBs), and Web applications.

Note:

Several of the WebLogic security packages, classes, and methods are deprecated in this release of WebLogic Server. For more detailed information on deprecated packages and classes, see Appendix A, "Deprecated Security APIs".

The following topics are covered in this section:

JAAS Client Application APIs

You use Java APIs and WebLogic APIs to write client applications that use JAAS authentication.

The following topics are covered in this section:

Java JAAS Client Application APIs

You use the following Java APIs to write JAAS client applications. The APIs are available at https://download.oracle.com/javase/6/docs/api/index.html.

  • javax.naming

  • javax.security.auth

  • javax.security.auth.callback

  • javax.security.auth.login

  • javax.security.auth.spi

For information on how to use these APIs, see JAAS Authentication APIs.

WebLogic JAAS Client Application APIs

You use the following WebLogic APIs to write JAAS client applications:

For information on how to use these APIs, see JAAS Authentication APIs.

SSL Client Application APIs

You use Java and WebLogic APIs to write client applications that use SSL authentication:

The following topics are covered in this section:

Java SSL Client Application APIs

You use the following Java APIs (available from https://download.oracle.com/javase/6/docs/api/index.html) to write SSL client applications:

  • java.security

  • java.security.cert

  • javax.crypto

  • javax.naming

  • javax.net

  • javax.security

  • javax.servlet

  • javax.servet.http

WebLogic Server also supports the javax.net.SSL API (https://download.oracle.com/javase/6/docs/api/index.html), but Oracle recommends that you use the weblogic.security.SSL package when you use SSL with WebLogic Server.

For information on how to use these APIs, see SSL Authentication APIs.

WebLogic SSL Client Application APIs

You use the following WebLogic APIs to write SSL client applications.

For information on how to use these APIs, see SSL Authentication APIs.

Other APIs

Additionally, you use the following APIs to develop WebLogic Server applications: