PK *Hoa, mimetypeapplication/epub+zipPK *H OEBPS/toc.htm9
Developing and Administering Spring Applications for Oracle WebLogic Server
12c (12.1.3)
E41930-01
June 2014
This document describes Spring support in WebLogic Server, tells how to enable the Spring extension and the Spring console-extension, and provides information about developing Spring applications for WebLogic Server.
Oracle Fusion Middleware Developing and Administering Spring Applications for Oracle WebLogic Server, 12c (12.1.3)
E41930-01
Copyright © 2007, 2014, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate failsafe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
This chapter describes how to integrate the WebLogic Server security system with the Spring security framework.
The WebLogic Server security system supports and extends Java EE security while providing a rich set of security providers that you can be customize to integrate with different security databases or security policies.
As described at the Spring Security Web site (http://static.springsource.org/spring-security/site/
), Acegi Security is now Spring Security, the official security project of the Spring Portfolio. The Spring Security (acegi) framework provides security to a Spring application and includes a rich set of security providers.
The question then becomes how to integrate the two security frameworks.
For a combined Java EE and Spring application, rather than require authentication with both security frameworks, WLS security and Spring security work together. WLS security handles the authentication via the default Authentication provider for the security realm, and converts WLS principals to Spring GrantedAuthority principals through a mapper class. Once authenticated by WLS security, a user is authenticated for Spring security. You can then decide how to secure the objects in the application. One common practice is to secure Java EE resource with WebLogic security and secure Spring resource with Spring security.
As described in the Spring Security Reference, Container Adapters enable Spring Security to integrate directly with the containers used to host end user applications, in this case WebLogic Server.
The integration between a container and Spring Security is achieved through an adapter. The adapter provides a container-compatible user authentication provider, and needs to return a container-compatible user object.
applicationContext-acegi-security.xml
is the configuration file for Spring security. For WebLogic Server, WeblogicAuthenticationFilter
is added to the list of filters in applicationContext-acegi-security.xml
. This filter is responsible for converting the WebLogic principals to Spring GrantedAuthority subjects, based on the mapper. The mapper is configured as a property for the WeblogicAuthenticationFilter
, and it is injected at creation time.
The following is an example of the mapper class.
public class MyAuthorityGranter implements AuthorityGranter { public Set grant(Principal principal) { Set rtnSet = new HashSet(); if (principal.getName().equals("fred@oracle.com")) { rtnSet.add("ROLE_SUPERVISOR"); rtnSet.add("IS_AUTHENTICATED_ANONYMOUSLY"); } return rtnSet; } }
In this example, user fred@oracle.com
in the WebLogic domain is mapped to ROLE_SUPERVISOR
and IS_AUTHENTICATED_ANONYMOUSLY
.
The following code is added to web.xml
to plug in the applicationContext-acegi-security.xml
file:
<filter>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<filter-class>org.acegisecurity.util.FilterToBeanProxy</filter-class>
<init-param>
<param-name>targetClass</param-name>
<param-value>org.acegisecurity.util.FilterChainProxy</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>Acegi Filter Chain Proxy</filter-name>
<url-pattern>/main/secure/*</url-pattern>
</filter-mapping>
<listener>
<listener-class>org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml
</param-value>
</context-param>
This preface describes the document accessibility features and conventions used in this guide—Developing and Administering Spring Applications for Oracle WebLogic Server.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc
.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info
or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs
if you are hearing impaired.
The following text conventions are used in this document:
Convention | Meaning |
---|---|
boldface |
Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary. |
italic |
Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values. |
|
Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter. |