Using Security


	Corporate Info \| News \| Solutions \| Products \| Partners \| Services \| Events \| Download \| How To Buy
	http://www.oracle.com/technology/documentation/index.html \| Site Map \| Search \| PDF Files \| Contact \| Glossary

WebLogic Enterprise Doc Home \| Getting Started & Related Topics \| Previous Topic \| Next Topic \| Contents \| Index

Using Security

This topic includes the following sections:

Overview of the Security Service
How Security Works
The Security Sample Application
Development Steps
Note: This chapter describes using username/password authentication. For a complete description of all the security features available in the WebLogic Enterprise product and instructions for implementing the security features, see Using Security in the WebLogic Enterprise online documentation.

Overview of the Security Service

The WebLogic Enterprise product offers a security model based on the CORBAservices Security Service. The WebLogic Enterprise security model implements the authentication portion of the CORBAservices Security Service.

Security information is defined on a domain basis. The security level for the domain is defined in the configuration file. Client applications use the SecurityCurrent object to provide the necessary authentication information to log on to the WebLogic Enterprise domain.

The following levels of authentication are provided:

TOBJ_NOAUTH
No authentication is needed; however, the client application may still authenticate itself, and may specify a username and a client application name, but no password.
TOBJ_SYSAUTH
The client application must authenticate itself to the WebLogic Enterprise domain and must specify a username, client application name, and application password.
TOBJ_APPAUTH
In addition to the TOBJ_SYSAUTH information, the client application must provide application-specific information. If the default WebLogic Enterprise authentication service is used in the application configuration, the client application must provide a user password; otherwise, the client application provides authentication data that is interpreted by the custom authentication service in the application.

Note: If a client application is not authenticated and the security level is TOBJ_NOAUTH, the IIOP Listener/Handler of the WebLogic Enterprise domain registers the client application with the username and client application name sent to the IIOP Listener/Handler.

In the WebLogic Enterprise software, only the PrincipalAuthenticator and Credentials properties on the SecurityCurrent object are supported. For a description of the SecurityLevel1::Current and SecurityLevel2::Current interfaces, see the C++ and Java topics in Commands, System Processes, and MIB Reference in the WebLogic Enterprise online documentation.

How Security Works

Figure 5-1 illustrates how security works in a WebLogic Enterprise domain.

Figure 5-1 How Security Works in a WebLogic Enterprise Domain

The steps are as follows:

The client application uses the Bootstrap object to return an object reference to the SecurityCurrent object for the WebLogic Enterprise domain.
The client application obtains the PrincipalAuthenticator.
The client application uses the Tobj::PrincipalAuthenticator::get_auth_type() method to get the authentication level for the WebLogic Enterprise domain.
The proper authentication level is returned to the client application.
The client application uses the Tobj::PrincipalAuthenticator::logon() method to log on to the WebLogic Enterprise domain with the proper authentication information.

The Security Sample Application

The Security sample application demonstrates username/password authentication. The Security sample application requires each student using the application to have an ID and a password. The Security sample application works in the following manner:

The client application has a logon() operation. This operation invokes operations on the PrincipalAuthenticator object, which is obtained as part of the process of logging on to access the domain.
The server application implements a get_student_details() operation on the Registrar object to return information about a student. After the user is authenticated, logon is complete and the get_student_details() operation accesses the student information in the database to obtain the student information needed by the client logon operation.
The database in the Security sample application contains course and student information.

Figure 5-2 illustrates the Security sample application.

Figure 5-2 Security Sample Application

The source files for the Security sample application are located in the \samples\corba\university directory in the WebLogic Enterprise software. For information about building and running the Security sample application, see Using Security in the WebLogic Enterprise online documentation.

Development Steps

Table 5-1 lists the development steps for writing a WebLogic Enterprise CORBA application that has username/password authentication security.

Table 5-1 Development Steps for WebLogic Enterprise CORBA Applications That Have Security

Step
Description

1

Define the security level in the configuration file.

2

Write the CORBA client application.

Step	Description
1	Define the security level in the configuration file.
2	Write the CORBA client application.

Step 1: Define the Security Level in the Configuration File

The security level for a WebLogic Enterprise domain is defined by setting the SECURITY parameter in the RESOURSES section of the configuration file to the desired security level. Table 5-2 lists the options for the SECURITY parameter.

Table 5-2 Options for the SECURITY Parameter

Option
Definition

NONE

No security is implemented in the domain. This option is the default. This option maps to the TOBJ_NOAUTH level of authentication.

APP_PW

Requires that client applications provide an application password during initialization. The tmloadcf command prompts for an application password. This option maps to the TOBJ_APPAUTH level of authentication.

USER_AUTH

Requires an application password and performs a per-user authentication during the initialization of the client application. This option maps to the TOBJ_SYSAUTH level of authentication.

Option	Definition
NONE	No security is implemented in the domain. This option is the default. This option maps to the TOBJ_NOAUTH level of authentication.
APP_PW	Requires that client applications provide an application password during initialization. The tmloadcf command prompts for an application password. This option maps to the TOBJ_APPAUTH level of authentication.
USER_AUTH	Requires an application password and performs a per-user authentication during the initialization of the client application. This option maps to the TOBJ_SYSAUTH level of authentication.

In the Security sample application, the SECURITY parameter is set to APP_PW for application-level security. For information about adding security to a WebLogic Enterprise CORBA application, see Using Security in the WebLogic Enterprise online documentation.

Step 2: Write the CORBA Client Application

Write client application code that does the following:

Uses the Bootstrap object to obtain a reference to the SecurityCurrent object for the specific WebLogic Enterprise domain.
Gets the PrincipalAuthenticator object from the SecurityCurrent object.
Uses the get_auth_type() operation of the PrincipalAuthenticator object to return the type of authentication expected by the WebLogic Enterprise domain.

Listing 5-1 and Listing 5-2 include the portions of the CORBA C++ and CORBA Java client applications in the Security sample application that illustrate the development steps for security.

Listing 5-1 Example of Security in a CORBA C++ Client Application

CORBA::Object_var var_security_current_oref =   
     bootstrap.resolve_initial_references("SecurityCurrent");
SecurityLevel2::Current_var var_security_current_ref = 
     SecurityLevel2::Current::_narrow(var_security_current_oref.in());

//Get the PrincipalAuthenticator
SecurityLevel2::PrincipalAuthenticator_var var_principal_authenticator_oref =
     var_security_current_ref->principal_authenticator();
//Narrow the PrincipalAuthenticator
Tobj::PrincipalAuthenticator_var var_bea_principal_authenticator =
     Tobj::PrincipalAuthenticator::_narrow 
                                     var_principal_authenticator_oref.in());

//Determine the security level
Tobj::AuthType auth_type = var_bea_principal_authenticator->get_auth_type();
Security::AuthenticationStatus status = var_bea_principalauthenticator->logon(
                                                   user_name,
                                                   client_name,
                                                   system_password,
                                                   user_password,
                                                   0);

Listing 5-2 Example of Security in a CORBA Java Client Application

org.omg.CORBA.Object SecurityCurrentObj = 
      gBootstrapObjRef.resolve_initial_references("SecurityCurrent");
org.omg.SecurityLevel2.Current secCur =
     org.omg.SecurityLevel2.CurrentHelper.narrow(secCurObj);

//Get the PrincipalAuthenticator
org.omg.SecurityLevel2.PrincipalAuthenticator authlevel2 =   
     secCur.principal_authenticator();
//Narrow the PrincipalAuthenticator
com.beasys.Tobj.PrincipalAuthenticatorObjRef gPrinAuthObjRef = 
     (com.beasys.Tobj.PrincipalAuthenticator)
     org.omg.SecurityLevel2.PrincipalAuthenticatorHelper.narrow(authlevel2);

//Determine the security level
com.beasys.Tobj.Authtype authType = gPrinAuthObjRef.get_auth_type();

org.omg.Security.AuthenticationStatus status = gPrinAuthObjRef.logon
     (gUserName, ClientName, gSystemPassword, gUserPassword,0);