Understanding WebLogic Security

Introduction and Roadmap

Document Scope

Document Audience

Guide to this Document

Related Information

Security Samples and Tutorials

Security Examples in the WebLogic Server Distribution

Additional Examples Available for Download

Overview of the WebLogic Security Service

Introduction to the WebLogic Security Service

Features of the WebLogic Security Service

Balancing Ease of Use and Customizability

New and Changed Features in This Release

Security Fundamentals

Auditing

Authentication

Subjects and Principals

Java Authentication and Authorization Service (JAAS)

JAAS LoginModules

JAAS Control Flags

CallbackHandlers

Mutual Authentication

Identity Assertion Providers and LoginModules

Identity Assertion and Tokens

Challenge Identity Assertion

Servlet Authentication Filters

Types of Authentication

Username/Password Authentication

Certificate Authentication

Digest Authentication

Perimeter Authentication

How is Perimeter Authentication Accomplished?

How Does WebLogic Server Support Perimeter Authentication?

Security Assertion Markup Language (SAML)

Single Sign-On (SSO)

Web Browsers and HTTP Clients via SAML

Desktop Clients

Authorization

WebLogic Resources

Security Policies

ContextHandlers

Access Decisions

Adjudication

Identity and Trust

Private Keys

Digital Certificates

Certificate Authorities

Certificate Lookup and Validation

Secure Sockets Layer (SSL)

SSL Features

SSL Tunneling

One-way/Two-way SSL Authentication

Host Name Verification

Trust Managers

Asymmetric Key Algorithms

Symmetric Key Algorithms

Message Digest Algorithms

Cipher Suites

Firewalls

Connection Filters

Perimeter Authentication

J2EE and WebLogic Security

J2SE 5.0 Security Packages

The Java Secure Socket Extension (JSSE)

Java Authentication and Authorization Services (JAAS)

The Java Security Manager

Java Cryptography Architecture and Java Cryptography Extensions (JCE)

Java Authorization Contract for Containers (JACC)

Common Secure Interoperability Version 2 (CSIv2)

Security Realms

Introduction to Security Realms

Users

Groups

Security Roles

Security Policies

Security Providers

Security Provider Databases

What Is a Security Provider Database?

Security Realms and Security Provider Databases

Embedded LDAP Server

Types of Security Providers

Authentication Providers

Identity Assertion Providers

Principal Validation Providers

Authorization Providers

Adjudication Providers

Role Mapping Providers

Auditing Providers

Credential Mapping Providers

Certificate Lookup and Validation Providers

Keystore Providers

Realm Adapter Providers

Security Provider Summary

Security Providers and Security Realms

WebLogic Security Service Architecture

WebLogic Security Framework

The Authentication Process

The Identity Assertion Process

The Principal Validation Process

The Authorization Process

The Adjudication Process

The Role Mapping Process

The Auditing Process

The Credential Mapping Process

The Certificate Lookup and Validation Process

Single Sign-On with the WebLogic Security Framework

WebLogic Server Acting a SAML Source Site

POST Profile

Artifact Profile

Weblogic Server Acting as SAML Destination Site

POST Profile

Artifact Profile

Desktop SSO Process

SAML Token Profile Support in WebLogic Web Services

Sender-Vouches Assertions

Holder-of-Key Assertion

The Security Service Provider Interfaces (SSPIs)

Weblogic Security Providers

WebLogic Authentication Provider

Alternative Authentication Providers

WebLogic Identity Assertion Provider

SAML Identity Assertion Provider

Negotiate Identity Assertion Provider

WebLogic Principal Validation Provider

WebLogic Authorization Provider

WebLogic Adjudication Provider

WebLogic Role Mapping Provider

WebLogic Auditing Provider

WebLogic Credential Mapping Provider

SAML Credential Mapping Provider

PKI Credential Mapping Provider

WebLogic CertPath Provider

Certificate Registry

Versionable Application Provider

WebLogic Keystore Provider

WebLogic Realm Adapter Providers

Terminology