|
|
A security policy specifies who can access a WebLogic Server resource. You can create simple policies, such as “allow access if user is in Admin role,” or more complex policies, such as “between the hours of 8 and 5, allow access if user is in Admin role.”
The following sections describe the features and functions of security policies:
For information on using security policies to protect multiple resources, see Using Policies to Protect Multiple Resources.
Security policies for all resources other than Web Application resources and EJB resources are always stored in the security provider database of the Authorization provider that is configured in the default (active) security realm. The security realm that WebLogic Server provides stores policies in the embedded LDAP server.
For Web Application resources and EJB resources, the location of policies depends on the following:
See Options for Securing Web Application and EJB Resources.
Each user or group that you add to a security policy must be defined in the security provider database of the Authentication provider that is configured in the active security realm. Each role that you add must be defined in the security provider database of the Role Mapping provider that is configured in the active security realm. The security realm that WebLogic Server provides is configured to use the WebLogic Authentication and WebLogic XACML Role Mapping providers, which store users, groups, and roles in the embedded LDAP server.
For more information about the WebLogic Authentication, Authorization, and Role Mapping providers, see “WebLogic Security Providers” in Understanding WebLogic Security.
A root level policy is inherited by all instances of a specific resource type. Table 5-1 describes the default root level policies that are defined in the security realm that WebLogic Server installs. For information about the roles and groups that are named in these policies, see Users, Groups, And Security Roles.
| Note: | You can access root level policies in the Administration Console. See Create root level policies in Administration Console Online Help. |
| Caution: | Do not modify the default root level policies for Administrative and Server resources to make them more restrictive. Eliminating some of the existing security roles might negatively impact the functioning of WebLogic Server. However, if you like, you can make the default security policies more inclusive (for example, by adding new security roles). See Maintaining a Consistent Security Scheme. |
To determine who can access a resource, a policy contains one or more conditions. The most basic policy simply contains the name of a security role or a principal. For example, a basic policy might simply name the “Admin” global role. At runtime, the WebLogic Security Service interprets this policy as “allow access if user is in Admin role.” You can create more complex conditions and combine them using the logical operators AND and OR (which is an inclusive OR). You can also negate any condition, which would prohibit access under the specified condition.
The WebLogic Server Authorization providers display three kinds of built-in policy conditions in the Administration Console:
| Note: | These sections describe the conditions that are available in realms that use the WebLogic Authorization provider or the WebLogic XACML Authorization provider. If your security realm uses a third-party Authorization provider, refer to the third-party documentation for information on its capabilities. |
The basic policy conditions that are available in this release of WebLogic Server are:
User—Allows a specific user to access the resource. For example, you might create a condition indicating that only the user John can access the Deposit EJB.Group—Allows all users or groups in the specified group to access the resource unless a User or Role condition contradicts the Group condition.Role—Allows all users or groups in the specified role to access the resource unless a User or Group condition contradicts the Role condition. For example, if you create a Role condition that specifies “Admin” and a User condition that negates “joe”, then user joe will be denied access even if he is in the Admin role.Server is in Development Mode—Allows access if the server that hosts the resource is running in development mode. See
“Creating a WebLogic Domain” in Creating WebLogic Domains Using the Configuration Wizard.Allow access to everyone—Allows access for all users, groups, and roles.Deny access to everyone—Prohibits access for all users, groups, and roles. Element requires signature by—(Used only when securing Web Services resources) Creates a condition for a security policy based on who has digitally signed an element in the SOAP request message that invokes a Web Service operation. For example, you might create a condition that says the getBalance operation can only be invoked if the AccountNumber element in the incoming SOAP request has been digitally signed by a user who is named joe.
To create an Element requires signature by condition, provide the following information:
For example, enter user to specify that a user must sign the element.
{Namespace}LocalPart
For example:{http://schemas.xmlsoap.org/soap/envelope/}AccountNumber
| Note: | You can specify only those elements that have already been configured to be digitally signed in the WS-Policy of the Web Service. For details, see Configuring Message-Level Security in Securing WebLogic Web Services. |
When you use any of the date and time conditions, the security policy grants access to all users for the date or time you specify, unless you further restrict the users by adding one of the other conditions. The date and time policy conditions available in this release of WebLogic Server are:
Access occurs between specified hours—Allows access during a specified time period. For example, you might create a condition granting access to users only during business hours. Access occurs after—Allows access after a specified time. For example, you might create a condition that grants access to users after the business opens or after a certain date and time.Access occurs before—Allows access before a specified time. For example, you might create a condition that grants access to users before the business closes or before a certain date and time.Access occurs on specified days of the week—Allows access on specified days. For example, you might create a condition that grants access to users on week days.Access occurs on the specified day of the month—Allows access on an ordinal day of the month. For example, you might create a condition that grants access to users only the first day of each month. Access occurs after the specified day of the month—Allows access after an ordinal day in the month. For example, you might create a condition indicating that grants access to users after the 15th day of the month.Access occurs before the specified day of the month—Allows access before an ordinal day in the month. For example, you might create a condition that grants access to users before the 15th day of the month.You can use the context element conditions to create security policies based on the value of HTTP Servlet Request attributes, HTTP Session attributes, and EJB method parameters. WebLogic Server retrieves this information from the ContextHandler object and allows you to defined policy conditions based on the values. When using any of these conditions, it is your responsibility to ensure that the attribute or parameter/value pairs apply to the context in which you are using them. For more information, see “ContextHandlers and WebLogic Resources” in Developing Security Providers for WebLogic Server.
The context element role conditions available in this release of WebLogic Server are:
Context element defined—Allows access based on the existence of a specified attribute or parameter.Context element’s value equals a numeric constant—Allows access based on a specified attribute or parameter’s number value (or string representing a double number) being equal to a specified double number.Context element’s value is greater than a numeric constant—Allows access based on a specified attribute or parameter’s number value (or string representing a double number) being greater than a specified double number.Context element’s value is less than a numeric constant—Allows access based on a specified attribute or parameter’s number value (or string representing a double number) being less than a specified double numberContext element’s value equals a string constant—Allows access based on a specified attribute or parameter’s string value being equal to a specified string.
The WebLogic Server Administration Console, the WebLogic Scripting Tool (WLST), and MBean APIs are secured using the default security policies, which are based on the default global roles and default groups described in Table 6-2. Therefore, to use the Administration Console, a user must belong to one of these default groups or be granted one of these global roles. Additionally, administrative operations that require interaction with MBeans are secured using the MBean protections described in Maintaining a Consistent Security Scheme. Therefore, interaction with the following protected public interfaces typically must satisfy both security schemes.
For information about using this public interface, see the The WebLogic Server Administration Console in Administration Console Online Help.
weblogic.management.NoAccessRuntimeException, which developers can catch explicitly in their programs. The server sends this exception to its log file, but you can also configure the server to send exceptions to standard out. For information about using this public interface, see WebLogic Scripting Tool.
| Note: | WLST is a convenience utility that abstracts the interaction with the MBean APIs (described next). Therefore, for any administrative task you can perform using WLST, you can also perform using the MBean APIs. |
weblogic.management.NoAccessRuntimeException, which developers can catch explicitly in their programs. The server sends this exception to its log file, but you can also configure the server to send exceptions to standard out. For information about using these APIs, see Understanding WebLogic Server MBeans in Developing Custom Management Utilities with JMX.
| Note: | This section describes the features and functions that are available in security realms that are using the WebLogic Authorization provider or the WebLogic XACML Authorization provider. If your security realm uses a third-party Authorization provider, refer to the third-party documentation for information on how to add polices to the provider database. |
You can use the WebLogic Administration Console to access WebLogic resources for creating and modifying security policies. For more information, see Manage security policies in Administration Console Online Help.
|