This script opens a new, small, floating window and puts TOC<name>.html and IX<name>.html files in it and sets a generic popup window code to enable the display of some viewlets in the WebLogic Platform Tour.

 Moving to Production Mode

Tutorial 17: Securing Application and URL (Web) Resources Using the Administration Console

This tutorial describes how to secure application and URL (Web) resources using the Administration Console. It includes step-by-step procedures for creating users, groups, and global security roles. It also provides procedures for creating security policies at various levels in the application and URL (Web) resource hierarchies.

The tutorial includes the following sections:

• Prerequisites
• Procedure
• Best Practices
• The Big Picture
• Related Reading

 

 

Prerequisites

Before starting this tutorial:

• Create MedRecDomain and MedRecServer, and start MedRecServer. See Tutorial 1: Creating a WebLogic Domain and Server Instance for Development.
• Deploy the enterprise application named MedRecEar. See Tutorial 15: Deploying the MedRec Package for Production.
• Read the following sections in Securing WebLogic Resources:

• Types of WebLogic Resources

• Techniques for Securing URL (Web) and EJB Resources

• Prerequisites for Securing URL (Web) and EJB Resources

• Types of Security Roles: Global Roles and Scoped Roles

 

 

Procedure

Follow these steps to secure application and URL (Web) resources using the Administration Console:

• Step 1: Specify security realm settings.
• Step 2: Create groups.
• Step 3: Create users and add the users to groups.
• Step 4: Create global roles and grant the global roles to the groups.
• Step 5: Secure the MedRecEAR application.
• Step 6: Attempt to access a JSP in the MedRecEAR application.
• Step 7: Secure the Patient Web Application.
• Step 8: Attempt to access a JSP in the PatientWAR.
• Step 9: Secure the medicalrecord.do page.
• Step 10: Attempt to access the medicalrecord.do page.

Step 1: Specify security realm settings.

1. Start a Web browser and type http://localhost:7101/console/.

2. Enter weblogic as the username and weblogic as the password, then click Sign In to sign in to the Administration Console for MedRecServer.

3. In the navigation tree at the left side of the Administration Console, expand Security->Realms.

4. Click the myrealm security realm.

5. On the General tab, from the Check Roles and Policies drop-down menu, select All Web Applications and EJBs.

   This setting means that the WebLogic Security Service will perform security checks on all URL (Web) and EJB resources. For more information, see Understanding How to Check Security Roles and Security Policies in Securing WebLogic Resources.

6. From the On Future Redeploys drop-down menu, select Ignore Roles and Policies From DD.

   This setting means that you will set security for Web Application and EJB resources in the Administration Console, not in deployment descriptors. For more information, see Understanding What to Do on Future Redeploys of the WebLogic Resource in Securing WebLogic Resources.

7. Click Apply to save your changes.

8. Restart MedRecServer. (See Starting and Stopping Servers: Quick Reference in Configuring and Managing WebLogic Server.)

Step 2: Create groups.

1. In the navigation tree at the left side of the Administration Console, expand Security->Realms->myrealm.

2. Click Groups.

   The Groups page displays all groups currently defined in the WebLogic Authentication provider's database.

3. Click the Configure a new Group link to display the Create Group page.

4. On the General tab, in the Name field, type MedRecAdmins.

5. In the Description field, type MedRecAdmins can log on to the MedRec Administrators website.

6. Click Apply to save your changes.

7. Repeat steps 4 - 7 to create a group named MedRecPatients, with a description of MedRecPatients can log on to the MedRec Patients website.

8. In the navigation tree, click Groups, and confirm that the groups have been added.

   The Groups page shows the groups added to the WebLogic Authentication provider's database.

Step 3: Create users and add the users to groups.

1. In the navigation tree, click Users.

   The Users page displays all users currently defined in the WebLogic Authentication provider's database.

2. Click the Configure a new User link to display the Create User page.

3. On the General tab, in the Name field, type admin@avitek.com.

4. In the Description field, type MedRec administrator.

5. In the Password and Confirm Password fields, type weblogic.

6. Click Apply to save your changes.

7. Select the Groups tab.

8. In the Possible Groups list box, highlight the MedRecAdmins group.

9. Click the highlighted arrow to move the MedRecAdmins group from the Possible Groups list box to the Current Groups list box.

10. Click Apply to save your changes.

11. Repeat steps 2 - 10 to create a user named larry@celtics.com, a MedRec patient who also uses the weblogic password and belongs in the MedRecPatients group.

12. In the navigation tree, click Users, and confirm that the users have been added.

    The Users page shows the users added to the WebLogic Authentication provider's database.

Step 4: Create global roles and grant the global roles to the groups.

1. In the navigation tree, click Global Roles.

   The Global Roles page displays all global roles currently defined in the WebLogic Role Mapping provider's database.

2. Click the Configure a new Global Role link to display the Create Global Role page.

3. On the General tab, in the Name field, type MedRecAdmin.

4. Click Apply to save your changes.

5. Select the Conditions tab.

6. In the Role Condition list box, highlight Caller is a Member of the Group.

7. Click Add to display the Groups window.

8. In the Enter Group Name field, type MedRecAdmins.

9. Click Add, then click OK.

   The Groups window closes. The Role Statement list box reads:

   Caller is a Member of the Group

   MedRecAdmins

10. Click Apply to save your changes.

11. Repeat steps 2 - 11 to create a global role named MedRecPatient and to grant this global role to the MedRecPatients group.

12. In the navigation tree, click Global Roles, and confirm that the global roles have been added.

    The Global Roles page shows the global roles added to the WebLogic Role Mapping provider's database.

Step 5: Secure the MedRecEAR application.

1. In the navigation tree, expand Deployments->Applications.

2. Right-click MedRecEAR.

3. From the menu, select Define Security Policy to display the Policy Editor page.

   Selecting this option enables you to create a security policy that will encompass all components in the deployed Enterprise Application.

4. In the Policy Condition list box, highlight Caller is Granted the Role.

5. Click Add to display the Roles window.

6. In the Enter Role Name field, type MedRecAdmin.

7. Click Add, then click OK.

   The Roles window closes. The Policy Statement list box reads:

   Caller is Granted the Role

   MedRecAdmin

8. Click Apply to save your changes.

Step 6: Attempt to access a JSP in the MedRecEAR application.

1. Open a new Web browser and type http://localhost:7101/start.jsp.

   The browser prompts you for a username and password.

2. In the username field, type larry@celtics.com, and in the password field, type weblogic, then click OK.

   The browser re-prompts you for a username and password.

3. In the username field, type admin@avitek.com, and in the password field, type weblogic, then click OK.

   The browser displays the page shown in Figure  1.

   Figure 1: Avitek Medical Records Start Page

   

   
    

   User larry@celtics.com was denied access because you previously secured all components of MedRecEAR (including start.jsp, part of MainWAR) with a security policy based on the global security role MedRecAdmin, which user admin@avitek.com is granted but user larry@celtics.com is not.

Step 7: Secure the Patient Web Application.

1. In the navigation tree at the left side of the Administration Console, expand Deployments->Applications->MedRecEAR, then right-click on the patient Web Application.

2. From the menu, select Define Security Policy to display the General tab.

   Selecting this option enables you to create a security policy for this particular Web Application or a particular component within the Web Application.

3. In the URL Pattern field, type: /*

   The URL pattern of /* will secure all components, including JSPs and servlets.

4. Click the Define Security Policy button to display the Policy Editor page.

5. In the Policy Condition list box, highlight Caller is Granted the Role.

   Do not modify the value shown in the Methods drop-down menu. (It should read: ALL.)

6. Click Add to display the Roles window.

7. In the Enter Role Name field, type Anonymous.

   Unlike the MedRecAdmin and MedRecPatient global roles you created and used in previous steps, the Anonymous role is a default global role that is predefined in WebLogic Server.

8. Click Add, then click OK.

   The Roles window closes. The Policy Statement list box reads:

   Caller is Granted the Role

   Anonymous

   By defining this security policy on PatientWAR, you are overriding the security policy that has already been defined for all components of the MedRecEAR in Step 5: Secure the MedRecEAR application.. Specifically, you are overriding the inherited policy statement of:

   Caller is Granted the Role
   

         MedRecAdmin
   

   that is shown in the Inherited Policy Statements list box.

   By overriding the security policy to grant access to users in the Anonymous global role (rather than the MedRecAdmin global role), you are actually making access on these pages less restrictive. (All users are granted the Anonymous global role.)

9. Click Apply to save your changes.

Step 8: Attempt to access a JSP in the PatientWAR.

Open a new Web browser and type http://localhost:7101/patient/login.do.

The browser displays the page shown in Figure  2:

Figure 2: Patient Login Page

 

This page is displayed because you secured all components of PatientWAR with a security policy based on the global security role Anonymous, a security role that all users are granted. Therefore, no login is required to access the login.do page. (The user name and password fields are shown because of the login.do page's design.)

Step 9: Secure the medicalrecord.do page.

1. In the navigation tree at the left side of the Administration Console, right-click on the patient Web Application.

2. From the menu, select Define Security Policy to display the General tab.

   Selecting this option enables you to create a security policy for this particular Web Application or a particular component within the Web application.

   Notice that the URL pattern you typed in Step 7: Secure the Patient Web Application. appears as a link under the title: Already Defined URL Patterns. This allows you to modify existing security policies more easily.

3. In the URL Pattern field, type medicalrecord.do.

   Because you are creating the security policy on PatientWAR, the context path of /patient is implied in the URL pattern. (WebLogic Server obtains this context path from the Web Application's deployment descriptor.)

4. Click the Define Security Policy button to display the Policy Editor page.

5. In the Policy Condition list box, highlight Caller is Granted the Role.

   Do not modify the value shown in the Methods drop-down menu. (It should read ALL.)

6. Click Add to display the Roles window.

7. In the Enter Role Name field, type MedRecPatient.

8. Click Add, then click OK.

   The Roles window closes. The Policy Statement list box reads:

   Caller is Granted the Role

   MedRecPatient

   By defining this security policy on medicalrecord.do, you are overriding the security policy that has already been defined for all components within PatientWAR in Step 7: Secure the Patient Web Application.. Specifically, you are overriding the inherited policy statement of:

   Caller is Granted the Role
   

         Anonymous
   

   that is shown in the Inherited Policy Statements list box.

9. Click Apply to save your changes.

Step 10: Attempt to access the medicalrecord.do page.

1. Open a new Web browser and type http://localhost:7101/patient/medicalrecord.do.

   The browser redirects you to the login page shown in Figure  2:. This result occurs because only users who are granted the MedRecPatient global role can access the medicalrecord.do page, but all users (who are granted the Anonymous global role) can still access login.do.

2. In the username field, type admin@avitek.com, and in the password field, type weblogic, then click Login.

   The browser redisplays the login page shown in Figure  2: and indicates that you have entered an invalid username and/or password. This result occurs because only users who are granted the MedRecPatient global role can access the medicalrecord.do page, and user admin@avitek.com is granted the global role MedRecAdmin.

3. In the username field, type larry@celtics.com, and in the password field, type weblogic, then click Login.

   The browser redirects you to Larry's Medical Records page, shown in Figure  3:. This result occurs because user larry@celtics.com is granted the MedRecPatient global role, which is required to access the medicalrecord.do page.

   Figure 3: Larry's Medical Records Page

   

   
    

 

 

Best Practices

• The security realm settings are extremely important. If you want to secure URL (Web) resources using the WebLogic Server Administration Console rather than deployment descriptors, you must use the Check Roles and Policies/On Future Redeploys combination specified in Step 1: Specify security realm settings..
• If you have deployed an application (or module) with the On Future Redeploys drop-down menu set to Ignore Roles and Policies From DD one or more times before setting it to Initialize Roles and Policies From DD, you can still set security policies and security roles using the Administration Console. These changes will override any security specified in deployment descriptors.
• Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list for user, group, or security role names: \t, < >, #, |, &, ~, ?, ( ), { }. User, group, and security role names are case sensitive. The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation. The BEA convention is that group names are plural, and security role names are singular.
• BEA recommends assigning users to groups, then creating role statements using the Caller is a Member of the Group role condition. Individual users could also be granted a security role, but this is a less typical practice.
• BEA recommends using security roles (rather than users or groups) to secure WebLogic resources. Following this process makes it more efficient for administrators who work with large numbers of users.
• Create policy statements based on your organization's established business procedures.
• When creating new security policies, look for policy statements in the Inherited Policy Statement box of the Policy Editor page. If inherited policy statements exist, you will be overriding them.
• Remember that more-specific security policies override less-specific security policies. For example, a security policy on a specific URL pattern in a Web application overrides a security policy on the Web application. Take care when overriding with less restrictive security policies (that is, giving a wider set of users access to a smaller set of components or WebLogic resources).
• Take care to ensure that you understand the security policies and the security role mappings on each URL pattern. If there are any URL patterns that you do not expect, be sure to investigate.
• Be sure you understand the precedence of servlet mappings to URL patterns as specified in Chapter 11 of the Servlet 2.3 specification. This describes which URL pattern will have precedence when an URL matches multiple URL patterns.
• You can delete all security settings for an application (or module) by deleting it entirely from the WebLogic Server domain and then redeploying it.

 

 

The Big Picture

This tutorial shows you how to secure application and various URL (Web) resources using some examples. These examples may or may not be different from those used in the full MedRec application. However, the full MedRec application uses these same principles (as well as programmatic security) to secure URL (Web) resources for both MedRec administrators and patients.

 

 

Related Reading

• Securing WebLogic Resources
• Tutorial 18: Securing Enterprise JavaBean (EJB) Resources Using the Administration Console
• Tutorial 19: Copying and Reinitializing Security Configurations

 

Contact BEA    Site Map    Feedback    Privacy    © 2004 BEA Systems