Introduction to WebLogic Security

Overview of the WebLogic Security Service

While other security documents in the BEA WebLogic Server^TM documentation set guide users through specific tasks—such as programming WebLogic® security, developing a custom security provider, or managing the WebLogic Security Service—this Introduction is intended for all users of the WebLogic Security Service. Thus, this document is the starting point for understanding the WebLogic Security Service.

Note: The WebLogic® Security Service involves many unique terms. Before reading this manual, familiarize yourself with the terms in Terminology.

The following sections introduce the WebLogic Security Service and its features:

Audience for This Guide

This document is intended for the following audiences:

Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how to best implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge, security technologies and tools.
Security Developers—Developers who focus on defining the system architecture and infrastructure for security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. They work with Application Architects to ensure that the security architecture is implemented according to design and that no security holes are introduced, and work with Server Administrators to ensure that security is properly configured. Security Developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX), and working knowledge of WebLogic Server and security provider functionality.
Application Developers—Developers who are Java programmers that focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs), and working with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth/working knowledge of Java (including J2EE components such as servlets/JSPs and JSEE) and Java security.
Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web application and EJB security, Public Key security, and SSL.
Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.

Introduction to the WebLogic Security Service

Deploying, managing, and maintaining security is a huge challenge for an information technology (IT) organization that is providing new and expanded services to customers using the Web. To serve a worldwide network of Web-based users, an IT organization must address the fundamental issues of maintaining the confidentiality, integrity and availability of the system and its data. Challenges to security involve every component of the system, from the network itself to the individual client machines. Security across the infrastructure is a complex business that requires vigilance as well as established and well-communicated security policies and procedures.

Beginning with release 7.0, WebLogic Server includes a completely redesigned security architecture that provides a unique and secure foundation for applications that are available via the Web. By taking advantage of the new security features in WebLogic Server, enterprises benefit from a comprehensive, flexible security infrastructure designed to address the security challenges of making applications available on the Web. WebLogic security can be used standalone to secure WebLogic Server applications or as part of an enterprise-wide, security management system that represents a best-in-breed, security management solution.

Features of the WebLogic Security Service

The open, flexible security architecture of WebLogic Server delivers advantages to all levels of users and introduces an advanced security design for application servers. Companies now have a unique application server security solution that, together with clear and well-documented security policies and procedures, can assure the confidentiality, integrity and availability of the server and its data.

The key features of the new WebLogic Security Service include:

A comprehensive and standards-based design.
End-to-end security for WebLogic Server-hosted applications, from the mainframe to the Web browser.
Legacy security schemes that integrate with WebLogic Server security, allowing companies to leverage existing investments.
Security tools that are integrated into a flexible, unified system to ease security management across the enterprise.
Easy customization of application security to business requirements through mapping of company business rules to security policies.
Easy updates to security policies.
Easy adaptability for customized security solutions.
A modularized architecture, so that security infrastructures can change over time to meet the requirements of a particular company.
Support for configuring multiple security providers, as part of a transition scheme or upgrade path.
A separation between security details and application infrastructure, making security easier to deploy, manage, maintain, and modify as requirements change.
Default, WebLogic security providers that provide you with a working security scheme out of the box.
Customization using WebLogic custom security providers
Unified management of security rules, security policies, and security providers through the WebLogic Server Administration Console.
Support for standard J2EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), and Java Cryptography Extensions (JCE).

Balancing Ease of Use and Customizability

The components and services of the WebLogic Security Service seek to strike a balance between ease of use, manageability (for end users and administrators), and customizability (for application developers and security developers). The following paragraphs highlight some examples:

Easy to use: For the end user, the secure WebLogic Server environment requires only a single sign-on for user authentication (ascertaining the user's identity). Users do not have to re-authenticate within the boundaries of the WebLogic Server domain that contains application resources. Single sign-on allows users to log on to the domain once per session rather than requiring them to log on to each resource or application separately.

For the developer and the administrator, WebLogic Server provides a new Domain Configuration Wizard to help with the creation of new domains with an administration server, managed servers, and optionally, a cluster, or with extending existing domains by adding individual severs. The Domain Configuration Wizard also automatically generates a config.xml file and start scripts for the server(s) you choose to add to the new domain.

Manageable: Administrators who configure and deploy applications in the WebLogic Server environment can use the WebLogic security providers included with the product. These default providers support all required security functions, out of the box. An administrator can store security data in the WebLogic Server-supplied, security store (an embedded, special-purpose, LDAP directory server). To simplify the configuration and management of security in WebLogic Server, a robust, default security configuration is provided.

Customizable: For application developers, WebLogic Server supports the WebLogic security API and J2EE security standards such as Java Authentication and Authorization (JAAS) and Java Secure Sockets Extensions (JSSE). Using these APIs and standards, you can create a fine-grained and customized security environment for applications that connect to WebLogic Server.

For security developers, the WebLogic Server Security Service Provider Interfaces (SSPIs) support the development of custom security providers for the WebLogic Server environment.

What Changed in WebLogic Security

Many security features have changed with respect to the security offered in WebLogic Server version 6.x.

Table 1-1 summarizes the differences.

Table 1-1 Changes in WebLogic Security Features

WebLogic Server Version 6.x	WebLogic Server 8.1
Security APIs	Many of the existing security APIs are deprecated in this release. BEA encourages you to use the corresponding J2EE standard interfaces to implement similar functionality in your application. For a complete list of deprecated APIs, see Security APIs in Programming WebLogic Security.
JAAS authentication	JAAS authentication has been enhanced to provide LoginModules for IIOP and T3 clients.
Auditing	You no longer have to create an implementation of the `weblogic.security.Audit` interface to add auditing to your WebLogic Server deployment. The WebLogic Auditing provider included with the product allows you to customize the data you want to record.
Defining security requirements in the `weblogic.xml,` `weblogic-ejb-jar.xml,` and `weblogic-ra.xml` files.	The functionality is enhanced so that security requirements can also be specified through the WebLogic Server Administration Console.
System password	There is no specific `system` account in this release of WebLogic Server.
Access Control Lists (ACLs)	The ACLs used in releases prior to WebLogic Server 7.0 are deprecated in this release. ACLs are replaced by security policies in WebLogic 7.0.
Users and Groups	Users and groups are still used; however, instead of assigning ACLs to a resource, you now create a security policy that grants users, groups, or security roles access to a WebLogic resource.
6.x Security Realms (File realm, Caching realm, LDAP, Windows NT, UNIX, and RDBMS security realms)	The security realms used in releases prior to WebLogic Server 7.0 are deprecated in this release. The WebLogic Authentication and Authorization providers provide the same functionality offered by the File realm, the Caching realm, and the LDAP security realms. The Realm Adapter providers are available to allow you to continue to use the existing Windows NT, UNIX, and RDBMS security realms as you migrate to the new Authentication/Authorization scheme.
This feature was not available in releases prior to WebLogic Server 7.0.	Support for multiple security providers.
SSL	The SSL support in WebLogic Server has been updated to support the JSSE standard and the Transport Layer Security (TLS) v1 protocol.
This feature was not available in releases prior to WebLogic Server 7.0.	Support for J2EE Java KeyStores (JKS).