Skip navigation.

Introduction to WebLogic Security

  Previous Next vertical dots separating previous/next from contents/index/pdf Contents View as PDF   Get Adobe Reader

Overview of the WebLogic Security Service

While other security documents in the BEA WebLogic ServerTM documentation set guide users through specific tasks—such as programming WebLogic® security, developing a custom security provider, or managing the WebLogic Security Service—this Introduction is intended for all users of the WebLogic Security Service. Thus, this document is the starting point for understanding the WebLogic Security Service.

Note: The WebLogic® Security Service involves many unique terms. Before reading this manual, familiarize yourself with the terms in Terminology.

The following sections introduce the WebLogic Security Service and its features:


Audience for This Guide

This document is intended for the following audiences:


Introduction to the WebLogic Security Service

Deploying, managing, and maintaining security is a huge challenge for an information technology (IT) organization that is providing new and expanded services to customers using the Web. To serve a worldwide network of Web-based users, an IT organization must address the fundamental issues of maintaining the confidentiality, integrity and availability of the system and its data. Challenges to security involve every component of the system, from the network itself to the individual client machines. Security across the infrastructure is a complex business that requires vigilance as well as established and well-communicated security policies and procedures.

Beginning with release 7.0, WebLogic Server includes a completely redesigned security architecture that provides a unique and secure foundation for applications that are available via the Web. By taking advantage of the new security features in WebLogic Server, enterprises benefit from a comprehensive, flexible security infrastructure designed to address the security challenges of making applications available on the Web. WebLogic security can be used standalone to secure WebLogic Server applications or as part of an enterprise-wide, security management system that represents a best-in-breed, security management solution.


Features of the WebLogic Security Service

The open, flexible security architecture of WebLogic Server delivers advantages to all levels of users and introduces an advanced security design for application servers. Companies now have a unique application server security solution that, together with clear and well-documented security policies and procedures, can assure the confidentiality, integrity and availability of the server and its data.

The key features of the new WebLogic Security Service include:


Balancing Ease of Use and Customizability

The components and services of the WebLogic Security Service seek to strike a balance between ease of use, manageability (for end users and administrators), and customizability (for application developers and security developers). The following paragraphs highlight some examples:

Easy to use: For the end user, the secure WebLogic Server environment requires only a single sign-on for user authentication (ascertaining the user's identity). Users do not have to re-authenticate within the boundaries of the WebLogic Server domain that contains application resources. Single sign-on allows users to log on to the domain once per session rather than requiring them to log on to each resource or application separately.

For the developer and the administrator, WebLogic Server provides a new Domain Configuration Wizard to help with the creation of new domains with an administration server, managed servers, and optionally, a cluster, or with extending existing domains by adding individual severs. The Domain Configuration Wizard also automatically generates a config.xml file and start scripts for the server(s) you choose to add to the new domain.

Manageable: Administrators who configure and deploy applications in the WebLogic Server environment can use the WebLogic security providers included with the product. These default providers support all required security functions, out of the box. An administrator can store security data in the WebLogic Server-supplied, security store (an embedded, special-purpose, LDAP directory server). To simplify the configuration and management of security in WebLogic Server, a robust, default security configuration is provided.

Customizable: For application developers, WebLogic Server supports the WebLogic security API and J2EE security standards such as Java Authentication and Authorization (JAAS) and Java Secure Sockets Extensions (JSSE). Using these APIs and standards, you can create a fine-grained and customized security environment for applications that connect to WebLogic Server.

For security developers, the WebLogic Server Security Service Provider Interfaces (SSPIs) support the development of custom security providers for the WebLogic Server environment.


What Changed in WebLogic Security

Many security features have changed with respect to the security offered in WebLogic Server version 6.x.

Table 1-1 summarizes the differences.

Table 1-1 Changes in WebLogic Security Features

WebLogic Server Version 6.x

WebLogic Server 8.1

Security APIs

Many of the existing security APIs are deprecated in this release. BEA encourages you to use the corresponding J2EE standard interfaces to implement similar functionality in your application.

For a complete list of deprecated APIs, see Security APIs in Programming WebLogic Security.

JAAS authentication

JAAS authentication has been enhanced to provide LoginModules for IIOP and T3 clients.


You no longer have to create an implementation of the interface to add auditing to your WebLogic Server deployment. The WebLogic Auditing provider included with the product allows you to customize the data you want to record.

Defining security requirements in the weblogic.xml, weblogic-ejb-jar.xml, and weblogic-ra.xml files.

The functionality is enhanced so that security requirements can also be specified through the WebLogic Server Administration Console.

System password

There is no specific system account in this release of WebLogic Server.

Access Control Lists (ACLs)

The ACLs used in releases prior to WebLogic Server 7.0 are deprecated in this release. ACLs are replaced by security policies in WebLogic 7.0.

Users and Groups

Users and groups are still used; however, instead of assigning ACLs to a resource, you now create a security policy that grants users, groups, or security roles access to a WebLogic resource.

6.x Security Realms (File realm, Caching realm, LDAP, Windows NT, UNIX, and RDBMS security realms)

The security realms used in releases prior to WebLogic Server 7.0 are deprecated in this release. The WebLogic Authentication and Authorization providers provide the same functionality offered by the File realm, the Caching realm, and the LDAP security realms.

The Realm Adapter providers are available to allow you to continue to use the existing Windows NT, UNIX, and RDBMS security realms as you migrate to the new Authentication/Authorization scheme.

This feature was not available in releases prior to WebLogic Server 7.0.

Support for multiple security providers.


The SSL support in WebLogic Server has been updated to support the JSSE standard and the Transport Layer Security (TLS) v1 protocol.

This feature was not available in releases prior to WebLogic Server 7.0.

Support for J2EE Java KeyStores (JKS).



Skip navigation bar  Back to Top Previous Next