- access control list (ACL)
- In WebLogic 6.x, a data structure used to guard, or control, access to computer resources. Each entry on the access control list (ACL) contains a set of permissions associated with a particular principal that represents an individual user or a group of users. Entries can be positive or negative. An entry is positive if it grants permission and negative if it denies permission. In this release of WebLogic Server, security policies replace the use of ACLs. ACLs are deprecated in this release of WebLogic Server; therefore, to continue to protect WebLogic resources with ACLs, you should use Compatibility security. See also permission (only used in Compatibility security), group, principal, security policy, user, WebLogic resource.
- Access Decision
- Code that determines whether a subject has permission to perform a given operation on a WebLogic resource, with specific parameters in an application. The result of an Access Decision is to permit, deny, or abstain from making a decision. An Access Decision is a component of an Authorization provider. See also Authorization provider, subject, WebLogic resource.
- Adjudication provider and Adjudicator
- A security provider that tallies the results that multiple Access Decisions return, and determines the final PERMIT or DENY decision. The Adjudicator is a component of the Adjudication provider. It resolves conflicts between multiple Access Decisions by tallying each Access Decision and returning a final result. See also Access Decision, security provider.
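The following Java class is an added example, not WebLogic's own code: it models two Access Decisions and an Adjudicator that tallies their results into a final PERMIT or DENY. The `Result` enum, the `AccessDecision` interface, the `Request` record (Java 16+), the two sample decisions and the tie-breaking rule (any DENY wins; all-abstain fails closed) are assumptions made here for illustration, not WebLogic's configured behaviour.

```java
import java.time.LocalTime;
import java.util.List;
import java.util.Set;

// Added example, not WebLogic's own code: Access Decisions plus an Adjudicator.
// Result, AccessDecision, Request, the sample decisions and the tallying rule
// are assumptions for illustration.
public class AdjudicationExample {

    /** The three outcomes an Access Decision may return. */
    public enum Result { PERMIT, DENY, ABSTAIN }

    /** What an Access Decision sees: the subject's groups, the resource, the operation, the time. */
    public record Request(Set<String> groups, String resource, String operation, LocalTime at) { }

    /** Code that decides, for one policy concern, whether a request may proceed. */
    public interface AccessDecision {
        Result isAccessAllowed(Request request);
    }

    /** Sample decision: members of Administrators are permitted; everyone else gets no opinion. */
    public static final AccessDecision ADMIN_DECISION =
        r -> r.groups().contains("Administrators") ? Result.PERMIT : Result.ABSTAIN;

    /** Sample decision: writes to the payroll resource are denied outside 08:00-18:00. */
    public static final AccessDecision BUSINESS_HOURS_DECISION = r -> {
        if (!r.resource().equals("payroll") || !r.operation().equals("write")) {
            return Result.ABSTAIN;
        }
        boolean open = !r.at().isBefore(LocalTime.of(8, 0)) && r.at().isBefore(LocalTime.of(18, 0));
        return open ? Result.PERMIT : Result.DENY;
    };

    /**
     * Adjudicator: tallies every Access Decision into one final result.
     * Rule (assumed): a single DENY is conclusive; otherwise at least one PERMIT
     * is required; if every decision abstains, the request fails closed.
     */
    public static Result adjudicate(List<AccessDecision> decisions, Request request) {
        boolean sawPermit = false;
        for (AccessDecision d : decisions) {
            Result r = d.isAccessAllowed(request);
            if (r == Result.DENY) {
                return Result.DENY;
            }
            if (r == Result.PERMIT) {
                sawPermit = true;
            }
        }
        return sawPermit ? Result.PERMIT : Result.DENY;
    }

    public static void main(String[] args) {
        List<AccessDecision> decisions = List.of(ADMIN_DECISION, BUSINESS_HOURS_DECISION);
        // constructed sample requests
        Request adminAtNight = new Request(Set.of("Administrators"), "payroll", "write", LocalTime.of(23, 0));
        Request clerkAtNoon = new Request(Set.of("Clerks"), "payroll", "write", LocalTime.of(12, 0));
        Request clerkReading = new Request(Set.of("Clerks"), "payroll", "read", LocalTime.of(12, 0));
        System.out.println("admin writing payroll at night: " + adjudicate(decisions, adminAtNight));
        System.out.println("clerk writing payroll at noon:  " + adjudicate(decisions, clerkAtNoon));
        System.out.println("clerk reading payroll at noon:  " + adjudicate(decisions, clerkReading));
    }
}
```

The three requests exercise the three paths: the administrator's night-time write is denied because one decision returns DENY even though another returns PERMIT; the clerk's noon write is permitted because one decision permits and none denies; the clerk's read is denied because every decision abstains and the adjudicator fails closed.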
- asymmetric key cryptography
- A key-based cryptography that uses an encryption algorithm in which different keys, private and public, are used to encrypt and decrypt the data. Asymmetric key cryptography is also called public key cryptography. See also private key, public key, symmetric key cryptography.
- auditing
- Process whereby information about operating requests and the outcome of those requests is collected, stored, and distributed for the purposes of non-repudiation. Auditing provides an electronic trail of computer activity. See also Auditing provider.
- Auditing provider
- A security provider that provides auditing services. See also auditing, security provider.
- authentication
- Process whereby the identity of users or system processes are proved or verified. Authentication also involves remembering, transporting, and making identity information available to various components of a system when that information is needed. Authentication is typically done using username/password combinations, but may also be done using tokens. See also Authentication provider, LoginModule, Identity Assertion, perimeter authentication, token, user.
- Authentication provider
- A security provider that enables WebLogic Server to establish trust by validating a user. The WebLogic Server security architecture supports Authentication providers that perform: username/password authentication; certificate-based authentication directly with WebLogic Server; and HTTP certificate-based authentication proxied through an external Web server. See also authentication, digital certificate, security provider, user.
- authorization
- Process whereby the interactions between users and WebLogic resources are limited to ensure integrity, confidentiality, and availability. Authorization controls access to WebLogic resources based on user identity or other information. In this release of WebLogic Server, access to protected WebLogic resources is based on the context and target of the business request. See also Authorization provider, security policy, user, WebLogic resource.
- Authorization provider
- A security provider that controls access to WebLogic resources based on user identity or other information. The WebLogic security architecture supports several types of authorization including parametric authorization, permissions-based authorization, and capabilities-based authorization. See also capabilities-based authorization, parametric authorization, permissions-based authorization, security provider, user, WebLogic resource.
- Caching realm
- A WebLogic Server 6.x feature. A Caching realm is a temporary location in memory that contains frequently called ACLs, users, groups, etc. from the primary realm. A Caching realm is provided because in WebLogic Server 6.x, users, groups, and ACL objects are stored in a file (the filerealm.properties file) and reading from a file can be very slow. The Caching realm sits as a communication layer on top of the primary realm and, by default, lookups are always done using the Caching realm first. If the Caching realm lookup fails, a lookup is performed on the primary realm. The Caching realm is only used in this release of WebLogic Server when you use Compatibility security. The use of the Caching realm is deprecated in this release. See also access control list (ACL), Compatibility security, group, user.
- capabilities-based authorization
- An arrangement whereby explicit permissions are given to a user (as in permissions-based authorization), but the objects and operations on those objects are also specified. For example, a user can be given permission to access a particular method of an Enterprise JavaBean (EJB). Thus, permissions may be specified at a high or low level. An example of capabilities-based authorization is the use of roles. See also Authorization provider, permissions-based authorization, security role, user.
- certificate authority (CA)
- Well-known and trusted entity that issues public key certificates. A certificate authority attests to a user's real-world identity, much as a notary public does. See also digital certificate, entity, public key.
- Compatibility realm
- Security realm that is the default (active) security realm if you are using Compatibility security. The Compatibility realm uses your existing Authentication and Authorization providers and allows you to migrate to the providers in this release of WebLogic Server. The only security realm available in Compatibility security is the Compatibility realm. See also default realm, security provider, security realm, WebLogic security provider.
- Compatibility security
- Compatibility security refers to the capability to run security configurations from WebLogic Server 6.x in this release of WebLogic Server. In Compatibility security, you configure 6.x security realms, define users, groups, and ACLs, manage the protection of user accounts, and install custom auditing providers. The only security realm available in Compatibility security is the Compatibility realm. The Realm Adapter providers in the Compatibility realm allow backward compatibility to the authentication and authorization services in 6.x security realms. See also access control list (ACL), Auditing provider, group, user, Compatibility realm, security realm, Realm Adapter Authentication provider, Realm Adapter Authorization provider.
- connection filter
- A programmable filter that WebLogic Server uses to determine whether the server should allow incoming connections from network clients. Security policies allow you to secure WebLogic resources using some characteristic of a user, however, you can add an additional layer of security by using connection filters to filter network connections. See also security policy, user, WebLogic resource.
- connector
- See resource adapter.
- context handler
- A high-performing WebLogic class that allows a variable number of arguments to be passed as strings to a method. The ContextHandler interface provides a way for an internal WebLogic container to pass additional information to a WebLogic Security Framework call, so that a security provider can obtain additional context information beyond what is provided by the arguments to a particular method. A context handler is essentially a name/value list and, as such, it requires a security provider to know what names to look for (that is, use of a context handler requires close cooperation between the WebLogic container and a security provider). See also security provider, WebLogic container, WebLogic Security Framework.
- credential
- Security-related attribute of a subject, which may contain information used to authenticate the subject to new services. Types of credentials include username/password combinations, Kerberos tickets, and public key certificates. See also credential mapping, Credential Mapping provider, digital certificate, public key, subject.
- credential mapping
- Process by which WebLogic Server maps credentials to those required by a legacy or any other remote system (for example, PeopleSoft or Oracle). See also credential, Credential Mapping provider, resource.
- Credential Mapping provider
- A security provider that is used to provide credential mapping services and bring new types of credentials into the WebLogic Server environment. See also credential, credential mapping, security provider.
- Cross-Domain Single Sign-on
- A feature that allows users to authenticate once but access multiple applications, even if these applications reside in different DNS domains. This feature provides the ability to construct a network of affiliates or partners that can participate in a Single Sign-On domain.
- CSIv2 protocol
- A protocol that is based on IIOP (GIOP 1.2) and the CORBA Common Secure Interoperability version 2 (CSIv2) CORBA specification. The secure interoperability requirements for EJB 2.0 and other J2EE 1.3 containers correspond to Conformance Level 0 of the CSIv2 specification. The CORBA Security Attribute Service (SAS) is the protocol that is used in CSIv2. See http://www.omg.org/technology/documents/formal/omg_security.htm for more information.
- custom security provider
- Security provider written by a third-party security vendor or security developer that does not come with WebLogic Server. See also security provider, WebLogic security provider.
- Custom security realm
- In WebLogic Server 6.x, if you wanted to customize authentication, you could write your own security realm and integrate it into the WebLogic Server environment. Additionally, in WebLogic Server 6.x, a security realm applied to a domain, and you could have only one security realm in a domain. In this release of WebLogic Server, Custom security realms are supported only in Compatibility security.
- database delegator
- Intermediary class that mediates initialization calls between a security provider and the security provider's database. See also security provider database.
- declarative security
- Security that is defined, or declared, using the application deployment descriptors. For Web applications, you define the deployment descriptors in the web.xml and weblogic.xml files. For EJBs, you define the deployment descriptors in the ejb-jar.xml and weblogic-ejb-jar.xml files.
- default realm
- The active security realm. In this release of WebLogic Server, you can configure multiple security realms in a WebLogic Server domain, however, only one can be the default (active) security realm. See also Custom security realm, WebLogic Server domain.
- digital certificate
- Digital statement that associates a particular public key with a name or other attributes. The statement is digitally signed by a certificate authority (CA). By trusting that authority to sign only true statements, you can trust that the public key belongs to the person named in the certificate. See also certificate authority (CA), digital signature, public key, trusted (root) CA.
- digital signature
- String of bits used to protect the security of data being exchanged between two entities by verifying the identities of those entities. Specifically, this string is used to verify that the data came from the sending entity of record and was not modified in transit. A digital signature is computed from an entity's signed data and private key. It can be trusted only to the extent that the public key used to verify it can be trusted. See also entity, private key, public key.
- Domain Configuration Wizard
- An interactive, graphical user interface (GUI) that facilitates the creation of a new WebLogic Server domain. The wizard can create WebLogic Server domain configurations for stand-alone servers, Administration Servers with Managed Servers, and clustered servers. You can use it to create the appropriate directory structure for your WebLogic Server domain, a basic config.xml file, and scripts that you can use to start the servers in your domain.
- dynamic role computation
- Late binding of principals to roles at runtime, which occurs just prior to an access decision for a protected WebLogic resource. See also Access Decision, authorization, principal, security role, WebLogic resource.
- embedded LDAP server
- A server that contains user, group, role, security policy and credential information. The WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping providers use the embedded LDAP server as their security provider databases. See also credential, group, security role, security policy.
- entity
- Something that exists independently.
- File realm
- In WebLogic Server 6.x, a realm that stores users, groups, encrypted passwords, and ACLs in a file. In this release, a File realm is used when running Compatibility security.
- firewall
- A protective perimeter against unauthorized access for a company's network that is connected to the Internet. Firewalls are also used within company networks to prevent unauthorized access. Firewalls protect information on computers and information that is being carried over the network. Firewalls use various types of filters to prevent access including limiting the types of protocols allowed and restricting access from network nodes by IP addresses and DNS node names.
- global role
- A security role that applies to all WebLogic resources within a security realm. For example, if the WebLogic Role Mapping provider is being used in the default security realm, global roles can be defined in terms of user, group, and hours of access. See also Role Mapping provider, scoped role, security realm, WebLogic resource.
- group
- Collection of users that share some characteristics. Giving permission to a group is the same as giving the permission to each user who is a member of the group. See also user.
- host name verification
- The process of verifying that the name of the host to which an SSL connection is made is the intended or authorized party. See also Host Name Verifier, Secure Sockets Layer (SSL).
- Host Name Verifier
- Code that validates that the host to which an SSL connection is made is the intended or authorized party. A Host Name Verifier is useful when a WebLogic client or a WebLogic Server acts as an SSL client to another application server. It helps prevent man-in-the-middle attacks. By default, WebLogic Server, as a function of the SSL handshake, compares the common name in the SubjectDN of the SSL server's digital certificate with the host name of the SSL server used to initiate the SSL connection. If these names do not match, the SSL connection is dropped. See also digital certificate, host name verification, Secure Sockets Layer (SSL).
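The class below is an added example, not WebLogic's own verifier: it implements the standard `javax.net.ssl.HostnameVerifier` interface and performs exactly the check described above, comparing the CN of the server certificate's SubjectDN with the host name the client asked for, and refusing the connection when there is no match or no authenticated peer. The sample distinguished names in `main()` are constructed.

```java
import java.security.Principal;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

// Added example, not WebLogic's own code: a HostnameVerifier that compares the
// CN of the peer certificate's SubjectDN with the requested host name.
public class CommonNameHostnameVerifier implements HostnameVerifier {

    /** Returns the CN attribute of an X.500 distinguished name, or null if absent or unparsable. */
    static String commonName(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // a DN we cannot parse yields no CN, and therefore no match
        }
        return null;
    }

    /** True only when the certificate CN equals the requested host (case-insensitively). */
    static boolean matches(String subjectDn, String requestedHost) {
        String cn = commonName(subjectDn);
        return cn != null && cn.equalsIgnoreCase(requestedHost);
    }

    @Override
    public boolean verify(String hostname, SSLSession session) {
        try {
            Principal peer = session.getPeerPrincipal();   // X500Principal for X.509 certificates
            return matches(peer.getName(), hostname);
        } catch (SSLPeerUnverifiedException e) {
            return false;   // no authenticated peer: refuse the connection
        }
    }

    public static void main(String[] args) {
        // constructed sample subject DN as it would appear in a server certificate
        String dn = "CN=app.example.internal, OU=Servers, O=Example Corp, C=US";
        System.out.println("certified host:   " + matches(dn, "app.example.internal"));
        System.out.println("other host:       " + matches(dn, "other.example.internal"));
        System.out.println("unparsable DN:    " + matches("not a dn", "app.example.internal"));
    }
}
```

A client installs it with `HttpsURLConnection.setDefaultHostnameVerifier(new CommonNameHostnameVerifier())`. CN-only matching is what the text describes for this release; current practice is to check the certificate's subjectAltName dNSName entries instead, which the JDK does for you when `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` is set on the socket.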
- Identity Assertion
- Special type of authentication whereby a client's identity is established through the use of client-supplied tokens that are generated from an outside source. Identity is asserted when these tokens are mapped to usernames. For example, the client's identity can be established by generating a token from a digital certificate, and that token can be passed around the system so that users are not asked to sign on more than once. Thus, identity assertion can be used to enable single sign-on. See also authentication, digital certificate, Identity Assertion provider, SSL tunneling, token.
- Identity Assertion provider
- A security provider that performs perimeter authentication—a special type of authentication using tokens. Identity Assertion providers also allow WebLogic Server to establish trust by validating a user. Thus, the function of an Identity Assertion provider is to validate and map a token to a username. See also perimeter authentication, security provider, token, user.
- Java Authentication and Authorization Service (JAAS)
- Set of packages that enable services to authenticate and enforce access controls upon users. It implements a Java version of the standard Pluggable Authentication Module (PAM) framework, and supports user-based authorization. WebLogic Server only implements the authentication portion of JAAS. See also authentication, authorization, user.
- JAAS control flag
- If a security realm has multiple Authentication providers configured, the control flag determines how the login sequence uses each Authentication provider. See also Authentication provider.
- JAAS LoginModule
- Responsible for authenticating users within the security realm and for populating a subject with the necessary principals (users/groups). A LoginModule is a required component of an Authentication provider, and can be a component of an Identity Assertion provider if you want to develop a separate LoginModule for perimeter authentication. LoginModules that are not used for perimeter authentication also verify the proof material submitted (for example, a user's password). See also authentication, group, Identity Assertion provider, perimeter authentication, principal, security realm, subject.
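The class below is an added example, not WebLogic's own code: a complete JAAS `LoginModule` that verifies a username/password (the proof material) against a constructed in-memory table in `login()` and, only in `commit()`, populates the subject with a principal. The user table and the `UserPrincipal` class are assumptions. The control flag from the preceding entry is set in the login configuration rather than in the module; an entry such as `SampleRealm { InMemoryLoginModule required; };` (name assumed) would make this module mandatory, while `requisite`, `sufficient` and `optional` change how a failure or success here affects the modules that follow.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Added example, not WebLogic's own code: a JAAS LoginModule that verifies a
// username/password against a constructed in-memory table and, on commit, adds a
// principal to the Subject. The user table and UserPrincipal are assumptions.
public class InMemoryLoginModule implements LoginModule {

    // constructed sample user table: username -> password
    private static final Map<String, char[]> USERS = Map.of(
            "alice", "s3cret!".toCharArray(), "bob", "hunter2".toCharArray());

    // minimal principal placed in the Subject after a successful commit
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    private Subject subject;
    private CallbackHandler handler;
    private String user;              // set by login(), cleared by logout()
    private boolean loginSucceeded;
    private UserPrincipal principal;  // set by commit()

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
    }

    // phase 1: collect and verify the proof material; the Subject is not touched yet
    @Override
    public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback passCb = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("cannot collect credentials: " + e.getMessage());
        }
        char[] supplied = passCb.getPassword();   // returns a copy
        passCb.clearPassword();
        char[] expected = USERS.get(nameCb.getName());
        boolean ok = expected != null && supplied != null && Arrays.equals(expected, supplied);
        if (supplied != null) Arrays.fill(supplied, '\0');   // do not leave the password in memory
        if (!ok) throw new FailedLoginException("invalid username or password");
        user = nameCb.getName();
        loginSucceeded = true;
        return true;
    }

    // phase 2, success path: the overall login passed, so populate the Subject
    @Override
    public boolean commit() {
        if (!loginSucceeded) return false;
        principal = new UserPrincipal(user);
        subject.getPrincipals().add(principal);
        return true;
    }

    // phase 2, failure path: the overall login failed, so discard state from login()
    @Override
    public boolean abort() {
        return loginSucceeded && logout();
    }

    @Override
    public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        user = null;
        loginSucceeded = false;
        return true;
    }
}
```

The two-phase split matters for the control flags: `login()` of every configured module runs first, and only when the flags say the overall login succeeded does the framework call `commit()` on each, so a module must never add principals to the subject before `commit()`. In production code the table would hold salted password hashes, not plaintext, and the comparison would be constant-time.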
- Java Cryptography Architecture
- A framework for accessing and developing cryptographic functionality for the Java platform. See http://java.sun.com/j2se/1.3/docs/guide/security/CryptoSpec.html#Introduction for a description of JCA provided by Sun Microsystems, Inc. See also Java Cryptography Extensions (JCE).
- Java Cryptography Extensions (JCE)
- Extends the Java Cryptography Architecture API to include APIs for encryption, key exchange, and Message Authentication Code (MAC). See http://java.sun.com/j2se/1.3/docs/guide/security/CryptoSpec.html#Introduction for a description of JCE provided by Sun Microsystems, Inc. See also Java Cryptography Architecture.
- Java Security Manager
- A Java 2 security feature that prevents untrusted code from performing actions that are restricted by the Java security policy file. WebLogic Server supports the use of the Java Security Manager. The Java virtual machine (JVM) has security mechanisms built into it that allow you to define restrictions to code through a Java security policy file. The Java Security Manager uses the Java security policy file to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to permit or not permit certain runtime operations. See also Java security policy file, permission (only used in Compatibility security).
- Java security policy file
- The Java Virtual Machine (JVM) has security mechanisms built into it that allow you to define restrictions to code through a Java security policy file. The Java Security Manager uses the Java security policy file to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to permit or not permit certain runtime operations. See also Java Security Manager, permission (only used in Compatibility security).
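As an added example, not taken from the WebLogic documentation, the policy file below grants one code base the minimum it needs: read/write access to its own log directory, a socket connection to one database host, and read access to its own system properties. Everything not granted is refused once the Java Security Manager is enabled. The code base, paths, host name and property prefix are placeholders.

```text
// Added example of a Java security policy file; not from the WebLogic
// documentation. Code base, paths, host and property prefix are placeholders.
grant codeBase "file:/path/to/app/classes/-" {
    // the application may read and write only its own log directory
    permission java.io.FilePermission "/path/to/app/logs/-", "read,write";
    // and open connections only to its database host and port
    permission java.net.SocketPermission "db.example.internal:1521", "connect,resolve";
    // and read only its own system properties
    permission java.util.PropertyPermission "app.*", "read";
};
```

The JVM applies it when started with `-Djava.security.manager -Djava.security.policy=/path/to/app.policy`; a double equals sign (`-Djava.security.policy==...`) makes the file replace the JDK's default policy rather than add to it.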
- keystore
- A repository that contains a list of trusted certificate authorities and your private key and certificate pairs. The information is stored in PKCS12 format and is protected by a "passphrase." In this release, the keytool utility is supported; however, server certificates must also be stored in, and accessed from, a flat file because accessing certificates from the keystore is not supported. See also private key, trusted (root) CA.
- LDAP Authentication provider
- Authentication provider that utilizes an LDAP server to access user and group information, for example, iPlanet's Active Directory and Novell's OpenLDAP. See also group, user.
- LDAP security realm
- A WebLogic Server 6.x security realm. In WebLogic Server 6.x, security realms provide authentication and authorization services. You can choose from the File realm or a set of alternative security realms including the Lightweight Directory Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. The LDAP security realm provides authentication through a Lightweight Directory Access Protocol (LDAP) server. This server allows you to manage all the users for your organization in one place: the LDAP directory. The LDAP security realm supports OpenLDAP, Netscape iPlanet, Microsoft Site Server, and Novell NDS. In this release, you can only use the LDAP security realm when using Compatibility security. See also authentication, authorization, Compatibility security, File realm, security realm, user.
- LoginModule
- See JAAS LoginModule.
- MBean
- Short for "managed bean," a Java object that represents a Java Management eXtensions (JMX) manageable resource. MBeans are instances of MBean types. MBeans are used to configure and manage your security providers. See also MBean type, security provider.
- MBean Definition File (MDF)
- XML file used by the WebLogic MBeanMaker to generate files for an MBean type. See also MBean type, WebLogic MBeanMaker.
- MBean implementation file
- One of several intermediate Java files generated by the WebLogic MBeanMaker utility to create an MBean type for a custom security provider. You edit this file to supply your specific method implementations. See also MBean information file, MBean interface file, MBean type, WebLogic MBeanMaker.
- MBean information file
- One of several intermediate Java files generated by the WebLogic MBeanMaker utility to create an MBean type for a custom security provider. This file contains mostly metadata and therefore requires no editing. See also MBean implementation file, MBean interface file, MBean type, WebLogic MBeanMaker.
- MBean interface file
- One of several intermediate Java files generated by the WebLogic MBeanMaker utility to create an MBean type for a custom security provider. This file is the client-side API to the MBean that your runtime class or your MBean implementation will use to obtain configuration data, and requires no editing. See also MBean implementation file, MBean information file, MBean type, runtime class, WebLogic MBeanMaker.
- MBean JAR File (MJF)
- JAR file that contains the runtime classes and MBean types for a security provider. MJFs are created by the WebLogic MBeanMaker and are installed into WebLogic Server. See also MBean type, runtime class, security provider, WebLogic MBeanMaker.
- MBean type
- Factory for creating the MBeans used to configure and manage security providers. MBean types are created by the WebLogic MBeanMaker. See also MBean, security provider, WebLogic MBeanMaker.
- message digest
- A digitally created hash, or fingerprint, of the data from which it was created. Message digests are very useful in helping to prevent man-in-the-middle attacks. Because there is only one digest for any given plain text, the digest can be used to verify the authenticity of the message. See also message digest algorithm.
- message digest algorithm
- An algorithm that is used to produce a message digest of the bulk text of a message. Once a message digest is produced, other security mechanisms are used to encrypt and convey the digest. This process results in a digital signature of the message, which is used to provide non-repudiation and integrity services. See also message digest.
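The class below is an added example, not WebLogic's own code, serving the digital signature, private key, public key, message digest and message digest algorithm entries together: it computes a SHA-256 digest of a constructed message, signs the same message with a freshly generated RSA private key (SHA256withRSA digests internally and signs the digest, the process the entry above describes), and verifies with the public key. A one-character change to the message changes the digest and makes verification fail. The message text and the key size are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

// Added example, not WebLogic's own code: a message digest (SHA-256) and a
// digital signature (SHA256withRSA) over the same constructed message.
public class DigestAndSignatureExample {

    /** Message digest: a fixed-size fingerprint of the input. */
    static byte[] digest(byte[] message) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(message);
    }

    /** Digital signature: the digest of the message, signed with the private key. */
    static byte[] sign(byte[] message, PrivateKey privateKey) throws GeneralSecurityException {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(message);
        return signer.sign();
    }

    /** Verification: anyone holding the public key can check the signature. */
    static boolean verify(byte[] message, byte[] signature, PublicKey publicKey)
            throws GeneralSecurityException {
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(message);
        return verifier.verify(signature);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder();
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair pair = generator.generateKeyPair();   // the private key stays with the signer

        // constructed sample messages; the second differs from the first by one digit
        byte[] original = "transfer 100 to account 42".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "transfer 900 to account 42".getBytes(StandardCharsets.UTF_8);

        System.out.println("digest(original) = " + hex(digest(original)));
        System.out.println("digest(tampered) = " + hex(digest(tampered)));

        byte[] signature = sign(original, pair.getPrivate());
        System.out.println("signature verifies for original: " + verify(original, signature, pair.getPublic()));
        System.out.println("signature verifies for tampered: " + verify(tampered, signature, pair.getPublic()));
    }
}
```

The digest on its own only proves integrity against accidental change: anyone who alters the message can recompute a matching digest. Binding the digest to the private key is what lets the receiver attribute the message to the signer, and that attribution is only as strong as the receiver's trust in the public key, which is why public keys travel in CA-signed certificates.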
- mutual authentication
- Authentication that requires that both the client and the server present proof of identity. Two-way SSL authentication is a form of mutual authentication. See also authentication, digital certificate, trusted (root) CA, Secure Sockets Layer (SSL), two-way SSL authentication.
- non-repudiation
- Irrefutable evidence that a security event occurred.
- one-way SSL authentication
- SSL authentication can be one-way or two-way. With one-way SSL authentication, which WebLogic Server enables by default, the server is required to present a certificate to the client, but the client is not required to present a certificate to the server. To successfully negotiate an SSL connection, the client must authenticate the server, but the server will accept any client into the connection. See also mutual authentication.
- parametric authorization
- Authorization whereby access decisions on protected WebLogic resources take into account the context and target of the business request. See also authorization, WebLogic resource.
- perimeter authentication
- Authentication that occurs outside of the application server. Perimeter authentication is typically accomplished by the remote user specifying an asserted identity and some form of corresponding proof material, normally in the form of a pass phrase, which is used to perform the verification. The authentication agent, the entity that actually vouches for the identity, can take many forms, such as a Virtual Private Network (VPN), the firewall, an enterprise authentication service, or some other form of global identity service. Each of these forms of authentication agents has a common characteristic: they all perform an authentication process that results in an artifact or token that must be presented to determine information about the authenticated user at a later time. The WebLogic Server security architecture supports Identity Assertion providers that perform perimeter authentication (Web server, firewall, VPN) and handle multiple security token types/protocols (SOAP, IIOP-CSIv2). See also authentication, Identity Assertion.
- permission (only used in Compatibility security)
- In WebLogic Server 6.x, the means used by ACLs to grant or deny users and groups access to WebLogic resources. In this release of WebLogic Server, ACLs are used only when Compatibility security is used. When Compatibility security is not used, roles are used instead of permissions to define who has permission to access a WebLogic resource and under what conditions. See also access control list (ACL), Compatibility security, WebLogic resource.
- permissions-based authorization
- Authorization whereby explicit permissions are given to a user via security policies. Java 2 Enterprise Edition (J2EE) security uses this type of authorization by obtaining data from the weblogic.policy file. Although deprecated in this release of WebLogic Server, access control lists (ACLs) are an example of permissions-based authorization. See also access control list (ACL), Authorization provider, security policy.
- policy statement
- An expression that specifies the users, groups, or roles on which the security policy is based.
- principal
- The identity assigned to a user, group, or system process as a result of authentication. A principal can consist of any number of users and groups. Principals are typically stored within subjects. See also authentication, group, subject, user.
- principal validation
- The act of signing and later verifying that a principal has not been altered since it was signed. Principal validation establishes trust of principals. See also principal.
- private key
- An encryption/decryption key known only to the party or parties that exchange secret messages. See also public key.
- private key algorithm
- The algorithm used to decode, or decrypt, ciphertext. It is called private because it must be kept secret from everyone but the user. See also private key, public key, public key algorithm.
- programmatic security
- Application security that is defined in servlets and EJBs using Java methods.
- public key
- Value provided by some designated authority as an encryption key that, combined with a private key derived from the public key, can be used to effectively encrypt messages and digital signatures. The key is called public because it can be made available to anyone. Public key cryptography is also called asymmetric cryptography because different keys are used to encrypt and decrypt the data. See also private key.
- public key cryptography
- See asymmetric key cryptography.
- public key algorithm
- The algorithm used to encode, or encrypt, plain text. Only the private key can decrypt the ciphertext. See also private key, private key algorithm, public key.
- RDBMS security realm
- A WebLogic Server 6.x security realm. In WebLogic Server 6.x, security realms provide authentication and authorization services. You can choose from the File realm or a set of alternative security realms including the Lightweight Directory Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. The RDBMS security realm is a BEA-provided custom security realm that stores users, groups, and ACLs in a relational database. In this release of WebLogic Server, you can only use the RDBMS security realm when using Compatibility security. See also access control list (ACL), authentication, authorization, Compatibility security, group, security realm, user.
- Realm Adapter Auditing provider
- To be supplied.
- Realm Adapter provider
- Type of security provider used to access WebLogic Server 6.x security services when using Compatibility security in this release of WebLogic Server.
- Realm Adapter Authentication provider
- Authentication provider in the Compatibility realm that allows backward compatibility to the authentication services in 6.x security realms. You must run Compatibility security in order to access the Compatibility realm and the Realm Adapter providers through the WebLogic Server Administration Console.
- Realm Adapter Authorization provider
- Authorization provider in the Compatibility realm that allows backward compatibility to the authorization services in 6.x security realms. You must run Compatibility security in order to access the Compatibility realm and the Realm Adapter providers through the WebLogic Server Administration Console.
- resource
- See WebLogic resource.
- resource adapter
- System-level software driver (also called a connector) used by an application server such as WebLogic Server to connect to an enterprise information system (EIS).
- role mapping
- Process whereby the groups and/or principals recognized by the EJB or Web container are associated with the security roles specified in a deployment descriptor. See also group, principal, security role.
- Role Mapping provider
- A security provider that determines what roles apply to the principals stored in a subject when the subject is attempting to perform an operation on a WebLogic resource. Because this operation usually involves gaining access to the WebLogic resource, Role Mapping providers are typically used with Authorization providers. See also Authorization provider, principal, security role, subject, WebLogic resource.
- runtime class
- Java class that implements a Security Service Provider Interface (SSPI) and contains the actual security-related behavior for a security provider. See also security provider, Security Service Provider Interface (SSPI).
- scoped role
- A role that applies to a specific WebLogic resource in a security realm. See also global role, security role, Role Mapping provider, security realm.
- secret key cryptography
- See symmetric key cryptography.
- Security Assertion Markup Language (SAML)
- An XML-based framework for exchanging security information. SAML provides a standard way to profile information in XML documents and to define authentication and authorization. SAML implementations provide an interoperable XML-based security solution, where user information and corresponding authentication or authorization information can be exchanged by collaborating services irrespective of their existing security implementations. SAML is the key to enabling single sign-on in Web services. For a discussion of SAML, see http://xml.coverpages.org/saml.html. You can develop custom Identity Assertion providers for WebLogic Server that support different token types, including SAML. See also authentication, authorization, Identity Assertion, perimeter authentication, user.
- Secure Sockets Layer (SSL)
- Secure Sockets Layer (SSL) implements cryptography on the Web. SSL supports the use of public key cryptography to provide authentication, and secret key cryptography and digital signatures to provide privacy and data integrity. Generally, SSL provides (1) a mechanism that applications can use to authenticate each other's identity and (2) encryption of the data exchanged by the applications. See also authentication, digital signature, public key cryptography, symmetric key cryptography.
- security policy
- In the previous releases of WebLogic Server, ACLs were used to protect WebLogic resources. In this release of WebLogic Server, security policies are used instead of ACLs in protecting WebLogic resources. A security policy is created when you define an association between a WebLogic resource and one or more users, groups, or roles. A security policy may also include time constraints, that is, periods of time when the resource may be accessed. A WebLogic resource has no protection until you assign it a security policy. You assign security policies to an individual WebLogic resource or components of the WebLogic resource. See also access control list (ACL), group, security role, user, WebLogic resource.
- security provider
- Modules that can be "plugged into" a WebLogic Server security realm to provide security services (such as authentication, authorization, auditing, and credential mapping) to applications. A security provider consists of runtime classes and MBeans, which are created from SSPIs and MBean types, respectively. Security providers may be categorized as WebLogic security providers and custom security providers. See also custom security provider, Security Service Provider Interface (SSPI), MBean, MBean type, runtime class, WebLogic security provider.
- security provider database
- Database that contains the users, groups, security policies, roles, and credentials used by some types of security providers to provide security services. The security provider database can be the embedded LDAP server (as used by the WebLogic security providers), a properties file (as used by the sample security providers), or a production-quality database that you may already be using. See also credential, embedded LDAP server, group, security role, security policy, WebLogic security provider.
- security realm
- In WebLogic Server 6.x, security realms provided authentication and authorization services. You chose from the File realm or a set of alternative security realms including the Lightweight Directory Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. If you wanted to customize authentication, you could write your own security realm and integrate it into the WebLogic Server environment. A security realm applied to a domain, and you could not have multiple security realms in a domain. See also File realm.
- In this release of WebLogic Server, security realms act as a scoping mechanism. Each security realm consists of a set of configured security providers, users, groups, roles, and security policies. You can configure multiple security realms in a domain; however, only one can be the default (active) security realm. WebLogic Server provides two default security realms: myrealm and Compatibility realm. You can access an existing 6.x security configuration through the Compatibility realm. You can no longer write a custom security realm using the application programming interfaces in this release of WebLogic Server; rather, you configure a new security realm to provide the security services you want and then set the new security realm as the default security realm. See also Compatibility realm, default realm, Domain Configuration Wizard, security provider, WebLogic resource.
- security role
- Abstract, logical collections of users similar to a group. The difference between groups and roles is that a group is a static identity that a server administrator assigns, while membership in a role is dynamically calculated based on data such as user name, group membership, or the time of day. Roles are granted to individual users or to groups, and multiple roles can be used to create security policies for a WebLogic resource. Once you create a role, you define an association between the role and a WebLogic resource. This association (called a security policy) specifies who has what access to the WebLogic resource. See also dynamic role computation, global role, group, scoped role, security policy, user, WebLogic resource.
- Security Service Provider Interface (SSPI)
- Interfaces implemented by security providers, both BEA and custom providers. The WebLogic Security Framework calls methods in these interfaces to perform the security operation. See also security provider, WebLogic Security Framework.
- single sign-on
- Ability to require a user to sign on to an application only once and gain access to many different application components, even though these components may have their own authentication schemes. Single sign-on is achieved using identity assertion, LoginModules, and tokens. See also authentication, Identity Assertion, LoginModule, token, user.
- SSL hardware accelerator
- A peripheral Secure Sockets Layer (SSL) platform that attaches to a Web switch with the express purpose of improving SSL performance for a client. For example, the Alteon SSL Accelerator can be used with WebLogic Server. This accelerator performs a TCP handshake with the client (in this case, WebLogic Server) through a Web switch and performs all the SSL encryption and decryption for the session.
- SSL tunneling
- Tunneling Secure Sockets Layer (SSL) over an IP-based protocol. Tunneling means that each SSL record is encapsulated and packaged with the headers needed to send the record over another protocol.
- SSPI MBean
- Interfaces used by BEA to generate MBean types for the WebLogic security providers, and from which you generate MBean types for custom security providers. SSPI MBeans may be required (for configuration) or optional (for management). See also MBean type, custom security provider, WebLogic security provider.
- subject
- Container for authentication information, including principals, as specified by the Java Authentication and Authorization Service (JAAS). Both users and groups can be used as principals by application servers like WebLogic Server. A subject can contain any number of principals. See also authentication, group, Java Authentication and Authorization Service (JAAS), principal, user.
- symmetric key cryptography
- A key-based cryptography that uses an encryption algorithm in which the same key is used both to encrypt and decrypt the data. Symmetric key cryptography is also called secret key cryptography. See also asymmetric key cryptography.
- token
- Artifact used as part of the authentication process. When using Identity Assertion, a token must be presented to determine whether the user has been authenticated. Tokens come in many different types, including Kerberos and SAML. See also authentication, Identity Assertion, SSL tunneling, user.
- Trust Manager
- An interface that enables you to override validation errors in a peer's digital certificate and continue the SSL handshake. You can also use the interface to discontinue an SSL handshake by performing additional validation on a server's digital certificate chain.
- trusted (root) CA
- A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The function of the trusted certificate authority (CA) is similar to that of a Notary Public: to guarantee the identity of the individual or organization presenting the certificate. Thus, trusted CAs issue certificates that are used to sign other certificates. CAs are referred to as root CAs because their authority is recognized and, therefore, they do not need anyone to validate their identity. Trusted (root) CA certificates are installed into applications that authenticate certificates. For example, Web browsers are usually distributed with several common trusted (root) CA certificates pre-installed. See also private key, public key.
- two-way SSL authentication
- Authentication that requires that both the client and the server present a certificate before the connection thread is enabled between the two. With two-way SSL authentication, WebLogic Server not only authenticates itself to the client (which is the minimum requirement for certificate authentication), it also requires authentication from the requesting client. Clients are required to submit digital certificates issued by a trusted certificate authority. This type of authentication is useful when you must restrict access to trusted clients only. Two-way SSL authentication is a form of mutual authentication. See also authentication, digital certificate, mutual authentication, trusted (root) CA, Secure Sockets Layer (SSL).
- user
- Entities that use WebLogic Server, such as application end users, client applications, and other instances of WebLogic Server. Users may be placed into groups that are associated with roles, or be directly associated with roles. See also entity, group, security role.
- UNIX security realm
- A WebLogic Server 6.x security realm. In WebLogic Server 6.x, security realms provided authentication and authorization services. You can choose from the File realm or a set of alternative security realms including the Lightweight Directory Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. The UNIX security realm executes a small native program, wlauth, to look up Users and Groups and to authenticate users on the basis of their UNIX login names and passwords. The wlauth program uses PAM (Pluggable Authentication Modules), which allows you to configure authentication services in the operating system without altering applications that use the service. In this release of WebLogic Server, you can only use the UNIX security realm when using Compatibility security. See also authentication, authorization, Compatibility security, group, security realm.
- WebLogic container
- To be supplied.
- WebLogic MBeanMaker
- Command-line utility that takes an MBean Definition File (MDF) as input and outputs files for an MBean type. See also MBean Definition File (MDF), MBean type.
- WebLogic resource
- Entities that are accessible from WebLogic Server, such as events, servlets, JDBC connection pools, JMS destinations, JNDI contexts, connections, sockets, files, and enterprise applications and resources, such as databases. See also entity.
- WebLogic Security Framework
- Interfaces in the weblogic.security.service package that unify security enforcement and present security as a service to other WebLogic Server components. Security providers call into the WebLogic Security Framework on behalf of applications requiring security services. See also security provider.
- WebLogic security provider
- A security provider supplied by BEA Systems as part of the WebLogic Server product. See also custom security provider, security provider.
- WebLogic Server domain
- A collection of servers, services, interfaces, machines, and associated WebLogic resource managers defined by a single configuration file. See also WebLogic resource.
- Windows NT security realm
- A WebLogic Server 6.x security realm. In WebLogic Server 6.x, security realms provided authentication and authorization services. You can choose from the File realm or a set of alternative security realms including the Lightweight Directory Access Protocol (LDAP), Windows NT, Unix, or RDBMS realms. The Windows NT security realm uses account information defined for a Windows NT domain to authenticate Users and Groups. In this release of WebLogic Server, you can only use the Windows NT security realm when using Compatibility security. See also authentication, authorization, Compatibility security, group, security realm, user.