| products | dev2dev | support | askBEA
 Download Docs   Site Map   Glossary 

Managing WebLogic Security

 Previous Next Contents View as PDF  

Using the Java Security Manager

The Java security manager can be used with WebLogic Server to provide additional protection for resources running in a Java Virtual Machine (JVM). Using a Java Security Manager is an optional security step. The following sections describe how to use the Java security manager with WebLogic Server:


Setting Up the Java Security Manager

When you run WebLogic Server under Java 2 (JDK 1.2 or 1.3), WebLogic Server can use the Java security manager in Java 2 which prevents untrusted code from performing actions that are restricted by the Java security policy file.

The JVM has security mechanisms built into it that allow you to define restrictions to code through a Java security policy file. The Java security manager uses the Java security policy file to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to permit or not permit certain runtime operations. In many cases, where the threat model does not include malicious code being run in the JVM, the Java security manager is unnecessary. However, when third-parties use WebLogic Server and unknown classes are being run, the Java security manager may be useful.

To use the Java security manager with WebLogic Server, specify the argument when starting WebLogic Server. The argument specifies a filename (using a relative or fully-qualified pathname) that contains Java 2 security policies.

WebLogic Server provides sample Java security policy file, which you can edit and use. The file is located in WL_HOME\server\lib\weblogic.policy.

If you enable the Java security manager but do not specify a security policy file, the Java security manager uses the default security policies defined in the and java.policy files in the $JAVA_HOME/jre/lib/security directory.

Define security policies for the Java security manager in one of the following ways:

Modifying the weblogic.policy file for General Use

To use the Java security manager security policy file with your WebLogic Server deployment, set the following arguments on the Java command line when you start WebLogic Server:

For example:


Be sure to use == instead of = when specifying the argument so that only the weblogic.policy file is used by the Java security manager. The == causes the weblogic.policy file to override any default security policy. A single equal sign (=) causes the weblogic.policy file to be appended to an existing security policy.

If you have extra directories in your CLASSPATH or if you are deploying applications in extra directories, add specific permissions for those directories to your weblogic.policy file.

BEA recommends taking the following precautions:

Caution: The Java security manager is partially disabled during the booting of Administration and Managed Servers. During the boot sequence, the current Java security manager is disabled and replaced with a variation of the Java security manager that has the checkRead() method disabled. While disabling this method greatly improves the performance of the boot sequence, it also minimally diminishes security. The startup classes for WebLogic Server are run with this partially disabled Java security manager and therefore the classes need to be carefully scrutinized for security considerations involving the reading of files.

For more information about the Java security manager, see the Javadoc shipped with the JDK.

Setting Application-Type Security Policies

Note: You cannot modify security policies for Web applications.

Set default security policies for EJBs, and J2EE Connector Resource Adapters in the Java security policy. The default security policies for EJBs, and Resource Adapters are defined in the Java security policy file under the following codebases:

Note: These security policies apply to all EJBs, and Resource Adapters deployed in that particular instance of WebLogic Server.

Setting Application-Specific Security Policies

Note: You cannot modify security policies for Web applications.

Set security policies for a specific EJB, or Resource adapter by adding policies to their deployment descriptors. Deployment descriptors are defined in the following files:

Note: The security policies for Resource Adapters follow the J2EE standard while the security policies for EJBs follow the WebLogic Server extension to the J2EE standard.

Use the following syntax to add a security policy to a deployment descriptor:

//Protect foo operation
//Grant statements
grant {
permission java.lang.RuntimePermission("foo");
permission otherPermission;

Note: The security-permission-spec attribute cannot currently be added to a weblogic-application.xml file, you are limited to using this attribute within a weblogic-ejb-jar.xml or weblogic.xml file.

Variables are not supported in the security-permission-spec attribute.


Using the Recording Security Manager Utility

The Recording Security Manager utility can be used to detect permission problems that occur when starting and running WebLogic Server. The utility outputs permissions that can be added to your Java security policy file to resolve the permission problems that the utility finds. The Recording Security Manager is available at the BEA dev2dev Online.


Back to Top Previous Next