Introduction

This document is intended for application developers who want to incorporate security into their WebLogic Server applications. It provides an overview of the WebLogic security APIs and describes how to use them.

Figure 1-1 illustrates how different types of users would interact with the software architecture of the BEA WebLogic Server security service. The new security architecture has benefits for three categories of users: application developers, third-party security service vendors, and administrators.

Application developers use the WebLogic.Security and Java 2 security application programming interfaces (APIs) to secure their applications. Therefore, this document provides instructions for using those APIs for securing Web applications, Java applications, and Enterprise JavaBeans (EJBs).

Security vendors use the Security Service Provider Interfaces (SSPIs) to develop custom security providers for use with WebLogic Server. Sophisticated application developers may be tasked with performing this function as well, however, this document does not address this task. For information on how to use the SSPIs to develop custom security providers, see Developing Security Providers for WebLogic Server.

While administrators typically use the Administration Console to deploy, configure, and manage applications when they put the applications into production, application developers may also use the Administration Console to test their applications before they are put into production. At a minimum, testing requires that applications be deployed and configured. While this document does mention some aspects of administration as it relates to security, it references Managing We bLogic Security, WebLogic Server Administration Guide, and other documents for descriptions of how to use the Administration Console to perform security tasks.

The procedures and code examples provided in this document assume that you are using the WebLogic security providers that are included in the WebLogic Server distribution, not custom security providers. The usage of the Weblogic security APIs does not change if you elect to use custom security providers, however, the management procedures of the custom security providers may be different.

Note: This document does not provide comprehensive instructions on how to configure WebLogic Security providers or custom security providers. For information on configuring WebLogic Security providers and custom security providers, see Managing WebLogic Security.

Security refers to techniques for ensuring that data stored in a computer or passed between computers is not compromised. Most security measures involve proof material and data encryption. Proof material is typically a secret word or phrase that gives a user access to a particular application or system. Data encryption is the translation of data into a form that cannot be interpreted.

Distributed applications, such as those used for electronic commerce (e-commerce), offer many access points at which malicious people can intercept data, disrupt operations, or generate fraudulent input. As a business becomes more distributed the probability of security breaches increases. Accordingly, as a business distributes its applications, it becomes increasingly important for the distributed computing software upon which such applications are built to provide security.

An application server resides in the sensitive layer between end users and your valuable data and resources. WebLogic Server provides authentication, authorization, and encryption services with which you can guard your resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment.

Therefore, whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.

Another good strategy is to read as much as possible about security issues. For the latest information about securing Web servers, BEA recommends reading the Security Improvement Modules, Security Practices, and Technical Implementations information available from the CERT^TM Coordination Center operated by Carnegie Mellon University.

BEA suggests that you apply the remedies recommended in our security advisories. In the event of a problem with a BEA product, BEA distributes an advisory and instructions with the appropriate course of action. If you are responsible for security related issues at your site, please register to receive future notifications. BEA has established an e-mail address (security-report@bea.com) to which you can send reports of any possible security issues in BEA products. In addition, you are advised to apply every Service Pack as they are released. Service Packs include a roll up of all bug fixes for each version of the product, as well as each of the previously released Service Packs.

Partner products that can also help you in your effort to secure the WebLogic Server production environment. For more information, see the BEA Partner's Page.

This section lists the Security packages and classes that are implemented and supported by WebLogic Server. Application programmers use these packages to secure interactions between WebLogic Server and client applications, Enterprise JavaBeans (EJBs), and Web applications. Table 1-1 lists the supported Sun Java security packages. Table 1-2 lists the supported WebLogic security packages.

Note: Several of the WebLogic security packages, classes, and methods are being deprecated in this release of WebLogic Server. For more detailed information on deprecated packages and classes, see the particular package, class, or method in WebLogic javadoc.

Table 1-1 Supported Java Security Packages and Classes

Package or Class	Description
java.security.cert	Provides classes and interfaces for parsing and managing certificates, certificate revocation lists (CRLs), and certification paths. It contains support for X.509 v3 certificates and X.509 v2 CRLs.
java.security.KeyStore	This class represents an in-memory collection of keys and certificates. It is used to manage two types of keystore entries: Key and Trusted Certificate.
java.security.PrivateKey	A private key. Private keys are used by entities for self-authentication.
java.security.Provider	This class represents a "Cryptographic Service Provider" for the Java Security API, where a provider implements some or all parts of Java Security. To supply implementations of cryptographic services, a team of developers writes the implementation code and creates a subclass of the Provider class.
javax.crypto	Provides the classes and interfaces for cryptographic operations. The cryptographic operations defined in this package include encryption, key generation and key agreement, and Message Authentication Code (MAC) generation. Support for encryption includes symmetric, asymmetric, block, and stream ciphers. This package also supports secure streams and sealed objects. Many classes provided in this package are provider-based (see the java.security.Provider class). The class itself defines a programming interface to which applications may write. The implementations themselves may then be written by independent third-party vendors and plugged in seamlessly as needed. Therefore, application developers may take advantage of any number of provider-based implementations without having to add or rewrite code.
javax.naming	Provides the classes and interfaces for accessing naming services.
javax.net	Provides classes for networking applications. These classes include factories for creating sockets. Using socket factories you can encapsulate socket creation and configuration behavior.
javax.net.SSL	The classes and interfaces in this package are supported by WebLogic Server, but BEA recommends that you use the weblogic.security.SSL package when you use SSL with WebLogic Server.
javax.security.cert	Provides classes for public key certificates.
javax.servlet	Contains classes and interfaces that describe and define the contracts between a servlet class and the runtime environment provided for an instance of such a class by a conforming servlet container.
javax.servlet.http	Contains classes and interfaces that describe and define the contracts between a servlet class running under the HTTP protocol and the runtime environment provided for an instance of such a class by a conforming servlet container.
javax.security.auth	Provides classes for performing JAAS-style LoginContext and Subject based authentication. This package provides a framework for authentication. The framework allows authentication to be performed in pluggable fashion. Different authentication modules can be plugged in for use with an application without requiring modifications to the application itself. Note: WebLogic Server provides full container support for JAAS authentication and supports full use of JAAS authentication and authorization in application code.

Table 1-2 Supported WebLogic Security Packages

Package	Description
weblogic.security	Several classes deprecated in this release of WebLogic Server. Provides interfaces and classes for mapping digital certificates sent from Web browsers and Java clients to WebLogic Server. This class makes it unnecessary for a user with a valid digital certificate to enter a username and password when accessing resources in WebLogic Server. Note: Several classes in this package are deprecated in this release of WebLogic Server; instead, the WebLogic security infrastructure and default WebLogic security providers are used to enforce security in WebLogic Server.
weblogic.security.acl	Provides interfaces and classes for creating custom security realms to access WebLogic Server users, groups, or ACLs from an external store. In addition, this package is used to test custom ACLs in server-side programs. Note: The use of ACLs is deprecated in this release of WebLogic Server; instead, security policies and a default WebLogic security Authorization provider are used to control access to server resources in WebLogic Server.
weblogic.security.audit	Provides interfaces and classes for auditing security events. WebLogic Server calls the Audit class with information about authentication and authorization requests. The package can be used to filter the authorization and authentication requests and direct them to a log file or other administrative facility. Note: This package is being deprecated in this release of WebLogic Server. It is replaced by the new security infrastructure which includes a WebLogic security Auditing provider.
weblogic.security.auth	Provides an authorization programming interface. Note: This package is being deprecated in this release of WebLogic Server. It is replaced by the new security infrastructure which includes a WebLogic security Authorization provider.
weblogic.security.net	Provides interfaces and classes that are used to examine connections to WebLogic Server and allow or deny the connections based on attributes such as the IP address, domain, or protocol of the initiator of the network connection.
weblogic.net.http. HTTPsURLConnection	Provides a class to represent an HTTPS connection to a remote object. This class is used to make an outbound SSL connection from a WebLogic Server acting as a client to another WebLogic Server.
weblogic.security.SSL	Provides classes for the secure socket package. Using these classes, you can communicate using SSL to reliably detect any errors introduced into the network byte stream and to optionally encrypt the data and/or authenticate the communicating peers. Note: Some interfaces and classes in this package are deprecated in this release of WebLogic Server; instead the WebLogic security infrastructure and the Administration Console are used to configure SSL in WebLogic Sever.
weblogic.security.service	Provides the ContextHandler and ContextElement classes for developing custom security providers.
weblogic.security.services	Provides server-side authentication class.