| products | dev2dev | support | askBEA
 Download Docs   Site Map   Glossary 

Developing Web Applications for WebLogic Server

 Previous Next Contents Index View as PDF  

Configuring Security in Web Applications

The following sections describe how to configure security in Web Applications:

To see overview, upgrade, and new information about WebLogic Server security, see Programming WebLogic Security.


Overview of Configuring Security in Web Applications

You can secure a Web Application by using authentication, by restricting access to certain resources in the Web Application, or by using security calls in your servlet code. At runtime, the WebLogic Server active security realm applies the Web application security constraints to the specified Web Application resources. For more information, see Programming WebLogic Security. Note that a security realm is shared across multiple virtual hosts.


Setting Up Authentication for Web Applications

To configure authentication for a Web Application, use the <login-config> element of the web.xml deployment descriptor. In this element you define the security realm containing the user credentials, the method of authentication, and the location of resources for authentication.

On application deployment, WebLogic Server reads role information from the weblogic.xml file. This information is used to populate the Authorization provider configured for the security realm. Once the role information is in the Authorization provider, changes made through the WebLogic Server Administration Console are not persisted to the weblogic.xml file.

Before you redeploy the application (which occurs when you redeploy it through the Console, modify it on disk, or restart WebLogic Server), you must enable the Ignore security data in deployment descriptors attribute on the Security Realm > General tab. Otherwise, the old data in the weblogic.xml file will overwrite any changes made using the WebLogic Server Administration Console.

To set up authentication for Web Applications:

  1. Open the web.xml deployment descriptor in a text editor or using WebLogic Builder. For more information, see Web Application Developer Tools.
  2. Specify the authentication method using the <auth-method> element. The available options are:


    Basic authentication uses the Web Browser to display a username/password dialog box. This username and password is authenticated against the realm.


    Form-based authentication requires that you return an HTML page, JSP, or servlet form that renders a login screen. The fields returned from the form elements must be: j_username and j_password, and the action attribute must be j_security_check. Here is an example of the HTML coding for using FORM authentication:

Listing 6-1 Example FORM Authentication

		<title>My Web Application</title>
		<p>Welcome to my Web application! Please log in </p>
		<form method="POST" action="j_secuirty_check">
		<p>Password: <input type="password" 
		<p><input type="submit" name="Submit" 

The resource used to generate the HTML form may be an HTML page, a JSP, or a servlet. You define this resource with the <form-login-page> element.

The HTTP session object is created when the login page is served. Therefore, the session.isNew() method returns FALSE when called from pages served after successful authentication.


Uses client certificates to authenticate the request. For more information, see Configuring the SSL Protocol

  1. If you choose FORM authentication, also define the location of the resource used to generate the HTML page, JSP, or servlet with the <form-login-page> element and the resource that responds to a failed authentication with the <form-error-page> element. For instructions on configuring form authentication, see form-login-config.
  2. Specify a realm for authentication using the <realm-name> element. If you do not specify a particular realm, the realm defined with the Auth Realm Name field on the Web Application—> Configuration—>Other tab of the Administration Console is used. For more information, see form-login-config.
  3. If you want to define a separate login for a Web Application, see Multiple Web Applications, Cookies, and Authentication. Otherwise, all Web Applications that use the same cookie use a single sign-on for authentication.


Multiple Web Applications, Cookies, and Authentication

By default, WebLogic Server assigns the same cookie name (JSESSIONID) to all Web Applications. When you use any type of authentication, all Web Applications that use the same cookie name use a single sign-on for authentication. Once a user is authenticated, that authentication is valid for requests to any Web Application that uses the same cookie name. The user is not prompted again for authentication.

If you want to require separate authentication for a Web Application, you can specify a unique cookie name or cookie path for the Web Application. Specify the cookie name using the CookieName parameter and the cookie path with the CookiePath parameter, defined in the WebLogic-specific deployment descriptor weblogic.xml, in the <session-descriptor> element. For more information, see jsp-descriptor.

If you want to retain the cookie name and still require independent authentication for each Web Application, you can set the cookie path parameter (CookiePath) differently for each Web Application.


Restricting Access to Resources in a Web Application

To restrict access to specified resources (servlets, JSPs, or HTML pages) in your Web Application, apply security constraints to those resources.

To configure a security constraint:

  1. Open the web.xml and weblogic.xml deployment descriptors in a text editor or in the Administration Console. For more information, see Web Application Developer Tools.
  2. In the WebLogic-specific deployment descriptor, weblogic.xml, define a role that is mapped to one or more principals in a security realm. Define roles with the security-role. Then map these roles to principals in your realm with the security-role-assignment.
  3. In web.xml, define which resources in the Web Application the security constraint applies to by using the <url-pattern> element that is nested inside the <web-resource-collection> element. The <url-pattern> can refer to a directory, filename, or a <servlet-mapping>.

    Alternatively, to apply the security constraint to the entire Web Application, use the following entry:


  4. In web.xml, define the HTTP method(s) (GET or POST) that the security constraint applies to by defining the <http-method> element that is nested inside the <web-resource-collection> element. Use separate <http-method> elements for each HTTP method.
  5. In web.xml, define whether to use SSL for communication between client and server using the <transport-guarantee> element nested inside of the <user-data-constraint> method.

Listing 6-2 Sample Security Constraint

web.xml entries:
             Security constraint for
             resources in the orders/east directory
           constraint for east coast sales
          <description>SSL not required</description>


Using Users and Roles Programmatically in Servlets

You can write your servlets to access users and roles programmatically in your servlet code using the method javax.servlet.http.HttpServletRequest.isUserInRole(String role). The string role is mapped to the name supplied in the <role-name> element nested inside the <security-role-ref> element of a <servlet> declaration in the Web Application deployment descriptor. The <role-link> element maps to a <role-name> defined in the <security-role> element of the Web Application deployment descriptor.

The following listing provides an example.

Listing 6-3 Example of Security Role Mapping

Servlet code: 
web.xml entries:
. . .
. . .
weblogic.xml entries:


Back to Top Previous Next