Understanding
WebLogic Security

Overview of the WebLogic Security Service

The following sections introduce the WebLogic Security Service and its features:

Introduction to the WebLogic Security Service

Deploying, managing, and maintaining security is a huge challenge for an information technology (IT) organization that is providing new and expanded services to customers using the Web. To serve a worldwide network of Web-based users, an IT organization must address the fundamental issues of maintaining the confidentiality, integrity and availability of the system and its data. Challenges to security involve every component of the system, from the network itself to the individual client machines. Security across the infrastructure is a complex business that requires vigilance as well as established and well-communicated security policies and procedures.

WebLogic Server includes a security architecture that provides a unique and secure foundation for applications that are available via the Web. By taking advantage of the new security features in WebLogic Server, enterprises benefit from a comprehensive, flexible security infrastructure designed to address the security challenges of making applications available on the Web. WebLogic security can be used standalone to secure WebLogic Server applications or as part of an enterprise-wide, security management system that represents a best-in-breed, security management solution.

Features of the WebLogic Security Service

The open, flexible security architecture of WebLogic Server delivers advantages to all levels of users and introduces an advanced security design for application servers. Companies now have a unique application server security solution that, together with clear and well-documented security policies and procedures, can assure the confidentiality, integrity and availability of the server and its data.

The key features of the WebLogic Security Service include:

A comprehensive and standards-based design.
End-to-end security for WebLogic Server-hosted applications, from the mainframe to the Web browser.
Legacy security schemes that integrate with WebLogic Server security, allowing companies to leverage existing investments.
Security tools that are integrated into a flexible, unified system to ease security management across the enterprise.
Easy customization of application security to business requirements through mapping of company business rules to security policies.
A consistent model for applying security policies to J2EE and application-defined resources.
Easy updates to security policies. This release includes usability enhancements to the process of creating security policies as well as additional expressions that control access to WebLogic resources.
Easy adaptability for customized security solutions.
A modularized architecture, so that security infrastructures can change over time to meet the requirements of a particular company.
Support for configuring multiple security providers, as part of a transition scheme or upgrade path.
A separation between security details and application infrastructure, making security easier to deploy, manage, maintain, and modify as requirements change.
Default, WebLogic security providers that provide you with a working security scheme out of the box. This release supports additional authentication stores such as databases, and Windows NT account information.
Customization of security schemes using custom security providers
Unified management of security rules, security policies, and security providers through the WebLogic Server Administration Console.
Support for standard J2EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Extensions (JCE), and Java Authorization Contract for Containers (JACC).
A foundation for web services security including support for SAML.
Capabilities which allow WebLogic Server to participate in single sign-on (SSO) with Web sites, Web applications, and Desktop clients.
A framework for managing public keys which includes certificate lookup, verification, validation, and revocation as well as a certificate registry.
Improved performance of the Secure Sockets Layer (SSL) protocol and the LDAP Authentication providers.

Balancing Ease of Use and Customizability

The components and services of the WebLogic Security Service seek to strike a balance between ease of use, manageability (for end users and administrators), and customizability (for application developers and security developers). The following paragraphs highlight some examples:

Easy to use: For the end user, the secure WebLogic Server environment requires only a single sign-on for user authentication (ascertaining the user's identity). Users do not have to re-authenticate within the boundaries of the WebLogic Server domain that contains application resources. Single sign-on allows users to log on to the domain once per session rather than requiring them to log on to each resource or application separately.

For the developer and the administrator, WebLogic Server provides a new Domain Configuration Wizard to help with the creation of new domains with an administration server, managed servers, and optionally, a cluster, or with extending existing domains by adding individual severs. The Domain Configuration Wizard also automatically generates a config.xml file and start scripts for the server(s) you choose to add to the new domain.

Manageable: Administrators who configure and deploy applications in the WebLogic Server environment can use the WebLogic security providers included with the product. These default providers support all required security functions, out of the box. An administrator can store security data in the WebLogic Server-supplied, security store (an embedded, special-purpose, LDAP directory server) or use an external LDAP server, database, or user source. To simplify the configuration and management of security in WebLogic Server, a robust, default security configuration is provided.

Customizable: For application developers, WebLogic Server supports the WebLogic security API and J2EE security standards such as JAAS, JSS, JCE, and JACC. Using these APIs and standards, you can create a fine-grained and customized security environment for applications that connect to WebLogic Server.

For security developers, the WebLogic Server Security Service Provider Interfaces (SSPIs) support the development of custom security providers for the WebLogic Server environment.

New and Changed Features in This Release

The following features have been added to the WebLogic Security Service in this release.

Support for Additional Security Standards

Support for the Java Authorization Contract for Containers (JACC) Standard has been added in this release of WebLogic Server. JACC can be used as a replacement for the EJB and Servlet container deployment and authorization provided by WebLogic Server.

When JACC is configured for use in a WebLogic Server domain, EJB and servlet authorization decisions are made by the classes in the JACC framework. All other authorization decisions within WebLogic Server are still determined by the WebLogic Security Framework.

Single Sign-On Capabilities

Single sign-on (SSO) is the ability to require a user to sign on to an application only once and gain access to many different application components, even though these components may have their own authentication schemes. This release of WebLogic Server supports SSO with web browsers, HTTP clients, and Desktop clients.

SSO with web browsers and HTTP clients can be achieved through the use of the Security Assertion Markup Language (SAML). WebLogic Server provides a SAML Inter-site Transfer Service (ITS), an Assertion Consumer Service (ACS), and an Assertion Retrieval Service (ARS) which allow WebLogic Server to support the SAML POST and Artifact profiles. The SAML capabilities in WebLogic Server allow SSO between WebLogic domains as well as between WebLogic Server and other vendor's SAML-capable servers or between applications in a single WebLogic domain. WebLogic Server uses a SAML Credential Mapping and a SAML Identity Assertion provider to generate and consume the assertions used by the SSO profiles. This release of WebLogic Server supports SAML 1.1.

WebLogic Web services supports the SAML Token profile, both as a web services client and a web services server.

SSO with Desktop clients is possible using HTTP and Kerberos-based authentication in conjunction with WebLogic Server. SSO is achieved by implementing the Negotiate behavior of native Windows-to-Windows authentication services. SSO is accomplished through the use of a servlet authentication filter that handles the header manipulation required by the Simple and Protected Negotiate (SPNEGO) and a Negotiate Identity Assertion provider handles identity assertion based on SPNEGO tokens.

Support for Certificate Lookup and Validation

The WebLogic Security service now provides a framework that finds and validates X509 certificate chains for inbound 2-way SSL, outbound SSL, application code, and WebLogic Web services. The framework extends and completes the JDK CertPath functionality. The functionality is exposed through the WebLogic CertPath provider and the Certificate Registry which can be configured through the WebLogic Administration Console.

New SSL Features

The following SSL features have been added:

SSL attributes for network channels which allow you to specify identity certificates and private key information and one- and two-way SSL options for individual channels. In previous releases, network channels used the SSL attributes defined for the SSL port of the server.
Dynamic SSL attributes for the server. Changes made to the SSL attributes for a particular server through the WebLogic Server Administration Console will now take effect without rebooting the server. In addition, SSL server channels can now be restarted using the WebLogic Server Administration Console. This feature is intended for circumstances when changes were not made through the console. For example, specifying the keystore used by the server.

New Security Providers

The following sections describe the new security providers available in this release.

Authentication Providers

A set of Database Base Management System (DBMS) authentication providers that access user, password, group, and group membership information stored in databases for authentication purposes. Optionally, WebLogic Server can be used to manage the user, password, group, and group membership information. The DBMS Authentication providers can be used to upgrade from the RDBMS security realm.

The following DBMS Authentication providers are available:

SQL Authentication provider—A manageable authentication provider that supports the listing and editing of user, password, group, and group membership information.
Read-only SQL Authentication provider—An authentication provider that supports authentication of users in a database and the listing of the contents of the database through the WebLogic Server Administration Console. The authentication provider requires a specific set of SQL statements so it might not meet all customer needs.
Custom DBMS Authentication provider—A run-time authentication provider that only supports authentication. This provider require customer-written code that handles querying the database to obtain authentication information.This authentication provider is a flexible alternative that allows customer to adapt a DBMS Authentication provider to meet their special database needs.

A Windows NT Authentication provider that enables the use of Windows NT users and groups for authentication purposes. The Windows NT Authentication provider is the upgrade path for the Window NT security realm. The Windows NT users and groups are displayed through the WebLogic Server Administration Console however, they cannot be managed through the console.

Identity Assertion Providers

An LDAP X509 Identity Assertion provider which receives an X509 certificate, looks up the LDAP object for the user associated with that certificate, ensures that the certificate in the LDAP object matches the presented certificate, and then retrieves the name of the user from the LDAP object for the purpose of authentication.
The Negotiate Identity Assertion provider decodes SPNEGO tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users. The Negotiate Identity Assertion provider utilizes the Java Generic Security Service (GSS) Application Programming Interface (API) to accept the GSS security context via Kerberos.The Negotiate Identity Assertion provider is for Windows NT Integrated Login.
The SAML Identity Assertion provider validates SAML 1.1 assertions and verifies the issuer is trusted. If so, identity is asserted based on the AuthenticationStatement contained in the assertion.

Credential Mapping Providers

The PKI (Public Key Infrastructure) Credential Mapping provider included in WebLogic Server maps a WebLogic Server subject (the initiator) and target resource (and an optional credential action) to a public/private key pair or public certificate that should be used by the application when using the targeted resource. This provider can also map an alias to a public/private key pair or public certificate. The PKI Credential Mapping provider uses the subject and resource name, or the alias, to retrieve the corresponding credential from the keystore.
The SAML Credential Mapping provider generates SAML 1.1 assertions for authenticated subjects based on a target site or resource. If the requested target has not been configured and no defaults are set, an assertion will not be generated. User information and group membership (if configured as such) are put in the AttributeStatement.

Certificate Lookup and Validation Providers

WebLogic CertPath provider supports the Certificate lookup and validation framework. This provider completes certificate paths and validates the certificates using the trusted CA configured for a particular server instance.

The WebLogic CertPath provider also checks the signatures in the chain, ensures that the chain has not expired, and checks that one of the certificates in the chain is issued by one of the trusted CAs configured for the server. If any of these checks fail, the chain is not valid.
Finally, the provider checks that the each certificate's basic constraints (that is, the ability of the certificate to issue other certificates) are correct.
The WebLogic CertPath provider can be used as the CertPath Builder and CertPath Validator in a security realm or it can be used only as the CertPath Builder.

The Certificate Registry also supports the Certificate lookup and validation framework. The registry allows the system administrator to explicitly configure a list of trusted CA certificates that are allowed access to the server. The Certificate Registry provides an inexpensive mechanism for performing revocation checking. An administrator revokes a certificate by removing it from the certificate registry. The registry is stored in the embedded LDAP server.

The Certificate Registry is both a CertPath Builder and a CertPath Validator.

When it is configured as the CertPath Builder in a security realm, the Certificate Registry it is used as a builder and a validator. In this circumstance, the Certificate Registry completes the certificate chain and validates the certificates in the chain against the trusted CA certificates stored in the registry.
When configured as the CertPath Validator in a security realm, the Certificate Registry ensures that the client's certificate is stored in the registry.

Enhancements to WebLogic Security Providers

The following enhancements have been made to the WebLogic security providers:

The WebLogic Auditing provider can now be configured to audit data for many types of ContextElements. A set of supported context elements (such as HTTP servlet requests or EJB parameters) have been defined. The WebLogic Auditing provider lists the ContextElement that is supports and that are enabled. Once configured, the WebLogic Auditing provider writes the generated data out to the audit log.

In addition, the WebLogic Auditing provider supports a new mixin management interface, weblogic.management.security.audit.ContextHandler, which indicates whether or not the WebLogic Auditing provider supports auditing context elements. Custom auditing providers can also implement this interface.

The WebLogic Credential Mapping provider stores, retrieves, and manages credentials based on an alias and credential type.
The WebLogic Authentication provider now supports Web Services security username and password digests.The provider stores this digest in encrypted form. This enhancement allows WebLogic Web services to specify a username and password via the UsernameToken element. Note this element does not support HTTP username and password digest.
The WebLogic Identity Assertion provider supports a Digest token type.
The WebLogic Authorization provider supports new default security predicates for accessing HTTP Servlet requests, HTTP Session attributes, and any element passed to the provided in the ContextHandler.In addition, new Date and Time predicates are available.
Attributes which optimize the performance of the WebLogic Authentication provider and LDAP Authentication providers are now available. Performance can be improved in the following ways:

Configure the Active Directory Authentication provider to perform group membership lookups using the tokenGroups attribute. The tokenGroups attribute holds the entire flattened group membership for a user as an array of SID values. The SID values are specially indexed in the Active Directory and yield extremely fast lookup response.
Optimize the configuration the group membership caches used by the WebLogic and LDAP Authentication providers.
Expose the internal PrincipalValidator cache and increase its thresholds.

Enhancements to the Security Service Programming Interfaces (SSPIs)

The following enhancements were made to the SSPIs:

Additional context handler support

A context handler that contains additional context and container-specific information from the resource container, and provides that information to the security provider making the access or role mapping decision. Context handler support is now available for the following methods:

Adjudicator.adjudicate()
LoginModule.login()
IdentityAsserter.assertIdentity()
AuditAtnEvent
CredentialMapper.getCredentials()

Servlet authentication filters

Servlet authentication filters are a new provider type that perform pre and post processing for identity assertion and authentication functions. Filters provide the ability to encapsulate recurring tasks in reusable units and can be used to transform the response from a servlet or JSP page.