Securing WebLogic Resources

Introduction and Roadmap

The following sections describe the content and organization of this document:

• Document Scope
• Guide to this Document
• Related Information
• New and Changed Features In This Release

 

---

Document Scope

This document describes how to use security roles and security polices to protect different types of WebLogic resources. It includes information about resource types, options for securing EJB and Web application resources, different types of security roles and policies, and the components of a role and policy.

This document should be used in conjunction with:

• Securing WebLogic Server to ensure that security is comprehensively configured for a WebLogic Server® deployment.
• Secure WebLogic Resources in Administration Console Online Help. Provides instructions for accessing and securing WebLogic resources using the WebLogic Server Administration Console.

 

---

Documentation Audience

This document is intended for the these audiences:

• Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases.
• Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.

 

---

Guide to this Document

The document is organized as follows:

• Understanding WebLogic Resource Security, introduces some terms and concepts, provides a workflow summary, and outlines the main steps for securing WebLogic resources.
• Types of WebLogic Resources, describes the different types of WebLogic resources that can be secured using the WebLogic Server Administration Console.
• Options for Securing EJB and Web Application Resources,describes options for securing EJB and Web application resources using deployment descriptors and/or the WebLogic Server Administration Console.
• Users, Groups, And Security Roles, describes users and groups who access WebLogic resources, including WebLogic Server default groups. Also describes scoped security roles and global security roles, including WebLogic Server default global roles. A final section describes the components of a security role.
• Security Policies, describes security policies, including WebLogic Server default security policies. Also describes the components of a security policy.

Related Information

Other WebLogic Server documents that may be of interest to Server or Application Administrators wanting to secure WebLogic resources are:

• Understanding WebLogic Security—Summarizes the features of the WebLogic Security Service, including an overview of its architecture and capabilities. It is the starting point for understanding WebLogic security.
• Securing WebLogic Server—Explains how to configure security for WebLogic Server®, including information about security providers, identity and trust, SSL, and Compatibility security.

These documents provide additional information about specific resource types:

• Securing Web Applications, Securing Enterprise JavaBeans (EJBs) and Using Java Security to Protect WebLogic Resources in Programming WebLogic Security.
• Configure Access Control in Programming WebLogic jCOM (COM resources).
• Security in Programming WebLogic Resource Adapters (EIS resources).
• Configuring Security in Programming WebLogic Web Services (Web Services resources).

Tutorials and Samples

Additional security documents are listed on the Samples page.

 

---

New and Changed Features In This Release

WebLogic Server 9.0 introduces several changes to WebLogic Server resource security:

Resource Types

EJB and Web Application Resources

• Security Deployment Models—For each deployment, you can choose a model based on how you want to secure these resources; using the Administration Console, Deployment Descriptors, or a combination of descriptors and the console. You can still define a single model for all deployments in a security realm (now called the Advanced Model), which was the only option in the previous version. For more information, see Choose a Security Model.
• Limited Support for JAAC—If you are running servers within a WebLogic Server domain using JAAC (JSR-115) you are restricted to using the Deployment Descriptors security model.
• Combined Role Mapping—When you specify Deployment Descriptors for your security deployment model, WebLogic Server will ensure consistent behavior by combining application-defined role mappings with EJB and Web application role mappings. See Understanding the Combined Role Mapping Enabled Setting.

WorkContext

New resource type that can be secured using the Administration Console. See Work Context Resources.

Admin Resources

More methods (in addition to unlockUser) can be secured in the Administration Console. See Administrative Resources.

JDBC Resources

The list of Admin methods that can be accessed from the Administration Console has been updated. See Java DataBase Connectivity (JDBC) Resources.

Server Resources

Changes to methods that can be accessed and secured in the Administration Console: suspend and resume replace lock and unlock. See Server Resources.

Roles and Policies

Role and Policy Expressions

New built-in conditions are available for creating security role and policy expressions. See Components of a Security Role: Conditions, Expressions, and Statements and Components of a Security Policy: Conditions, Expressions, and Statements.

Role and Policy Management

Use the Roles and Policies tables to obtain a central listing of all security roles and policies in a security realm. See List Security Roles and List Security Policies in Administration Console Online Help.

New Default Group and Role

The AppTesters default group and AppTester global security role have been added. See Default Groups and Default Global Roles.

MBean Protections

The list of MBeans and methods secured by default global roles has been updated and expanded. See Protected MBean Attributes and Operations.