Overview of the WebLogic Security Service

The following sections introduce the WebLogic Security Service and its features:

Introduction to the WebLogic Security Service

Deploying, managing, and maintaining security is a huge challenge for an information technology (IT) organization that is providing new and expanded services to customers using the Web. To serve a worldwide network of Web-based users, an IT organization must address the fundamental issues of maintaining the confidentiality, integrity and availability of the system and its data. Challenges to security involve every component of the system, from the network itself to the individual client machines. Security across the infrastructure is a complex business that requires vigilance as well as established and well-communicated security policies and procedures.

WebLogic Server includes a security architecture that provides a unique and secure foundation for applications that are available via the Web. By taking advantage of the new security features in WebLogic Server, enterprises benefit from a comprehensive, flexible security infrastructure designed to address the security challenges of making applications available on the Web. WebLogic security can be used standalone to secure WebLogic Server applications or as part of an enterprise-wide, security management system that represents a best-in-breed, security management solution.

Features of the WebLogic Security Service

The open, flexible security architecture of WebLogic Server delivers advantages to all levels of users and introduces an advanced security design for application servers. Companies now have a unique application server security solution that, together with clear and well-documented security policies and procedures, can assure the confidentiality, integrity and availability of the server and its data.

A comprehensive and standards-based design.
End-to-end security for WebLogic Server-hosted applications, from the mainframe to the Web browser.
Legacy security schemes that integrate with WebLogic Server security, allowing companies to leverage existing investments.
Security tools that are integrated into a flexible, unified system to ease security management across the enterprise.
Easy customization of application security to business requirements through mapping of company business rules to security policies.
A consistent model for applying security policies to J2EE and application-defined resources.
Easy updates to security policies. This release includes usability enhancements to the process of creating security policies as well as additional expressions that control access to WebLogic resources.
Easy adaptability for customized security solutions.
A modularized architecture, so that security infrastructures can change over time to meet the requirements of a particular company.
Support for configuring multiple security providers, as part of a transition scheme or upgrade path.
A separation between security details and application infrastructure, making security easier to deploy, manage, maintain, and modify as requirements change.
Default, WebLogic security providers that provide you with a working security scheme out of the box. This release supports additional authentication stores such as databases, and Windows NT account information.
Customization of security schemes using custom security providers
Unified management of security rules, security policies, and security providers through the WebLogic Server Administration Console.
Support for standard J2EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Extensions (JCE), and Java Authorization Contract for Containers (JACC).
A foundation for web services security including support for SAML.
Capabilities which allow WebLogic Server to participate in single sign-on (SSO) with Web sites, Web applications, and Desktop clients.
A framework for managing public keys which includes certificate lookup, verification, validation, and revocation as well as a certificate registry.
Improved performance of the Secure Sockets Layer (SSL) protocol and the LDAP Authentication providers.

Balancing Ease of Use and Customizability

The components and services of the WebLogic Security Service seek to strike a balance between ease of use, manageability (for end users and administrators), and customizability (for application developers and security developers). The following paragraphs highlight some examples:

Easy to use: For the end user, the secure WebLogic Server environment requires only a single sign-on for user authentication (ascertaining the user's identity). Users do not have to re-authenticate within the boundaries of the WebLogic Server domain that contains application resources. Single sign-on allows users to log on to the domain once per session rather than requiring them to log on to each resource or application separately.

For the developer and the administrator, WebLogic Server provides a new Domain Configuration Wizard to help with the creation of new domains with an administration server, managed servers, and optionally, a cluster, or with extending existing domains by adding individual severs. The Domain Configuration Wizard also automatically generates a config.xml file and start scripts for the server(s) you choose to add to the new domain.

Manageable: Administrators who configure and deploy applications in the WebLogic Server environment can use the WebLogic security providers included with the product. These default providers support all required security functions, out of the box. An administrator can store security data in the WebLogic Server-supplied, security store (an embedded, special-purpose, LDAP directory server) or use an external LDAP server, database, or user source. To simplify the configuration and management of security in WebLogic Server, a robust, default security configuration is provided.

Customizable: For application developers, WebLogic Server supports the WebLogic security API and J2EE security standards such as JAAS, JSS, JCE, and JACC. Using these APIs and standards, you can create a fine-grained and customized security environment for applications that connect to WebLogic Server.

For security developers, the WebLogic Server Security Service Provider Interfaces (SSPIs) support the development of custom security providers for the WebLogic Server environment.

New and Changed Features in This Release

This section describes features that have been added to the WebLogic Server in this release.

Bulk Access Versions of Authorization, Adjudication, and Role Mapping Providers

Version 9.2 of WebLogic Server includes bulk access versions of the following Authorization, Adjudication, and Role Mapping provider SSPI interfaces:

BulkAuthorizationProvider
BulkAccessDecision
BulkAdjudicationProvider
BulkAdjudicator
BulkRoleProvider
BulkRoleMapper

The bulk access SSPI interfaces allow Authorization, Adjudication, and Role Mapping providers to receive multiple decision requests in one call rather than through multiple calls, typically in a 'for' loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result.

Policy and Role Consumer SSPI

WebLogic Server implements a policy consumer for JMX (MBean) default policies and WebService annotations, and a role consumer for WebService annotations. This release of WebLogic Server includes an SSPI that Authorization and Role Mapping providers can use to obtain the policy and role collections.

The PolicyConsumer and RoleConsumer SSPI is optional; only those Authorization and Role Mapping providers that implement the SSPI are called to consume a policy or role collection.

The SSPI supports both the delivery of initial policy and role collections and the delivery of updated policy and role collections.

If you want your custom Authorization provider to support the delivery of policy collections, you must implement three interfaces:

weblogic.security.providers.spi.PolicyConsumerFactory
weblogic.security.providers.spi.PolicyConsumer
weblogic.security.providers.spi.PolicyCollectionHandler

If you want your custom Role Mapping provider to support the delivery of role collections, you must implement three interfaces:

weblogic.security.providers.spi.RoleConsumerFactory
weblogic.security.providers.spi.RoleConsumer
weblogic.security.providers.spi.RoleCollectionHandler

See the Policy Consumer and Role Consumer sections in Developing WebLogic Security Providers for additional information.

PolicyStoreMBean

WebLogic Server version 9.2 includes support for a new PolicyStoreMBean MBean (weblogic.management.security.authorization.PolicyStoreMBean) that allows for standard management (add, delete, get, list, modify, read) of administrator-generated XACML policies and policy sets. An Authorization or Role Mapping provider MBean can optionally implement this MBean interface.

The PolicyStoreMBean methods allow security administrators to manage policy in the server as XACML documents. This includes creating and managing a domain that uses the default XACML provider, as well as managing XACML documents that the administrator has created. The administrator can then use WLST to manage these XACML policies in WebLogic Server.

WebLogic Server includes an implementation of this MBean for use with the out-of-the-box XACML providers, and you can write your own implementation of this MBean for use with your own custom Authorization or Role Mapping providers.