Programming WebLogic Security


Introduction and Roadmap

Document Scope

Guide to this Document

Related Information

Security Samples and Tutorials

Security Examples in the WebLogic Server Distribution

Additional Examples Available for Download

New and Changed Security Features in This Release

WebLogic Security Programming Overview

What Is Security?

Administration Console and Security

Types of Security Supported by WebLogic Server

Authentication

Authorization

J2EE Security

Security APIs

JAAS Client Application APIs

Java JAAS Client Application APIs

WebLogic JAAS Client Application APIs

SSL Client Application APIs

Java SSL Client Application APIs

WebLogic SSL Client Application APIs

Other APIs

Securing Web Applications

Authentication With Web Browsers

User Name and Password Authentication

Digital Certificate Authentication

Multiple Web Applications, Cookies, and Authentication

Using Secure Cookies to Prevent Session Stealing

Developing Secure Web Applications

Developing BASIC Authentication Web Applications

Using HttpSessionListener to Account for Browser Caching of Credentials

Developing FORM Authentication Web Applications

Using Identity Assertion for Web Application Authentication

Using Two-Way SSL for Web Application Authentication

Providing a Fallback Mechanism for Authentication Methods

Configuration

Developing Swing-Based Authentication Web Applications

Deploying Web Applications

Using Declarative Security With Web Applications

Web Application Security-Related Deployment Descriptors

web.xml Deployment Descriptors

auth-constraint

Used Within

Example

security-constraint

Example

security-role

Example

security-role-ref

Example

user-data-constraint

Used Within

Example

web-resource-collection

Used Within

Example

weblogic.xml Deployment Descriptors

externally-defined

Used Within

Example

run-as-principal-name

Used Within

Example

run-as-role-assignment

Example:

security-permission

Example

security-permission-spec

Used Within

Example

security-role-assignment

Example

Using Programmatic Security With Web Applications

getUserPrincipal

isUserInRole

Using the Programmatic Authentication API

Using JAAS Authentication in Java Clients

JAAS and WebLogic Server

JAAS Authentication Development Environment

JAAS Authentication APIs

JAAS Client Application Components

WebLogic LoginModule Implementation

JVM-Wide Default User and the runAs() Method

Writing a Client Application Using JAAS Authentication

Using JNDI Authentication

Java Client JAAS Authentication Code Examples

Using SSL Authentication in Java Clients

JSSE and WebLogic Server

Using JNDI Authentication

SSL Certificate Authentication Development Environment

SSL Authentication APIs

SSL Client Application Components

Writing Applications that Use SSL

Communicating Securely From WebLogic Server to Other WebLogic Servers

Writing SSL Clients

SSLClient Sample

SSLSocketClient Sample

Using Two-Way SSL Authentication

Two-Way SSL Authentication with JNDI

Writing a User Name Mapper

Using Two-Way SSL Authentication Between WebLogic Server Instances

Using Two-Way SSL Authentication with Servlets

Using a Custom Hostname Verifier

Using a Trust Manager

Using the CertPath Trust Manager

Using a Handshake Completed Listener

Using an SSLContext

Using URLs to Make Outbound SSL Connections

SSL Client Code Examples

Securing Enterprise JavaBeans (EJBs)

J2EE Architecture Security Model

Declarative Authorization

Programmatic Authorization

Declarative Versus Programmatic Authorization

Using Declarative Security With EJBs

EJB Security-Related Deployment Descriptors

ejb-jar.xml Deployment Descriptors

method

Used Within

Example

method-permission

Used Within

Example

role-name

Used Within

Example

run-as

Used Within

Example

security-identity

Used Within

Example

security-role

Used Within

Example

security-role-ref

Used Within

Example

unchecked

Used Within

Example

use-caller-identity

Used Within

Example

weblogic-ejb-jar.xml Deployment Descriptors

client-authentication

Example

client-cert-authentication

Example

confidentiality

Example

externally-defined

identity-assertion

Used Within

Example

iiop-security-descriptor

Example

integrity

Used Within

Example

principal-name

Used Within

Example

role-name

Used Within

Example

run-as-identity-principal

Used Within

Example

run-as-principal-name

Used Within

Example

run-as-role-assignment

Example

security-permission

Example

security-permission-spec

Used Within

Example

security-role-assignment

Example

transport-requirements

Used Within

Example

Using Programmatic Security With EJBs

getCallerPrincipal

isCallerInRole

Using Network Connection Filters

The Benefits of Using Network Connection Filters

Network Connection Filter API

Connection Filter Interfaces

ConnectionFilter Interface

ConnectionFilterRulesListener Interface

Connection Filter Classes

ConnectionFilterImpl Class

ConnectionEvent Class

Guidelines for Writing Connection Filter Rules

Connection Filter Rules Syntax

Types of Connection Filter Rules

How Connection Filter Rules are Evaluated

Configuring the WebLogic Connection Filter

Developing Custom Connection Filters

Connection Filter Examples

Using Java Security to Protect WebLogic Resources

Using J2EE Security to Protect WebLogic Resources

Using the Java Security Manager to Protect WebLogic Resources

Setting Up the Java Security Manager

Modifying the weblogic.policy file for General Use

Setting Application-Type Security Policies

Setting Application-Specific Security Policies

Using the Java Authorization Contract for Containers

Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider

Enabling the WebLogic JACC Provider

SAML APIs

SAML API Description

Custom POST Form Parameter Names

Using CertPath Building and Validation

CertPath Building

Instantiate a CertPathSelector

Instantiate a CertPathBuilderParameters

Use the JDK CertPathBuilder Interface

Example Code Flow for Looking Up a Certificate Chain

CertPath Validation

Instantiate a CertPathValidatorParameters

Use the JDK CertPathValidator Interface

Example Code Flow for Validating a Certificate Chain

Deprecated Security APIs

