Contents
Title and Copyright Information
Preface
Documentation Accessibility
Conventions
1 Introduction and Roadmap
Document Scope
Audience for This Guide
Guide to this Document
Related Information
Security Samples and Tutorials
Security Examples in the WebLogic Server Distribution
New and Changed Security Features in This Release
2 WebLogic Security Programming Overview
What Is Security?
Administration Console and Security
Types of Security Supported by WebLogic Server
Authentication
Authorization
Java EE Security
Security APIs
JAAS Client Application APIs
Java JAAS Client Application APIs
WebLogic JAAS Client Application APIs
SSL Client Application APIs
Java SSL Client Application APIs
WebLogic SSL Client Application APIs
Other APIs
3 Securing Web Applications
Authentication With Web Browsers
User Name and Password Authentication
Digital Certificate Authentication
Multiple Web Applications, Cookies, and Authentication
Using Secure Cookies to Prevent Session Stealing
Developing Secure Web Applications
Developing BASIC Authentication Web Applications
Using HttpSessionListener to Account for Browser Caching of Credentials
Understanding BASIC Authentication with Unsecured Resources
Setting the enforce-valid-basic-auth-credentials Flag
Using WLST to Check the Value of enforce-valid-basic-auth-credentials
Developing FORM Authentication Web Applications
Using Identity Assertion for Web Application Authentication
Using Two-Way SSL for Web Application Authentication
Providing a Fallback Mechanism for Authentication Methods
Configuration
Developing Swing-Based Authentication Web Applications
Deploying Web Applications
Using Declarative Security With Web Applications
Web Application Security-Related Deployment Descriptors
web.xml Deployment Descriptors
auth-constraint
security-constraint
security-role
security-role-ref
user-data-constraint
web-resource-collection
weblogic.xml Deployment Descriptors
externally-defined
run-as-principal-name
run-as-role-assignment
security-permission
security-permission-spec
security-role-assignment
Using Programmatic Security With Web Applications
getUserPrincipal
isUserInRole
Using the Programmatic Authentication API
4 Using JAAS Authentication in Java Clients
JAAS and WebLogic Server
JAAS Authentication Development Environment
JAAS Authentication APIs
JAAS Client Application Components
WebLogic LoginModule Implementation
JVM-Wide Default User and the runAs() Method
Writing a Client Application Using JAAS Authentication
Using JNDI Authentication
Java Client JAAS Authentication Code Examples
5 Using SSL Authentication in Java Clients
JSSE and WebLogic Server
Using JNDI Authentication
SSL Certificate Authentication Development Environment
SSL Authentication APIs
SSL Client Application Components
Writing Applications that Use SSL
Communicating Securely From WebLogic Server to Other WebLogic Servers
Writing SSL Clients
SSLClient Sample
SSLSocketClient Sample
Using Two-Way SSL Authentication
Two-Way SSL Authentication with JNDI
Writing a User Name Mapper
Using Two-Way SSL Authentication Between WebLogic Server Instances
Using Two-Way SSL Authentication with Servlets
Using a Custom Hostname Verifier
Using a Trust Manager
Using the CertPath Trust Manager
Using a Handshake Completed Listener
Using an SSLContext
Using URLs to Make Outbound SSL Connections
SSL Client Code Examples
6 Securing Enterprise JavaBeans (EJBs)
Java EE Architecture Security Model
Declarative Authorization
Programmatic Authorization
Declarative Versus Programmatic Authorization
Using Declarative Security With EJBs
EJB Security-Related Deployment Descriptors
ejb-jar.xml Deployment Descriptors
method
method-permission
role-name
run-as
security-identity
security-role
security-role-ref
unchecked
use-caller-identity
weblogic-ejb-jar.xml Deployment Descriptors
client-authentication
client-cert-authentication
confidentiality
externally-defined
identity-assertion
iiop-security-descriptor
integrity
principal-name
role-name
run-as-identity-principal
run-as-principal-name
run-as-role-assignment
security-permission
security-permission-spec
security-role-assignment
transport-requirements
Using Programmatic Security With EJBs
getCallerPrincipal
isCallerInRole
7 Using Network Connection Filters
The Benefits of Using Network Connection Filters
Network Connection Filter API
Connection Filter Interfaces
ConnectionFilter Interface
ConnectionFilterRulesListener Interface
Connection Filter Classes
ConnectionFilterImpl Class
ConnectionEvent Class
Guidelines for Writing Connection Filter Rules
Connection Filter Rules Syntax
Types of Connection Filter Rules
How Connection Filter Rules are Evaluated
Configuring the WebLogic Connection Filter
Developing Custom Connection Filters
8 Using Java Security to Protect WebLogic Resources
Using Java EE Security to Protect WebLogic Resources
Using the Java Security Manager to Protect WebLogic Resources
Setting Up the Java Security Manager
Modifying the weblogic.policy file for General Use
Setting Application-Type Security Policies
Setting Application-Specific Security Policies
Using Printing Security Manager
Printing Security Manager Startup Arguments
Starting WebLogic Server With Printing Security Manager
Writing Output Files
Using the Java Authorization Contract for Containers
Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider
Enabling the WebLogic JACC Provider
9 SAML APIs
SAML API Description
Custom POST Form Parameter Names
Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties
Overview of Creating a Custom SAML Name Mapper
Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
Classes, Interfaces, and Methods
SAMLAttributeStatementInfo Class
SAMLCredentialAttributeMapper Interface
Example Custom SAMLCredentialAttributeMapper Class
Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
Configuring SAML SSO Attribute Support
What Are SAML SSO Attributes?
New APIs for SAML Attributes
SAML 2.0 Basic Attribute Profile Required
Passing Multiple Attributes to SAML Credential Mappers
How to Implement SAML Attributes
Examples of the SAML 2.0 Attribute Interfaces
Example Custom SAML 2.0 Credential Attribute Mapper
Custom SAML 2.0 Identity Asserter Attribute Mapper
Examples of the SAML 1.1 Attribute Interfaces
Example Custom SAML 1.1 Credential Attribute Mapper
Custom SAML 1.1 Identity Asserter Attribute Mapper
Make the Custom SAML Credential Attribute Mapper Class Available in the Console
Make the Custom SAML Identity Asserter Class Available in the Console
10 Using CertPath Building and Validation
CertPath Building
Instantiate a CertPathSelector
Instantiate a CertPathBuilderParameters
Use the JDK CertPathBuilder Interface
Example Code Flow for Looking Up a Certificate Chain
CertPath Validation
Instantiate a CertPathValidatorParameters
Use the JDK CertPathValidator Interface
Example Code Flow for Validating a Certificate Chain
A Deprecated Security APIs