Securing Servlets on WebLogic

This section describes how to restrict access to a web resource for a single-server configuration of PIA. In production, where a multi-server configuration would be used, perform these steps on your managed server instances of PIA, PIA1, PIA2, and so on. WebLogic Server provides an optional level of security to restrict access to resources on the web server.

The following steps describe how to restrict access to the PeopleSoft Portal servlet using a WebLogic ID and password. This, for example, could be applied to the report repository servlet.

To restrict access to a servlet:

  1. Start the PIA server.

  2. Open the Administration Console.

  3. Change the security model to "Custom Roles And Policies":

    1. In the Domain Structure section select Security Realms, myrealm.

    2. Click Lock and Edit.

    3. For the Security Model Default field, select the Custom Roles And Policies option from the drop-down list.

    4. Click Save.

    5. Click Activate Changes.

    6. Set the default security model for the application to Custom Roles and Policies.

  4. Enable security policy checks for web applications.

    1. Edit config.xml under PIA_HOME\webserv\<domain>\config.

      Note: Back up the file before you make any changes.

    2. Find the <app-deployment> section and add the following line in all of the <app-deployment> (or application deployment) sections:

      <security-dd-model>CustomRolesAndPolicies</security-dd-model>

      For example, one of the sections will look similar to the following:

      <app-deployment>
          <name>peoplesoft</name>
          <target>PIA</target>
          <module-type>ear</module-type>
          <source-path>applications/peoplesoft</source-path>
          <deployment-order>1</deployment-order>
          <security-dd-model>CustomRolesAndPolicies</security-dd-model>
          <staging-mode>nostage</staging-mode>
      </app-deployment>
      
    3. Save the file and restart the server so that the changes will take effect.

  5. (Optional) Define the WebLogic users that you want to use.

    If you want to use one of the provided WebLogic user accounts (system, operator, or monitor) you can skip this step. Otherwise, create a new WebLogic user account:

    1. Under Domain Structure, select Security Realms, myrealm.

    2. Click the Users and Groups tab.

    3. Under the Users tab, click New to create a new user.

    4. Enter a user name and password, and click OK.

  6. (Optional) Create a user group, and add user(s).

    If you want to create a user group, add your users to that group and in the following steps select Caller is Member of group instead of User name of caller. To create a group:

    1. Under Domain Structure, select Security Realms, myrealm.

    2. Click the Users and Groups tab.

    3. Under the Groups tab, click New to create a new group.

    4. Enter the name of the group and description. Click OK.

    5. Select the Users tab, select your new user, and then click the Groups tab.

    6. Move the appropriate group from the Available box to the Chosen box.

  7. Define a security policy for the PeopleSoft Portal web application.

    To restrict access to the Portal web application, perform the following in the navigation window on the left:

    1. Under Domain Structure, select Deployments, and select peoplesoft from the list of applications.

    2. Under the Overview tab, select the portal module which appears as “/” in the Modules and Components table.

    3. Click the Security tab.

    4. Define a new URL pattern for this web module. Select New and enter the URL pattern as “/*” or specify the URL requiring authentication, and click OK.

    5. Select the URL pattern that you just created from the table and enter a security policy for this URL pattern.

    6. Click Add Conditions to add the condition that gives access to the particular user you want to have access to this URL, or to add any other conditions.

    7. To restrict access to a specific user, select the policy condition of User name of caller, click Add, and when prompted specify the user name. Repeat this step for additional users, groups, or access times. For access times, the server's local time is used.

    8. Click Finish and go back to the policy page and click Save.

      This action does not require a server reboot.

  8. Test the configuration.

    Test your new security policy by accessing the URL you defined. If the security policy is active, you'll be prompted to sign in using a user ID that you added.
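
Step 4 requires the security-dd-model line in every <app-deployment> section, and one missed section is easy to overlook in a large config.xml. The following check is an added example, not part of the original documentation or of Oracle's tooling: it parses config.xml, ignores the XML namespace so that sections are not silently skipped, and reports each deployment whose model is missing or set to something else. The sample document, the deployments example-app-a and example-app-b, and the function names are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED_MODEL = "CustomRolesAndPolicies"  # value the page's step 4 adds


def local(tag):
    """Drop a namespace prefix: '{uri}app-deployment' -> 'app-deployment'."""
    return tag.rsplit("}", 1)[-1]


def audit_app_deployments(xml_data):
    """Return (name, security-dd-model or None, compliant) per <app-deployment>."""
    root = ET.fromstring(xml_data)
    results = []
    for elem in root.iter():
        if local(elem.tag) != "app-deployment":
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        model = fields.get("security-dd-model")  # None when the line is missing
        results.append((fields.get("name", "<unnamed>"), model, model == REQUIRED_MODEL))
    return results


def noncompliant(xml_data):
    """Names of deployments still lacking the required security model."""
    return [name for name, _, ok in audit_app_deployments(xml_data) if not ok]


# Constructed sample: only "peoplesoft" comes from the page; the other two
# deployments are hypothetical and show the two ways the check can fail.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <app-deployment><name>peoplesoft</name><target>PIA</target>
    <security-dd-model>CustomRolesAndPolicies</security-dd-model></app-deployment>
  <app-deployment><name>example-app-a</name><target>PIA</target>
    <security-dd-model>DDOnly</security-dd-model></app-deployment>
  <app-deployment><name>example-app-b</name><target>PIA</target></app-deployment>
</domain>"""

if __name__ == "__main__":
    # Pass the path to config.xml, or run with no argument to use the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name, model, ok in audit_app_deployments(data):
        print(f"{'OK  ' if ok else 'FAIL'} {name}: security-dd-model={model}")
    sys.exit(1 if noncompliant(data) else 0)
```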