WebLogic Security

The AdminConsole security in version 1.0 will use FORM-based authentication and authorization under the container-based security model. This document outlines the security model configuration with WebLogic 12c.

WebLogic Server provides a standard security model for securing web applications deployed in WebLogic. WebLogic comes with a variety of security models for application resources. Some of the common options available are:

  • DD Only: Use only roles and policies that are defined in the deployment descriptors.
  • Custom Roles: Use roles that are defined in the Administration Console; use policies that are defined in the deployment descriptor.
  • Custom Roles and Policies: Use only roles and policies that are defined in the Administration Console.
  • Advanced: Use a custom model that you have configured on the realm's configuration page.

For AdminConsole I, we will implement the default security model with Deployment Descriptor configuration out of the box, and clients can override the security model (roles, policies) using the Advanced (custom) security model.

Before we dive into the details of the security model configuration, let's define some of the key concepts that will be used in this document for reference.

RBAC is made of four elements:

  • Roles - Bring Users, Groups, Policies together. Roles define what users can do with a resource.
  • Users - Principal that is requesting access to a resource.
  • Policies - List of rules that defines access to a resource.
  • Resources - Things you want to grant access to.

Role Definition for Admin Console

The roles defined for AdminConsole will be per service rather than per resource. Roles by service means that each service will define the roles required to access that particular service. For instance, a Policy Service will define roles that will be used by Segments and Roles within that policy. The roles are not defined by resources or entities, since segments and policy roles cannot be accessed outside the context of a policy.
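How per-service roles could be declared in web.xml under the Deployment Descriptor model with FORM login is sketched below. This is an added example, not the AdminConsole project's own descriptor: the role names AC_ADMIN and AC_CYCLE come from this document, while the URL patterns, resource names and login page paths are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- AC_CYCLE: read-only (GET) access to the cycle service.
       The /services/... URL patterns are assumed for illustration. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cycle-read</web-resource-name>
      <url-pattern>/services/cycle/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AC_CYCLE</role-name>
      <role-name>AC_ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- All other methods on the cycle service: AC_ADMIN only. Without this,
       non-GET methods on the more specific pattern would be left uncovered,
       because only the best-matching url-pattern is evaluated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cycle-write</web-resource-name>
      <url-pattern>/services/cycle/*</url-pattern>
      <http-method-omission>GET</http-method-omission>
    </web-resource-collection>
    <auth-constraint><role-name>AC_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <!-- AC_ADMIN: permit all methods on all services. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all-services</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>AC_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <!-- FORM-based authentication; the page paths are assumed and sit outside /services/*. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>AC_ADMIN</role-name></security-role>
  <security-role><role-name>AC_CYCLE</role-name></security-role>
</web-app>
```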

ACADMIN:

ACCYCLE:

Create Group in Weblogic Security Realm

  1. Navigate to <Domain>/Security Realms/myrealm/Users and Groups/Groups.
  2. Click the New option; the Create a New Group page appears.
  3. Enter AC_ADMIN in the Name text box, and enter a description for the new group in the Description text box (Admin Console Admin group).
  4. Click the OK option; a "Group created successfully" message appears.

Create User in Weblogic Security Realm

  1. Navigate to <Domain>/Security Realms/myrealm/Users and Groups/Users.
  2. Click the New option; the Create a New User page appears.
  3. Enter acadmin in the Name text box, and enter a description for the new user in the Description text box (AdminConsole Admin user).
  4. Click the OK option; a "User created successfully" message appears.
  5. Select the newly created user acadmin and navigate to the Groups tab.
  6. Add the group AC_ADMIN from the available groups to the chosen groups and click the Save option; a "Settings updated successfully" message appears.

Create Global Roles in Weblogic Realm

  1. Navigate to <Domain>/Security Realms/myrealm/Roles and Policies/Realm Roles.
  2. Expand Global Roles and click the Roles link in the roles grid; the Global Roles page appears.
  3. Click the New option to add a new Global Role called AC_ADMIN, and click the OK option.
  4. Select AC_ADMIN, the newly created role.
  5. To add role conditions, click the Add Conditions option.
  6. Select Group from the Predicate list and click Next.
  7. In Group Argument Name, enter the group name AC_ADMIN and click the Add option.
  8. Click Finish to complete the process.
  9. Click Save.
  10. In the Edit Global Role page, associate the AC_ADMIN group with the AC_ADMIN global role. Note that the group name and the role name are identical here to make the mapping between them obvious; they can be different. The role name must match the name defined in the deployment descriptor files of the application (web.xml and weblogic.xml). The group name can be any name.
  11. Click Save.
  12. Now deploy the application. Once the application is deployed and active, restart the admin and managed server instances for the changes to take effect.

Role Name | Role Description             | Role Privilege | Role Association
AC_ADMIN  | Admin Console Administrator  | Permit All     | All Services
AC_CYCLE  | Cycle Read Access            | GET            | cycle
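
The requirement that the role name match the deployment descriptors is where weblogic.xml comes in. The following is an added example, not the AdminConsole project's own file, showing the two mapping forms WebLogic accepts; AC_CYCLE_USERS is a hypothetical group name used only for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <!-- role-name must be spelled exactly as in web.xml <security-role>. -->
  <security-role-assignment>
    <role-name>AC_ADMIN</role-name>
    <!-- Resolve membership from the realm: here the global role AC_ADMIN
         created in the console with the Group condition AC_ADMIN. -->
    <externally-defined/>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>AC_CYCLE</role-name>
    <!-- Alternative form: map the role directly to a realm principal.
         AC_CYCLE_USERS is a hypothetical group, not defined in this document. -->
    <principal-name>AC_CYCLE_USERS</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

If a role declared in web.xml has no security-role-assignment at all, WebLogic implicitly maps it to a principal with the same name as the role and logs a warning, so an explicit entry per role keeps the mapping reviewable.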