WebLogic Container Security

Create Group in WebLogic Security Realm

The user created in the application server realm should be the same as the user created in the Rules Palette for application security.

For example, a user with access to search or create policies in OIPA can perform the CRUD operations (GET/POST/PUT/DELETE) on the /policies API.

Similarly, a user with only search access in the OIPA application can perform the GET operation on the /policies API. (This applies to all the APIs supported in the current release.)

Even if a user has the ADMIN role (i.e. SL_ADMIN) in the application server realm, the API returns an Unauthorized response if the user does not have authorization from the palette for a specific entity.

1. Navigate to <Domain>/Security Realms/myrealm/Users and Groups/Groups.

WL Users and Groups

2. Click on New.

3. Create a new Group called SL_ADMIN (Service Layer Admin) Group.

SL Admin Group

4. Group created successfully.

WebLogic Admin Group Creation Confirmation

Create User in WebLogic Security Realm

1. Navigate to <Domain>/Security Realms/myrealm/Users and Groups/Users.

Create Users and Groups

2. Click on New.

3. Create a new User called sladmin (Service Layer Admin) User.

Create SlAdmin

4. User created successfully…

User created successfully

5. Click on the newly created user sladmin and navigate to the Groups tab.

6. Add the group SL_ADMIN from the available groups to the chosen groups and click SAVE.

Add the group SL_ADMIN

Create Global Roles in WebLogic Realm

1. Navigate to <Domain>/Security Realms/myrealm/Roles and Policies/Realm Roles.

2. Expand Global Roles.

3. Click the Roles link in the roles grid.

Roles link

4. Global Roles page will open…

Global Roles page

5. Click New to add a new Global Role called SL_ADMIN and click OK.

Add SL_ADMIN Global Role

6. Click on the newly created role SL_ADMIN.

SL_ADMIN Role Screen

7. Add role conditions by clicking on the Add Conditions button.

Add role conditions

8. Select Group from the Predicate list and click Next.

Predicate list

9. In the Group Argument Name field, enter the group name SL_ADMIN and click the Add button.

10. Click Finish to complete the process.

Associate SL_ADMIN group with SL_ADMIN global Role

11. The next screen associates the SL_ADMIN group with the SL_ADMIN global role. Note that the group name and role name are identical here to depict the mapping between them; the group name and role name can be different. The role name must match the name defined in the deployment descriptor files of the application (web.xml and weblogic.xml). The group name can be any given name.

12. Click SAVE to save the changes.

Deployment descriptor file of the application

13. Now deploy the application. Once the application is deployed and active, restart the admin and managed server instances for the changes to take effect.
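
Step 11 requires the realm role name to match the name in web.xml and weblogic.xml. The following pre-deployment check is an added example, not part of the OIPA documentation or product. The embedded descriptors are constructed samples rather than OIPA's real files, and check_role_mapping is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (assumption: not OIPA's shipped files).
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>SL_ADMIN</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>SL_ADMIN</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>SL_ADMIN</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""

def _local(tag):
    # Drop the "{namespace}" prefix so any descriptor schema version matches.
    return tag.rsplit("}", 1)[-1]

def _role_names(xml_text, parent):
    """Collect <role-name> values found directly under every <parent> element."""
    roles = set()
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == parent:
            roles.update(c.text.strip() for c in el if _local(c.tag) == "role-name" and c.text)
    return roles

def check_role_mapping(web_xml, weblogic_xml, realm_role):
    """Return mismatches between the realm role and the descriptors (case-sensitive)."""
    problems = []
    declared = _role_names(web_xml, "security-role")
    enforced = _role_names(web_xml, "auth-constraint")
    assigned = _role_names(weblogic_xml, "security-role-assignment")
    if realm_role not in enforced:
        problems.append(f"web.xml: no auth-constraint references {realm_role!r}")
    for role in sorted(enforced - declared - {"*"}):
        problems.append(f"web.xml: {role!r} used in auth-constraint but not declared in security-role")
    if realm_role not in assigned:
        problems.append(f"weblogic.xml: no security-role-assignment for {realm_role!r}")
    return problems
```

An empty list means the role created in the console lines up with both descriptors. A role that differs only in case, such as sl_admin, is reported as a mismatch because role names are compared exactly.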