Secure a Domain Using Identity Cloud Service

Use Oracle Identity Cloud Service to protect applications and restrict administrative access for an Oracle WebLogic Server domain that you created with Oracle WebLogic Server for Oracle Cloud Infrastructure.

By default, a domain is configured to use the local WebLogic Server identity store to maintain administrators, application users, groups, and roles. These security elements are used to authenticate users, and to also authorize access to your applications and to tools like the WebLogic Server Administration Console.

When you create a domain running WebLogic Server 12c, you can also choose to enable Oracle Identity Cloud Service for authentication. The following diagram illustrates this configuration.

[Illustration: architecture_idcs_diagram.png]

See About Oracle Identity Cloud Service Concepts in Administering Oracle Identity Cloud Service.

Create WebLogic Administrator Groups

Create groups in Oracle Identity Cloud Service to grant users administrative access to your domain.

Global roles in WebLogic Server control the administrative operations that a user can perform in the domain. For example, users with the Deployer role can deploy Java applications to the domain. By default, these roles are assigned to group names like Deployers. After creating these groups in Oracle Identity Cloud Service, you can add users to them.

When you create a domain, you specify a default administrative user. This user is configured in the default WebLogic Server identity store. You can use standard WebLogic Server tools like the Administration Console to modify this user or to change its password.

  1. From the Identity Cloud Service console, expand the Navigation Drawer, and then click Groups.
  2. Create the following groups.
    • Administrators
    • Deployers
    • Operators
    • Monitors

    By default, members of these groups will have administrative access to all domains that you create with Oracle WebLogic Server for Oracle Cloud Infrastructure and that you configure to use Oracle Identity Cloud Service.

  3. Optional: Create groups to control administrative access to a specific domain.
    For example:
    • MyDomain_Administrators
    • MyDomain_Deployers
    • MyDomain_Operators
    • MyDomain_Monitors

See these topics in Administering Oracle Identity Cloud Service:

Update WebLogic Administrator Roles

Map groups in Oracle Identity Cloud Service to the administrator roles in your domain.

By default, the global administrator roles in a domain are mapped to these groups.

  • Administrators
  • Deployers
  • Operators
  • Monitors

If you do not modify the administrator roles in a domain, members of these groups in Oracle Identity Cloud Service will have access to all domains that you create with Oracle WebLogic Server for Oracle Cloud Infrastructure and that you configure to use Oracle Identity Cloud Service.

Sign in to the WebLogic Server Administration Console for your domain. See Access the WebLogic Console.

  1. From the WebLogic Server Administration Console, click Security Realms.
  2. Click the default realm.
  3. Click the Roles and Policies tab.
  4. From the Roles table, expand Global Roles, and then expand Roles.
  5. Click View Role Conditions for the Admin role.
  6. Click the group name assigned to this role. The default is Administrators.
  7. Enter the name of the Oracle Identity Cloud Service group that you want to map to this role.
  8. Click OK, and then click Save.
  9. From the breadcrumb links at the top of the page, click Realm Roles.
  10. Repeat from step 4 for each administrator role that you want to update.

Update Protected Application Resources

Configure the URL patterns that Oracle Identity Cloud Service uses to determine which application requests require authentication for your domain.

Oracle WebLogic Server for Oracle Cloud Infrastructure provisions each compute instance in the domain with the App Gateway software appliance. The App Gateway acts as a reverse proxy, intercepts HTTP requests to the domain, and ensures that the users are authenticated with Oracle Identity Cloud Service.

Oracle WebLogic Server for Oracle Cloud Infrastructure also creates an enterprise application in Oracle Identity Cloud Service for the domain. The enterprise application defines which resources require the user to be authenticated, and which resources don't require authentication.

By default, all requests whose URI begins with /__protected (two underscore characters followed by the word "protected") are protected. For example, a client request to the URL https://<lb_host>/__protected/myapp/doaction requires authentication, while a request to https://<lb_host>/myapp/doaction does not.

  1. From the Identity Cloud Service console, expand the Navigation Drawer, and then click Applications.
  2. Click the enterprise application associated with your domain.

    The name of the application is <stack>_enterprise_idcs_app_<timestamp>. For example, myweblogic_enterprise_idcs_app_2019-08-01T01:02:01.123456.

  3. Click the SSO Configuration tab.
  4. Expand Resources.
  5. Add, remove, or update the resources in this application.

    You can use regular expressions (regex) to define the protected URL patterns.

    For example, suppose the Java applications deployed to this domain are configured to use the context roots store and marketplace. To protect all requests to the marketplace application, and also requests to the path /store/cart, add the following resources:

    • /marketplace/.*
    • /store/cart/.*
  6. Expand Authentication Policy.
  7. Under Managed Resources, add, remove, or update the policy for each resource.

    You can also change the order in which the policies are evaluated.

    Set a policy's Authentication Method to Public if you want the specified resource to be visible to anyone.

See About Enterprise Applications in Administering Oracle Identity Cloud Service.

Update Application Deployment Descriptors

Secure a Java application that's deployed to your domain by updating the application’s context path, security constraints, and role assignments.

Oracle WebLogic Server supports the Java Enterprise Edition declarative model for securing web applications with XML deployment descriptors.

  1. Update the value of context-root in the application’s weblogic.xml file. Prefix the current value with one of the protected resource URLs that are defined in the Oracle Identity Cloud Service enterprise application for this domain.

    By default, the only protected context root is /__protected (two underscore characters followed by the word "protected"). For example:

    <context-root>/__protected/store</context-root>
  2. Create one or more security-role elements in the application’s web.xml file.

    Simply list the user roles for your application. For example:

    <security-role>
      <role-name>HRAdmin</role-name>
    </security-role>
    
  3. Create one or more security-constraint elements in the application’s web.xml file.

    Each security constraint grants access to one or more URL patterns in your application, and to specific roles. For example:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>AdminPages</web-resource-name>
        <url-pattern>/admin/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>HRAdmin</role-name>
      </auth-constraint>
    </security-constraint>
    

    Do not include the context root path in the URL patterns.

  4. Create one or more security-role-assignment elements in the application’s weblogic.xml file.

    Map your application roles to specific users and/or groups found in Oracle Identity Cloud Service. For example:

    
    <security-role-assignment>
      <role-name>HRAdmin</role-name>
      <principal-name>HRManagersGroup</principal-name>
    </security-role-assignment>
    
  5. Redeploy your application for these changes to take effect.
    For example, use the WebLogic Server Administration Console.
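The following Python script is an added example, not part of this documentation or of Oracle's tooling: it models the protected-resource patterns and policy order from the enterprise application above, and checks that an application's weblogic.xml context-root (step 1) actually falls under an authenticating pattern, since web.xml constraints on an unprotected context root are evaluated without any identity from Oracle Identity Cloud Service. The first-match, full-path regex evaluation and the sample resource list and descriptor are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: protected resources of the IDCS enterprise application
# (the default /__protected/.* plus the two from the text, plus one Public
# rule), listed in policy evaluation order with their Authentication Method.
PROTECTED_RESOURCES = [
    (r"/__protected/.*", "Form or Access Token"),
    (r"/marketplace/.*", "Form or Access Token"),
    (r"/marketplace/public/.*", "Public"),   # never reached in this order
    (r"/store/cart/.*", "Form or Access Token"),
]

def requires_auth(path, resources=PROTECTED_RESOURCES):
    """Return True if the first matching policy requires authentication.
    Assumption: evaluation stops at the first regex that matches the whole
    request path, so a Public rule placed after a broader rule never fires.
    Paths that match no resource are passed through unauthenticated."""
    for pattern, method in resources:
        if re.fullmatch(pattern, path):
            return method != "Public"
    return False

# Constructed sample weblogic.xml, as it looks after steps 1 and 4.
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <context-root>/__protected/store</context-root>
  <security-role-assignment>
    <role-name>HRAdmin</role-name>
    <principal-name>HRManagersGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

NS = {"w": "http://xmlns.oracle.com/weblogic/weblogic-web-app"}

def context_root(weblogic_xml):
    """Extract the context-root value from a weblogic.xml document."""
    root = ET.fromstring(weblogic_xml)
    return root.find("w:context-root", NS).text.strip()

def context_root_is_protected(weblogic_xml, resources=PROTECTED_RESOURCES):
    """Probe the context root itself and a nested path; both must reach an
    authenticating policy, otherwise the App Gateway forwards requests to the
    application without an IDCS-authenticated user."""
    root = context_root(weblogic_xml)
    probes = (root + "/", root + "/admin/index.html")
    return all(requires_auth(p, resources) for p in probes)
```

Moving the Public rule ahead of /marketplace/.* in the list is the way to make a public sub-path exempt; the check function then still flags any context root (for example a bare /store) that no authenticating pattern covers.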