WebLogic Server offers a choice of models for securing each Web application or EJB. You choose a model when you deploy the Web application or EJB, and your choice is immutable for the life time of the deployment. To change the model, you must delete the Web application or EJB and re-install it.
Note: If you are implementing security using JACC (Java Authorization Contract for Containers as defined in JSR 115), you must use the DD Only security model. Other WebLogic Server models are not available and the security functions for Web applications and EJBs in the Administration Console are disabled. See Using the Java Authorization Contract for Containers.
To manage security for Web applications and EJBs, do one of the following:
Use the Install Application Assistant to deploy the Web application or EJB. When the assistant prompts you to choose a security model, select DDOnly.
The Policy Conditions page states which role can access the protected resource. See Create policies for resource instances.