This document explains how to use the WebLogic Server security programming features.
This document is intended for the following audiences:
Java programmers who focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs). They work with other engineering, Quality Assurance (QA), and database teams to implement security features. Application developers have in-depth/working knowledge of Java (including Java Platform, Enterprise Edition (Java EE) components such as servlets/JSPs and JSEE) and Java security.
Application developers use the WebLogic security and Java security application programming interfaces (APIs) to secure their applications. Therefore, this document provides instructions for using those APIs for securing Web applications, Java applications, and Enterprise JavaBeans (EJBs).
Developers who focus on defining the system architecture and infrastructure for security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. They work with application architects to ensure that the security architecture is implemented according to design and that no security holes are introduced. They also work with WebLogic Server administrators to ensure that security is properly configured. Security developers have a solid understanding of security concepts, including authentication, authorization, and auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX)), and working knowledge of WebLogic Server and security provider functionality.
Security developers use the Security Service Provider Interfaces (SSPIs) to develop custom security providers for use with WebLogic Server. This document does not address this task; for information on how to use the SSPIs to develop custom security providers, see Overview of the Development Process in Developing Security Providers for Oracle WebLogic Server.
Administrators who work closely with application architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. WebLogic Server administrators have in-depth knowledge of the Java security architecture, including Web application and EJB security, Public Key security, and SSL.
Administrators who work with WebLogic Server administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.
While administrators typically use the WebLogic Server Administration Console to deploy, configure, and manage applications when they put the applications into production, application developers may also use the WebLogic Server Administration Console to test their applications before they are put into production. At a minimum, testing requires that applications be deployed and configured. This document does not cover some aspects of administration as it relates to security; rather, it references Administering Security for Oracle WebLogic Server, Securing Resources Using Roles and Policies for Oracle WebLogic Server, and Oracle WebLogic Server Administration Console Online Help for descriptions of how to use the WebLogic Server Administration Console to perform security tasks.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at
Access to Oracle Support
Oracle customers that have purchased support have access to electronic support through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Diversity and Inclusion
Oracle is fully committed to diversity and inclusion. Oracle respects and values having a diverse workforce that increases thought leadership and innovation. As part of our initiative to build a more inclusive culture that positively impacts our employees, customers, and partners, we are working to remove insensitive terms from our products and documentation. We are also mindful of the necessity to maintain compatibility with our customers' existing technologies and the need to ensure continuity of service as Oracle's offerings and industry standards evolve. Because of these technical constraints, our effort to remove insensitive terms is ongoing and will take time and external cooperation.
In addition to this document, Developing Applications with the WebLogic Security Service, the following documents provide information on the WebLogic Security Service:
Understanding Security for Oracle WebLogic Server—This document summarizes the features of the WebLogic Security Service and presents an overview of the architecture and capabilities of the WebLogic Security Service. It is the starting point for understanding the WebLogic Security Service.
Securing a Production Environment for Oracle WebLogic Server—This document highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment.
Developing Security Providers for Oracle WebLogic Server—This document provides security vendors and application developers with the information needed to develop custom security providers that can be used with WebLogic Server.
Administering Security for Oracle WebLogic Server—This document explains how to configure security for WebLogic Server.
Securing Resources Using Roles and Policies for Oracle WebLogic Server—This document introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server.
Oracle WebLogic Server Administration Console Online Help—This document describes how to use the WebLogic Server Administration Console to perform security tasks.
Java API Reference for Oracle WebLogic Server —This document includes reference documentation for the WebLogic security packages that are provided with and supported by the WebLogic Server software.
Security Samples and Tutorials
In addition to the documents listed in Related Information, Oracle provides a variety of code samples for developers.
Security Examples in the WebLogic Server Distribution
WebLogic Server optionally installs API code examples in the EXAMPLES_HOME\src\examples directory, where EXAMPLES_HOME represents the directory in which the WebLogic Server code examples are configured. By default, this directory is ORACLE_HOME\wlserver\samples\server. For more information about the WebLogic Server code examples, see Sample Applications and Code Examples in Understanding Oracle WebLogic Server.
The following examples illustrate WebLogic security features:
Java Authentication and Authorization Service
SAML 2.0 For Web SSO Scenario
Outbound and Two-way SSL
The WebLogic Server installation also includes an example demonstrating the use of the built-in database identity store functionality provided by the JSR 375 Java EE Security API. This example is located in the
The security tasks and code examples provided in this document assume that you are using the WebLogic security providers that are included in the WebLogic Server distribution, not custom security providers. The usage of the WebLogic security APIs does not change if you elect to use custom security providers; however, the management procedures for your custom security providers may be different.
This document does not provide comprehensive instructions on how to configure WebLogic Security providers or custom security providers. For information on configuring WebLogic security providers and custom security providers, see Configuring Security Providers in Administering Security for Oracle WebLogic Server.
New and Changed WebLogic Server Features
For a comprehensive listing of the new WebLogic Server features introduced in this release, see What's New in Oracle WebLogic Server.
The following text conventions are used in this document:
Boldface type indicates graphical user interface elements associated with an action, or terms defined in text or the glossary.
Italic type indicates book titles, emphasis, or placeholder variables for which you supply particular values.
Monospace type indicates commands within a paragraph, URLs, code in examples, text that appears on the screen, or text that you enter.