1 Introduction and Roadmap

This document explains how to configure WebLogic Server security, including settings for security realms, providers, identity and trust, SSL, and Compatibility security. See Related Information for a description of other WebLogic security documentation.

The following sections describe the contents and organization of this guide, Administering Security for Oracle WebLogic Server, as well as new and changed security features in this release.

Document Scope and Audience

This document is intended for the following audiences:

  • Application Architects—Architects who, in addition to setting security goals and designing the overall security architecture for their organizations, evaluate WebLogic Server security features and determine how to best implement them. Application Architects have in-depth knowledge of Java programming, Java security, and network security, as well as knowledge of security systems and leading-edge, security technologies and tools.

  • Security Developers—Developers who define the system architecture and infrastructure for security products that integrate with WebLogic Server and who develop custom security providers for use with WebLogic Server. They work with Application Architects to ensure that the security architecture is implemented according to design and that no security holes are introduced, and work with Server Administrators to ensure that security is properly configured. Security Developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java (including Java Management eXtensions (JMX)), and working knowledge of WebLogic Server and security provider functionality.

  • Application Developers—Java programmers who focus on developing client applications, adding security to Web applications and Enterprise JavaBeans (EJBs), and working with other engineering, quality assurance (QA), and database teams to implement security features. Application Developers have in-depth/working knowledge of Java (including Java EE components such as servlets/JSPs and JSEE) and Java security.

  • Server Administrators—Administrators work closely with Application Architects to design a security scheme for the server and the applications running on the server; to identify potential security risks; and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems; configuring and managing security realms, implementing authentication and authorization schemes for server and application resources; upgrading security features; and maintaining security provider databases. Server Administrators have in-depth knowledge of the Java security architecture, including Web services, Web application and EJB security, Public Key security, SSL, and Security Assertion Markup Language (SAML).

  • Application Administrators—Administrators who work with Server Administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application Administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs.

Guide to This Document

This document is organized as follows:

Related Information

The following Oracle Oracle Fusion Middleware documents contain information that is relevant to the WebLogic Security Service:

Security Samples and Tutorials

In addition to the documents listed in Related Information, Oracle provides a variety of code samples for developers, some packaged with WebLogic Server and others available at the Oracle Technology Network (OTN) at http://www.oracle.com/technetwork/indexes/samplecode/weblogic-sample-522121.html.

Security Examples in the WebLogic Server Distribution

WebLogic Server optionally installs API code examples in EXAMPLES_HOME\wl_server\examples\src\examples\security, where EXAMPLES_HOME represents the directory in which the WebLogic Server code examples are configured. For more information about the WebLogic Server code examples, see "Sample Applications and Code Examples" in Understanding Oracle WebLogic Server.

The following examples are included to illustrate WebLogic security features:

  • Java Authentication and Authorization Service

  • Outbound and Two-way SSL

Additional Examples Available for Download

Additional WebLogic Server security examples are available for download at the Oracle Technology Network (OTN) at http://www.oracle.com/technetwork/indexes/samplecode/weblogic-sample-522121.html. These examples are distributed as .zip files that you can unzip into an existing WebLogic Server samples directory structure.

You build and run the downloadable examples in the same manner as you would an installed WebLogic Server example. See the download pages of individual examples for more information.

New and Changed Security Features

In this release, WebLogic Server includes support for the Oracle OPSS Keystore Service. For more information, see Chapter 13, "Configuring Oracle OPSS Keystore Service."

For a comprehensive listing of the new WebLogic Server features introduced in this release, see What's New in Oracle WebLogic Server.