This chapter includes the following sections:
Security refers to techniques for ensuring that data stored in a computer or passed between computers is not compromised. Most security measures involve proof material and data encryption. Proof material is typically a secret word or phrase that gives a user access to a particular application or system. Data encryption is the translation of data into a form that cannot be interpreted without holding or supplying the same secret.
Distributed applications, such as those used for electronic commerce (e-commerce), offer many access points at which malicious people can intercept data, disrupt operations, or generate fraudulent input. As a business becomes more distributed the probability of security breaches increases. Accordingly, as a business distributes its applications, it becomes increasingly important for the distributed computing software upon which such applications are built to provide security.
An application server resides in the sensitive layer between end users and your valuable data and resources. WebLogic Server provides authentication, authorization, and encryption services with which you can guard these resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment.
Therefore, whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.
Another good strategy is to read as much as possible about security issues and appropriate security measures. The document Securing a Production Environment for Oracle WebLogic Server highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment. The document Securing Resources Using Roles and Policies for Oracle WebLogic Server introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server. For the latest information about securing Web servers, Oracle also recommends reading the Security Improvement Modules, Security Practices, and Technical Implementations information (
http://www.cert.org/) available from the CERT™ Coordination Center operated by Carnegie Mellon University.
Oracle suggests that you apply the remedies recommended in our security advisories. In the event of a problem with an Oracle product, Oracle distributes an advisory and instructions with the appropriate course of action. If you are responsible for security related issues at your site, please register to receive future notifications.
With regard to security, you can use the WebLogic Server Administration Console to define and edit deployment descriptors for Web Applications, EJBs, Java EE Connectors, and Enterprise Applications. This document, Developing Applications with the WebLogic Security Service, does not describe how to use the WebLogic Server Administration Console to configure security. For information on how to use the WebLogic Server Administration Console to define and edit deployment descriptors, see Securing Resources Using Roles and Policies for Oracle WebLogic Server and Administering Security for Oracle WebLogic Server.
WebLogic Server supports the following security mechanisms:
Authentication is the mechanism by which callers and service providers prove that they are acting on behalf of specific users or systems. Authentication answers the question, "Who are you?" using credentials. When the proof is bidirectional, it is referred to as mutual authentication.
WebLogic Server supports username and password authentication and certificate authentication. For certificate authentication, WebLogic Server supports both one-way and two-way SSL (Secure Sockets Layer) authentication. Two-way SSL authentication is a form of mutual authentication.
In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system (via subjects) when needed. You can configure the Authentication providers using the Web application and EJB deployment descriptor files, or the WebLogic Server Administration Console, or a combination of both.
Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, "What can you access?"
In WebLogic Server, a WebLogic Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability. You can configure the Authorization provider using the Web application and EJB deployment descriptor files, or the WebLogic Server Administration Console, or a combination of both.
WebLogic Server also supports the use of programmatic authorization (also referred to in this document as programmatic security) to limit the interactions between users and WebLogic resources.
For implementation and use of user authentication and authorization, WebLogic Server utilizes the security services of the Java EE Development Kit. Like the other Java EE components, the security services are based on standardized, modular components. WebLogic Server implements these Java security service methods according to the standard, and adds extensions that handle many details of application behavior automatically, without requiring additional programming.
This section lists the Security packages and classes that are implemented and supported by WebLogic Server. You use these packages to secure interactions between WebLogic Server and client applications, Enterprise JavaBeans (EJBs), and Web applications.
Note:Several of the WebLogic security packages, classes, and methods are deprecated in this release of WebLogic Server. For more detailed information on deprecated packages and classes, see Appendix A, "Deprecated Security APIs".
The following topics are covered in this section:
You use Java APIs and WebLogic APIs to write client applications that use JAAS authentication.
The following topics are covered in this section:
You use the following Java APIs to write JAAS client applications. The APIs are available at
For information on how to use these APIs, see JAAS Authentication APIs.
You use Java and WebLogic APIs to write client applications that use SSL authentication:
The following topics are covered in this section:
You use the following Java APIs (available from
http://docs.oracle.com/javase/7/docs/api/index.html) to write SSL client applications:
WebLogic Server also supports the javax.net.SSL API (
http://docs.oracle.com/javase/7/docs/api/index.html), but Oracle recommends that you use the
weblogic.security.SSL package when you use SSL with WebLogic Server.
For information on how to use these APIs, see SSL Authentication APIs.
Additionally, you use the following APIs to develop WebLogic Server applications:
This API provides the
RoleMapper interface. If you implement the Java Authorization Contract for Containers (JACC), you can use this package with the javax.security.jacc package (
http://docs.oracle.com/javaee/7/api/javax/security/jacc/package-summary.html). See Using the Java Authorization Contract for Containers for information about the WebLogic JACC provider. See
http://docs.oracle.com/javaee/7/api/javax/security/jacc/package-frame.html for information on developing a JACC provider.
This API provides interfaces and classes that are used to implement network connection filters. Network connection filters allow or deny connections to WebLogic Server based on attributes such as the IP address, domain, or protocol of the initiator of the network connection. For more information about how to use this API, see Chapter 7, "Using Network Connection Filters".
This API provides interfaces and classes to build and validate certification paths. See Chapter 10, "Using CertPath Building and Validation" for information on using this API to build and validate certificate chains.
See the java.security.cert package (
http://docs.oracle.com/javase/7/docs/api/java/security/cert/package-summary.html) for additional information on certificates and certificate paths.
This API provides interfaces and classes that are used to perform mapping of user and group information to Security Assertion Markup Language (SAML) assertions, and to cache and retrieve SAML assertions.
SAML is an XML-based framework for exchanging security information. WebLogic Server supports SAML V2.0 and V1.1, including the Browser/Post and Browser/Artifact profiles. SAML authorization is not supported.
For more information about SAML, see
This API includes interfaces, classes, and exceptions that support security providers. The WebLogic Security Framework consists of interfaces, classes, and exceptions provided by this API. The interfaces, classes, and exceptions in this API should be used in conjunction with those in the
weblogic.security.spi package. For more information about how to use this API, see Developing Security Providers for Oracle WebLogic Server.
This API provides the server-side authentication class. This class is used to perform a local login to the server. It provides login methods that are used with CallbackHandlers to authenticate the user and return credentials using the default security realm.
This package provides the Security Service Provider Interfaces (SSPIs). It provides interfaces, classes, and exceptions that are used for developing custom security providers. In many cases, these interfaces, classes, and exceptions should be used in conjunction with those in the
weblogic.security.service API. You implement interfaces, classes, and exceptions from this package to create runtime classes for security providers. For more information about how to use the SSPIs, see Developing Security Providers for Oracle WebLogic Server.
This API provides a server-side API that supports programmatic authentication from within a servlet application. For more about how to use this API, see Using the Programmatic Authentication API.