Contents

Title and Copyright Information
Preface
  Documentation Accessibility
  Conventions
1 Introduction and Roadmap
  1.1 Document Scope
  1.2 Audience for This Guide
  1.3 Guide to this Document
  1.4 Related Information
  1.5 Security Samples and Tutorials
    1.5.1 Security Examples in the WebLogic Server Distribution
  1.6 New and Changed Security Features in This Release
2 WebLogic Security Programming Overview
  2.1 What Is Security?
  2.2 Administration Console and Security
  2.3 Types of Security Supported by WebLogic Server
    2.3.1 Authentication
    2.3.2 Authorization
    2.3.3 Java EE Security
  2.4 Security APIs
    2.4.1 JAAS Client Application APIs
      2.4.1.1 Java JAAS Client Application APIs
      2.4.1.2 WebLogic JAAS Client Application APIs
    2.4.2 SSL Client Application APIs
      2.4.2.1 Java SSL Client Application APIs
      2.4.2.2 WebLogic SSL Client Application APIs
    2.4.3 Other APIs
3 Securing Web Applications
  3.1 Authentication With Web Browsers
    3.1.1 User Name and Password Authentication
    3.1.2 Digital Certificate Authentication
  3.2 Multiple Web Applications, Cookies, and Authentication
    3.2.1 Using Secure Cookies to Prevent Session Stealing
      3.2.1.1 Configuring the Session Cookie as a Secure Cookie
      3.2.1.2 Using the AuthCookie _WL_AUTHCOOKIE_JSESSIONID
  3.3 Developing Secure Web Applications
    3.3.1 Developing BASIC Authentication Web Applications
      3.3.1.1 Using HttpSessionListener to Account for Browser Caching of Credentials
    3.3.2 Understanding BASIC Authentication with Unsecured Resources
      3.3.2.1 Setting the enforce-valid-basic-auth-credentials Flag
      3.3.2.2 Using WLST to Check the Value of enforce-valid-basic-auth-credentials
    3.3.3 Developing FORM Authentication Web Applications
    3.3.4 Using Identity Assertion for Web Application Authentication
    3.3.5 Using Two-Way SSL for Web Application Authentication
    3.3.6 Providing a Fallback Mechanism for Authentication Methods
      3.3.6.1 Configuration
    3.3.7 Developing Swing-Based Authentication Web Applications
    3.3.8 Deploying Web Applications
  3.4 Using Declarative Security With Web Applications
  3.5 Web Application Security-Related Deployment Descriptors
    3.5.1 web.xml Deployment Descriptors
      3.5.1.1 auth-constraint
        3.5.1.1.1 Used Within
        3.5.1.1.2 Example
      3.5.1.2 security-constraint
        3.5.1.2.1 Example
      3.5.1.3 security-role
        3.5.1.3.1 Example
      3.5.1.4 security-role-ref
        3.5.1.4.1 Example
      3.5.1.5 user-data-constraint
        3.5.1.5.1 Used Within
        3.5.1.5.2 Example
      3.5.1.6 web-resource-collection
        3.5.1.6.1 Used Within
        3.5.1.6.2 Example
    3.5.2 weblogic.xml Deployment Descriptors
      3.5.2.1 externally-defined
        3.5.2.1.1 Used Within
        3.5.2.1.2 Example
      3.5.2.2 run-as-principal-name
        3.5.2.2.1 Used Within
        3.5.2.2.2 Example
      3.5.2.3 run-as-role-assignment
        3.5.2.3.1 Example
      3.5.2.4 security-permission
        3.5.2.4.1 Example
      3.5.2.5 security-permission-spec
        3.5.2.5.1 Used Within
        3.5.2.5.2 Example
      3.5.2.6 security-role-assignment
        3.5.2.6.1 Example
  3.6 Using Programmatic Security With Web Applications
    3.6.1 getUserPrincipal
    3.6.2 isUserInRole
  3.7 Using the Programmatic Authentication API
    3.7.1 Change the User's Session ID at Login
4 Using JAAS Authentication in Java Clients
  4.1 JAAS and WebLogic Server
  4.2 JAAS Authentication Development Environment
    4.2.1 JAAS Authentication APIs
    4.2.2 JAAS Client Application Components
    4.2.3 WebLogic LoginModule Implementation
    4.2.4 JVM-Wide Default User and the runAs() Method
  4.3 Writing a Client Application Using JAAS Authentication
  4.4 Using JNDI Authentication
  4.5 Java Client JAAS Authentication Code Examples
5 Using SSL Authentication in Java Clients
  5.1 JSSE and WebLogic Server
  5.2 Using JNDI Authentication
  5.3 SSL Certificate Authentication Development Environment
    5.3.1 SSL Authentication APIs
    5.3.2 SSL Client Application Components
  5.4 Writing Applications that Use SSL
    5.4.1 Communicating Securely From WebLogic Server to Other WebLogic Servers
    5.4.2 Writing SSL Clients
      5.4.2.1 SSLClient Sample
      5.4.2.2 SSLSocketClient Sample
    5.4.3 Using Two-Way SSL Authentication
      5.4.3.1 Two-Way SSL Authentication with JNDI
      5.4.3.2 Writing a User Name Mapper
      5.4.3.3 Using Two-Way SSL Authentication Between WebLogic Server Instances
      5.4.3.4 Using Two-Way SSL Authentication with Servlets
    5.4.4 Using a Custom Hostname Verifier
    5.4.5 Using a Trust Manager
    5.4.6 Using the CertPath Trust Manager
    5.4.7 Using a Handshake Completed Listener
    5.4.8 Using an SSLContext
    5.4.9 Using URLs to Make Outbound SSL Connections
  5.5 SSL Client Code Examples
6 Securing Enterprise JavaBeans (EJBs)
  6.1 Java EE Architecture Security Model
    6.1.1 Declarative Security
      6.1.1.1 Declarative Authorization Via Annotations
    6.1.2 Programmatic Security
    6.1.3 Declarative Versus Programmatic Authorization
  6.2 Using Declarative Security With EJBs
    6.2.1 Implementing Declarative Security Via Metadata Annotations
      6.2.1.1 Security-Related Annotation Code Examples
    6.2.2 Implementing Declarative Security Via Deployment Descriptors
  6.3 EJB Security-Related Deployment Descriptors
    6.3.1 ejb-jar.xml Deployment Descriptors
      6.3.1.1 method
        6.3.1.1.1 Used Within
        6.3.1.1.2 Example
      6.3.1.2 method-permission
        6.3.1.2.1 Used Within
        6.3.1.2.2 Example
      6.3.1.3 role-name
        6.3.1.3.1 Used Within
        6.3.1.3.2 Example
      6.3.1.4 run-as
        6.3.1.4.1 Used Within
        6.3.1.4.2 Example
      6.3.1.5 security-identity
        6.3.1.5.1 Used Within
        6.3.1.5.2 Example
      6.3.1.6 security-role
        6.3.1.6.1 Used Within
        6.3.1.6.2 Example
      6.3.1.7 security-role-ref
        6.3.1.7.1 Used Within
        6.3.1.7.2 Example
      6.3.1.8 unchecked
        6.3.1.8.1 Used Within
        6.3.1.8.2 Example
      6.3.1.9 use-caller-identity
        6.3.1.9.1 Used Within
        6.3.1.9.2 Example
    6.3.2 weblogic-ejb-jar.xml Deployment Descriptors
      6.3.2.1 client-authentication
        6.3.2.1.1 Example
      6.3.2.2 client-cert-authentication
        6.3.2.2.1 Example
      6.3.2.3 confidentiality
        6.3.2.3.1 Example
      6.3.2.4 externally-defined
      6.3.2.5 identity-assertion
        6.3.2.5.1 Used Within
        6.3.2.5.2 Example
      6.3.2.6 iiop-security-descriptor
        6.3.2.6.1 Example
      6.3.2.7 integrity
        6.3.2.7.1 Used Within
        6.3.2.7.2 Example
      6.3.2.8 principal-name
        6.3.2.8.1 Used Within
        6.3.2.8.2 Example
      6.3.2.9 role-name
        6.3.2.9.1 Used Within
        6.3.2.9.2 Example
      6.3.2.10 run-as-identity-principal
        6.3.2.10.1 Used Within
        6.3.2.10.2 Example
      6.3.2.11 run-as-principal-name
        6.3.2.11.1 Used Within
        6.3.2.11.2 Example
      6.3.2.12 run-as-role-assignment
        6.3.2.12.1 Example
      6.3.2.13 security-permission
        6.3.2.13.1 Example
      6.3.2.14 security-permission-spec
        6.3.2.14.1 Used Within
        6.3.2.14.2 Example
      6.3.2.15 security-role-assignment
        6.3.2.15.1 Example
      6.3.2.16 transport-requirements
        6.3.2.16.1 Used Within
        6.3.2.16.2 Example
  6.4 Using Programmatic Security With EJBs
    6.4.1 getCallerPrincipal
    6.4.2 isCallerInRole
7 Using Network Connection Filters
  7.1 The Benefits of Using Network Connection Filters
  7.2 Network Connection Filter API
    7.2.1 Connection Filter Interfaces
      7.2.1.1 ConnectionFilter Interface
      7.2.1.2 ConnectionFilterRulesListener Interface
    7.2.2 Connection Filter Classes
      7.2.2.1 ConnectionFilterImpl Class
      7.2.2.2 ConnectionEvent Class
  7.3 Guidelines for Writing Connection Filter Rules
    7.3.1 Connection Filter Rules Syntax
    7.3.2 Types of Connection Filter Rules
    7.3.3 How Connection Filter Rules are Evaluated
  7.4 Configuring the WebLogic Connection Filter
  7.5 Developing Custom Connection Filters
8 Using Java Security to Protect WebLogic Resources
  8.1 Using Java EE Security to Protect WebLogic Resources
  8.2 Using the Java Security Manager to Protect WebLogic Resources
    8.2.1 Setting Up the Java Security Manager
      8.2.1.1 Modifying the weblogic.policy file for General Use
      8.2.1.2 Setting Application-Type Security Policies
      8.2.1.3 Setting Application-Specific Security Policies
    8.2.2 Using Printing Security Manager
      8.2.2.1 Printing Security Manager Startup Arguments
      8.2.2.2 Starting WebLogic Server With Printing Security Manager
      8.2.2.3 Writing Output Files
  8.3 Using the Java Authorization Contract for Containers
    8.3.1 Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider
    8.3.2 Enabling the WebLogic JACC Provider
9 SAML APIs
  9.1 SAML API Description
  9.2 Custom POST Form Parameter Names
  9.3 Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties
    9.3.1 Overview of Creating a Custom SAML Name Mapper
    9.3.2 Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
    9.3.3 Classes, Interfaces, and Methods
      9.3.3.1 SAMLAttributeStatementInfo Class
        9.3.3.1.1 SAMLAttributeInfo Class
      9.3.3.2 SAMLCredentialAttributeMapper Interface
        9.3.3.2.1 New Methods for SAMLNameMapperInfo Class
    9.3.4 Example Custom SAMLCredentialAttributeMapper Class
    9.3.5 Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
  9.4 Configuring SAML SSO Attribute Support
    9.4.1 What Are SAML SSO Attributes?
    9.4.2 New APIs for SAML Attributes
    9.4.3 SAML 2.0 Basic Attribute Profile Required
    9.4.4 Passing Multiple Attributes to SAML Credential Mappers
    9.4.5 How to Implement SAML Attributes
    9.4.6 Examples of the SAML 2.0 Attribute Interfaces
      9.4.6.1 Example Custom SAML 2.0 Credential Attribute Mapper
      9.4.6.2 Custom SAML 2.0 Identity Asserter Attribute Mapper
    9.4.7 Examples of the SAML 1.1 Attribute Interfaces
      9.4.7.1 Example Custom SAML 1.1 Credential Attribute Mapper
      9.4.7.2 Custom SAML 1.1 Identity Asserter Attribute Mapper
    9.4.8 Make the Custom SAML Credential Attribute Mapper Class Available in the Console
    9.4.9 Make the Custom SAML Identity Asserter Class Available in the Console
10 Using CertPath Building and Validation
  10.1 CertPath Building
    10.1.1 Instantiate a CertPathSelector
    10.1.2 Instantiate a CertPathBuilderParameters
    10.1.3 Use the JDK CertPathBuilder Interface
    10.1.4 Example Code Flow for Looking Up a Certificate Chain
  10.2 CertPath Validation
    10.2.1 Instantiate a CertPathValidatorParameters
    10.2.2 Use the JDK CertPathValidator Interface
    10.2.3 Example Code Flow for Validating a Certificate Chain
11 Using JASPIC for a Web Application
  11.1 Overview of Java Authentication Service Provider Interface for Containers (JASPIC)
  11.2 Do You Need to Implement an Authentication Configuration Provider?
  11.3 Do You Need to Implement a Principal Validation Provider?
  11.4 Implement a SAM
  11.5 Configure JASPIC for the Deployed Web Application
A Deprecated Security APIs