This chapter includes the following sections:
This document contains information that is useful for security architects and security administrators who are designing a security strategy for resources within a WebLogic Server domain. It includes information about resource types, options for securing Web applications and EJBs, different types of security roles and policies, and the components of a role and policy.
It is assumed that the reader is familiar with Java EE security and the other features of the WebLogic Security Service.
The information in this document is relevant during the design and development phases of a software project. This document does not address production phase administration topics. For links to WebLogic Server documentation and resources related to these topics, see Related Information.
The document is organized as follows:
This chapter, Introduction and Roadmap, introduces the organization of this guide.
Understanding WebLogic Resource Security, introduces terms and concepts, provides a workflow summary, and outlines the main steps for securing WebLogic resources.
Resource Types You Can Secure with Policies, describes the different types of WebLogic resources that can be secured using the WebLogic Server Administration Console.
Options for Securing Web Application and EJB Resources, describes options for securing EJB and Web application resources using deployment descriptors and/or the WebLogic Server Administration Console.
Security Policies, describes security policies, including the WebLogic Server default security policies, and the components of a security policy.
Users, Groups, And Security Roles, describes users and groups who access WebLogic resources, including WebLogic Server default groups. Also describes scoped security roles and global security roles, including WebLogic Server default global roles. A final section describes the components of a security role.
Using XACML Documents to Secure WebLogic Resources, describes the eXtensible Access Control Markup Language (XACML), an XML language for expressing authorization policies and role assignments.
Reference for XACML on WebLogic Server, describes the extensions that you can use when writing XACML 2.0 documents to protect resources on WebLogic Server and the restrictions that WebLogic Server places on XACML.
Consult the reference chapters as needed for a fuller understanding of the topics above.
Other WebLogic Server documents that may be of interest to security administrators wanting to secure WebLogic resources are:
Understanding Security for Oracle WebLogic Server—Summarizes the features of the WebLogic Security Service, including an overview of its architecture and capabilities. It is the starting point for understanding WebLogic security.
Administering Security for Oracle WebLogic Server—Describes how to ensure that security is comprehensively configured for a WebLogic Server installation, including information about security providers, identity and trust, and SSL.
Use roles and policies to secure resources in Oracle WebLogic Server Administration Console Online Help—Provides step-by-step instructions for using the WebLogic Server Administration Console to complete the tasks that this document describes.
These documents provide additional information about specific resource types:
Securing Web Applications, Securing Enterprise JavaBeans (EJBs) and Using Java Security to Protect WebLogic Resources in Developing Applications with the WebLogic Security Service
Configuring Access Control in Developing JCOM Applications for Oracle WebLogic Server (COM resources)
Security in Developing Resource Adapters for Oracle WebLogic Server (EIS resources)
Additional security documents are listed in Code Examples and Sample Applications in Understanding Oracle WebLogic Server.
For a comprehensive listing of the new WebLogic Server features introduced in this release, see What's New in Oracle WebLogic Server 12.2.1.3.0.