1 WebLogic Security Programming Overview

Oracle WebLogic Server supports the ability to incorporate standard Java EE security technologies such as the Java Authentication and Authorization Service (JAAS), Java Secure Sockets Extensions (JSSE), Java Cryptography Architecture and Java Cryptography Extensions (JCE), Java Authentication Service Provider Interface for Containers (JASPIC), and the Java EE Security API in hosted applications, such as web applications, web services, Enterprise JavaBeans, and more, and includes support for implementing declarative and programmatic authorization in those applications.

What Is Security?

Security refers to techniques for ensuring that data stored in a computer or passed between computers is not compromised. Most security measures involve proof material and data encryption. Proof material is typically a secret word or phrase that gives a user access to a particular application or system. Data encryption is the translation of data into a form that cannot be interpreted without holding or supplying the same secret.

Distributed applications, such as those used for electronic commerce (e-commerce), offer many access points at which malicious people can intercept data, disrupt operations, or generate fraudulent input. As a business becomes more distributed the probability of security breaches increases. Accordingly, as a business distributes its applications, it becomes increasingly important for the distributed computing software upon which such applications are built to provide security.

An application server resides in the sensitive layer between end users and your valuable data and resources. Oracle WebLogic Server provides authentication, authorization, and encryption services with which you can guard these resources. These services cannot provide protection, however, from an intruder who gains access by discovering and exploiting a weakness in your deployment environment.

Therefore, whether you deploy WebLogic Server on the Internet or on an intranet, it is a good idea to hire an independent security expert to go over your security plan and procedures, audit your installed systems, and recommend improvements.

Another good strategy is to read as much as possible about security issues and appropriate security measures. The document Securing a Production Environment for Oracle WebLogic Server highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment. The document Securing Resources Using Roles and Policies for Oracle WebLogic Server introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server. For the latest information about securing Web servers, Oracle also recommends reading the Security Improvement Modules, Security Practices, and Technical Implementations information (http://www.cert.org/) available from the CERT™ Coordination Center operated by Carnegie Mellon University.

Oracle suggests that you apply the remedies recommended in our security advisories. In the event of a problem with an Oracle product, Oracle distributes an advisory and instructions with the appropriate course of action. If you are responsible for security related issues at your site, please register to receive future notifications.

Administration Console and Security

You can use the WebLogic Server Administration Console to define and edit deployment descriptors for Web Applications, EJBs, Java EE Connectors, and Enterprise Applications. This document, Developing Applications with the WebLogic Security Service, does not describe how to use the WebLogic Server Administration Console to configure security. For information on how to use the WebLogic Server Administration Console to define and edit deployment descriptors, see Securing Resources Using Roles and Policies for Oracle WebLogic Server and Administering Security for Oracle WebLogic Server.

Types of Security Supported by WebLogic Server

WebLogic Server supports security mechanisms such as authentication, authorization, and Java EE security in deployed applications.

Authentication

Authentication is the mechanism by which callers and service providers prove that they are acting on behalf of specific users or systems. Authentication answers the question, "Who are you?" using credentials. When the proof is bidirectional, it is referred to as mutual authentication.

WebLogic Server supports username and password authentication and certificate authentication. For certificate authentication, WebLogic Server supports both one-way and two-way SSL (Secure Sockets Layer) authentication. Two-way SSL authentication is a form of mutual authentication.

In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system (via subjects) when needed. You can configure the Authentication providers using the Web application and EJB deployment descriptor files, or the WebLogic Server Administration Console, or a combination of both.

Authorization

Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, "What can you access?"

In WebLogic Server, a WebLogic Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability. You can configure the Authorization provider using the Web application and EJB deployment descriptor files, or the WebLogic Server Administration Console, or a combination of both.

WebLogic Server also supports the use of programmatic authorization (also referred to in this document as programmatic security) to limit the interactions between users and WebLogic resources.

Java EE Security

For implementation and use of user authentication and authorization, WebLogic Server utilizes the security services of the Java EE Development Kit. Like the other Java EE components, the security services are based on standardized, modular components. WebLogic Server implements these Java security service methods according to the standard, and adds extensions that handle many details of application behavior automatically, without requiring additional programming.

WebLogic Server supports the Java EE Security API 1.0 (JSR 375) specification (https://www.jcp.org/en/jsr/detail?id=375) , which defines portable, plug-in interfaces for HTTP authentication and identity stores, and an injectable SecurityContext interface that provides an API for programmatic security. You can use the built-in implementations of the plug-in SPIs, or write custom implementations.
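As an added illustration of the JSR 375 plug-in points described above (this is example code written for this page, not Oracle's or the specification's own sample), the block below pairs a custom identity store with a servlet that uses the injectable SecurityContext for programmatic authorization. The class names ReportsServlet and DemoIdentityStore, the realm name "demo", the account "alice" and the group "manager" are all constructed; the store is nested inside the servlet only so the example is one compilation unit, and the built-in BASIC mechanism is selected by annotation.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.SecurityContext;
import javax.security.enterprise.authentication.mechanism.http.BasicAuthenticationMechanismDefinition;
import javax.security.enterprise.credential.UsernamePasswordCredential;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Servlet that decides access per request through the injectable SecurityContext. */
@BasicAuthenticationMechanismDefinition(realmName = "demo")   // built-in HTTP mechanism (constructed realm name)
@WebServlet("/reports")
public class ReportsServlet extends HttpServlet {

    /**
     * Hypothetical identity store. The container's BASIC mechanism passes each
     * UsernamePasswordCredential to validate(); a real store would query LDAP or a
     * database and compare a salted hash, never a literal password as done here.
     */
    @ApplicationScoped
    public static class DemoIdentityStore implements IdentityStore {

        public CredentialValidationResult validate(UsernamePasswordCredential credential) {
            // Constructed sample account "alice" belonging to group "manager".
            if (credential.compareTo("alice", "s3cret")) {
                Set<String> groups = new HashSet<>();
                groups.add("manager");
                return new CredentialValidationResult("alice", groups);
            }
            // Any other name or password: the mechanism answers 401 without revealing which was wrong.
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    @Inject
    private SecurityContext securityContext;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Authentication check: no caller principal means the request was never authenticated.
        if (securityContext.getCallerPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Programmatic authorization, complementing any <security-constraint> in web.xml.
        // Assumes group "manager" is mapped to a role of the same name (the default group-to-role mapping).
        if (!securityContext.isCallerInRole("manager")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("report for " + securityContext.getCallerPrincipal().getName());
    }
}
```

The application needs CDI enabled (a beans.xml, or implicit bean discovery) for the identity store to be found and the SecurityContext to be injected. Keeping the role check in code rather than only in the descriptor lets the servlet vary the decision by request data, which is exactly the case the declarative model cannot express.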

Security APIs

WebLogic Server supports and implements several security packages and classes. You use these packages to secure interactions between WebLogic Server and client applications, Enterprise JavaBeans (EJBs), and Web applications.


Note:

Several of the WebLogic security packages, classes, and methods are deprecated in this release of WebLogic Server. For more detailed information on deprecated packages and classes, see Deprecated Security APIs.

JAAS Client Application APIs

You use Java APIs and WebLogic APIs to write client applications that use JAAS authentication.


Java JAAS Client Application APIs

You use the following Java APIs to write JAAS client applications. The APIs are available at https://docs.oracle.com/javase/8/docs/api/index.html.

  • javax.naming

  • javax.security.auth

  • javax.security.auth.callback

  • javax.security.auth.login

  • javax.security.auth.spi

For information on how to use these APIs, see JAAS Authentication APIs.

WebLogic JAAS Client Application APIs

You use the following WebLogic APIs to write JAAS client applications:

For information on how to use these APIs, see JAAS Authentication APIs.

SSL Client Application APIs

You use Java and WebLogic APIs to write client applications that use SSL authentication.


Java SSL Client Application APIs

You use the following Java APIs (available from http://docs.oracle.com/javase/8/docs/api/index.html) to write SSL client applications:

  • java.security

  • java.security.cert

  • javax.crypto

  • javax.naming

  • javax.net

  • javax.security

  • javax.servlet

  • javax.servlet.http

WebLogic Server also supports the javax.net.ssl package (http://docs.oracle.com/javase/8/docs/api/index.html), but Oracle recommends that you use the weblogic.security.SSL package when you use SSL with WebLogic Server.

For information on how to use these APIs, see SSL Authentication APIs.
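One-way SSL from a client using the standard javax.net.ssl and java.security packages listed above, as an added example written for this page rather than taken from Oracle's documentation: the client trusts only the CA certificates in an explicit truststore, restricts the handshake to TLS 1.2 and 1.3, and turns on hostname verification, which SSLSocket does not do by default. The class name PinnedTrustTlsClient and the command-line arguments (host, port, truststore path, truststore password) are constructed; the truststore itself must be supplied by the reader.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTrustTlsClient {

    /** Build an SSLContext that trusts only the CAs in the given JKS/PKCS12 truststore. */
    public static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // PKIX trust manager: full chain building and validation against the truststore anchors.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // null key managers: one-way SSL, no client certificate
        return ctx;
    }

    /** Open a TLS socket that enforces modern protocol versions and RFC 2818 hostname checking. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();

        // Keep only the protocols we want that this runtime also supports (older JDK 8 builds lack TLSv1.3).
        List<String> wanted = new ArrayList<>(Arrays.asList("TLSv1.3", "TLSv1.2"));
        wanted.retainAll(Arrays.asList(socket.getSupportedProtocols()));
        params.setProtocols(wanted.toArray(new String[0]));

        // Without this the chain is validated but the certificate is never matched against 'host',
        // so any certificate from a trusted CA would be accepted for any server name.
        params.setEndpointIdentificationAlgorithm("HTTPS");

        socket.setSSLParameters(params);
        socket.startHandshake();   // fails here if the chain or the hostname does not check out
        return socket;
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        SSLContext ctx = contextFromTrustStore(args[2], args[3].toCharArray());
        try (SSLSocket socket = connect(ctx, host, port)) {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                + " with " + leaf.getSubjectX500Principal().getName());
        }
    }
}
```

The two settings most often missing in hand-written SSL clients are the explicit truststore and the endpoint identification algorithm; a client that builds its SSLContext with a permissive TrustManager, or that leaves endpoint identification unset on a raw SSLSocket, authenticates the server in name only.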

WebLogic SSL Client Application APIs

You use the following WebLogic APIs to write SSL client applications.

For information on how to use these APIs, see SSL Authentication APIs.

Other APIs

Additionally, you use the following APIs to develop WebLogic Server applications:

  • weblogic.security.jacc

    This API provides the RoleMapper interface. If you implement the Java Authorization Contract for Containers (JACC), you can use this package with the javax.security.jacc package. For information about the WebLogic JACC provider, see Using the Java Authorization Contract for Containers. For information about developing a JACC provider, see the javax.security.jacc package Javadoc at https://javaee.github.io/javaee-spec/javadocs/javax/security/jacc/package-summary.html.

  • weblogic.security.net

    This API provides interfaces and classes that are used to implement network connection filters. Network connection filters allow or deny connections to Oracle WebLogic Server based on attributes such as the IP address, domain, or protocol of the initiator of the network connection. For more information about how to use this API, see Using Network Connection Filters.

  • weblogic.security.pk

    This API provides interfaces and classes to build and validate certification paths. See Using CertPath Building and Validation for information on using this API to build and validate certificate chains.

    See the java.security.cert package (http://docs.oracle.com/javase/8/docs/api/java/security/cert/package-summary.html) for additional information on certificates and certificate paths.

  • weblogic.security.providers.saml

    This API provides interfaces and classes that are used to perform mapping of user and group information to Security Assertion Markup Language (SAML) assertions, and to cache and retrieve SAML assertions.

    SAML is an XML-based framework for exchanging security information. WebLogic Server supports SAML V2.0 and V1.1, including the Browser/Post and Browser/Artifact profiles. SAML authorization is not supported.

    For more information about SAML, see http://www.oasis-open.org.

  • weblogic.security.service

    This API includes interfaces, classes, and exceptions that support security providers. The WebLogic Security Framework consists of interfaces, classes, and exceptions provided by this API. The interfaces, classes, and exceptions in this API should be used in conjunction with those in the weblogic.security.spi package. For more information about how to use this API, see Security Providers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server.

  • weblogic.security.services

    This API provides the server-side authentication class. This class is used to perform a local login to the server. It provides login methods that are used with CallbackHandlers to authenticate the user and return credentials using the default security realm.

  • weblogic.security.spi

    This package provides the Security Service Provider Interfaces (SSPIs). It provides interfaces, classes, and exceptions that are used for developing custom security providers. In many cases, these interfaces, classes, and exceptions should be used in conjunction with those in the weblogic.security.service API. You implement interfaces, classes, and exceptions from this package to create runtime classes for security providers. For more information about how to use the SSPIs, see Security Services Provider Interfaces (SSPIs) in Developing Security Providers for Oracle WebLogic Server.

  • weblogic.servlet.security

    This API provides a server-side API that supports programmatic authentication from within a servlet application. For more about how to use this API, see Using the Programmatic Authentication API.
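The weblogic.security.net item above describes connection filters; the block below is an added example for this page, not code shipped with WebLogic Server, of a custom filter class. The policy it encodes is constructed: t3 and t3s (RMI, JMX, deployment traffic) are accepted only from the 10.20.0.0/16 management network, https is accepted from anywhere, and everything else is refused. The accept() signature and the FilterException(String) constructor are used as I understand them from the weblogic.security.net Javadoc and should be checked against the release in use.

```java
import java.net.InetAddress;
import weblogic.security.net.ConnectionFilter;
import weblogic.security.net.FilterException;

/**
 * Hypothetical connection filter. WebLogic Server calls accept() for every new inbound
 * connection before any protocol handshake; throwing FilterException refuses the connection,
 * so a refusal here costs far less than an authentication failure later in the stack.
 */
public class IntranetOnlyConnectionFilter implements ConnectionFilter {

    /** First two octets of the constructed management range 10.20.0.0/16. */
    private static final byte[] MGMT_PREFIX = { 10, 20 };

    @Override
    public void accept(InetAddress remoteAddress, int remotePort,
                       InetAddress localAddress, int localPort, String protocol)
            throws FilterException {
        String proto = protocol == null ? "" : protocol.toLowerCase();

        if (proto.equals("https")) {
            return;   // public HTTPS listener: allow from any address
        }
        if ((proto.equals("t3") || proto.equals("t3s")) && inManagementNetwork(remoteAddress)) {
            return;   // administrative protocols: management network only
        }

        // Default deny. Assumes FilterException(String) exists; the message is what an operator
        // sees when investigating a refused connection, so it names the address, port and protocol.
        throw new FilterException("refused " + proto + " from " + remoteAddress.getHostAddress()
                + ":" + remotePort + " to local port " + localPort);
    }

    /** True only for IPv4 addresses whose first two octets match MGMT_PREFIX; IPv6 is not in range. */
    static boolean inManagementNetwork(InetAddress addr) {
        byte[] octets = addr.getAddress();
        return octets.length == 4 && octets[0] == MGMT_PREFIX[0] && octets[1] == MGMT_PREFIX[1];
    }
}
```

The class must be on the server classpath and registered with the domain as its connection filter, as described in Using Network Connection Filters. A default-deny structure like this one is deliberate: a filter that enumerates what to block silently admits every protocol that is added to the server later.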