Contents

Title and Copyright Information

Preface

• Documentation Accessibility
• Conventions

1 Introduction and Roadmap

• Document Scope and Audience
• Guide to This Document
• Related Information
  • Tutorials and Samples
• New and Changed Features for This Release

2 Understanding WebLogic Resource Security

• Overview of Securing WebLogic Resources
  • Using Policies to Protect Multiple Resources
    • Protecting Policies by Type
    • Protecting a Hierarchy of Resources
• Designing Roles and Policies for WebLogic Resources: Main Steps
  • Best Practices: Conditionalize Policies or Conditionalize Roles
  • Best Practices: Configure Entitlements Caching When Using WebLogic Providers

3 Resource Types You Can Secure with Policies

• Administrative Resources
• Application Resources
• COM Resources
• EJB Resources
• Enterprise Information Systems (EIS) Resources
• Java DataBase Connectivity (JDBC) Resources
  • JDBC Operations
• Java Messaging Service (JMS) Resources
  • JMS Operations
• Java Naming and Directory Interface (JNDI) Resources
  • JNDI Operations
• JMX Resources
  • Maintaining a Consistent Security Scheme
• Server Resources
  • Permissions for the weblogic.Server Command and the Node Manager
    • Permissions for Using the weblogic.Server Command
    • Permissions for Using the Node Manager
• URL Resources
• Web Service Resources
• Work Context Resources

4 Options for Securing Web Application and EJB Resources

• Deployment Descriptors Not Required
• Comparison of Security Models for Web Applications and EJBs
  • Discussion of Each Model
    • Metadata Annotations
    • Deployment Descriptor Only Model
    • Custom Roles Model
    • Custom Roles and Policies Model
    • Advanced Model
• Understanding the Advanced Security Model
  • Understanding the Check Roles and Policies Setting
  • Understanding the When Deploying Web Applications or EJBs Setting
  • How the Check Roles and Policies and When Deploying Web Applications or EJBs Settings Interact
  • Understanding the Combined Role Mapping Enabled Setting
    • Usage Examples
• Securing Web Applications and EJBs

5 Security Policies

• Security Policy Storage and Prerequisites for Use
• Default Root Level Security Policies
• Security Policy Conditions
  • Basic Policy Conditions
  • Date and Time Policy Conditions
  • Context Element Policy Conditions
• Protected Public Interfaces
• Using the Administration Console to Manage Security Policies

6 Users, Groups, And Security Roles

• Overview of Users and Groups
• Default Groups
  • Runtime Groups
  • Best Practices: Add a User To the Administrators Group
• Overview of Security Roles
• Types of Security Roles: Global Roles and Scoped Roles
• Default Global Roles
• Security Role Conditions
  • Basic Role Conditions
  • Date and Time Role Conditions
  • Context Element Role Conditions
• Using the Administration Console to Manage Users, Groups, and Roles

7 Using XACML Documents to Secure WebLogic Resources

• Prerequisites
• Adding a XACML Role or Policy to a Realm: Main Steps
  • Caution: Indeterminate Results Can Lock Out All Users
  • Determine Which Resource to Secure
  • Get the ID of the Resource to Secure
  • Create XACML Documents
    • Example: Defining Role Assignments
    • Example: Defining Authorization Policies
  • Use WebLogic Scripting Tool to Add the Role or Policy to the Realm
  • Verify That Your Roles and Policies Are in the Realm
• Creating Roles and Polices for Custom MBeans
  • Determine the Resource IDs for a Custom MBean
• Exporting Roles and Policies to XACML Documents

A Reference for XACML on WebLogic Server

• Comparison of WebLogic Server and XACML Security Models
  • Comparison of Terminology
  • Description of Data Types
• Action Identifiers
  • Examples
• Environment Identifiers
  • Examples
• Policy and PolicySet Identifiers
  • Examples
• Resource Identifiers
  • Examples
• Subject Identifiers
  • Examples
• WebLogic Server Functions for XACML
  • Custom Data Type Variants
  • Examples
  • Miscellaneous Functions
  • Example
  • Time/Date Conversions
  • Arithmetic Conversions and Functions
  • Object Type Conversions
  • Object Comparisons
  • String Comparisons and Manipulations
• Rule and Policy-Combining Algorithm