Contents

Title and Copyright Information

Preface

• Documentation Accessibility
• Conventions

1 Introduction and Roadmap

• Document Scope
• Audience for This Guide
• Guide to this Document
• Related Information
• Security Samples and Tutorials
  • Security Examples in the WebLogic Server Distribution
• New and Changed Security Features in This Release

2 WebLogic Security Programming Overview

• What Is Security?
• Administration Console and Security
• Types of Security Supported by WebLogic Server
  • Authentication
  • Authorization
  • Java EE Security
• Security APIs
  • JAAS Client Application APIs
    • Java JAAS Client Application APIs
    • WebLogic JAAS Client Application APIs
  • SSL Client Application APIs
    • Java SSL Client Application APIs
    • WebLogic SSL Client Application APIs
  • Other APIs

3 Securing Web Applications

• Authentication With Web Browsers
  • User Name and Password Authentication
  • Digital Certificate Authentication
• Multiple Web Applications, Cookies, and Authentication
  • Using Secure Cookies to Prevent Session Stealing
• Developing Secure Web Applications
  • Developing BASIC Authentication Web Applications
    • Using HttpSessionListener to Account for Browser Caching of Credentials
  • Understanding BASIC Authentication with Unsecured Resources
    • Setting the enforce-valid-basic-auth-credentials Flag
    • Using WLST to Check the Value of enforce-valid-basic-auth-credentials
  • Developing FORM Authentication Web Applications
  • Using Identity Assertion for Web Application Authentication
  • Using Two-Way SSL for Web Application Authentication
  • Providing a Fallback Mechanism for Authentication Methods
    • Configuration
  • Developing Swing-Based Authentication Web Applications
  • Deploying Web Applications
• Using Declarative Security With Web Applications
• Web Application Security-Related Deployment Descriptors
  • web.xml Deployment Descriptors
    • auth-constraint
    • security-constraint
    • security-role
    • security-role-ref
    • user-data-constraint
    • web-resource-collection
  • weblogic.xml Deployment Descriptors
    • externally-defined
    • run-as-principal-name
    • run-as-role-assignment
    • security-permission
    • security-permission-spec
    • security-role-assignment
• Using Programmatic Security With Web Applications
  • getUserPrincipal
  • isUserInRole
• Using the Programmatic Authentication API
  • Change the User's Session ID at Login

4 Using JAAS Authentication in Java Clients

• JAAS and WebLogic Server
• JAAS Authentication Development Environment
  • JAAS Authentication APIs
  • JAAS Client Application Components
  • WebLogic LoginModule Implementation
  • JVM-Wide Default User and the runAs() Method
• Writing a Client Application Using JAAS Authentication
• Using JNDI Authentication
• Java Client JAAS Authentication Code Examples

5 Using SSL Authentication in Java Clients

• JSSE and WebLogic Server
• Using JNDI Authentication
• SSL Certificate Authentication Development Environment
  • SSL Authentication APIs
  • SSL Client Application Components
• Writing Applications that Use SSL
  • Communicating Securely From WebLogic Server to Other WebLogic Servers
  • Writing SSL Clients
    • SSLClient Sample
    • SSLSocketClient Sample
  • Using Two-Way SSL Authentication
    • Two-Way SSL Authentication with JNDI
    • Writing a User Name Mapper
    • Using Two-Way SSL Authentication Between WebLogic Server Instances
    • Using Two-Way SSL Authentication with Servlets
  • Using a Custom Hostname Verifier
  • Using a Trust Manager
  • Using the CertPath Trust Manager
  • Using a Handshake Completed Listener
  • Using an SSLContext
  • Using URLs to Make Outbound SSL Connections
• SSL Client Code Examples

6 Securing Enterprise JavaBeans (EJBs)

• Java EE Architecture Security Model
  • Declarative Authorization
    • Declarative Authorization Via Annotations
  • Programmatic Authorization
  • Declarative Versus Programmatic Authorization
• Using Declarative Security With EJBs
  • Implementing Declarative Security Via Metadata Annotations
    • Security-Related Annotation Code Examples
  • Implementing Declarative Security Via Deployment Descriptors
• EJB Security-Related Deployment Descriptors
  • ejb-jar.xml Deployment Descriptors
    • method
    • method-permission
    • role-name
    • run-as
    • security-identity
    • security-role
    • security-role-ref
    • unchecked
    • use-caller-identity
  • weblogic-ejb-jar.xml Deployment Descriptors
    • client-authentication
    • client-cert-authentication
    • confidentiality
    • externally-defined
    • identity-assertion
    • iiop-security-descriptor
    • integrity
    • principal-name
    • role-name
    • run-as-identity-principal
    • run-as-principal-name
    • run-as-role-assignment
    • security-permission
    • security-permission-spec
    • security-role-assignment
    • transport-requirements
• Using Programmatic Security With EJBs
  • getCallerPrincipal
  • isCallerInRole

7 Using Network Connection Filters

• The Benefits of Using Network Connection Filters
• Network Connection Filter API
  • Connection Filter Interfaces
    • ConnectionFilter Interface
    • ConnectionFilterRulesListener Interface
  • Connection Filter Classes
    • ConnectionFilterImpl Class
    • ConnectionEvent Class
• Guidelines for Writing Connection Filter Rules
  • Connection Filter Rules Syntax
  • Types of Connection Filter Rules
  • How Connection Filter Rules are Evaluated
• Configuring the WebLogic Connection Filter
• Developing Custom Connection Filters

8 Using Java Security to Protect WebLogic Resources

• Using Java EE Security to Protect WebLogic Resources
• Using the Java Security Manager to Protect WebLogic Resources
  • Setting Up the Java Security Manager
    • Modifying the weblogic.policy file for General Use
    • Setting Application-Type Security Policies
    • Setting Application-Specific Security Policies
  • Using Printing Security Manager
    • Printing Security Manager Startup Arguments
    • Starting WebLogic Server With Printing Security Manager
    • Writing Output Files
  • Using the Java Authorization Contract for Containers
    • Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider
    • Enabling the WebLogic JACC Provider

9 SAML APIs

• SAML API Description
• Custom POST Form Parameter Names
• Creating Assertions for Non-WebLogic SAML 1.1 Relying Parties
  • Overview of Creating a Custom SAML Name Mapper
  • Do You Need Multiple SAMLCredentialAttributeMapper Implementations?
  • Classes, Interfaces, and Methods
    • SAMLAttributeStatementInfo Class
    • SAMLCredentialAttributeMapper Interface
  • Example Custom SAMLCredentialAttributeMapper Class
  • Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
• Configuring SAML SSO Attribute Support
  • What Are SAML SSO Attributes?
  • New API's for SAML Attributes
  • SAML 2.0 Basic Attribute Profile Required
  • Passing Multiple Attributes to SAML Credential Mappers
  • How to Implement SAML Attributes
  • Examples of the SAML 2.0 Attribute Interfaces
    • Example Custom SAML 2.0 Credential Attribute Mapper
    • Custom SAML 2.0 Identity Asserter Attribute Mapper
  • Examples of the SAML 1.1 Attribute Interfaces
    • Example Custom SAML 1.1 Credential Attribute Mapper
    • Custom SAML 1.1 Identity Asserter Attribute Mapper
  • Make the Custom SAML Credential Attribute Mapper Class Available in the Console
  • Make the Custom SAML Identity Asserter Class Available in the Console

10 Using CertPath Building and Validation

• CertPath Building
  • Instantiate a CertPathSelector
  • Instantiate a CertPathBuilderParameters
  • Use the JDK CertPathBuilder Interface
  • Example Code Flow for Looking Up a Certificate Chain
• CertPath Validation
  • Instantiate a CertPathValidatorParameters
  • Use the JDK CertPathValidator Interface
  • Example Code Flow for Validating a Certificate Chain

A Deprecated Security APIs