Securing Oracle Weblogic applications

Configuring Security for Web applications

Configuring security for Oracle WLS Web applications is done in two separate places:

  1. Inside the standard web application deployment descriptor (web.xml) you define the authorized roles, the secured URL patterns and the authentication method.
  2. Inside weblogic.xml you map these roles to actual principals (users or groups) defined in the WebLogic Server security realm.

Let's first define, in web.xml, the security constraints, using BASIC authentication:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureArea</web-resource-name>
    <description>Our Secure Area</description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Constraints for secure area</description>
    <role-name>admin</role-name>
    <role-name>poweruser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL is not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>

We have restricted access to every resource in the Web context so that only users in the admin or poweruser role can reach them, but we are not requiring SSL for the connection. Keep in mind that with BASIC authentication the browser sends the user name and password base64-encoded (not encrypted) in the Authorization header of every request, so with transport-guarantee NONE anyone who can observe the HTTP traffic can read the credentials.

Setting <transport-guarantee> to CONFIDENTIAL or INTEGRAL further restricts access to those users in one of the specified roles who are connecting over SSL; a plain HTTP request for a protected URL is redirected by WebLogic Server to its SSL listen port. Both values are satisfied by an SSL connection, so in practice they behave the same.

If we stopped here, WebLogic Server would map each role to a principal (a user or a group) with the same name, as defined in the active security realm's authentication provider. In most cases this is not what you want, so you need to define the mapping from these roles to the actual principals defined in the WebLogic Server security realm.

In order to map these roles to principals in the underlying security realm, you use the <security-role-assignment> element in the weblogic.xml deployment descriptor. In the following example, we map the admin role to the user webuser and the poweruser role to the user john (a principal-name can just as well be a group name):

<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment>
    <wls:role-name>admin</wls:role-name>
    <wls:principal-name>webuser</wls:principal-name>
  </wls:security-role-assignment>
  <wls:security-role-assignment>
    <wls:role-name>poweruser</wls:role-name>
    <wls:principal-name>john</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>
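The two descriptors above can be checked mechanically before deployment. The following Python script is an added example, not code from this page or from Oracle: it parses a web.xml/weblogic.xml pair (the page's own snippets, embedded here as constructed sample strings, with the poweruser mapping deliberately left out) and reports constraints whose transport-guarantee is NONE, BASIC credentials that would travel over plain HTTP, constraints without an auth-constraint, constraints limited to particular HTTP methods (a Servlet behaviour the page does not discuss: methods not listed are left unconstrained), and roles that weblogic.xml never maps, which WebLogic Server then resolves to a same-named principal as described above. The namespace URIs and all function names are the example's own assumptions.

```python
"""Audit a web.xml / weblogic.xml pair for the points made above: unprotected
transport, BASIC credentials sent in clear, constraints without an
auth-constraint, method-limited constraints, and roles that weblogic.xml never
maps (WebLogic then falls back to a principal with the same name as the role).
Added example; not part of the original page."""
import xml.etree.ElementTree as ET

# Constructed samples: the page's descriptors reduced to the elements that
# matter for the audit. The namespace URIs are assumed to be the standard ones.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureArea</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>poweruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
</web-app>"""

# Constructed: the poweruser mapping is intentionally missing.
WEBLOGIC_XML = """<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:security-role-assignment>
    <wls:role-name>admin</wls:role-name>
    <wls:principal-name>webuser</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>"""


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element called `name`, namespace ignored."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def audit(web_xml, weblogic_xml):
    """Return a list of human-readable findings for the descriptor pair."""
    web = ET.fromstring(web_xml)
    wls = ET.fromstring(weblogic_xml)
    findings = []
    auth_method = (_texts(web, "auth-method") or ["NONE"])[0].upper()
    needed_roles = set()

    for sc in web:
        if _local(sc.tag) != "security-constraint":
            continue
        label = ",".join(_texts(sc, "url-pattern")) or "<no url-pattern>"
        guarantee = (_texts(sc, "transport-guarantee") or ["NONE"])[0].upper()
        has_auth = any(_local(c.tag) == "auth-constraint" for c in sc)
        roles = _texts(sc, "role-name")
        methods = _texts(sc, "http-method")
        needed_roles.update(roles)

        if not has_auth:
            findings.append(f"{label}: no <auth-constraint>, so unauthenticated callers are allowed")
        elif not roles:
            findings.append(f"{label}: empty <auth-constraint>, so nobody can reach these URLs")
        if guarantee == "NONE":
            what = ("BASIC credentials (base64, not encrypted)" if auth_method == "BASIC"
                    else "credentials and session cookies")
            findings.append(f"{label}: transport-guarantee NONE, so {what} travel over plain HTTP")
        if methods:
            findings.append(f"{label}: only {', '.join(methods)} are constrained; "
                            "other HTTP methods bypass this constraint")

    # Roles web.xml relies on that weblogic.xml never maps: WebLogic then looks
    # for a principal with the same name as the role.
    mapped = set()
    for sra in wls:
        if _local(sra.tag) == "security-role-assignment":
            mapped.update(_texts(sra, "role-name"))
    for role in sorted(needed_roles - mapped):
        findings.append(f"role '{role}': no <security-role-assignment>, "
                        f"falls back to a principal named '{role}'")
    return findings


if __name__ == "__main__":
    for line in audit(WEB_XML, WEBLOGIC_XML):
        print("-", line)
```

Run against the page's descriptors it reports two findings: the NONE transport guarantee combined with BASIC authentication, and the unmapped poweruser role. Switching the guarantee to CONFIDENTIAL and adding the second security-role-assignment makes the audit come back empty.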

Configuring Security for EJB applications

Configuring security for EJB applications is similar to Web applications; it just uses different files.

Inside your Java EE ejb-jar.xml deployment descriptor, define your access control policy using the <security-role> and <method-permission> elements. In the following example, we restrict access to the getData method of SecuredEJB to users who are granted the admin role:

<assembly-descriptor>
  <security-role>
    <role-name>admin</role-name>
  </security-role>
  <method-permission>
    <role-name>admin</role-name>
    <method>
      <ejb-name>SecuredEJB</ejb-name>
      <method-name>getData</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

EJB 3.0 and later also allow EJB security constraints to be declared with annotations from the javax.annotation.security package, as in the following example:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless(name = "SecuredEJB")
@DeclareRoles({"admin"})          // roles this bean refers to
public class SecuredEJB {

  @RolesAllowed({"admin"})        // only callers in the admin role may invoke getData
  public Data getData() { ... }
}

Next, configure the actual role mapping in weblogic-ejb-jar.xml. The following example maps the admin role to the user ejbuser. Additionally, you can use the <externally-defined> element to declare that a role (here, ejb-admin) is not mapped in the descriptor but is defined in the security realm's role mapping provider, for example through the Administration Console:

<security-role-assignment>
  <role-name>admin</role-name>
  <principal-name>ejbuser</principal-name>
</security-role-assignment>

<security-role-assignment>
  <role-name>ejb-admin</role-name>
  <externally-defined />
</security-role-assignment>
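To make the chain from method-permission to caller concrete, here is an added Python example (not code from this page or from WebLogic Server) that evaluates an EJB call against the two descriptors above: it collects the roles whose method-permission covers the method, resolves each role through security-role-assignment and, for an externally-defined role, through a constructed stand-in for the realm's role mapping provider, and then checks the caller's user and group names. The descriptors are constructed from the page's snippets plus a wildcard ("*") permission for ejb-admin. Two assumptions are made explicit in the code: a role with no assignment falls back to a same-named principal (the page states this for Web modules; it is applied to EJBs here), and a method that no method-permission mentions is treated as open. The exclude-list and unchecked permissions are not modelled.

```python
"""Walk the authorization chain set up by ejb-jar.xml and weblogic-ejb-jar.xml:
method-permission -> role -> security-role-assignment -> principals -> caller.
Added example; not part of the original page."""
import xml.etree.ElementTree as ET

# Constructed descriptors: the page's getData permission plus a wildcard
# permission ("*" = every method of the bean) for the externally defined role.
EJB_JAR_XML = """<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <assembly-descriptor>
    <security-role><role-name>admin</role-name></security-role>
    <security-role><role-name>ejb-admin</role-name></security-role>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>SecuredEJB</ejb-name><method-name>getData</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>ejb-admin</role-name>
      <method><ejb-name>SecuredEJB</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar xmlns="http://xmlns.oracle.com/weblogic/weblogic-ejb-jar">
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>ejbuser</principal-name>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>ejb-admin</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-ejb-jar>"""

# Constructed stand-in for the realm's role mapping provider, which is where an
# externally-defined role gets its members (here: group Administrators).
EXTERNAL_ROLES = {"ejb-admin": {"Administrators"}}


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}name' -> 'name')."""
    return tag.rsplit("}", 1)[-1]


def _texts(elem, name):
    """Text of every descendant element called `name`, namespace ignored."""
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]


def permitted_roles(ejb_jar_xml, ejb_name, method_name):
    """Roles whose method-permission covers ejb_name.method_name, or None when
    no method-permission mentions the method (exclude-list/unchecked not modelled)."""
    roles, covered = set(), False
    for mp in ET.fromstring(ejb_jar_xml).iter():
        if _local(mp.tag) != "method-permission":
            continue
        for m in mp:
            if _local(m.tag) != "method":
                continue
            names = _texts(m, "method-name")
            if _texts(m, "ejb-name") == [ejb_name] and names and names[0] in ("*", method_name):
                covered = True
                roles.update(_texts(mp, "role-name"))
    return roles if covered else None


def role_assignments(weblogic_ejb_jar_xml):
    """role -> set of principal names, or None when the role is externally-defined."""
    out = {}
    for sra in ET.fromstring(weblogic_ejb_jar_xml).iter():
        if _local(sra.tag) != "security-role-assignment":
            continue
        role = _texts(sra, "role-name")[0]
        external = any(_local(c.tag) == "externally-defined" for c in sra)
        out[role] = None if external else set(_texts(sra, "principal-name"))
    return out


def has_role(role, principals, assignments, external_roles):
    """Does a caller holding `principals` (user name plus group names) satisfy `role`?"""
    if role not in assignments:
        # Assumption: same-name fallback, as the page describes for Web modules.
        return role in principals
    members = assignments[role]
    if members is None:                      # <externally-defined/>
        members = external_roles.get(role, set())
    return bool(principals & members)


def decide(caller_user, caller_groups, ejb_name, method_name,
           ejb_jar_xml=EJB_JAR_XML, weblogic_ejb_jar_xml=WEBLOGIC_EJB_JAR_XML,
           external_roles=EXTERNAL_ROLES):
    """Return 'allow', 'deny' or 'unprotected' (assumption: a method that no
    method-permission mentions is open to every caller)."""
    roles = permitted_roles(ejb_jar_xml, ejb_name, method_name)
    if roles is None:
        return "unprotected"
    principals = {caller_user} | set(caller_groups)
    assignments = role_assignments(weblogic_ejb_jar_xml)
    allowed = any(has_role(r, principals, assignments, external_roles) for r in roles)
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    print(decide("ejbuser", [], "SecuredEJB", "getData"))             # allow
    print(decide("john", ["Administrators"], "SecuredEJB", "purge"))  # allow, via ejb-admin
    print(decide("john", [], "SecuredEJB", "getData"))                # deny
```

The "unprotected" result is the one to watch for in a real review: every bean method the policy never mentions shows up there, and the decision for it depends on container defaults rather than on anything in the descriptors.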

Francesco Google+