Programming WebLogic Security

Introduction and Roadmap

Document Scope

Guide to this Document

Related Information

Security Samples and Tutorials

Security Examples in the WebLogic Server Distribution

New and Changed Security Features in This Release

WebLogic Security Programming Overview

What Is Security?

Administration Console and Security

Types of Security Supported by WebLogic Server

Authentication

Authorization

Java EE Security

Security APIs

JAAS Client Application APIs

Java JAAS Client Application APIs

WebLogic JAAS Client Application APIs

SSL Client Application APIs

Java SSL Client Application APIs

WebLogic SSL Client Application APIs

Other APIs

Securing Web Applications

Authentication With Web Browsers

User Name and Password Authentication

Digital Certificate Authentication

Multiple Web Applications, Cookies, and Authentication

Using Secure Cookies to Prevent Session Stealing

Developing Secure Web Applications

Developing BASIC Authentication Web Applications

Using HttpSessionListener to Account for Browser Caching of Credentials

Understanding BASIC Authentication with Unsecured Resources

Setting the enforce-valid-basic-auth-credentials Flag

Using WLST to Check the Value of enforce-valid-basic-auth-credentials

Developing FORM Authentication Web Applications

Using Identity Assertion for Web Application Authentication

Using Two-Way SSL for Web Application Authentication

Providing a Fallback Mechanism for Authentication Methods

Configuration

Developing Swing-Based Authentication Web Applications

Deploying Web Applications

Using Declarative Security With Web Applications

Web Application Security-Related Deployment Descriptors

web.xml Deployment Descriptors

auth-constraint

Used Within

Example

security-constraint

Example

security-role

Example

security-role-ref

Example

user-data-constraint

Used Within

Example

web-resource-collection

Used Within

Example

weblogic.xml Deployment Descriptors

externally-defined

Used Within

Example

run-as-principal-name

Used Within

Example

run-as-role-assignment

Example

security-permission

Example

security-permission-spec

Used Within

Example

security-role-assignment

Example

Using Programmatic Security With Web Applications

getUserPrincipal

isUserInRole

Using the Programmatic Authentication API

Using JAAS Authentication in Java Clients

JAAS and WebLogic Server

JAAS Authentication Development Environment

JAAS Authentication APIs

JAAS Client Application Components

WebLogic LoginModule Implementation

JVM-Wide Default User and the runAs() Method

Writing a Client Application Using JAAS Authentication

Using JNDI Authentication

Java Client JAAS Authentication Code Examples

Using SSL Authentication in Java Clients

JSSE and WebLogic Server

Using JNDI Authentication

SSL Certificate Authentication Development Environment

SSL Authentication APIs

SSL Client Application Components

Writing Applications that Use SSL

Communicating Securely From WebLogic Server to Other WebLogic Servers

Writing SSL Clients

SSLClient Sample

SSLSocketClient Sample

Using Two-Way SSL Authentication

Two-Way SSL Authentication with JNDI

Writing a User Name Mapper

Using Two-Way SSL Authentication Between WebLogic Server Instances

Using Two-Way SSL Authentication with Servlets

Using a Custom Hostname Verifier

Using a Trust Manager

Using the CertPath Trust Manager

Using a Handshake Completed Listener

Using an SSLContext

Using URLs to Make Outbound SSL Connections

SSL Client Code Examples

Securing Enterprise JavaBeans (EJBs)

Java EE Architecture Security Model

Declarative Authorization

Programmatic Authorization

Declarative Versus Programmatic Authorization

Using Declarative Security With EJBs

EJB Security-Related Deployment Descriptors

ejb-jar.xml Deployment Descriptors

method

Used Within

Example

method-permission

Used Within

Example

role-name

Used Within

Example

run-as

Used Within

Example

security-identity

Used Within

Example

security-role

Used Within

Example

security-role-ref

Used Within

Example

unchecked

Used Within

Example

use-caller-identity

Used Within

Example

weblogic-ejb-jar.xml Deployment Descriptors

client-authentication

Example

client-cert-authentication

Example

confidentiality

Example

externally-defined

identity-assertion

Used Within

Example

iiop-security-descriptor

Example

integrity

Used Within

Example

principal-name

Used Within

Example

role-name

Used Within

Example

run-as-identity-principal

Used Within

Example

run-as-principal-name

Used Within

Example

run-as-role-assignment

Example

security-permission

Example

security-permission-spec

Used Within

Example

security-role-assignment

Example

transport-requirements

Used Within

Example

Using Programmatic Security With EJBs

getCallerPrincipal

isCallerInRole

Using Network Connection Filters

The Benefits of Using Network Connection Filters

Network Connection Filter API

Connection Filter Interfaces

ConnectionFilter Interface

ConnectionFilterRulesListener Interface

Connection Filter Classes

ConnectionFilterImpl Class

ConnectionEvent Class

Guidelines for Writing Connection Filter Rules

Connection Filter Rules Syntax

Types of Connection Filter Rules

How Connection Filter Rules are Evaluated

Configuring the WebLogic Connection Filter

Developing Custom Connection Filters

Using Java Security to Protect WebLogic Resources

Using Java EE Security to Protect WebLogic Resources

Using the Java Security Manager to Protect WebLogic Resources

Setting Up the Java Security Manager

Modifying the weblogic.policy file for General Use

Setting Application-Type Security Policies

Setting Application-Specific Security Policies

Using the Java Authorization Contract for Containers

Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider

Enabling the WebLogic JACC Provider

SAML APIs

SAML API Description

Custom POST Form Parameter Names

Using CertPath Building and Validation

CertPath Building

Instantiate a CertPathSelector

Instantiate a CertPathBuilderParameters

Use the JDK CertPathBuilder Interface

Example Code Flow for Looking Up a Certificate Chain

CertPath Validation

Instantiate a CertPathValidatorParameters

Use the JDK CertPathValidator Interface

Example Code Flow for Validating a Certificate Chain

Deprecated Security APIs

