Securing WebLogic Resources Using Roles and Policies

Security Policies

A security policy specifies who can access a WebLogic Server resource. You can create simple policies, such as “allow access if user is in Admin role,” or more complex policies, such as “between the hours of 8 and 5, allow access if user is in Admin role.”

The following sections describe the features and functions of security policies:

For information on using security policies to protect multiple resources, see Using Policies to Protect Multiple Resources.

Security Policy Storage and Prerequisites for Use

Security policies for all resources other than Web Application resources and EJB resources are always stored in the security provider database of the Authorization provider that is configured in the default (active) security realm. The security realm that WebLogic Server provides stores policies in the embedded LDAP server.

For Web Application resources and EJB resources, the location of policies depends on the following:

See Options for Securing Web Application and EJB Resources.

Each user or group that you add to a security policy must be defined in the security provider database of the Authentication provider that is configured in the active security realm. Each role that you add must be defined in the security provider database of the Role Mapping provider that is configured in the active security realm. The security realm that WebLogic Server provides is configured to use the WebLogic Authentication and WebLogic XACML Role Mapping providers, which store users, groups, and roles in the embedded LDAP server.

For more information about the WebLogic Authentication, Authorization, and Role Mapping providers, see “WebLogic security providers” in Understanding WebLogic Security.

Default Root Level Security Policies

A root level policy is inherited by all instances of a specific resource type. Table 5-1 describes the default root level policies that are defined in the security realm that WebLogic Server installs. For information about the roles and groups that are named in these policies, see Users, Groups, And Security Roles.

You can access root level policies in the Administration Console. See Create root level policies in Administration Console Online Help.

Table 5-1 Default Security Policies for WebLogic Resources

| WebLogic Resource | Security Policy |
| --- | --- |
| Administrative resources | Default global role: Admin |
| Application resources | None |
| EIS (Resource Adapter) resources | Default group: Everyone |
| EJB resources | Default group: Everyone |
| COM resources | None |
| JDBC resources | Default group: Everyone |
| JNDI resources | Default group: Everyone |
| JMS resources | Default group: Everyone |
| Server resources | Default global roles: Admin, Operator |
| Work Context | Default group: Everyone |
| URL resources | Default group: Everyone |
| Web Services resources | Default group: Everyone |

Caution: Do not modify the default root level policies for Administrative and Server resources to make them more restrictive. Eliminating some of the existing security roles might negatively impact the functioning of WebLogic Server. However, if you like, you can make the default security policies more inclusive (for example, by adding new security roles). See Maintaining a Consistent Security Scheme.
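The inheritance rule above (a root-level policy applies to every instance of a resource type unless a more specific policy is defined) can be made concrete with a small resolver. The following Python is an added example, not WebLogic's own authorization code: it transcribes the Table 5-1 defaults, adds a few constructed scoped policies on hypothetical resources, and resolves a resource by walking its path from most specific to least specific before falling back to the root-level default. Treating a parent resource's policy as covering its children, and denying when no policy exists at all, are assumptions of this model.

```python
"""Root-level versus resource-scoped policies (added example, not WebLogic's own code).

Each WebLogic resource type has the root-level policy from Table 5-1, and every
instance of that type inherits it unless a more specific policy is defined. This
model resolves a resource by walking its path from most specific to least
specific and falling back to the root-level default for its type. Principals are
plain strings ("role:Admin", "group:Everyone"); whether a policy is met is
reduced to set intersection.
"""
from typing import Dict, List, Optional, Set, Tuple

# Root-level defaults transcribed from Table 5-1; None where the table lists no default.
ROOT_LEVEL_POLICIES: Dict[str, Optional[Set[str]]] = {
    "Administrative": {"role:Admin"},
    "Application": None,
    "EIS": {"group:Everyone"},
    "EJB": {"group:Everyone"},
    "COM": None,
    "JDBC": {"group:Everyone"},
    "JNDI": {"group:Everyone"},
    "JMS": {"group:Everyone"},
    "Server": {"role:Admin", "role:Operator"},
    "WorkContext": {"group:Everyone"},
    "URL": {"group:Everyone"},
    "WebServices": {"group:Everyone"},
}

# Constructed scoped policies keyed by (resource type, path). Hypothetical resources.
SCOPED_POLICIES: Dict[Tuple[str, Tuple[str, ...]], Set[str]] = {
    ("JDBC", ("payroll-ds",)): {"group:PayrollApp"},
    ("URL", ("shop", "admin")): {"role:Admin"},
}


def find_policy(rtype: str, path: List[str]) -> Tuple[str, Optional[Set[str]]]:
    """Return (where the policy came from, policy). The most specific scoped policy
    wins; a policy on a parent covers its children (this model's reading of
    inheritance); with no scoped policy at any level, the root-level default applies."""
    for depth in range(len(path), 0, -1):
        key = (rtype, tuple(path[:depth]))
        if key in SCOPED_POLICIES:
            return "scoped:" + "/".join(path[:depth]), SCOPED_POLICIES[key]
    return "root", ROOT_LEVEL_POLICIES.get(rtype)


def is_allowed(rtype: str, path: List[str], principals: Set[str]) -> bool:
    """A subject passes if it holds any principal the resolved policy names.
    With no policy at all (root default None) this model denies; that is an
    assumption here, not a statement about WebLogic's runtime behaviour."""
    _, policy = find_policy(rtype, path)
    if not policy:
        return False
    return bool(policy & principals)


def types_open_to_everyone() -> List[str]:
    """Audit helper: resource types whose root-level default admits the Everyone group."""
    return sorted(t for t, p in ROOT_LEVEL_POLICIES.items() if p and "group:Everyone" in p)


if __name__ == "__main__":
    everyone = {"group:Everyone"}
    print(find_policy("URL", ["shop", "admin", "users"]))          # ('scoped:shop/admin', {'role:Admin'})
    print(is_allowed("URL", ["shop", "admin", "users"], everyone))  # False: inherits the admin policy
    print(is_allowed("JDBC", ["reports-ds"], everyone))             # True: root default applies
    print(types_open_to_everyone())
```

The `types_open_to_everyone` check is the one a reviewer of a realm's policy set wants first: for the resource types it lists, any instance without a scoped policy of its own is reachable by the Everyone group, so those are the types to audit when the realm is expected to restrict JDBC, JMS, JNDI or URL access.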

Security Policy Conditions

To determine who can access a resource, a policy contains one or more conditions. The most basic policy simply contains the name of a security role or a principal. For example, a basic policy might simply name the “Admin” global role. At runtime, the WebLogic Security Service interprets this policy as “allow access if user is in Admin role.” You can create more complex conditions and combine them using the logical operators AND and OR (which is an inclusive OR). You can also negate any condition, which would prohibit access under the specified condition.

The WebLogic Server Authorization providers display three kinds of built-in policy conditions in the Administration Console:

These sections describe the conditions that are available in realms that use the WebLogic Authorization provider or the WebLogic XACML Authorization provider. If your security realm uses a third-party Authorization provider, refer to the third-party documentation for information on its capabilities.

Basic Policy Conditions

The basic policy conditions that are available in this release of WebLogic Server are:

Date and Time Policy Conditions

When you use any of the date and time conditions, the security policy grants access to all users for the date or time you specify, unless you further restrict the users by adding one of the other conditions. The date and time policy conditions available in this release of WebLogic Server are:

Context Element Policy Conditions

You can use the context element conditions to create security policies based on the value of HTTP Servlet Request attributes, HTTP Session attributes, and EJB method parameters. WebLogic Server retrieves this information from the ContextHandler object and allows you to define policy conditions based on the values. When using any of these conditions, it is your responsibility to ensure that the attribute or parameter/value pairs apply to the context in which you are using them. For more information, see “ContextHandlers and WebLogic Resources” in Developing security providers for WebLogic Server.

The context element policy conditions available in this release of WebLogic Server are:
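The three kinds of condition described above, the AND/OR/negation operators from Security Policy Conditions, and the split between Authentication, Role Mapping and Authorization providers from Security Policy Storage and Prerequisites for Use can all be exercised in one small model. The following Python is an added example, not WebLogic's own code: the users, groups, role memberships, resource names and policies are constructed for illustration, the context is a plain dictionary standing in for the ContextHandler, and denying access when a resource has no policy at all is an assumption of the model.

```python
"""Policy condition evaluation modelled on the text (added example, not WebLogic code).

Three constructed stores stand in for the three providers the text names:
Authentication (users -> groups), Role Mapping (roles -> members) and
Authorization (resources -> policy condition trees). Conditions come in the
three kinds the Console exposes: basic (user/group/role), date-and-time
(hour-of-day window) and context element (attribute/value pairs read from a
ContextHandler-like dictionary). AND, inclusive OR and negation combine them.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, Optional, Set

# Authentication provider store (constructed users and groups).
AUTHN_USERS: Dict[str, Set[str]] = {
    "alice": {"Administrators"},
    "bob": {"Operators"},
    "carol": set(),  # authenticated, but in no group
}
EVERYONE = "Everyone"  # every subject, anonymous included, is treated as a member

# Role Mapping provider store: role -> users/groups that hold it (assumed membership).
ROLE_MEMBERS: Dict[str, Set[str]] = {
    "Admin": {"Administrators"},
    "Operator": {"Operators"},
}


@dataclass
class Subject:
    user: str
    groups: Set[str]
    roles: Set[str]


@dataclass
class Context:
    now: datetime              # evaluation time for date and time conditions
    elements: Dict[str, str]   # request attributes, session attributes, EJB parameters


Condition = Callable[[Subject, Context], bool]


# Basic conditions: a policy that simply names a role or a principal.
def role(name: str) -> Condition:
    return lambda s, c: name in s.roles

def group(name: str) -> Condition:
    return lambda s, c: name in s.groups

def user(name: str) -> Condition:
    return lambda s, c: s.user == name

# Date and time condition: hour-of-day window, start inclusive, end exclusive.
def hours_between(start: int, end: int) -> Condition:
    return lambda s, c: start <= c.now.hour < end

# Context element condition: the named attribute/parameter must carry the given value.
def context_element(key: str, value: str) -> Condition:
    return lambda s, c: c.elements.get(key) == value

# Logical operators: AND, inclusive OR, and negation of any condition.
def all_of(*conds: Condition) -> Condition:
    return lambda s, c: all(f(s, c) for f in conds)

def any_of(*conds: Condition) -> Condition:
    return lambda s, c: any(f(s, c) for f in conds)

def negate(cond: Condition) -> Condition:
    return lambda s, c: not cond(s, c)


def build_subject(username: Optional[str]) -> Subject:
    """Authentication lookup, then role mapping, to produce the runtime subject."""
    name = username or "<anonymous>"
    groups = set(AUTHN_USERS.get(name, set())) | {EVERYONE}
    roles = {r for r, members in ROLE_MEMBERS.items()
             if name in members or groups & members}
    return Subject(name, groups, roles)


def at_hour(hour: int, **elements: str) -> Context:
    """Context at a given hour on a fixed constructed date, with optional context elements."""
    return Context(datetime(2024, 1, 15, hour, 0), dict(elements))


# Authorization provider store: constructed resources and their policies.
POLICIES: Dict[str, Condition] = {
    "console": role("Admin"),                                     # "allow if user is in Admin role"
    "batch-report": all_of(role("Admin"), hours_between(8, 17)),  # "between the hours of 8 and 5"
    "status-page": hours_between(8, 17),                          # time window with no user restriction
    "orders-ejb:ship": all_of(any_of(role("Admin"), role("Operator")),
                              negate(context_element("orderStatus", "cancelled"))),
}


def is_access_allowed(resource: str, username: Optional[str], ctx: Context) -> bool:
    """Evaluate the resource's policy; deny when none exists (an assumption of this model)."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False
    return policy(build_subject(username), ctx)


if __name__ == "__main__":
    print(is_access_allowed("batch-report", "alice", at_hour(10)))  # True
    print(is_access_allowed("batch-report", "alice", at_hour(23)))  # False
    print(is_access_allowed("status-page", "carol", at_hour(10)))   # True: time-only policy admits everyone
```

The `status-page` policy is the case the text warns about: a date and time condition on its own admits every subject, anonymous included, during the window. Combining it with a role or group condition under AND, as `batch-report` does, is what turns it into a restriction. The `orders-ejb:ship` policy shows negation applied to a context element read from an EJB method parameter; as the text notes, the policy author is responsible for the named parameter actually being present in that context.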

Protected Public Interfaces

The WebLogic Server Administration Console, the WebLogic Scripting Tool (WLST), and MBean APIs are secured using the default security policies, which are based on the default global roles and default groups described in Table 6-2. Therefore, to use the Administration Console, a user must belong to one of these default groups or be granted one of these global roles. Additionally, administrative operations that require interaction with MBeans are secured using the MBean protections described in Maintaining a Consistent Security Scheme. Therefore, interaction with the following protected public interfaces typically must satisfy both security schemes.

Using the Administration Console to Manage Security Policies

This section describes the features and functions that are available in security realms that are using the WebLogic Authorization provider or the WebLogic XACML Authorization provider. If your security realm uses a third-party Authorization provider, refer to the third-party documentation for information on how to add policies to the provider database.

You can use the WebLogic Administration Console to access WebLogic resources for creating and modifying security policies. For more information, see Manage security policies in Administration Console Online Help.