Using the Combined Technique to Secure Your URL (Web) and Enterprise JavaBean (EJB) Resources
As described in Techniques for Securing URL (Web) and EJB Resources, you can combine the use of the WebLogic Server console and J2EE/WebLogic deployment descriptor techniques, and would typically do so for two reasons:
- To copy security configurations from deployment descriptors into the configured Authorization and Role Mapping providers' databases, upon initial deployment of URL and EJB resources. This process enables you to use the console for subsequent modifications to security roles and security policies.
- To reinitialize security configurations for URL and EJB resources to their original state, as specified in the deployment descriptors.
Note: Use of the combined technique for other purposes is not recommended. Before continuing, be sure you have read Prerequisites for Securing URL (Web) and EJB Resources.
The following sections provide step-by-step instructions for using the combined technique to secure your URL (Web) and Enterprise JavaBean (EJB) resources:
Note: You may also want to review Copying and Reinitializing Security Configurations before performing these tasks.
Copying Security Configurations
These instructions are intended for administrators who presently secure URL (Web) and Enterprise JavaBean (EJB) resources using J2EE and WebLogic deployment descriptors, but want to exclusively use the WebLogic Server console from this point forward. Note that BEA does not recommend maintaining security configurations in both the deployment descriptors and the console.
Caution: When using the combined technique, it is possible to override security configurations for URL (Web) and EJB resources. Therefore, take extra care to ensure that the appropriate security configuration is in place. Follow these instructions carefully to prevent data loss and to ensure that your URL (Web) and EJB resources are secured properly.
The procedure for copying security configurations differs slightly, depending on the type of WebLogic resource. Use the appropriate instructions provided in the following sections:
URL (Web) Resources
To copy security configurations for a URL (Web) resource so that you can use the WebLogic Server console for subsequent modifications, follow these steps:
- Step 1: Modify the Security Realm Settings and Deploy the webapp
- Step 2: Verify the Copied Security Policies (Optional)
- Step 3: Verify the Copied Security Roles (Optional)
- Step 4: Revert the On Future Redeploys Setting
- Step 5: Modify Security Roles and Security Policies Using the console (Optional)
Step 1: Modify the Security Realm Settings and Deploy the webapp
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select All webapps and EJBs as the value for the Check Roles and Policies drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you want the WebLogic Security Service to perform security checks on all URL (Web) and EJB resources.
- Select Initialize Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server to copy security for URL (Web) and EJB resources from the deployment descriptors into the configured Authorization and Role Mapping providers' databases each time you deploy the resource.
- Click the Apply button to save your changes.
- Restart the server. (For help, see Starting and Stopping WebLogic Servers: Quick Reference in the WebLogic Server Administration Guide.)
- Deploy the Webapp module whose security configuration you want to copy, targeting it to the appropriate server. Note: For instructions about how to deploy Webapp modules, see Deploying WebLogic Server Applications.
Step 2: Verify the Copied Security Policies (Optional)
- Open the web.xml deployment descriptor for the Webapp, and record the content of any <url-pattern> and <http-method> elements, as well as any <role-name> subelements of the <auth-constraint> element.
- Using the navigation tree at the left side of the console, click the right mouse button on the name of the deployed Webapp. A menu of options appears.
- Select the Define Security Policy... option. The General tab appears.
- Click the hyperlinked URL pattern that corresponds to the content of a single <url-pattern> element you recorded in step 1.
- Select a method from the Methods drop-down menu that corresponds to the content of a <http-method> element you recorded in step 1.
The Caller is Granted the Role condition in the Policy Condition list box is highlighted, and the content of the Policy Statement list box corresponds to the content of the appropriate <role-name> element that you recorded in step 1. An example of this is shown in Figure 6-1.
Figure 6-1 Policy Editor Page
- Repeat steps 2 - 5 to verify multiple security policies.
Step 3: Verify the Copied Security Roles (Optional)
- Open the weblogic.xml deployment descriptor for the Webapp, and record the content of any <role-name> elements.
- Using the navigation tree at the left side of the console, click the right mouse button on the name of the deployed Webapp module. A menu of options appears.
- Select the Define Scoped Role... option. The General tab appears.
- Click the hyperlinked URL pattern of /*. Note: Security roles obtained from deployment descriptors are always copied into the configured Role Mapping provider's database as scoped roles, with a URL pattern of /*.
- Click the Define Scoped Role... button to proceed.
The Select Roles page appears. This page displays all the scoped roles for this Webapp that are currently defined in the WebLogic Role Mapping provider's database, including the one from your deployment descriptor.
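The two optional verification steps above amount to a checklist: every `<url-pattern>`/`<http-method>` pair guarded by an `<auth-constraint>` should appear as a Caller is Granted the Role policy, and every role in weblogic.xml should appear as a scoped role on `/*`. The following script, an added example that is not part of this documentation, builds that checklist from constructed descriptor snippets (DTD form, no namespaces) so the console contents can be compared against it.

```python
# Added example (not from the WebLogic docs): the checklist an admin would
# record in Web Steps 2 and 3 above.  Descriptor snippets are constructed.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def expected_policies(web_xml):
    """{(url_pattern, http_method): [roles]} for each constraint that has an
    <auth-constraint>.  No <http-method> means every method (recorded as
    'ALL'); no <auth-constraint> means unrestricted, so nothing is copied."""
    policies = {}
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        ac = sc.find("auth-constraint")
        if ac is None:
            continue
        roles = [r.text.strip() for r in ac.findall("role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")] or ["ALL"]
            for up in wrc.findall("url-pattern"):
                for method in methods:
                    policies.setdefault((up.text.strip(), method), []).extend(roles)
    return policies

def expected_scoped_roles(weblogic_xml):
    """Roles from weblogic.xml are copied as scoped roles on URL pattern /*."""
    return {("/*", sra.findtext("role-name").strip())
            for sra in ET.fromstring(weblogic_xml).iter("security-role-assignment")}
```

Run it against your own web.xml and weblogic.xml and tick off each policy in the Policy Editor and each scoped role on the Select Roles page.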
Step 4: Revert the On Future Redeploys Setting
Caution: You must perform this step. Failure to revert this setting may result in inconsistent security configurations when your URL (Web) resources are redeployed. Therefore, be sure to perform this step before you restart your server. If you do not perform this step or perform this step incorrectly, you will see the following message the next time you load the Policy Editor page:
The information presented below may not be accurate. To ensure that you are viewing accurate information, you may need to delete and redeploy your WebLogic resources.
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select Ignore Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you will set security for URL (Web) and EJB resources using the console, not deployment descriptors.
- Click the Apply button to save your changes.
Step 5: Modify Security Roles and Security Policies Using the console (Optional)
Follow the instructions in Modifying Security Roles and Modifying and Deleting Security Policies to modify your URL (Web) resource's security roles and security policies.
Enterprise JavaBean (EJB) Resources
To copy security configurations for an Enterprise JavaBean (EJB) resource so that you can use the WebLogic Server console for subsequent modifications, follow these steps:
- Step 1: Modify the Security Realm Settings and Deploy the EJB
- Step 2: Verify the Copied Security Policies (Optional)
- Step 3: Verify the Copied Security Roles (Optional)
- Step 4: Revert the On Future Redeploys Setting
- Step 5: Modify Security Roles and Security Policies Using the console (Optional)
Step 1: Modify the Security Realm Settings and Deploy the EJB
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select All webapps and EJBs as the value for the Check Roles and Policies drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you want the WebLogic Security Service to perform security checks on all URL (Web) and EJB resources.
- Select Initialize Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server to copy security for URL (Web) and EJB resources from the deployment descriptors into the configured Authorization and Role Mapping providers' databases each time you deploy the resource.
- Click the Apply button to save your changes.
- Restart the server. (For help, see Starting and Stopping WebLogic Servers: Quick Reference in the WebLogic Server Administration Guide.)
- Deploy the EJB module whose security configuration you want to copy, targeting it to the appropriate server. Note: For instructions about how to deploy EJB modules, see Deploying WebLogic Server Applications.
Step 2: Verify the Copied Security Policies (Optional)
- Open the ejb-jar.xml deployment descriptor for the EJB, and record the content of any <method-permission> elements, specifically focusing on the <role-name>, <ejb-name>, and <method-name> subelements. Note: If the deployment descriptor uses the <unchecked /> element where you would normally find a <role-name> element, security checks will not be performed on that method; therefore, no security data for that method will be copied.
- Using the navigation tree at the left side of the console, click the right mouse button on the name of the deployed EJB module. A menu of options appears.
- Select the Define Roles and Policies for Individual Beans... option. A table listing all the EJBs that are in the JAR file appears.
- Click the [Define Security Policies] link for the EJB that corresponds to the <ejb-name> element you recorded in step 1. The Policy Editor page appears.
- Select a method from the Methods drop-down menu that corresponds to the content of a <method-name> element you recorded in step 1.
The Caller is Granted the Role condition in the Policy Condition list box is highlighted, and the content of the Policy Statement list box corresponds to the content of the corresponding <role-name> element that you recorded in step 1.
- Repeat steps 2 - 5 to verify multiple security policies.
Step 3: Verify the Copied Security Roles (Optional)
- Open the weblogic-ejb-jar.xml deployment descriptor for the EJB, and record the content of any <security-role-assignment> elements, specifically focusing on the <role-name> and <principal-name> subelements.
- Using the navigation tree at the left side of the console, click the right mouse button on the name of the deployed EJB module. A menu of options appears.
- Select the Define Scoped Role... option.
The Select Roles page appears. This page displays all the scoped roles for this EJB that are currently defined in the WebLogic Role Mapping provider's database, including the ones from your deployment descriptor's <role-name> elements. Note: Any global roles that are defined in the deployment descriptor will not appear here, as this page lists scoped roles only.
- Click the hyperlinked name of the scoped role.
- Click the Conditions tab. The Role Statement list box contains a Role Statement based on the content of your deployment descriptor's corresponding <principal-name> element. Note: Because principals can be users or groups, the Role Statement list box will show two expressions: one using the contents of the <principal-name> element in the User Name of the Caller Role Condition, the other using it in a Caller is a Member of the Group Role Condition, linked by an or statement. The console presumes that a user or group of the name used in the deployment descriptor already exists. If they do not, you will need to create them.
- Repeat steps 2 - 5 to verify multiple scoped roles.
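The EJB checklist differs from the Web one in two ways the steps above call out: a `<method-permission>` marked `<unchecked />` copies nothing, and each `<principal-name>` produces two Role Conditions (user name and group membership). The script below, an added example that is not part of this documentation, derives the expected policies and Role Statements from constructed ejb-jar.xml and weblogic-ejb-jar.xml snippets (DTD form, no namespaces).

```python
# Added example (not from the WebLogic docs): the checklist an admin would
# record in EJB Steps 2 and 3 above.  Descriptor snippets are constructed.
import xml.etree.ElementTree as ET

EJB_JAR_XML = """<ejb-jar><assembly-descriptor>
  <method-permission>
    <role-name>teller</role-name>
    <method><ejb-name>Account</ejb-name><method-name>deposit</method-name></method>
    <method><ejb-name>Account</ejb-name><method-name>withdraw</method-name></method>
  </method-permission>
  <method-permission>
    <unchecked/>
    <method><ejb-name>Account</ejb-name><method-name>getBalance</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""

WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar>
  <security-role-assignment>
    <role-name>teller</role-name>
    <principal-name>tellers</principal-name>
  </security-role-assignment>
</weblogic-ejb-jar>"""

def expected_method_policies(ejb_jar_xml):
    """{(ejb_name, method_name): [roles]} for checked permissions only:
    an <unchecked/> permission has no role, so nothing is copied for it."""
    policies = {}
    for mp in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        if mp.find("unchecked") is not None:
            continue  # method runs without a security check; no policy to verify
        roles = [r.text.strip() for r in mp.findall("role-name")]
        for m in mp.findall("method"):
            key = (m.findtext("ejb-name").strip(), m.findtext("method-name").strip())
            policies.setdefault(key, []).extend(roles)
    return policies

def expected_role_statements(weblogic_ejb_jar_xml):
    """{role: [(condition, principal), ...]}: each <principal-name> may be a
    user or a group, so the console emits both conditions joined by 'or'."""
    statements = {}
    for sra in ET.fromstring(weblogic_ejb_jar_xml).iter("security-role-assignment"):
        conds = []
        for p in sra.findall("principal-name"):
            name = p.text.strip()
            conds += [("User Name of the Caller", name),
                      ("Caller is a Member of the Group", name)]
        statements[sra.findtext("role-name").strip()] = conds
    return statements
```

Because the console presumes the named principal exists, a useful extra check is to confirm that each principal returned here is present as a user or group in the realm before relying on the copied roles.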
Step 4: Revert the On Future Redeploys Setting
Caution: You must perform this step. Failure to revert this setting may result in inconsistent security configurations when your EJB resources are redeployed. Therefore, be sure to perform this step before you restart your server. If you do not perform this step or perform this step incorrectly, you will see the following message the next time you load the Policy Editor page:
The information presented below may not be accurate. To ensure that you are viewing accurate information, you may need to delete and redeploy your WebLogic resources.
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select Ignore Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you will set security for URL (Web) and EJB resources using the console, not deployment descriptors.
- Click the Apply button to save your changes.
Step 5: Modify Security Roles and Security Policies Using the console (Optional)
Follow the instructions in Modifying Security Roles and Modifying and Deleting Security Policies to modify your EJB resource's security roles and security policies.
Reinitializing Security Configurations
To reinitialize security configurations for URL (Web) and Enterprise JavaBean (EJB) resources to their original state as specified in their deployment descriptors, follow these steps:
- Step 1: Modify the Security Realm Settings and Redeploy the WebLogic Resource
- Step 2: Verify the Reinitialized Security Policies and Security Roles (Optional)
- Step 3: Revert the On Future Redeploys Setting
- Step 4: Modify Security Roles and Security Policies Using the console (Optional)
Step 1: Modify the Security Realm Settings and Redeploy the WebLogic Resource
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select All webapps and EJBs as the value for the Check Roles and Policies drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you want the WebLogic Security Service to perform security checks on all URL (Web) and EJB resources.
- Select Initialize Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server to copy security for URL (Web) and EJB resources from the deployment descriptors into the configured Authorization and Role Mapping providers' databases each time you deploy the resource.
- Click the Apply button to save your changes.
- Using the navigation tree at the left side of the console, click the + sign next to Deployments, then click either:
- webapp Modules - for URL (Web) resources, or
- EJB Modules - for Enterprise JavaBean (EJB) resources.
- Click the name of the Webapp or EJB.
- In the main panel of the console, click the Deploy tab.
- Click the Stop button that corresponds to the server to which you targeted the URL (Web) or EJB resource. Figure 6-2 highlights the appropriate button for the examplesServer. Note: Clicking the Redeploy button will not have the same effect as performing steps 9 and 10, because nothing has changed in the deployed components.
Figure 6-2 Console: Deployment Status by Target
- Click the Deploy button that corresponds to the server to which you targeted the URL (Web) or EJB resource.
Step 2: Verify the Reinitialized Security Policies and Security Roles (Optional)
For URL (Web) resources, follow steps 2 and 3 in URL (Web) Resources. For Enterprise JavaBean (EJB) resources, follow steps 2 and 3 in Enterprise JavaBean (EJB) Resources.
Step 3: Revert the On Future Redeploys Setting
Caution: You must perform this step. Failure to revert this setting may result in inconsistent security configurations when your URL (Web) or EJB resources are redeployed. Therefore, be sure to perform this step before you restart your server. If you do not perform this step or perform this step incorrectly, you will see the following message the next time you load the Policy Editor page:
The information presented below may not be accurate. To ensure that you are viewing accurate information, you may need to delete and redeploy your WebLogic resources.
- Using the navigation tree at the left side of the console, click the + sign next to Security, then Realms.
- Click the name of your security realm (for example, myrealm).
- On the General tab, select Ignore Roles and Policies From DD as the value for the On Future Redeploys drop-down menu. Note: Recall what this setting means: you are telling WebLogic Server that you will set security for URL (Web) and EJB resources using the console, not deployment descriptors.
- Click the Apply button to save your changes.
Step 4: Modify Security Roles and Security Policies Using the console (Optional)
Follow the instructions in Modifying Security Roles and Modifying and Deleting Security Policies to modify your URL (Web) or EJB resource's security roles and security policies.