{"id":5001,"date":"2012-07-06T22:58:44","date_gmt":"2012-07-07T03:58:44","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=5001"},"modified":"2012-08-25T23:08:42","modified_gmt":"2012-08-26T04:08:42","slug":"1z1-102-security-concepts-and-configuration","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=5001","title":{"rendered":"WebLogic 11g Security Concepts and Configuration"},"content":{"rendered":"

<< Previous\n\n[toc depth=\"3\"]\n\n\n\n

Describe a WebLogic Server security realm<\/h2><\/span>\n

* Security Realms<\/a><\/p>\n

Overview<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n

* Security realm protects WL resources
\n* Each realm consists of a set of configured:
\n– security providers
\n– users: can be person or software entity
\n– groups: logically ordered set of users. Scoped to entire WLS domain.
\n– security roles:
\n~ privileges granted to user or group based on specific condition<\/strong>
\n~ are computed and granted dynamically
\n~ can be scoped to specific WL resources
\n– security policies:
\n~ an association between a WL resource and one or more users, groups, or security roles
\n~ protect against unauthorized access
\n* A user must be defined in sec realm in order to access any WL resources belonging to that realm<\/p>\n

Security Provider Database<\/h3><\/span>\n

* Contains:
\n– Users
\n– Groups
\n– Sec roles
\n– Sec policies
\n– Credentials
\n* Can be:
\n– Embedded LDAP
\n– A property file
\n– Database
\n* Need to be initialized with default:
\n– Groups
\n– Sec roles
\n– Sec policies
\n* RDBMS sec store is needed for:
\n– XACML authn and role mapping providers
\n– WL Credential Mapping provider
\n– PKI Credential Mapping providers
\n– SAML 1.1 Identity Assertion provider v2, SAML 1.1 Credential Mapping provider v2
\n– SAML 2.0 Identity Assertion provider, SAMl 2.0 Credential Mapping provider
\n– Default certificate registry<\/p>\n

Security Providers<\/h3><\/span>\n

* Modules that provide security services to applications
\n* See this post<\/a><\/p>\n

\"\"<\/a><\/h6><\/span>\n

Authentication Providers<\/h4><\/span>\n

* 1 or more per realm
\n* Supports:
\n– username\/password
\n– certificate
\n– digest
\n* An Identity Assertion provider is a special type of Authentication provider and handles perimeter authentication and multiple sec token types and protocols.
\n* Login Modules perform actual authentication of a user or system
\n* Uses Principal Validation provider for signing and verifying principal authenticity<\/p>\n

Identity Assertion Providers<\/h4><\/span>\n

* 1 or more per realm
\n* Establish client identity using client supplied tokens, i.e. validate and map a token to username
\n* Enable perimeter authentication and SSO
\n* Support multiple token types (one token type per provider): Digest, SPNEGO, and SAML (1.1, 2.0)
\n* Can handle multiple sec protocols: Kerberos, SOAP, IIOP-CSIv2<\/p>\n

Principal Validation Providers<\/h4><\/span>\n

* One Principal Validation provider per Authentication provider
\n* For Signing and verifying authenticity of principals
\n* Configured indirectly from the configuration of Authentication providers<\/p>\n

Authorization Providers<\/h4><\/span>\n

* 1 or more per realm
\n* Controls access to WL resources based on sec policies
\n* Achieved by Access Decision<\/strong>
\n* Bulk access versions:
\n– BulkAuthorizationProvider
\n– BulkAccessDecision
\n* Return
\n– PERMIT
\n– DENY
\n– ABSTAIN<\/p>\n

Adjudication Providers<\/h4><\/span>\n

* Needed only for multiple Authorization Providers
\n* Resolves authorization conflicts from multiple Authorization Providers
\n* Bulk access version:
\n– BulkAdjudicationProvider
\n– BulkAdjudicator<\/p>\n

Role Mapping Providers<\/h4><\/span>\n

* 1 or more per realm (if more than one, then results are merged)
\n* Support dynamic role associations based on
\n– Security roles from J2EE and WL deployment descriptor files
\n– Business logic and the current operation parameters
\n* Provides role information to Authentication providers
\n* Bulk operations:
\n– BulkRoleProvider
\n– BulkRoleMapper<\/p>\n

Audit Providers<\/h4><\/span>\n

* 0 or more per realm
\n* Collects, stores, distributes information about operating requests and their outcomes
\n* For non-repudiation
\n* Can write audit info to
\n– LDAP
\n– DB
\n– File<\/p>\n

Credential Mapping Providers<\/h4><\/span>\n

* 1 or more per realm (if more, results are combined)
\n* Maps WL credentials to legacy\/remote credentials
\n* Allow WL to login legacy\/remote systems on behalf of WL authenticated subjects
\n* Can handle different types of credentials
\n– username\/password
\n– SAML
\n– PKI certificates<\/p>\n

Certificate Lookup and Validation Providers<\/h4><\/span>\n

* 1 or more per realm (if more, need to pass all)
\n* Validate certificate chains
\n* Two CLS types:
\n– CertPath Builder: receives cert, cert chain, or cert ref from web service or application code, looks up and validates certificates in the chain
\n– CertPath Validator: receives cert chain from SSL protocol, web servicie, app code and perform extra <\/strong>validation such as revocation checking.<\/p>\n

Keystore Providers<\/h4><\/span>\n

* Creates and manages password protected stores of private keys and trusted certs
\n* Deprecated, use JKS <\/strong>(Java Key Store) instead<\/p>\n

Realm Adapter Providers<\/h4><\/span>\n

* Provides backward compatibility with WL 6.x realms<\/p>\n

Migrate provider data using the admin console<\/h2><\/span>\n

* See Migrating Security Data<\/a><\/p>\n

Overview<\/h3><\/span>\n

* Can only migrate using the same format
\n– A format is a data format that specifies how security data should be exported or imported
\n* Constraints are key\/value pairs that specify import and export options. For example:
\n– passwords=cleartext
\n* Use passwords=cleartext<\/em> to allow exporting password in clear text (does not work if passwords are one way hashed)
\n* Can use Admin Console or WLST
\n– WLST Example:<\/p>\n

\r\ndomainRuntime() \r\ncd('DomainServices\/DomainRuntimeService\/DomainConfiguration\/mydomain\/SecurityConfiguration\/mydomain\/DefaultRealm\/myrealm\/path-to-MBean\/mbeanname')\r\ncmo.importData(format,filename,constraints) \r\n<\/pre>\n
Export data from security realms<\/h3><\/span>\n
* Export page:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
* Exported files:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
Import data into security realms<\/h3><\/span>\n
* Import page:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
Export data from a security provider<\/h3><\/span>\n
* Export page:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
* Exported file:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Import data from a security provider<\/h3><\/span>\n
* Import page:<\/p>\n
\"\"<\/a><\/h6><\/span>\n
Create users and groups via the admin console<\/h2><\/span>\n
* See Manage users and groups<\/a><\/p>\n
Create User<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Create Group<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Add User to Group<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Configure roles and policies via the admin console<\/h2><\/span>\n
* See Manage security roles<\/a><\/p>\n
Role Types<\/h3><\/span>\n
* Global roles
\n* Scoped roles: applies to a specific instance of a WebLogic resource (such as a method on an EJB or a branch of a JNDI tree)<\/p>\n
Create Global Role<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Edit Global Roles<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Remove Global Roles<\/h3><\/span>\n
* Global Roles can not be removed (?) but Conditions can be removed.<\/p>\n
Create Policies<\/h3><\/span>\n
\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a>
\n\"\"<\/a>
\n<\/h6>\n
Remove Policies<\/h3><\/span>\n
\"\"<\/a><\/h6><\/span>\n
Web App and EJB Sec Models<\/a><\/h2><\/span>\n
Deployment Descriptor (DD) Only Model<\/h3><\/span>\n
* J2EE standard
\n* Uses only roles\/policies defined in both J2EE DDs and WebLogic DDs
\n* WLS security admins verify existence of principals in WLS sec realm
\n* Changes recognized by WLS when redeployed<\/p>\n
Custom Roles Model<\/h3><\/span>\n
* Uses policies defined in J2EE DDs
\n* Ignores principal mappings in WLS DDs
\n* WLS sec admins use Admin Console to complete role mappings<\/p>\n
Custom Roles and Policies Model<\/h3><\/span>\n
* Unified and dynamic sec management
\n* Uses roles and policies created by sec admins
\n* Ignores all roles\/policies defined in DDs
\n* Good for securing entire web apps or EJBs
\n* Not appropriate from fine grained control of large numbers of URL patterns and EJB methods<\/p>\n
Advanced Model<\/h3><\/span>\n
* Backward compatibility with WLS 9<\/p>\n
Configure roles and policies using application descriptors<\/h2><\/span>\n
Configure Web application authentication using descriptors<\/h2><\/span>\n
* See Web Application Security-Related Deployment Descriptors<\/a><\/p>\n
web.xml<\/h3><\/span>\n
* Example:<\/p>\n
\r\n\r\n    \r\n        SecureOrdersEast<\/web-resource-name>\r\n        \r\n            Security constraint for\r\n            resources in the orders\/east directory\r\n        <\/description>\r\n        \/orders\/east\/*<\/url-pattern>\r\n        POST<\/http-method>\r\n        GET<\/http-method>\r\n    <\/web-resource-collection>\r\n    \r\n        \r\n            constraint for east coast sales\r\n        <\/description>\r\n        east<\/role-name>\r\n        manager<\/role-name>\r\n        <\/auth-constraint>\r\n    \r\n        SSL not required<\/description>\r\n        NONE<\/transport-guarantee>\r\n    <\/user-data-constraint>\r\n<\/security-constraint>\r\n<\/pre>\n
security-constraint<\/h4><\/span>\n
* web-resource-collection
\n– required
\n– defines components of the web app to which this security constraint is applied
\n*auth-constraint
\n– optional
\n– defines which groups or principals have access to the collection of Web resources defined in this security constraint.
\n* user-data-constraint
\n– optional
\n– defines how data communication between client and server should be protected (e.g. SSL)<\/p>\n
security-role<\/h4><\/span>\n
* Contains the definition of a security role
\n* Sample web.xml:<\/p>\n
\r\n  \r\n    SnoopServlet<\/servlet-name>\r\n    extra.SnoopServlet<\/servlet-class>\r\n    \r\n      runasrole<\/role-name>\r\n    <\/run-as>\r\n  <\/servlet>\r\n  \r\n    runasrole<\/role-name>\r\n  <\/security-role>\r\n<\/pre>\n
* Sample weblogic.xml:<\/p>\n
\r\n  \r\n     \r\n       runasrole<\/role-name>\r\n       joe<\/run-as-principal-name>\r\n     <\/run-as-role-assignment>\r\n  <\/weblogic-web-app>\r\n<\/pre>\n
security-role-ref<\/h4><\/span>\n
* Links a security role name defined by <security-role> to an alternative role name that is hard-coded<\/strong> in the servlet logic.
\n* This extra layer of abstraction allows the servlet to be configured at deployment without changing servlet code.<\/p>\n
\r\nServlet code: \r\nout.println(\"Is the user a Manager? \" +\r\n                 request.isUserInRole(\"manager\"));\r\nweb.xml entries:\r\n\r\n. . .\r\n   manager<\/role-name>\r\n   mgr<\/role-link>\r\n. . .\r\n<\/servlet>\r\n\r\n   mgr<\/role-name>\r\n<\/security-role>\r\nweblogic.xml entries:\r\n\r\n   mgr<\/role-name>\r\n   bostonManagers<\/principal-name>\r\n   Bill<\/principal-name>\r\n   Ralph<\/principal-name>\r\n<\/security-role-ref>\r\n<\/pre>\n
weblogic.xml<\/h3><\/span>\n
externally-defined<\/h4><\/span>\n
* Explicitly indicate that you want the security roles defined by the role-name<\/em> element in the web.xml deployment descriptors to use the mappings specified in the Administration Console
\n* Exmaple (webuser has to be defined in WLS realm)<\/p>\n
\r\nweb.xml entries:\r\n\r\n           ...\r\n           \r\n               webuser<\/role-name>\r\n           <\/security-role>\r\n           ...\r\n<\/web-app>\r\nweblogic.xml entries:\r\n\r\n     \r\n         webuser<\/role-name>\r\n         \r\n     <\/security-role-assignment>\r\n<\/pre>\n
run-as-principal-name<\/h4><\/span>\n
* specifies the name of a principal to use for a security role defined by a run-as<\/em> element in the companion web.xml file.<\/p>\n
\r\nweb.xml:\r\n  \r\n    SnoopServlet<\/servlet-name>\r\n    extra.SnoopServlet<\/servlet-class>\r\n    \r\n      runasrole<\/role-name>\r\n    <\/run-as>\r\n  <\/servlet>\r\n  \r\n    runasrole<\/role-name>\r\n  <\/security-role>\r\nweblogic.xml:\r\n  \r\n     \r\n       runasrole<\/role-name>\r\n       joe<\/run-as-principal-name>\r\n     <\/run-as-role-assignment>\r\n  <\/weblogic-web-app>\r\n<\/pre>\n
security-permission<\/h4><\/span>\n
* Specifies a security permission that is associated with a Java EE Sandbox.<\/p>\n
\r\n\r\n   \r\n     Optional explanation goes here<\/description>\r\n     \r\n\r\n      grant {\r\n      permission java.net.SocketPermission \"*\", \"resolve\";\r\n      };\r\n     <\/security-permission-spec>\r\n   <\/security-permission>\r\n<\/weblogic-web-app>\r\n<\/pre>\n
security-role-assignment<\/h4><\/span>\n
* declares a mapping between a security role and one or more principals in the WebLogic Server security realm.
\n* Example<\/p>\n
\r\n\r\n  \r\n        PayrollAdmin<\/role-name>\r\n       Tanya<\/principal-name>\r\n       Fred<\/principal-name>\r\n       system<\/principal-name>\r\n  <\/security-role-assignment>\r\n<\/weblogic-web-app>\r\n<\/pre>\n
Using Programmatic Security With Web Applications<\/h3><\/span>\n
* javax.servlet.http.HttpServletRequest.getUserPrincipal()
\n* javax.servlet.http.HttpServletRequest.isUserInRole(String role)<\/p>\n
Using the Programmatic Authentication API<\/h3><\/span>\n
* weblogic.servlet.security.ServletAuthentication
\n* weblogic.security.SimpleCallbackHandler<\/p>\n
\r\nCallbackHandler handler = new SimpleCallbackHandler(username,\r\n                                                               password);\r\nSubject mySubject =\r\n        weblogic.security.services.Authentication.login(handler);\r\nweblogic.servlet.security.ServletAuthentication.runAs(mySubject, request);\r\n\/\/ Where request is the httpservletrequest object.\r\n<\/pre>\n
* weblogic.security.URLCallbackHandler<\/p>\n
\r\nCallbackHandler handler = new URLCallbackHandler(username,\r\n                                                           password);\r\nSubject mySubject =\r\n        weblogic.security.services.Authentication.login(handler);\r\nweblogic.servlet.security.ServletAuthentication.runAs(mySubject, request);\r\n\/\/ Where request is the httpservletrequest object.\r\n<\/pre>\n
Configure the embedded LDAP authentication provider<\/h2><\/span>\n
* See Configuring LDAP Authentication Providers<\/a><\/p>\n
DefaultAuthenticator<\/h3><\/span>\n
* Uses embedded LDAP server
\n* Supports any v2 or v3 compliant LDAP servers
\n* User names must be unique<\/p>\n
Configuring LDAP Authentication Providers<\/h3><\/span>\n
Next<\/a> >><\/p>\n
[mv_include id=’3268′]<\/p>\n","protected":false},"excerpt":{"rendered":"
grant { permission java.net.SocketPermission “*”, “resolve”; }; > [mv_include id=’3268′]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[107,104],"tags":[588,576,590],"class_list":["post-5001","post","type-post","status-publish","format-standard","hentry","category-certification","category-weblogic11g","tag-11g","tag-security","tag-weblogic"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-1iF","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5001","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5001"}],"version-history":[{"count":21,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5001\/revisions"}],"predecessor-version":[{"id":5711,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/5001\/revisions\/5711"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5001"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5001"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5001"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}