It's all about Weblogic..!!

July 4, 2010

Introduction to Security ( secmanager document )

Filed under: Uncategorized — streethawkz @ 3:54 pm

Security Realms in WebLogic Server :

  • Security realms act as a scoping mechanism.
  • Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies.
  • You can configure multiple security realms in a domain; however, only one can be the active security realm.
  • WebLogic Server provides two default security realms:
  1. myrealm—Has the WebLogic Adjudication, Authentication, Identity Assertion, Authorization, Role Mapping, and Credential Mapping providers configured by default.
  2. CompatibilityRealm—Provides backward compatibility for 6.x security configurations. You can access an existing 6.x security configuration through the CompatibilityRealm.

Security Providers :

  • Security providers are modular components that handle specific aspects of security, such as authentication and authorization.
  • The WebLogic Security Service supports the following types of security providers:

1. Authentication :

  • Process whereby the identity of users or system processes is proved or verified.
  • Types of authentication:
    – Username and password authentication
    – Certificate-based authentication directly with WebLogic Server
    – HTTP certificate-based authentication proxied through an external Web server

2. Identity Assertion :

  • It is an Authentication provider that performs perimeter authentication (authentication using tokens).
  • It involves establishing a client’s identity through the use of client-supplied tokens.
  • The function of an Identity Assertion provider is to validate a token and map it to a username.
  • Once this mapping is complete, an Authentication provider’s LoginModule can be used to convert the username to a principal (an authenticated user, group, or system process).

3. Authorization :

  • Once a user’s identity has been established by an Authentication provider, authorization is responsible for determining whether access to WebLogic resources should be permitted for that user.
  • An Authorization provider supplies these services.

4. Role Mapping :

  • One or more roles can be assigned to multiple users.
  • Access rights can be set to a user having a particular role.
  • Role mapping providers get the information about the set of roles granted to a requestor for a given resource.
  • Role Mapping providers supply Authorization providers with this information so that the Authorization provider can answer the “is access allowed?” question for WebLogic resources that use role-based security.

5. Adjudication :

  • When multiple Authorization providers are configured in a security realm, each may return a different answer to the “is access allowed” question for a given resource.
  • Adjudication providers resolve authorization conflicts by weighing each Authorization provider’s answer and returning a final access decision.
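
The Role Mapping, Authorization and Adjudication providers above form one decision chain. The following Python model is an added example written for this summary, not WebLogic code: the user directory, role grants and policies are constructed, and the two adjudication modes are modelled on the “Require Unanimous Permit” setting of WebLogic’s default adjudicator (an assumption about that provider’s behaviour, not something this post states).

```python
# Added illustration (not WebLogic's own code): a miniature model of the
# Role Mapping -> Authorization -> Adjudication chain.
# All users, groups, roles, resources and policies below are constructed.
from enum import Enum


class Result(Enum):
    # An Authorization provider answers with one of these three values
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


# Constructed directory data: user -> groups
GROUPS = {"alice": {"Administrators"}, "bob": {"Deployers"}, "eve": set()}

# Constructed role grants: (resource, role) -> groups that hold the role there
ROLE_GRANTS = {
    ("/console", "Admin"): {"Administrators"},
    ("/console", "Deployer"): {"Administrators", "Deployers"},
}


def role_mapping(user, resource):
    """Role Mapping provider: the set of roles the requestor holds for a resource."""
    groups = GROUPS.get(user, set())
    return {role for (res, role), grp in ROLE_GRANTS.items()
            if res == resource and groups & grp}


def role_based_authz(user, resource, roles):
    """Authorization provider 1: permits if the requestor holds a role the policy names."""
    policy = {"/console": {"Admin", "Deployer"}}   # constructed: resource -> allowed roles
    if resource not in policy:
        return Result.ABSTAIN                      # no opinion without a policy
    return Result.PERMIT if roles & policy[resource] else Result.DENY


def maintenance_window_authz(user, resource, roles):
    """Authorization provider 2: denies Deployers (but not Admins) during a freeze."""
    freeze_active = True                           # constructed flag standing in for a time check
    if freeze_active and "Deployer" in roles and "Admin" not in roles:
        return Result.DENY
    return Result.ABSTAIN


def adjudicate(answers, require_unanimous_permit=True):
    """Adjudication provider: combine the providers' answers into one decision.

    Assumed behaviour (modelled on the default adjudicator's "Require Unanimous
    Permit" option): any DENY wins; in unanimous mode every provider must
    PERMIT, so an ABSTAIN refuses access; otherwise ABSTAINs are ignored and
    one PERMIT with no DENY grants access.
    """
    if Result.DENY in answers:
        return False
    if require_unanimous_permit:
        return all(a is Result.PERMIT for a in answers)
    return Result.PERMIT in answers


PROVIDERS = [role_based_authz, maintenance_window_authz]


def is_access_allowed(user, resource, require_unanimous_permit=False):
    """Run the whole chain for one request."""
    roles = role_mapping(user, resource)
    answers = [p(user, resource, roles) for p in PROVIDERS]
    return adjudicate(answers, require_unanimous_permit)


if __name__ == "__main__":
    for u in ("alice", "bob", "eve"):
        print(u, "/console ->", is_access_allowed(u, "/console"))
```

In the non-unanimous mode alice is admitted because one provider permits and the other abstains; in unanimous mode the same abstention refuses her, which is why changing that setting on a realm with several Authorization providers deserves a test pass over the protected resources.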

6. Credential Mapping :

  • Credential Mapping providers allow WebLogic Server to access remote systems using credentials mapped from the identity that has already been authenticated in WebLogic Server.
  • i.e. a Credential Mapping provider helps an authorized subject in WebLogic Server access a remote system by mapping that subject’s credentials to credentials for the remote system.

7. Keystore :

  • It is a password protected store of private keys and certificates for trusted certificate authorities. E.g.: trust.jks, identity.jks

8. Certificate Lookup and Validation (CLV) :

  • X.509 certificates need to be located and validated for purposes of identity and trust.
  • CLV providers receive certificates, certificate chains, or certificate references, complete the certificate path (if necessary), and validate all the certificates in the path.
  • There are two types of CLV providers:
    – CertPath Builder –> looks up and optionally completes the certificate path and validates the certificates.
    – CertPath Validator –> looks up and optionally completes the certificate path, validates the certificates, and performs extra validation (for example, revocation checking).

9. Certificate Registry :

  • The registry stores a list of valid certificates.
  • Only registered certificates are valid.
  • A certificate is revoked by removing it from the certificate registry.
  • The registry is stored in the embedded LDAP server.
  • The Certificate Registry is both a CertPath Builder and a CertPath Validator.

10. Auditing :

  • Auditing provides an electronic trail of computer activity.
  • It is the process whereby information about security requests and the outcome of those security requests is collected, stored, and distributed for the purpose of non-repudiation.

Security Policies and WebLogic Resources

  • WebLogic Server uses security policies to protect WebLogic resources.
  • Security policies answer the question “who has access” to a WebLogic resource.
  • Note: Role mapping providers get the information about the set of roles granted to a requestor for a given resource.
  • It supplies this information to the Authorization providers.
  • Adjudication providers resolve conflicts between Authorization providers (if multiple Authorization providers are configured in a security realm) and help them answer the “is access allowed” question for a given resource.
  • A security policy is created when you define an association between a WebLogic resource and a user, group, or security role.
  • A WebLogic resource has no protection until you assign it a security policy.
  • WebLogic Server defines the following resources:
  1. Administrative resources
  2. Application resources
  3. Component Object Model (COM) resources
  4. Enterprise Information System (EIS) resources
  5. Enterprise JavaBean (EJB) resources
  6. Java DataBase Connectivity (JDBC) resources
  7. Java Naming and Directory Interface (JNDI) resources
  8. Java Messaging Service (JMS) resources
  9. Server resources
  10. URL resources
  11. Web Services resources
  12. Remote resources

Deployment Descriptors and the WebLogic Server Administration Console

  • The WebLogic Security Service can use information defined in deployment descriptors to grant security roles and define security policies for Web applications and EJBs.
  • When WebLogic Server is booted for the first time, security role and security policy information stored in web.xml, weblogic.xml, ejb-jar.xml, or weblogic-ejb-jar.xml deployment descriptors is loaded into the Authorization and Role Mapping providers configured in the default security realm.
  • To use information in deployment descriptors, at least one Authorization and Role Mapping provider in the security realm must implement the DeployableAuthorizationProvider and DeployableRoleProvider Security Service Provider Interface (SSPI).
  • This SSPI allows the providers to store (rather than retrieve) information from deployment descriptors.
  • By default, the WebLogic Authorization and Role Mapping providers implement this SSPI.
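
To show how descriptor content becomes policy and role-mapping data, here is an added Python example (not WebLogic’s own descriptor loader): it reads the security-constraint elements of a constructed web.xml and the security-role-assignment elements of a constructed weblogic.xml, then answers the “is access allowed” question for a URL. The URL-pattern matching is a simplified version of the Servlet specification rules and is an assumption of this example, as are the sample roles and groups.

```python
# Added illustration, not WebLogic code: turn web.xml security constraints and
# weblogic.xml role assignments into policy and role-mapping tables.
import xml.etree.ElementTree as ET

# Constructed sample descriptors (XML namespaces omitted to keep the parser short)
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>internal</web-resource-name>
      <url-pattern>/internal/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>   <!-- empty auth-constraint: no role may access -->
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>admin</role-name>
    <principal-name>Administrators</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def load_policies(web_xml):
    """web.xml -> [(url_pattern, methods, allowed_roles)]; empty methods = all methods."""
    policies = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        auth = sc.find("auth-constraint")          # 'is None' test: empty elements are falsy
        if auth is None:
            continue                               # no auth-constraint: not a role restriction
        roles = {r.text for r in auth.findall("role-name")}   # empty set = deny everyone
        for wrc in sc.findall("web-resource-collection"):
            methods = {m.text for m in wrc.findall("http-method")}
            for pat in wrc.findall("url-pattern"):
                policies.append((pat.text, methods, roles))
    return policies


def load_role_assignments(weblogic_xml):
    """weblogic.xml -> role name -> set of principal (user or group) names."""
    mapping = {}
    for sra in ET.fromstring(weblogic_xml).findall("security-role-assignment"):
        role = sra.find("role-name").text
        mapping[role] = {p.text for p in sra.findall("principal-name")}
    return mapping


def pattern_matches(pattern, path):
    """Simplified Servlet-style matching: exact, '/prefix/*' or '*.ext'."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def roles_for(principals, assignments):
    """Role Mapping step: which descriptor roles do these principals hold?"""
    return {role for role, names in assignments.items() if principals & names}


def is_allowed(method, path, principals, policies, assignments):
    """Authorization step: a matching constraint grants access only to its roles;
    a URL matched by no constraint is unprotected."""
    roles = roles_for(principals, assignments)
    matching = [r for pat, meth, r in policies
                if pattern_matches(pat, path) and (not meth or method in meth)]
    if not matching:
        return True
    return any(r & roles for r in matching)


if __name__ == "__main__":
    pol, asg = load_policies(WEB_XML), load_role_assignments(WEBLOGIC_XML)
    print(is_allowed("GET", "/admin/users", {"Administrators"}, pol, asg))   # True
    print(is_allowed("GET", "/admin/users", {"Deployers"}, pol, asg))        # False
```

Note what the first constraint leaves open: it lists GET and POST only, so a DELETE request to /admin/* matches no constraint and the model (like the specification) treats the URL as unprotected. Omitting the http-method list makes a constraint cover every method, which is the safer default for a protected path.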

Methods of Configuring Security

  • When you manage security realms, you must use two different MBean servers depending on your task:
    – To set the value of a security MBean attribute, you must use the Edit MBean Server.
    – To add users, groups, roles, and policies, or to invoke other operations in a security provider MBean, you must use a Runtime MBean Server or the Domain Runtime MBean Server.

SSL :

  • Secure Sockets Layer

Public Key Cryptography :

  • In public key cryptography, an individual or organization has two complementary keys, one called a public key, and one called a private key.
  • Any information encrypted using the private key can only be decrypted using the public key.
  • Conversely, any information encrypted using the public key can only be decrypted using the private key.

For example:
Bob has two complementary keys
What one key encrypts on the other key can decrypt
Bob keeps one key private (Private Key)
Bob makes one key available to the public (Public Key)
If Alice needs to send Bob a message
Bob sends Alice a copy of his public key
Alice encrypts a message with Bob’s public key
Bob decrypts the message with his private key

  • In public key cryptography, if Alice wants to send a secret message to Bob, she must obtain a copy of his public key. Before doing so, however, she needs to make sure that the public key really belongs to Bob.
  • A certificate addresses this problem; it is an electronic document that binds a public key to a particular individual or organization.
  • Certificates are issued by a trusted third party, called a Certification Authority (CA).
  • The CA issues a certificate that contains the organization’s public key.
  • All digital certificates are “signed” with the Certificate Authority’s private key to ensure authenticity. The Certificate Authority’s public key is widely distributed.
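
The two key properties and the CA binding described above, as an added illustration that is not code from the post or from Oracle: textbook RSA on constructed, deliberately tiny primes, plus a toy certificate that a CA signs with its private key and anyone checks with the CA’s public key. The names, key sizes, the JSON layout of the certificate and the hash-then-reduce signing step are assumptions of this example; real deployments use 2048-bit or larger keys and padded encryption and signature schemes.

```python
# Added illustration (not from the post): textbook RSA with toy-sized keys to
# show "what one key encrypts the other decrypts" and a CA-signed certificate.
import hashlib
import json


def make_keypair(p, q, e=65537):
    """Toy key generation from two primes: returns ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                 # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)


def apply_key(value, key):
    """The same modular exponentiation serves both keys; only the exponent differs."""
    exp, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exp, n)


def encrypt(message: bytes, key):
    return apply_key(int.from_bytes(message, "big"), key)


def decrypt(ciphertext: int, key):
    value = apply_key(ciphertext, key)
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def digest(data: bytes, n):
    """Hash the data and reduce it into the key's range (toy step; real schemes pad)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, private_key):
    """Signing = applying the private key to the digest."""
    return apply_key(digest(data, private_key[1]), private_key)


def verify(data: bytes, signature: int, public_key):
    """Verifying = applying the public key and comparing with a fresh digest."""
    return apply_key(signature, public_key) == digest(data, public_key[1])


def issue_certificate(subject, subject_public_key, ca_private_key):
    """The CA binds a subject name to a public key by signing the pair (toy layout)."""
    body = {"subject": subject, "public_key": list(subject_public_key)}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": sign(to_be_signed, ca_private_key)}


def check_certificate(cert, ca_public_key):
    """Anyone holding the CA's widely distributed public key can check the binding."""
    to_be_signed = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(to_be_signed, cert["signature"], ca_public_key)


# Constructed toy keys built from well-known primes (far too small for real use)
BOB_PUB, BOB_PRIV = make_keypair(1000000007, 998244353)
CA_PUB, CA_PRIV = make_keypair(1000000009, 999999937)


if __name__ == "__main__":
    secret = b"hi, Bob"                 # 7 bytes: encodes to an integer below n
    print(decrypt(encrypt(secret, BOB_PUB), BOB_PRIV))
    cert = issue_certificate("bob.example.test", BOB_PUB, CA_PRIV)
    print("certificate valid:", check_certificate(cert, CA_PUB))
```

The same apply_key call implements both directions of the post’s statement: Alice encrypts with Bob’s public key and only his private key recovers the text, and a value produced with the private key (the signature) is checked with the public key. Changing one byte of a certificate body, or of a signed message, makes the check fail.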

SSL Certificate will contain the following information:
Your organization’s common name (e.g., http://www.oracle.com)
Additional identifying information (e.g., IP and physical address)
Your public key
Expiration date of the public key
Name of the CA that issued the ID (e.g., VeriSign)
A unique serial number
VeriSign’s digital signature

Certificate Formats

The primary certificate types are:

  • PEM – Can contain private keys (RSA and DSA), public keys (RSA and DSA) and (X.509) certificates. It stores data in Base64-encoded DER format, surrounded by ASCII headers, so it is suitable for text-mode transfers between systems.
  • DER – Distinguished Encoding Rules (DER) can contain private keys, public keys and certificates. It is the default format for most browsers, and is stored according to the ASN.1 DER format. It is headerless — PEM is text-header-wrapped DER.
  • PKCS#12 – Public Key Cryptography Standards #12 (PKCS#12) can contain private keys, public keys, and certificates. It is stored in a binary format; such files are also known as PFX files.
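
An added example (not from the post) of the PEM/DER relationship just described: PEM is the DER bytes Base64-encoded between ASCII armour lines, and DER itself is a tag-length-value encoding with a definite, shortest-form length. A small constructed SEQUENCE stands in for a certificate, since a real X.509 structure is far larger; the helper names are this example’s own.

```python
# Added illustration (not from the post): PEM <-> DER conversion and a minimal
# DER tag-length-value reader. SAMPLE_DER is a constructed value, not a certificate.
import base64
import textwrap

# Constructed DER: SEQUENCE { INTEGER 5, OCTET STRING "ab" }
SAMPLE_DER = bytes.fromhex("3007" "020105" "04026162")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM = Base64 of the DER bytes in 64-column lines, wrapped in BEGIN/END armour."""
    body = base64.b64encode(der).decode("ascii")
    return (f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(body, 64))
            + f"\n-----END {label}-----\n")


def pem_to_der(pem: str) -> bytes:
    """Strip the armour and decode; the BEGIN and END labels must agree."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    begin_label = lines[0][len("-----BEGIN "):-5]
    end_label = lines[-1][len("-----END "):-5]
    if begin_label != end_label:
        raise ValueError("PEM BEGIN/END labels differ")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value triple: returns (tag, value, next_offset).

    DER allows only the definite length form: one byte below 0x80, or 0x80|k
    followed by k big-endian length bytes in shortest form (no leading zero byte).
    """
    tag = data[offset]
    first = data[offset + 1]
    pos = offset + 2
    if first < 0x80:
        length = first
    else:
        k = first & 0x7F
        if k == 0:
            raise ValueError("indefinite length is BER, not DER")
        length_bytes = data[pos:pos + k]
        if len(length_bytes) != k or length_bytes[0] == 0:
            raise ValueError("malformed DER length")
        length = int.from_bytes(length_bytes, "big")
        pos += k
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def der_children(sequence: bytes):
    """Split a SEQUENCE (0x30) or SET (0x31) into its child (tag, value) pairs."""
    tag, value, _ = der_tlv(sequence)
    if tag not in (0x30, 0x31):
        raise ValueError("not a SEQUENCE or SET")
    children, pos = [], 0
    while pos < len(value):
        ctag, cvalue, pos = der_tlv(value, pos)
        children.append((ctag, cvalue))
    return children


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem)
    print(der_children(pem_to_der(pem)))   # [(2, b'\x05'), (4, b'ab')]
```

The length checks matter in practice: a reader that accepted an indefinite or non-minimal length, or did not notice a truncated value, would treat two different byte strings as the same certificate, which is exactly what a signature over the DER encoding is meant to rule out.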

< References >

Link : http://download.oracle.com/docs/cd/E12840_01/wls/docs103/secmanage/overview.html
