Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Securing WebLogic Server 12c
Securing WebLogic Server 12c

Securing WebLogic Server 12c: Learn to develop, administer and troubleshoot for WebLogic Server with this book and ebook.

eBook
Mex$344.99 Mex$492.99
Paperback
Mex$615.99
Subscription
Free Trial

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Table of content icon View table of contents Preview book icon Preview Book

Securing WebLogic Server 12c

Chapter 1. WebLogic Security Concepts

Security is a complex matter, and Java EE is not an exception to this rule. To make things even more complicated, WebLogic extends standard security with some important and useful features that will be explored in this chapter; they are as follows:

  • Identity Assertion

  • Credential Mappers

  • Java Authentication Service Provider Interface for Containers (JASPIC) and Java Authentication and Authorization Service (JAAS)

General concept of security in Java EE


Java standard security is implemented with the security manager and policy files, and is extended by the Java Enterprise Edition in a completely transparent way for the developer; like every other service offered by the platform.

If you are an Enterprise Bean developer, you can develop knowing that the container will take care of the sensitive task of securing your data in the same way it takes care of remoting, translating from HTTP protocol to servlet method call, and transaction management. Obviously, it is impossible for the container to be aware of the infrastructure in which it will be deployed, so there are a lot of standard ways to extend it in order to let it work with a new RDBMS: installing the Java Database Connectivity (JDBC) driver JAR files or a new transactional resource that implements the resource adapter contract.

This principle applies to security as well; but until Java EE 6 there were no standard methods of implementing a new Authentication Provider, or whatever is inherent to security. As we'll see, this new version makes it mandatory that containers implement JASPIC 1.0, but many of them implement it in parallel and WebLogic 12c is no exception. If you need to implement something that is not "simple", custom Providers with custom API are required.

In Java EE, the developer interacts with the container using declarative annotations or XML descriptors. When you need to secure a URL managed by a servlet, all you need to do is annotate that servlet with the @ServletSecurity annotation along with a list of allowed roles, as shown in the following code snippet:

@WebServlet("/mysecuredurl")
@ServletSecurity(@HttpConstraint(rolesAllowed={"myrole"}))
public class MySecuredServlet extends HttpServlet {
...
}

This single line of meta-code opens up the magic world of Java EE security, as explained in the following points:

  • If the user is not authenticated, the web container will ask him/her for his/her credentials; how the user will be asked depends on the configuration of the web application and the kind of client the user is using.

  • The user agent accepts the credentials and sends that information to the server. The server then tries to validate them using an Authentication Provider. If this is successful, a suitable container for user principals will be created (a Subject), and this will be mapped to the authenticating agent using a sort of session cookie.

  • Once the user principals are known, they are mapped to the application roles that are declared on the custom deployment descriptors of your application server.

  • If the servlet needs additional resources or needs to make a call to an EJB method, the security context will be "propagated" (see Java EE 6 specs, v.3.2, at http://www.oracle.com/technetwork/java/javaee/tech/index.html).

Every single step described here involves a bunch of very complex tasks, and all of them are free for the Java EE developer; they are made behind the curtain by the container.

WebLogic security architecture

WebLogic security architecture is based on a set of classes in the weblogic.security.* package in the WebLogic Security Framework (WSF), which are used to develop Security Providers that run under the auspices of WebLogic Security Service.

This runtime is the orchestrator that allows application components such as EJBs and servlets to communicate with server resources, with the intermediation of the Security Provider.

Here, we will review some basic concepts of WSF that we need to understand to develop custom providers.

Identifying – Subjects, Principals, and Credentials

WebLogic follows the JAAS architecture of Java SE for its security infrastructure: Subjects, Principals, and Credentials. These are explained as follows:

  • Subject: Information related to the entity that is requesting the secured resources, such as identities (principal) or attributes (credentials)

  • Principal: Identity associated with the authenticated entity, such as its full name, the username, a Lightweight Directory Access Protocol (LDAP) group, and everything that identifies it

  • Credentials: Attributes related to the entity that is authenticated; they may be security-related, such as a Kerberos ticket (sun.security.krb5.Credentials) or not security-related, such as attributes that are used by the application

In JAAS, when the login() method is called on the current LoginContext class, a new Subject object is created and the configured LoginModule is called in sequence to enrich that object with principals.

So, for instance, it is possible to configure a LoginModule interface that adds Kerberos credentials, another LoginModule, like WebLogic's UsernamePasswordLoginModule, that adds PasswordCredential. These are then used by WebLogic to access restricted resources.

WebLogic resources

Java EE 6 defines the security of components such as an EJB or a connection to an Enterprise Information System (EIS); WebLogic resources extend this level of security. The following is a quote defining resources from the official WebLogic 12c documentation:

A structured object used to represent an underlying WebLogic Server entity that can be protected from unauthorized access.

This means that a DataSource object can't be accessed directly but only through a JDBCResource object, and every resource is also represented as a hierarchy; if security is not specified for the leaf, its single parent can be inspected until a suitable configuration is found.

Suppose, for example, the container is checking if the user is allowed to access a certain method of an EJB, whose resource representation is as follows:

type=<ejb>, app=SecuredApp, module=EJBModule, ejb=VeryImportantEJB, method=callItSecure, methodInterface=Home, methodParams={String, int}

If the EJBResource class can't find a suitable policy for that method, it will ask its parent, the Enterprise Bean, which can verify if the user is allowed or not.

Writing custom providers – MBeans

Java Management Extensions (JMX) is a mandatory part of the Java EE 6 specification that defines standards for the monitoring and management of Enterprise applications in a dynamic and nonintrusive way. Using JMX, it is possible to query an arbitrary application for diagnostic information without knowing anything about the way it is being implemented, but only using a standard tool like JConsole or VisualVM. This is implemented in a structured way, where JMX defines the runtime, the way Management Beans are developed, and how to access that information. Implementation is straightforward; you only need to define what you want to, as follows:

@MXBean
public interface MyManagedProperties {
    public int getCached();
    public void callOperation();
}

And the implementation—in Java EE 6 it's really a few lines of code—is as follows:

@Singleton
@Startup
public class MyManagedPropertiesBean implements MyManagedProperties {
   private MBeanServer platformMBeanServer;
   private ObjectName objectName = null;
   @PostConstruct
   public void registerInJMX() {
      try {
        objectName = new ObjectName("MyMXBean :type=" + this.getClass().getName());
        InitialContext ctx = new InitialContext();
        platformMBeanServer = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
        ctx.close();
        platformMBeanServer.registerMBean(this, objectName);
        } catch (Exception e) {
        throw new IllegalStateException("Problem during registration of Monitoring into JMX:" + e);
      }
   }
   public int getCached() {//doSomething}
   public void callOperation() {//doSomething}

   @PreDestroy
   public void unregisterFromJMX() {
      try {
        platformMBeanServer.unregisterMBean(this.objectName);
        } catch (Exception e) {
        throw new IllegalStateException("Problem during unregistration of Monitoring into JMX:" + e);
      }
   }
}

An MXBean interface is implemented in the previous code; it is a Managed Bean that can be accessed by a JMX client, which doesn't need to know anything about our application. It is the duty of the agent to convert every domain-specific class to simple properties.

Unfortunately, developing MBeans for WebLogic is not that easy, because of a custom way to generate the MBeans that execute in the MBeanServer interface. It is necessary to write a custom XML file, called MBean Definition File (MDF), and then generate a JAR file that can be installed on the WebLogic server using WebLogic's MBeanMaker tool.

Authentication Providers


Developing an Authentication Provider is a fairly complex task with many concepts that need to be understood. Here, we will introduce the concepts regarding the composing parts of a provider and different kinds of authentication.

Authentication under WebLogic

Authentication is completely delegated to entities called Authentication Providers, which are a set of classes and configuration files that incorporate an MBean and a LoginModule interface. Every time you request a protected resource, every configured Provider is requested to add the principals extracted from the credentials provided.

This mechanism is very similar to the one configurable on the client with only JAAS (and jaas.config); the main difference is that it's done with the administration console. This console allows us to configure parameters visually, through the automatically-generated JSP page, without touching any XML file, as shown in the following screenshot:

MBean and JAAS

Under WebLogic Security Framework, everything is wrapped by MBeans. The standard JAAS security infrastructure is created and invoked using an MBean, which can be configured using the standard console. This makes sense because the console and every utility that runs under the WebLogic ecosystem has to be consistent and there are a lot of technologies around Java that have to be integrated.

So, if you need to implement your own LoginModule interface, remember that you need to "decorate" it with the correct MBean, which in turn is automatically generated for you by the WebLogic MBeanMaker tool.

Multipart Authentication Provider

Every Provider has only one chance to contribute to the authentication process: it receives Credentials and eventually adds Principals to the current Subject. This scenario of security has very limited potentialities if interaction with the user agent is required. For example, for negotiating an authentication mechanism, redirecting to a remote login site, or even implementing a challenge/response handshake, this is a suitable task for servlet filters, but if they are configured for a protected resource they are not called until you are authenticated.

WebLogic Security Framework gives developers a chance to return an array of filters that are executed on behalf of the standard Authentication mechanism, but not under the application component's security context.

Perimeter Authentication

Perimeter Authentication usually uses Identity Assertion and security filters to authenticate users. This will be elaborated later.

Identity Assertion


A lot of organizations have heterogeneous systems that need security services, and many of these systems interact with users that have already declared who they are, for example, during the login phase of their workstation at the beginning of their working day.

This is the basis to introduce the concept of a Perimeter, where authentication is made once and then always trusted during the day. The same happens when you use your badge to enter into your company; you are trusted to be allowed into the buildings, with the need to expose the badge to express that you are an employee. In case of Perimeter Authentication, a token released by a third party is used to extract who the user is, by performing an Identity Assertion and not full authentication.

This means that when developing LoginModule interfaces for Identity Assertion providers, Credentials are used not to decide if the user is authenticated, but simply to populate the Subject with the Principals that can be found using the token.

Credential Mapper


Prior to Java EE 6 and the introduction of the SecurityContext interface in Java EE Connector Architecture (JCA) 1.6 specification (see the SecurityContext interface in JCA 1.6 specifications at http://jcp.org/en/jsr/detail?id=322), there were no standard ways to map the current SecurityContext security object to the ConnectionSpec interface of a resource adapter.

This could mean the following two things:

  • No end-to-end Single Sign-On from the user to the EIS

  • Code into application components that implement mapping of credentials

WebLogic Security Framework supports the mapping of credentials from the current authenticated user to a format that can be understood by the resource adapter/EIS.

The implementation is really straightforward. Before calling the execute()method on the interaction in the ConnectionSpec interface, the Mapper is asked to convert the current Credentials stored into the Subject into one or more Credentials valid for the remote system.

Currently, if BasicPassword is the current authentication mechanism type and PasswordCredential is the interface that has to be used for the communication, it's sufficient for the developer of the custom Credentials Mapping provider to write a function that maps the local security space to that of the called EIS.

Conceptually, this is not much different from what is done with Identity Assertion and Perimeter Authentication; but this time the trust is between WebLogic and an external system, with the former responsible for security. Of course, there may also be Mappings that are able to make full authentication, but in both cases the weak link is the Java Application Server that has the chance to authenticate users to a remote system.

JASPIC and Java EE


After so many pages talking about security and how to implement it in WebLogic, the question is: why is all this custom-made and not regulated by Java EE?

Java EE 6 has the correct answer to this question: the JASPIC 1.0 specification, a message processing framework that is protocol-independent and that can do what an Authentication Provider does for us; that is, populate Subjects with Principals and therefore authenticate a remote user agent.

In a manner that is different from WebLogic Security Framework, where everything is inside a secure framework API because the message and the protocol are managed by the application server, this is done at the message level. In this way, it enforces the concept that security is something related to the protocol and the way information is exchanged.

In fact, currently we have three profiles that are part of the standard specification, one that is able to authenticate HTTP clients, another that works with SOAP messages, and a third profile that tries to bridge the new specification with the existing JAAS login module on the market.

This is the first implementation in WebLogic and its immaturity is apparent from the total lack of documentation and the fact that the configuration is not integrated into the custom deployment descriptors. So, consider using it only on noncritical systems.

JACC


Java Authorization Contract for Containers (JACC) is an extension of the standard policy-based security of the JVM for role mapping and authorization of servlets and EJBs. The working of this policy-based security is shown in the following screenshot:

Although it is implemented by WebLogic, Oracle itself discourages its use because of the lack of features and flexibility compared to custom providers, and also because of performance issues. For these reasons, JACC will not be covered in this book.

Summary


This chapter was a quick introduction to WebLogic security fundamentals learning theory that will be used later when a custom provider will be developed or configured inside our domain using the WebLogic console.

It started from Java EE security and then declined to the WebLogic Security Framework, from MBeans to resources.

Finally, two Java Specification Requests (JSR) specs were covered, JASPIC and JACC, to show how limited they are compared to custom providers.

Left arrow icon Right arrow icon

Key benefits

  • Discover Authentication providers
  • Configure security for WebLogic applications and develop your own security providers
  • Step by step guide to administer and configure WebLogic security providers
  • Quick guide to security configuration in WebLogic realm

Description

Security is a must in modern Enterprise architecture, and WebLogic implements a very complete and complex architecture for configuration and implementation, and we need to deeply know in technologies, terminology and how the security process works between all actors. Transparent security of your applications and Weblogic infrastructure need a good knowledge of the issues you can incur in this long and error prone configuration process. "Securing WebLogic Server 12c" will simplify a complex world like WebLogic Security, helping the reader to implement and configure. It's the only fast guide that will let you develop and deploy in a production system with best practices both from the development world and the operation world. This book will try to make a clear picture of Java EE Security with clean and simple step-by-step examples that will guide the reader to security implementation and configuration From the concepts of Java EE Security to the development of secure application, from the configuration of a realm to the setup of Kerberos Single Sign on, every concept is expressed in simple terms and surrounded by examples and pictures. Finally, also a way to develop WebLogic Security Providers with Maven, so that you can add the security part of your infrastructure to your enterprise best practices.

Who is this book for?

If you are a WebLogic Server administrator looking forward to a step by step guide to administer and configure WebLogic security, then this is the guide for you. Working knowledge of WebLogic is required.

What you will learn

  • Setup your development environment for WebLogic with Maven
  • Develop applications with Maven using fast split-deployment
  • Configure your applications to take advantage of Java EE Security
  • Understand how to integrate with WebLogic security
  • Configure a Security Realm from scratch
  • Integrate with your enterprise security systems
  • Detailed how-to Kerberos single-sign-on configuration with a little, but userful, knowledge base to solve some typical issue

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Nov 23, 2012
Length: 100 pages
Edition : 1st
Language : English
ISBN-13 : 9781849687799
Vendor :
Oracle
Concepts :

What do you get with eBook?

Product feature icon Instant access to your Digital eBook purchase
Product feature icon Download this book in EPUB and PDF formats
Product feature icon Access this title in our online reader with advanced features
Product feature icon DRM FREE - Read whenever, wherever and however you want
OR
Modal Close icon
Payment Processing...
tick Completed

Billing Address

Product Details

Publication date : Nov 23, 2012
Length: 100 pages
Edition : 1st
Language : English
ISBN-13 : 9781849687799
Vendor :
Oracle
Concepts :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just Mex$85 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just Mex$85 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total Mex$ 2,996.97
Oracle WebLogic Server 12c Advanced Administration Cookbook
Mex$1128.99
Securing WebLogic Server 12c
Mex$615.99
Getting Started with Oracle WebLogic Server 12c: Developer's Guide
Mex$1251.99
Total Mex$ 2,996.97 Stars icon

Table of Contents

5 Chapters
WebLogic Security Concepts Chevron down icon Chevron up icon
WebLogic Security Realm Chevron down icon Chevron up icon
Java EE Security with WebLogic Chevron down icon Chevron up icon
Creating Custom Authentication Providers with Maven Chevron down icon Chevron up icon
Integrating with Kerberos SPNEGO Identity Assertion Chevron down icon Chevron up icon

Customer reviews

Rating distribution
Full star icon Full star icon Empty star icon Empty star icon Empty star icon 2
(2 Ratings)
5 star 0%
4 star 0%
3 star 50%
2 star 0%
1 star 50%
Edwin Biemond Jan 06, 2013
Full star icon Full star icon Full star icon Empty star icon Empty star icon 3
This small book shortly explains all the parts which are involved by the WebLogic Security Framework. It describes how to use the internal weblogic and an external LDAP server as authentication provider. Plus a maven example howto develop, deploy a web application which uses security. Another maven example howto develop or configure a custom provider. And the last chapter explains Microsoft Active Directory SSO with WebLogic. I Did not see many new 12c features and most of this information should also work on WebLogic 10.3. I liked the small part about programmatic security with WebLogic XACML provider. But I hoped to learn more about WebLogic 12c and Java EE 6 like the JASPIC,JACC specifications and how this works with WebLogic plus why they are limited compared to weblogic custom providers. The maven part is great for testing the examples but it does not add any value to this content.
Amazon Verified review Amazon
Jayaprakash Aug 12, 2016
Full star icon Empty star icon Empty star icon Empty star icon Empty star icon 1
One of the Useless book i have buy it sofar.Security in Java/JEE and in weblogic is one of the most beautiful concept.But this book was explained in a ugly fashion.I don't understand why Author choose to write this topic without providing any intro and technical stuff ,only by writing theory.It is waste of money ,time and expectations to invest on this book.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

How do I buy and download an eBook? Chevron down icon Chevron up icon

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the ebook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else
How can I make a purchase on your website? Chevron down icon Chevron up icon

If you want to purchase a video course, eBook or Bundle (Print+eBook) please follow below steps:

  1. Register on our website using your email address and the password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title. 
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Cart, or PayPal)
Where can I access support around an eBook? Chevron down icon Chevron up icon
  • If you experience a problem with using or installing Adobe Reader, the contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us
What eBook formats do Packt support? Chevron down icon Chevron up icon

Our eBooks are currently available in a variety of formats such as PDF and ePubs. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks? Chevron down icon Chevron up icon
  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower price than print
  • They save resources and space
What is an eBook? Chevron down icon Chevron up icon

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply login to your account and click on the link in Your Download Area. We recommend you saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.