After so many pages talking about security and how to implement it in WebLogic, the question is: why is all this custom-made and not regulated by Java EE?

Java EE 6 has the correct answer to this question: the JASPIC 1.0 specification, a message processing framework that is protocol-independent and that can do what an Authentication Provider does for us; that is, populate Subjects with Principals and therefore authenticate a remote user agent.

In a manner that is different from WebLogic Security Framework, where everything is inside a secure framework API because the message and the protocol are managed by the application server, this is done at the message level. In this way, it enforces the concept that security is something related to the protocol and the way information is exchanged.

In fact, currently we have three profiles that are part of the standard specification, one that is able to authenticate HTTP clients, another that works with SOAP messages, and a third profile that tries to bridge the new specification with the existing JAAS login module on the market.

This is the first implementation in WebLogic and its immaturity is apparent from the total lack of documentation and the fact that the configuration is not integrated into the custom deployment descriptors. So, consider using it only on noncritical systems.