What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Securing WebLogic Server 12c

Chapter 1. WebLogic Security Concepts

Security is a complex matter, and Java EE is not an exception to this rule. To make things even more complicated, WebLogic extends standard security with some important and useful features that will be explored in this chapter; they are as follows:

Identity Assertion
Credential Mappers
Java Authentication Service Provider Interface for Containers (JASPIC) and Java Authentication and Authorization Service (JAAS)

General concept of security in Java EE

Java standard security is implemented with the security manager and policy files, and is extended by the Java Enterprise Edition in a completely transparent way for the developer; like every other service offered by the platform.

If you are an Enterprise Bean developer, you can develop knowing that the container will take care of the sensitive task of securing your data in the same way it takes care of remoting, translating from HTTP protocol to servlet method call, and transaction management. Obviously, it is impossible for the container to be aware of the infrastructure in which it will be deployed, so there are a lot of standard ways to extend it in order to let it work with a new RDBMS: installing the Java Database Connectivity (JDBC) driver JAR files or a new transactional resource that implements the resource adapter contract.

This principle applies to security as well; but until Java EE 6 there were no standard methods of implementing a new Authentication Provider, or whatever is inherent to security. As we'll see, this new version makes it mandatory that containers implement JASPIC 1.0, but many of them implement it in parallel and WebLogic 12c is no exception. If you need to implement something that is not "simple", custom Providers with custom API are required.

In Java EE, the developer interacts with the container using declarative annotations or XML descriptors. When you need to secure a URL managed by a servlet, all you need to do is annotate that servlet with the @ServletSecurity annotation along with a list of allowed roles, as shown in the following code snippet:

@WebServlet("/mysecuredurl")
@ServletSecurity(@HttpConstraint(rolesAllowed={"myrole"}))
public class MySecuredServlet extends HttpServlet {
...
}

This single line of meta-code opens up the magic world of Java EE security, as explained in the following points:

If the user is not authenticated, the web container will ask him/her for his/her credentials; how the user will be asked depends on the configuration of the web application and the kind of client the user is using.
The user agent accepts the credentials and sends that information to the server. The server then tries to validate them using an Authentication Provider. If this is successful, a suitable container for user principals will be created (a Subject), and this will be mapped to the authenticating agent using a sort of session cookie.
Once the user principals are known, they are mapped to the application roles that are declared on the custom deployment descriptors of your application server.
If the servlet needs additional resources or needs to make a call to an EJB method, the security context will be "propagated" (see Java EE 6 specs, v.3.2, at http://www.oracle.com/technetwork/java/javaee/tech/index.html).

Every single step described here involves a bunch of very complex tasks, and all of them are free for the Java EE developer; they are made behind the curtain by the container.

WebLogic security architecture

WebLogic security architecture is based on a set of classes in the weblogic.security.* package in the WebLogic Security Framework (WSF), which are used to develop Security Providers that run under the auspices of WebLogic Security Service.

This runtime is the orchestrator that allows application components such as EJBs and servlets to communicate with server resources, with the intermediation of the Security Provider.

Here, we will review some basic concepts of WSF that we need to understand to develop custom providers.

Identifying – Subjects, Principals, and Credentials

WebLogic follows the JAAS architecture of Java SE for its security infrastructure: Subjects, Principals, and Credentials. These are explained as follows:

Subject: Information related to the entity that is requesting the secured resources, such as identities (principal) or attributes (credentials)
Principal: Identity associated with the authenticated entity, such as its full name, the username, a Lightweight Directory Access Protocol (LDAP) group, and everything that identifies it
Credentials: Attributes related to the entity that is authenticated; they may be security-related, such as a Kerberos ticket (sun.security.krb5.Credentials) or not security-related, such as attributes that are used by the application

In JAAS, when the login() method is called on the current LoginContext class, a new Subject object is created and the configured LoginModule is called in sequence to enrich that object with principals.

So, for instance, it is possible to configure a LoginModule interface that adds Kerberos credentials, another LoginModule, like WebLogic's UsernamePasswordLoginModule, that adds PasswordCredential. These are then used by WebLogic to access restricted resources.

WebLogic resources

Java EE 6 defines the security of components such as an EJB or a connection to an Enterprise Information System (EIS); WebLogic resources extend this level of security. The following is a quote defining resources from the official WebLogic 12c documentation:

A structured object used to represent an underlying WebLogic Server entity that can be protected from unauthorized access.

This means that a DataSource object can't be accessed directly but only through a JDBCResource object, and every resource is also represented as a hierarchy; if security is not specified for the leaf, its single parent can be inspected until a suitable configuration is found.

Suppose, for example, the container is checking if the user is allowed to access a certain method of an EJB, whose resource representation is as follows:

type=<ejb>, app=SecuredApp, module=EJBModule, ejb=VeryImportantEJB, method=callItSecure, methodInterface=Home, methodParams={String, int}

If the EJBResource class can't find a suitable policy for that method, it will ask its parent, the Enterprise Bean, which can verify if the user is allowed or not.

Writing custom providers – MBeans

Java Management Extensions (JMX) is a mandatory part of the Java EE 6 specification that defines standards for the monitoring and management of Enterprise applications in a dynamic and nonintrusive way. Using JMX, it is possible to query an arbitrary application for diagnostic information without knowing anything about the way it is being implemented, but only using a standard tool like JConsole or VisualVM. This is implemented in a structured way, where JMX defines the runtime, the way Management Beans are developed, and how to access that information. Implementation is straightforward; you only need to define what you want to, as follows:

@MXBean
public interface MyManagedProperties {
    public int getCached();
    public void callOperation();
}

And the implementation—in Java EE 6 it's really a few lines of code—is as follows:

@Singleton
@Startup
public class MyManagedPropertiesBean implements MyManagedProperties {
   private MBeanServer platformMBeanServer;
   private ObjectName objectName = null;
   @PostConstruct
   public void registerInJMX() {
      try {
        objectName = new ObjectName("MyMXBean :type=" + this.getClass().getName());
        InitialContext ctx = new InitialContext();
        platformMBeanServer = (MBeanServer) ctx.lookup("java:comp/env/jmx/runtime");
        ctx.close();
        platformMBeanServer.registerMBean(this, objectName);
        } catch (Exception e) {
        throw new IllegalStateException("Problem during registration of Monitoring into JMX:" + e);
      }
   }
   public int getCached() {//doSomething}
   public void callOperation() {//doSomething}

   @PreDestroy
   public void unregisterFromJMX() {
      try {
        platformMBeanServer.unregisterMBean(this.objectName);
        } catch (Exception e) {
        throw new IllegalStateException("Problem during unregistration of Monitoring into JMX:" + e);
      }
   }
}

An MXBean interface is implemented in the previous code; it is a Managed Bean that can be accessed by a JMX client, which doesn't need to know anything about our application. It is the duty of the agent to convert every domain-specific class to simple properties.

Unfortunately, developing MBeans for WebLogic is not that easy, because of a custom way to generate the MBeans that execute in the MBeanServer interface. It is necessary to write a custom XML file, called MBean Definition File (MDF), and then generate a JAR file that can be installed on the WebLogic server using WebLogic's MBeanMaker tool.

Authentication Providers

Developing an Authentication Provider is a fairly complex task with many concepts that need to be understood. Here, we will introduce the concepts regarding the composing parts of a provider and different kinds of authentication.

Authentication under WebLogic

Authentication is completely delegated to entities called Authentication Providers, which are a set of classes and configuration files that incorporate an MBean and a LoginModule interface. Every time you request a protected resource, every configured Provider is requested to add the principals extracted from the credentials provided.

This mechanism is very similar to the one configurable on the client with only JAAS (and jaas.config); the main difference is that it's done with the administration console. This console allows us to configure parameters visually, through the automatically-generated JSP page, without touching any XML file, as shown in the following screenshot:

MBean and JAAS

Under WebLogic Security Framework, everything is wrapped by MBeans. The standard JAAS security infrastructure is created and invoked using an MBean, which can be configured using the standard console. This makes sense because the console and every utility that runs under the WebLogic ecosystem has to be consistent and there are a lot of technologies around Java that have to be integrated.

So, if you need to implement your own LoginModule interface, remember that you need to "decorate" it with the correct MBean, which in turn is automatically generated for you by the WebLogic MBeanMaker tool.

Multipart Authentication Provider

Every Provider has only one chance to contribute to the authentication process: it receives Credentials and eventually adds Principals to the current Subject. This scenario of security has very limited potentialities if interaction with the user agent is required. For example, for negotiating an authentication mechanism, redirecting to a remote login site, or even implementing a challenge/response handshake, this is a suitable task for servlet filters, but if they are configured for a protected resource they are not called until you are authenticated.

WebLogic Security Framework gives developers a chance to return an array of filters that are executed on behalf of the standard Authentication mechanism, but not under the application component's security context.

Perimeter Authentication

Perimeter Authentication usually uses Identity Assertion and security filters to authenticate users. This will be elaborated later.

Key benefits

Discover Authentication providers

Configure security for WebLogic applications and develop your own security providers

Step by step guide to administer and configure WebLogic security providers

Quick guide to security configuration in WebLogic realm

Description

Security is a must in modern Enterprise architecture, and WebLogic implements a very complete and complex architecture for configuration and implementation, and we need to deeply know in technologies, terminology and how the security process works between all actors. Transparent security of your applications and Weblogic infrastructure need a good knowledge of the issues you can incur in this long and error prone configuration process. "Securing WebLogic Server 12c" will simplify a complex world like WebLogic Security, helping the reader to implement and configure. It's the only fast guide that will let you develop and deploy in a production system with best practices both from the development world and the operation world. This book will try to make a clear picture of Java EE Security with clean and simple step-by-step examples that will guide the reader to security implementation and configuration From the concepts of Java EE Security to the development of secure application, from the configuration of a realm to the setup of Kerberos Single Sign on, every concept is expressed in simple terms and surrounded by examples and pictures. Finally, also a way to develop WebLogic Security Providers with Maven, so that you can add the security part of your infrastructure to your enterprise best practices.

What you will learn

Setup your development environment for WebLogic with Maven

Develop applications with Maven using fast split-deployment

Configure your applications to take advantage of Java EE Security

Understand how to integrate with WebLogic security

Configure a Security Realm from scratch

Integrate with your enterprise security systems

Detailed how-to Kerberos single-sign-on configuration with a little, but userful, knowledge base to solve some typical issue

What do you get with Print?

Instant access to your digital eBook copy whilst your Print order is Shipped

Paperback book shipped to your preferred address

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Frequently bought together

Oracle WebLogic Server 12c Advanced Administration Cookbook

$54.99

$29.99

Getting Started with Oracle WebLogic Server 12c: Developer's Guide

$60.99

Total $ 145.97

Edwin Biemond Jan 06, 2013

This small book shortly explains all the parts which are involved by the WebLogic Security Framework. It describes how to use the internal weblogic and an external LDAP server as authentication provider. Plus a maven example howto develop, deploy a web application which uses security. Another maven example howto develop or configure a custom provider. And the last chapter explains Microsoft Active Directory SSO with WebLogic. I Did not see many new 12c features and most of this information should also work on WebLogic 10.3. I liked the small part about programmatic security with WebLogic XACML provider. But I hoped to learn more about WebLogic 12c and Java EE 6 like the JASPIC,JACC specifications and how this works with WebLogic plus why they are limited compared to weblogic custom providers. The maven part is great for testing the examples but it does not add any value to this content.

Amazon Verified review

Jayaprakash Aug 12, 2016

One of the Useless book i have buy it sofar.Security in Java/JEE and in weblogic is one of the most beautiful concept.But this book was explained in a ugly fashion.I don't understand why Author choose to write this topic without providing any intro and technical stuff ,only by writing theory.It is waste of money ,time and expectations to invest on this book.

Securing WebLogic Server 12c: Learn to develop, administer and troubleshoot for WebLogic Server with this book and ebook.

What do you get with Print?

Securing WebLogic Server 12c

Chapter 1. WebLogic Security Concepts

General concept of security in Java EE

WebLogic security architecture

Identifying – Subjects, Principals, and Credentials

WebLogic resources

Writing custom providers – MBeans

Authentication Providers

Authentication under WebLogic

MBean and JAAS

Multipart Authentication Provider

Perimeter Authentication

Identity Assertion

Credential Mapper

JASPIC and Java EE

JACC

Summary

Page 1 of 8

Key benefits

Description

Who is this book for?

What you will learn

Product Details

What do you get with Print?

Product Details

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

People who bought this also bought

FAQs

Securing WebLogic Server 12c: Learn to develop, administer and troubleshoot for WebLogic Server with this book and ebook.

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Key benefits

Description

Who is this book for?

What you will learn

Product Details

What do you get with Print?

Contact Details

Shipping Address

Billing Address

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

People who bought this also bought

FAQs