WebLogic Resource Security

Markus Eisele
Yesterday a coworker dropped in and asked me about the WebLogic security concept. He was trying to deploy the JEE example application Dukes Bank on the 10.x version and got in trouble with the changed resource protection.
The web application has a single web.xml DD and a separate weblogic.xml DD is missing. If you have something like this in your web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Success</web-resource-name>
    <url-pattern>/welcome.jsp</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>webuser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>default</realm-name>
</login-config>
<security-role>
  <role-name>webuser</role-name>
</security-role>

Then you need to tweak the default behaviour of the WebLogic Server to get this up and running. You have different options in WLS to secure your resources:

  • Deployment Descriptor Only (Java EE standard)

  • Custom Roles

  • Custom Roles and Policies

  • Advanced

If you choose the first option, you need a weblogic.xml DD to define the role to principal/group mapping.
If you choose Custom Roles, you can configure the role mappings from a role mapping provider that you configure for the security realm. You can use the Administration Console to configure the provider. Any role mappings in the deployment descriptors are ignored. The model uses the policies that are defined in the web.xml and ejb-jar.xml deployment descriptors.
If you choose Custom Roles and Policies, you configure a role mapping provider and an authorization provider for your security realm. You can use the Administration Console to configure the providers. Any role mappings or policies in the deployment descriptors are ignored.
If you want to import the basic information from the DD and configure roles and policies on this basis, you need to choose Advanced.
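For the first option, here is the weblogic.xml that Dukes Bank is missing. This is an added example, not a file from the original post or from the Dukes Bank sample; it assumes the web.xml shown above and the WebLogic 10.3 descriptor namespace (older 10.x releases use a different one). It maps the web.xml role "webuser" to a realm principal of the same name and, in a comment, shows the `externally-defined` variant that hands the mapping to the realm instead.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not part of the original post): minimal weblogic.xml for
     the "Deployment Descriptor Only" model. Namespace assumed for WLS 10.3. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <!-- Role "webuser" (declared in web.xml) is granted to the realm user or
       group named "webuser". Under DD Only this file is the source of truth
       for the mapping; stating it explicitly keeps the role from silently
       depending on a same-name principal existing in the realm. -->
  <security-role-assignment>
    <role-name>webuser</role-name>
    <principal-name>webuser</principal-name>
  </security-role-assignment>

  <!-- Alternative for the same role: delegate the mapping to the realm's
       role mapping provider instead of naming principals here. This is
       what the Custom Roles models do for every role; with DD Only you can
       opt in per role like this:

       <security-role-assignment>
         <role-name>webuser</role-name>
         <externally-defined/>
       </security-role-assignment>
  -->

</weblogic-web-app>
```

Whichever form you use, the user or group "webuser" still has to exist in the realm (see the last step below); the descriptor only decides where the role-to-principal mapping is read from.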

First step is to configure your realm:

Don't forget to
a) disable Combined Role Mapping and
b) change "Check Roles and Policies" to "All Web applications and EJBs". When you are finished, you definitely need a server restart, even if WLS looks happy and working.
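To check after the restart that the realm really carries these settings, here is how they appear in the domain's config.xml. This is an added example, not from the original post; the element names are assumed from the RealmMBean attributes (SecurityDDModel, CombinedRoleMappingEnabled, FullyDelegateAuthorization) and from a 10.3 domain, and the realm/domain names are placeholders. Change the values through the console or WLST as the post describes; the fragment is for verification, not for hand editing.

```xml
<!-- Added example (not part of the original post): fragment of config.xml
     showing the realm settings from the console steps above. Element names
     and the sec: namespace are assumed from the RealmMBean / a 10.3 domain. -->
<security-configuration xmlns:sec="http://xmlns.oracle.com/weblogic/security">
  <name>base_domain</name>                     <!-- placeholder domain name -->
  <realm>
    <!-- Security Model Default: "Advanced" imports roles and policies from
         the deployment descriptors and lets you edit them in the realm. -->
    <sec:security-dd-model>Advanced</sec:security-dd-model>

    <!-- a) Combined Role Mapping disabled -->
    <sec:combined-role-mapping-enabled>false</sec:combined-role-mapping-enabled>

    <!-- b) "Check Roles and Policies" = All Web applications and EJBs.
         With false, only resources protected in the DD are checked. -->
    <sec:fully-delegate-authorization>true</sec:fully-delegate-authorization>

    <sec:name>myrealm</sec:name>                <!-- placeholder realm name -->
  </realm>
  <default-realm>myrealm</default-realm>
</security-configuration>
```

If the `security-dd-model` or `fully-delegate-authorization` values are not what you set, the edit was not activated before the restart and the deployment will still be protected under the old model.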

After this, you have to install your deployment.
Careful: you can override the realm settings at deployment time, so don't change anything here.
Once the deployment is installed, you can browse with the admin console to your deployment and have a look at the security settings. In this case, you can see that security2.war has the resource role "webuser" assigned to the URL pattern "/".

The only thing left to do is to create the needed user or group. The role condition imported from the DD states that a "webuser" could be a "Group : webuser" or a "User : webuser". Therefore you have to go back to your realm and add whatever fits your plans:
a) a user with the name "webuser" or
b) a group with the name "webuser", and don't forget to assign some users to the group

And after this, you are done with the show and see the welcome screen:

If you like, you can download the sample ear file for your configuration tests.
