Securing Web Applications 3-27
Example 3–14 run-as-role-assignment Element Example

web.xml:

    <servlet>
      <servlet-name>SnoopServlet</servlet-name>
      <servlet-class>extra.SnoopServlet</servlet-class>
      <run-as>
        <role-name>runasrole</role-name>
      </run-as>
    </servlet>
    <security-role>
      <role-name>runasrole</role-name>
    </security-role>

weblogic.xml:

    <weblogic-web-app>
      <run-as-role-assignment>
        <role-name>runasrole</role-name>
        <run-as-principal-name>joe</run-as-principal-name>
      </run-as-role-assignment>
    </weblogic-web-app>
3.5.2.4 security-permission

The security-permission element specifies a security permission that is associated with a Java EE Sandbox.

3.5.2.4.1 Example

For an example of how to use the security-permission element, see Example 3–15.
3.5.2.5 security-permission-spec

The security-permission-spec element specifies a single security permission based on the Security policy file syntax. Refer to the following URL for Sun's implementation of the security permission specification:

http://java.sun.com/javase/6/docs/technotes/guides/security/PolicyFiles.html#FileSyntax

3.5.2.5.1 Used Within

The security-permission-spec element is used within the security-permission element.
3.5.2.5.2 Example

Example 3–15 shows how to use the security-permission-spec element to grant permission to the java.net.SocketPermission class.
Example 3–15 security-permission-spec Element Example

    <weblogic-web-app>
      <security-permission>
        <description>Optional explanation goes here</description>
        <security-permission-spec>
          <!--
          A single grant statement following the syntax of
          http://java.sun.com/j2se/1.5.0/docs/guide/security/PolicyFiles.html#FileSyntax,
          without the codebase and signedBy clauses, goes here. For example:
          -->
          grant {
            permission java.net.SocketPermission "*", "resolve";
          };
        </security-permission-spec>
      </security-permission>
    </weblogic-web-app>

Note: Disregard the optional codebase and signedBy clauses.

3-28 Programming Security for Oracle WebLogic Server
In Example 3–15, permission java.net.SocketPermission is the permission class name, "*" represents the target name, and resolve indicates the action (resolve host/IP name service lookups).
3.5.2.6 security-role-assignment
The security-role-assignment element declares a mapping between a security role and one or more principals in the WebLogic Server security realm.
3.5.2.6.1 Example

Example 3–16 shows how to use the security-role-assignment element to assign principals to the PayrollAdmin role.
Example 3–16 security-role-assignment Element Example

    <weblogic-web-app>
      <security-role-assignment>
        <role-name>PayrollAdmin</role-name>
        <principal-name>Tanya</principal-name>
        <principal-name>Fred</principal-name>
        <principal-name>system</principal-name>
      </security-role-assignment>
    </weblogic-web-app>
3.6 Using Programmatic Security With Web Applications

You can write your servlets to access users and security roles programmatically in your servlet code. To do this, use the javax.servlet.http.HttpServletRequest.getUserPrincipal() and javax.servlet.http.HttpServletRequest.isUserInRole(String role) methods.
3.6.1 getUserPrincipal

You use the getUserPrincipal() method to determine the current user of the Web application. This method returns a WLSUser Principal if one exists in the current user. In the case of multiple WLSUser Principals, the method returns the first in the ordering defined by the Subject.getPrincipals().iterator() method. If there are no WLSUser Principals, then the getUserPrincipal method returns
Note: For information on using the security-role-assignment element in a weblogic-application.xml deployment descriptor for an enterprise application, see Enterprise Application Deployment Descriptor Elements in Developing Applications for Oracle WebLogic Server.

Note: If you need to list a significant number of principals, consider specifying groups instead of users. There are performance issues if you specify too many users.
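As an added example (not from the WebLogic documentation), a servlet that applies the Section 3.6 methods to the PayrollAdmin role that Example 3–16 maps to Tanya, Fred and system; the servlet class name is an assumption, and the null check covers the case where no WLSUser Principal is present.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not part of the WebLogic documentation) showing
 * programmatic security with getUserPrincipal() and isUserInRole().
 * "PayrollAdmin" is the role from Example 3-16; it must be declared as a
 * security-role in web.xml and mapped to principals in weblogic.xml.
 */
public class PayrollReportServlet extends HttpServlet {

    private static final String REQUIRED_ROLE = "PayrollAdmin";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // getUserPrincipal() yields null when the caller has not authenticated
        // (no WLSUser Principal); fail closed instead of dereferencing it.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Authentication required");
            return;
        }

        // isUserInRole() evaluates the declared role name, which the
        // security-role-assignment element maps to principals in the realm.
        if (!request.isUserInRole(REQUIRED_ROLE)) {
            // Record the denied principal for audit, then refuse the request.
            log("Access denied for " + user.getName()
                    + " (requires role " + REQUIRED_ROLE + ")");
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Payroll report for " + user.getName());
    }
}
```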