3-20 Programming Security for Oracle WebLogic Server
Which of these three methods is used is defined by the JACC flags and the security model. Security models are described in "Options for Securing EJB and Web Application Resources" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
To implement declarative security in Web applications, you use the deployment descriptors web.xml and weblogic.xml to define security requirements. The deployment descriptors map the application's logical security requirements to its runtime definitions, and at runtime the servlet container uses those definitions to enforce the requirements. For a discussion of using deployment descriptors, see Section 3.3, "Developing Secure Web Applications".
For information about how to use deployment descriptors and the externally-defined element to configure security in Web applications declaratively, see Section 3.5.2.1, "externally-defined". For information about how to use the Administration Console to configure security in Web applications, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
3.5 Web Application Security-Related Deployment Descriptors
The following topics describe the deployment descriptor elements that are used in the web.xml and weblogic.xml files to define security requirements in Web applications:
■ Section 3.5.1, "web.xml Deployment Descriptors"
■ Section 3.5.2, "weblogic.xml Deployment Descriptors"
3.5.1 web.xml Deployment Descriptors
The following web.xml security-related deployment descriptor elements are supported by WebLogic Server:
■ Section 3.5.1.1, "auth-constraint"
■ Section 3.5.1.2, "security-constraint"
■ Section 3.5.1.3, "security-role"
■ Section 3.5.1.4, "security-role-ref"
■ Section 3.5.1.5, "user-data-constraint"
■ Section 3.5.1.6, "web-resource-collection"
3.5.1.1 auth-constraint
The optional auth-constraint element defines which groups or principals have access to the collection of Web resources defined in this security constraint. If a security-constraint contains no auth-constraint at all, the collection is accessible to any caller; an auth-constraint that contains no role-name denies access to everyone.
The following table describes the elements you can define within an auth-constraint element.
Table 3–2 auth-constraint Element
Element | Required/Optional | Description
description | Optional | A text description of this security constraint.
role-name | Optional | Defines which security roles can access the resources defined in this security-constraint. Each role named here must be declared in a security-role element, or be the reserved name *, which stands for all roles declared in the Web application. Role names are mapped to principals in weblogic.xml (see Section 3.5.2, "weblogic.xml Deployment Descriptors") or through the Administration Console; the security-role-ref element maps the role names used in servlet code to these roles. See Section 3.5.1.4, "security-role-ref".
3.5.1.1.1 Used Within
The auth-constraint element is used within the security-constraint element.
3.5.1.1.2 Example
See Example 3–11 for an example of how to use the auth-constraint element in a web.xml file.
3.5.1.2 security-constraint
The security-constraint element is used in the web.xml file to define the access privileges to a collection of resources defined by the web-resource-collection element.
The following table describes the elements you can define within a security-constraint element.
Table 3–3 security-constraint Element
Element | Required/Optional | Description
web-resource-collection | Required | Defines the components of the Web Application to which this security constraint is applied. For more information, see Section 3.5.1.6, "web-resource-collection".
auth-constraint | Optional | Defines which groups or principals have access to the collection of Web resources defined in this security constraint. For more information, see Section 3.5.1.1, "auth-constraint".
user-data-constraint | Optional | Defines how data communicated between the client and the server should be protected. For more information, see Section 3.5.1.5, "user-data-constraint".
3.5.1.2.1 Example
Example 3–11 shows how to use the security-constraint element to define security for the SecureOrdersEast resource in a web.xml file. Note that because the web-resource-collection lists the POST and GET methods explicitly, the constraint applies only to those two methods; a request for /orderseast/* that uses any other HTTP method is not covered by it. The transport-guarantee value of NONE means that SSL is not required for these resources.
Example 3–11 Security Constraint Example
web.xml entries:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecureOrdersEast</web-resource-name>
    <description>
      Security constraint for
      resources in the orderseast directory
    </description>
    <url-pattern>/orderseast/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>
      constraint for east coast sales
    </description>
    <role-name>east</role-name>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
...
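The audit below is an added example, not part of Oracle's documentation or of WebLogic itself. It applies the descriptor semantics described for auth-constraint and security-constraint above to a constructed web.xml modelled on Example 3–11 and reports what a reviewer would flag in it: HTTP methods left uncovered by the explicit http-method list, a role named in auth-constraint but never declared with security-role, and a transport-guarantee of NONE. It then checks a hardened copy of the same constraint and confirms it produces no findings. Both descriptors are constructed samples, and audit_web_xml and its helpers are names chosen for this example.

```python
"""Audit the security-constraint elements of a web.xml for pitfalls in the
descriptor semantics. Added example; not Oracle's or WebLogic's code."""
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Example 3-11: only GET and POST are listed,
# transport-guarantee is NONE, and "manager" is never declared as a security-role.
WEAK_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureOrdersEast</web-resource-name>
      <url-pattern>/orderseast/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>east</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>east</role-name></security-role>
</web-app>"""

# Constructed hardened form: no http-method list (so every method is covered),
# SSL required, both roles declared. Carries the javaee default namespace as a
# real web.xml would, to show the checker is namespace-agnostic.
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecureOrdersEast</web-resource-name>
      <url-pattern>/orderseast/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>east</role-name>
      <role-name>manager</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>east</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""


def _local(tag):
    """Strip any {namespace} prefix so matching works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local name is name."""
    return [c for c in elem if _local(c.tag) == name]


def _texts(elem, name):
    """Stripped text of each direct child named name."""
    return [c.text.strip() for c in _children(elem, name) if c.text]


def audit_web_xml(xml_text):
    """Return (web-resource-name, finding) pairs; an empty list means no findings."""
    root = ET.fromstring(xml_text)
    declared = set()
    for role in _children(root, "security-role"):
        declared.update(_texts(role, "role-name"))

    findings = []
    for sc in _children(root, "security-constraint"):
        names = []
        for wrc in _children(sc, "web-resource-collection"):
            name = (_texts(wrc, "web-resource-name") or ["<unnamed>"])[0]
            names.append(name)
            methods = _texts(wrc, "http-method")
            # Listing http-method elements narrows the constraint to those
            # methods; every other method on the same url-pattern is uncovered.
            if methods:
                findings.append((name, ("only %s constrained; every other HTTP "
                                        "method bypasses this constraint") % ",".join(methods)))
        label = ", ".join(names) or "<no collection>"

        auth = _children(sc, "auth-constraint")
        if not auth:
            # No auth-constraint at all means the collection is open to any caller.
            findings.append((label, "no auth-constraint: any caller, "
                                    "authenticated or not, is permitted"))
        else:
            # An auth-constraint with no role-name denies everyone, which is legal;
            # a role that is named but never declared is a descriptor error.
            for role in _texts(auth[0], "role-name"):
                if role != "*" and role not in declared:
                    findings.append((label, "role %r used but not declared "
                                            "in a security-role element" % role))

        udc = _children(sc, "user-data-constraint")
        guarantee = (_texts(udc[0], "transport-guarantee") if udc else []) or ["NONE"]
        if guarantee[0] == "NONE":
            findings.append((label, "transport-guarantee NONE: credentials "
                                    "and data travel in the clear"))
    return findings


if __name__ == "__main__":
    for sample, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(sample, audit_web_xml(text) or "no findings")
```

Running the script prints three findings for the weak descriptor and "no findings" for the hardened one. The hardened form drops the http-method list rather than enumerating more methods, because any method not listed would again be uncovered; CONFIDENTIAL is what a practitioner normally wants wherever an auth-constraint is present, since otherwise the credentials that satisfy it are sent in the clear.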
3.5.1.3 security-role