The Java Secure Socket Extension (JSSE), Java Authentication and Authorization Services (JAAS), The Java Security Manager

Understanding Security for Oracle WebLogic Server

3.9.1 Java EE 6.0 Security Packages

WebLogic Server is compliant with and supports the following Java EE 6.0 security packages:

■ Section 3.9.1.1, "The Java Secure Socket Extension (JSSE)"
■ Section 3.9.1.2, "Java Authentication and Authorization Services (JAAS)"
■ Section 3.9.1.3, "The Java Security Manager"
■ Section 3.9.1.4, "Java Cryptography Architecture and Java Cryptography Extensions (JCE)"
■ Section 3.9.1.5, "Java Authorization Contract for Containers (JACC)"

3.9.1.1 The Java Secure Socket Extension (JSSE)

JSSE is a set of packages that support and implement the SSL and TLS v1 protocols, making those protocols and capabilities programmatically available. WebLogic Server provides Secure Sockets Layer (SSL) support for encrypting data transmitted across WebLogic Server clients, as well as other servers.

3.9.1.2 Java Authentication and Authorization Services (JAAS)

JAAS is a set of packages that provide a framework for user-based authentication and access control. WebLogic Server uses only the authentication classes of JAAS. JAAS is used as follows:

■ For remote Java client authentication
■ For authentication internally in instances of WebLogic Server in the Web and EJB containers and in the WebLogic Authentication and Identity Assertion providers.

For more information on JAAS, see Section 3.2.2, "Java Authentication and Authorization Service (JAAS)".

3.9.1.3 The Java Security Manager

Developed by Sun Microsystems, Inc., the Java Security Manager is the security manager for the Java Virtual Machine (JVM). The security manager works with the Java API to define security boundaries through the java.lang.SecurityManager class. The SecurityManager class enables programmers to establish a custom security policy for their Java applications.

The Java Security Manager can be used with WebLogic Server to provide additional protection for WebLogic resources running in the JVM. Use of the Java Security Manager to protect WebLogic resources in WebLogic Server is an optional security step. You can use the Java Security Manager to perform the following security tasks to protect WebLogic resources:

■ Modify the weblogic.policy file for general use.
■ Set application-type security policies on EJBs and Resource Adapters. You use the Java security policy file to perform this task.
■ Set application-specific security policies on specific EJBs and Resource Adapters. You use the deployment descriptors weblogic.xml, weblogic-ejb-jar.xml, and rar.xml to perform this task.

Note: There are security configuration settings in a WebLogic Server domain that can impact the use of JAAS authorization if needed in your environment. See "Configuring a Domain to Use JAAS Authorization" in Securing Oracle WebLogic Server for more information about when you might need to do this.

For more information on how to use the Java Security Manager to perform these tasks, see "Using Java Security to Protect WebLogic Resources" in Programming Security for Oracle WebLogic Server.
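How the permission grants in a Java security policy draw a boundary can be checked in code before a policy is deployed. The following is an added example, not taken from the Oracle documentation: it builds the in-memory equivalent of one grant block and tests sample requests against it without installing a security manager. The class name, paths, and property names are constructed for illustration.

```java
import java.io.FilePermission;
import java.security.AllPermission;
import java.security.Permission;
import java.security.Permissions;
import java.util.Collections;
import java.util.PropertyPermission;

public class PolicyBoundaryCheck {

    // In-memory equivalent of one policy-file grant block.
    // All paths and property names are constructed samples.
    static Permissions sampleGrant() {
        Permissions granted = new Permissions();
        granted.add(new FilePermission("/opt/app/data/-", "read"));   // "-" = recursive
        granted.add(new PropertyPermission("app.*", "read"));
        return granted;
    }

    // AllPermission implies every other permission, so a grant that
    // contains it no longer draws any boundary around the code.
    static boolean isUnbounded(Permissions granted) {
        for (Permission p : Collections.list(granted.elements())) {
            if (p instanceof AllPermission) {
                return true;
            }
        }
        return false;
    }

    // A request is inside the boundary only if some granted permission implies it.
    static String decide(Permissions granted, Permission request) {
        return granted.implies(request) ? "ALLOW" : "DENY ";
    }

    public static void main(String[] args) {
        Permissions granted = sampleGrant();
        Permission[] requests = {
            new FilePermission("/opt/app/data/reports/q1.csv", "read"),    // inside the tree
            new FilePermission("/opt/app/data/reports/q1.csv", "write"),   // action not granted
            new FilePermission("/opt/app/data/../conf/keys.jks", "read"),  // leaves the tree via ".."
            new PropertyPermission("app.mode", "read"),                    // matches "app.*"
            new PropertyPermission("user.home", "read"),                   // outside "app.*"
        };
        for (Permission request : requests) {
            System.out.println(decide(granted, request) + " " + request);
        }
        System.out.println("unbounded grant: " + isUnbounded(granted));
    }
}
```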

3.9.1.4 Java Cryptography Architecture and Java Cryptography Extensions (JCE)