3-28 Programming Security for Oracle WebLogic Server
        permission java.net.SocketPermission , resolve;
      };
    </security-permission-spec>
  </security-permission>
</weblogic-web-app>
In Example 3–15, permission java.net.SocketPermission is the permission class name, the quoted value that follows it is the target name, and resolve indicates the action (resolve host/IP name service lookups).
3.5.2.6 security-role-assignment
The security-role-assignment element declares a mapping between a security role and one or more principals in the WebLogic Server security realm.
3.5.2.6.1 Example
Example 3–16 shows how to use the security-role-assignment element to assign principals to the PayrollAdmin role.
Example 3–16 security-role-assignment Element Example
<weblogic-web-app>
  <security-role-assignment>
    <role-name>PayrollAdmin</role-name>
    <principal-name>Tanya</principal-name>
    <principal-name>Fred</principal-name>
    <principal-name>system</principal-name>
  </security-role-assignment>
</weblogic-web-app>
Note: For information on using the security-role-assignment element in a weblogic-application.xml deployment descriptor for an enterprise application, see Enterprise Application Deployment Descriptor Elements in Developing Applications for Oracle WebLogic Server.
Note: If you need to list a significant number of principals, consider specifying groups instead of users. There are performance issues if you specify too many users.
3.6 Using Programmatic Security With Web Applications
You can write your servlets to access users and security roles programmatically in your servlet code. To do this, use the javax.servlet.http.HttpServletRequest.getUserPrincipal() and javax.servlet.http.HttpServletRequest.isUserInRole(String role) methods in your servlet code.
3.6.1 getUserPrincipal
You use the getUserPrincipal method to determine the current user of the Web application. This method returns a WLSUser Principal if one exists in the current user. In the case of multiple WLSUser Principals, the method returns the first in the ordering defined by the Subject.getPrincipals().iterator() method. If there are no WLSUser Principals, then the getUserPrincipal method returns the first non-WLSGroup Principal. If there are no Principals or all Principals are of type WLSGroup, this method returns null. This behavior is identical to the semantics of the weblogic.security.SubjectUtils.getUserPrincipal method.
For more information about how to use the getUserPrincipal method, see http://java.sun.com/javaee/technologies/javaee5.jsp.
3.6.2 isUserInRole
The javax.servlet.http.HttpServletRequest.isUserInRole(String role) method returns a boolean indicating whether the authenticated user is granted the specified logical security role. If the user has not been authenticated, this method returns false.
The isUserInRole method maps security roles to the group names in the security realm. Example 3–17 shows the elements that are used with the servlet element to define the security role in the web.xml file.
Example 3–17 IsUserInRole web.xml and weblogic.xml Elements
Begin web.xml entries:
...
<servlet>
  <security-role-ref>
    <role-name>user-rolename</role-name>
    <role-link>rolename-link</role-link>
  </security-role-ref>
</servlet>
<security-role>
  <role-name>rolename-link</role-name>
</security-role>
...
Begin weblogic.xml entries:
...
<security-role-assignment>
  <role-name>rolename-link</role-name>
  <principal-name>groupname</principal-name>
  <principal-name>username</principal-name>
</security-role-assignment>
...
The string role is mapped to the name supplied in the role-name element, which is nested inside the security-role-ref element of a servlet declaration in the web.xml deployment descriptor. The role-name element defines the name of the security role or principal (the user or group) that is used in the servlet code. The role-link element maps to a role-name defined in the security-role-assignment element in the weblogic.xml deployment descriptor.
For example, if the client has successfully logged in as user Bill with the security role of manager, the following method would return true:
request.isUserInRole("manager")
Example 3–18 provides an example.
Example 3–18 Example of Security Role Mapping
Servlet code:
out.println("Is the user a Manager? " + request.isUserInRole("manager"));
web.xml entries:
<servlet>
. . .
  <security-role-ref>
    <role-name>manager</role-name>
    <role-link>mgr</role-link>
  </security-role-ref>
. . .
</servlet>
<security-role>
  <role-name>mgr</role-name>
</security-role>
weblogic.xml entries:
<security-role-assignment>
  <role-name>mgr</role-name>
  <principal-name>bostonManagers</principal-name>
  <principal-name>Bill</principal-name>
  <principal-name>Ralph</principal-name>
</security-role-assignment>
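The following servlet is an added illustration, not code from the Oracle documentation, that puts the two calls described in Sections 3.6.1 and 3.6.2 together in one request handler. It assumes the descriptors of Example 3–18: web.xml links the logical role "manager" used in code to the role "mgr" through a security-role-ref, and weblogic.xml assigns "mgr" to the bostonManagers group and to the users Bill and Ralph. The class name PayrollReportServlet and its web.xml servlet mapping are hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from the Oracle documentation) that denies access
 * programmatically unless the caller is an authenticated user who holds the
 * logical role "manager".  The role name is resolved by the container through
 * the security-role-ref (manager -> mgr) in web.xml and the
 * security-role-assignment for "mgr" in weblogic.xml, as in Example 3-18.
 */
public class PayrollReportServlet extends HttpServlet {

    // Logical role name as it appears in <security-role-ref><role-name> in web.xml.
    // isUserInRole() is matched against this string, not against "mgr".
    private static final String MANAGER_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Section 3.6.1: getUserPrincipal() returns null when there is no
        // authenticated user or when every Principal is a WLSGroup.  Check for
        // null before using it; a security-constraint in web.xml normally forces
        // authentication first, so this is a defense-in-depth check.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Authentication required");
            return;
        }

        // Section 3.6.2: isUserInRole() is false for an unauthenticated user and
        // for any authenticated user whose principals (user or group) are not
        // listed in the security-role-assignment that "manager" links to.
        if (!request.isUserInRole(MANAGER_ROLE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Role " + MANAGER_ROLE + " required");
            return;
        }

        // Both checks passed: Bill (direct principal) and any member of the
        // bostonManagers group reach this point.
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Payroll report requested by manager " + user.getName());
    }
}
```

Because the role string in code is matched against the role-name of the security-role-ref rather than the realm group name, renaming the group in the realm or in weblogic.xml requires no change to the servlet; only the role-link in web.xml or the security-role-assignment in weblogic.xml is edited.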
3.7 Using the Programmatic Authentication API