
3-28 Programming Security for Oracle WebLogic Server

        permission java.net.SocketPermission "*", "resolve";
      };
    </security-permission-spec>
  </security-permission>
</weblogic-web-app>

In Example 3–15, permission java.net.SocketPermission is the permission class name, "*" represents the target name, and resolve indicates the action (resolve host/IP name service lookups).

3.5.2.6 security-role-assignment

The security-role-assignment element declares a mapping between a security role and one or more principals in the WebLogic Server security realm.

3.5.2.6.1 Example

Example 3–16 shows how to use the security-role-assignment element to assign principals to the PayrollAdmin role.

Example 3–16 security-role-assignment Element Example

<weblogic-web-app>
  <security-role-assignment>
    <role-name>PayrollAdmin</role-name>
    <principal-name>Tanya</principal-name>
    <principal-name>Fred</principal-name>
    <principal-name>system</principal-name>
  </security-role-assignment>
</weblogic-web-app>

Note: For information on using the security-role-assignment element in a weblogic-application.xml deployment descriptor for an enterprise application, see "Enterprise Application Deployment Descriptor Elements" in Developing Applications for Oracle WebLogic Server.

Note: If you need to list a significant number of principals, consider specifying groups instead of users. There are performance issues if you specify too many users.

3.6 Using Programmatic Security With Web Applications

You can write your servlets to access users and security roles programmatically in your servlet code. To do this, use the javax.servlet.http.HttpServletRequest.getUserPrincipal() and javax.servlet.http.HttpServletRequest.isUserInRole(String role) methods in your servlet code.

3.6.1 getUserPrincipal

You use the getUserPrincipal method to determine the current user of the Web application. This method returns a WLSUser Principal if one exists for the current user. In the case of multiple WLSUser Principals, the method returns the first in the ordering defined by the Subject.getPrincipals().iterator() method. If there are no WLSUser Principals, then the getUserPrincipal method returns the first non-WLSGroup Principal. If there are no Principals, or all Principals are of type WLSGroup, this method returns null. This behavior is identical to the semantics of the weblogic.security.SubjectUtils.getUserPrincipal method. For more information about how to use the getUserPrincipal method, see http://java.sun.com/javaee/technologies/javaee5.jsp.

3.6.2 isUserInRole

The javax.servlet.http.HttpServletRequest.isUserInRole(String role) method returns a boolean indicating whether the authenticated user is granted the specified logical security role. If the user has not been authenticated, this method returns false.

The isUserInRole method maps security roles to the group names in the security realm. Example 3–17 shows the elements that are used with the servlet element to define the security role in the web.xml file.

Example 3–17 isUserInRole web.xml and weblogic.xml Elements

Begin web.xml entries:

...
<servlet>
  <security-role-ref>
    <role-name>user-rolename</role-name>
    <role-link>rolename-link</role-link>
  </security-role-ref>
</servlet>
<security-role>
  <role-name>rolename-link</role-name>
</security-role>
...

Begin weblogic.xml entries:

...
<security-role-assignment>
  <role-name>rolename-link</role-name>
  <principal-name>groupname</principal-name>
  <principal-name>username</principal-name>
</security-role-assignment>
...

The string role is mapped to the name supplied in the role-name element, which is nested inside the security-role-ref element of a servlet declaration in the web.xml deployment descriptor. The role-name element defines the name of the security role or principal (the user or group) that is used in the servlet code. The role-link element maps to a role-name defined in the security-role-assignment element in the weblogic.xml deployment descriptor.

For example, if the client has successfully logged in as user Bill with the security role of manager, the following method would return true:

request.isUserInRole("manager")

Example 3–18 provides an example.

Example 3–18 Example of Security Role Mapping

Servlet code:

out.println("Is the user a Manager? " + request.isUserInRole("manager"));

web.xml entries:

<servlet>
. . .
  <security-role-ref>
    <role-name>manager</role-name>
    <role-link>mgr</role-link>
  </security-role-ref>
. . .
</servlet>
<security-role>
  <role-name>mgr</role-name>
</security-role>

weblogic.xml entries:

<security-role-assignment>
  <role-name>mgr</role-name>
  <principal-name>bostonManagers</principal-name>
  <principal-name>Bill</principal-name>
  <principal-name>Ralph</principal-name>
</security-role-assignment>
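The following servlet is an added example, not code from the Oracle documentation. It shows how Sections 3.6.1 and 3.6.2 fit together in practice: getUserPrincipal() is checked for the null that an unauthenticated request (or a Subject holding only WLSGroup principals) produces, and isUserInRole() is then used as an in-code authorization gate. The package name, the servlet class name PayrollReportServlet, and the role name "manager" are assumptions; "manager" is expected to be linked to the WebLogic role "mgr" through a security-role-ref in web.xml and a security-role-assignment in weblogic.xml exactly as in Example 3–18.

```java
// Added example (not from the Oracle documentation). Assumes web.xml maps the
// servlet-local role "manager" to "mgr" via <security-role-ref>, and weblogic.xml
// assigns "mgr" to a group (for example bostonManagers) via <security-role-assignment>.
package example;   // hypothetical package name

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class PayrollReportServlet extends HttpServlet {

    // Role name as used in servlet code. It must match the <role-name> inside
    // the servlet's <security-role-ref>; otherwise isUserInRole() returns false
    // even for a user who does hold the realm role.
    private static final String MANAGER_ROLE = "manager";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getUserPrincipal() returns null when no WLSUser principal exists:
        // the request is unauthenticated, or every principal is a WLSGroup.
        Principal user = request.getUserPrincipal();
        if (user == null) {
            // Let the container's <login-config> challenge the client.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // isUserInRole() is false for unauthenticated users and for users whose
        // principals (user or group) are not listed under the linked role.
        if (!request.isUserInRole(MANAGER_ROLE)) {
            // Log the denial so authorization failures show up in the server log.
            log("Denied payroll report to user " + user.getName());
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Payroll report for manager " + user.getName());
    }
}
```

Because the role check is evaluated against the realm at request time, granting or revoking membership in the group named in weblogic.xml changes the outcome of isUserInRole() without touching the servlet code, which is why the note in Section 3.5.2.6 recommends listing groups rather than individual users.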

3.7 Using the Programmatic Authentication API