Understanding WebLogic Resource Security 2-3
5. At runtime, the WebLogic Security Service uses the security policy to determine whether access to the protected WebLogic resource should be granted. Only users who are members of the group that is granted the security role can access the WebLogic resource. In Figure 2–1, User 3 and User 6 can access the protected WebLogic resource because they are members of Group 2, and Group 2 is granted the necessary security role.
2.1.1 Using Policies to Protect Multiple Resources
WebLogic Server provides two techniques for using a single policy to protect a collection of resources:
■ Section 2.1.1.1, Protecting Policies by Type
■ Section 2.1.1.2, Protecting a Hierarchy of Resources
2.1.1.1 Protecting Policies by Type
You can create a policy that protects all resources of a specific type. Such policies are called root-level policies. For example, you can create a root-level policy for the Web
Service type. All Web Services that you deploy in the domain for which you have defined this root-level policy will be protected by the root-level policy.
If you define a policy for a specific Web Service, then the Web Service will be protected by its own policy and will ignore the root-level policy.
2.1.1.2 Protecting a Hierarchy of Resources
All of the resources within a Java EE application or module that you deploy exist within a hierarchy, and policies on resources higher in the hierarchy act as default
policies for resources lower in the same hierarchy. Policies lower in a hierarchy always override policies higher in the hierarchy.
For example, EnterpriseApp1 contains EJB ModuleA along with a Web application and a JDBC module (see Figure 2–2). You create a policy for EnterpriseApp1 and for method Y within EJB ModuleA. When an EJB client attempts to invoke method Y, the WebLogic Security Service enforces the specific policy and ignores the policy for the enterprise application.
When a client requests access to EJB method X, which is not protected by its own policy, the WebLogic Security Service asks:
1. Is there a policy for this EJB method? No, therefore go to the next higher level in the hierarchy.
2. Is there a policy for the EJB that contains this method? No, therefore go to the next higher level in the hierarchy.
3. Is there a policy for the EJB module that contains the method's parent EJB? No, therefore go to the next higher level in the hierarchy.
4. Is there a policy for the enterprise application that contains this EJB module? Yes, use it. If there were no such policy, the Security Service would have used the default root-level policy for EJBs.
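The lookup walk above, together with the root-level policies of Section 2.1.1.1 and the user-to-group-to-role chain of step 5, can be modelled in a few lines. The following is an added illustration written for this page, not WebLogic's own code: the resource names EnterpriseApp1, ModuleA, method X and method Y and the groups from Figure 2–1 come from the text, while the policy table, the role grants, the "type" key used for root-level policies and the names BeanA, OtherApp, OrderService and InventoryService are constructed for the example. The model walks from the most specific level upward, so a lower policy always overrides a higher one, and falls back to the root-level policy for the resource type only when no policy exists anywhere on the path.

```python
"""Model of WebLogic policy lookup (added example, not WebLogic code).

Names from the page: EnterpriseApp1, ModuleA, methodX, methodY, Group 2.
Everything else (policy table, roles, BeanA, OtherApp, OrderService,
InventoryService, the ("type", ...) key for root-level policies) is
constructed for this illustration.
"""

# Root-level policies are keyed by resource type; instance policies by the
# resource's path in the deployment hierarchy, most general element first.
# A policy is the set of security roles granted access.
POLICIES = {
    ("type", "ejb"): {"Everyone"},          # constructed root-level policy for EJBs
    ("type", "webservice"): {"Admin"},      # constructed root-level policy for Web Services
    ("EnterpriseApp1",): {"AppUsers"},      # policy on the enterprise application
    ("EnterpriseApp1", "ModuleA", "BeanA", "methodY"): {"Accountants"},  # policy on method Y
    ("OrderService",): {"Partners"},        # constructed policy on one specific Web Service
}

# Role -> groups granted that role, and user -> groups (constructed; Group2
# holds the roles, as Group 2 does in Figure 2-1).  "*" means every user.
ROLE_GRANTS = {
    "AppUsers": {"Group1", "Group2"},
    "Accountants": {"Group2"},
    "Partners": {"PartnerGroup"},
    "Admin": {"Administrators"},
    "Everyone": {"*"},
}
MEMBERSHIP = {
    "user1": {"Group1"},
    "user3": {"Group2"},
    "user6": {"Group2"},
    "alice": {"PartnerGroup"},
}


def resolve_policy(resource_type, path, policies=POLICIES):
    """Return (policy_key, roles) for the most specific policy that applies.

    Walks from the full path upward one level at a time; the first policy
    found wins, so a policy lower in the hierarchy overrides one above it.
    With no policy on the path, the root-level policy for the type applies.
    Returns (None, None) if not even a root-level policy exists.
    """
    for depth in range(len(path), 0, -1):
        key = tuple(path[:depth])
        if key in policies:
            return key, policies[key]
    root = ("type", resource_type)
    return (root, policies[root]) if root in policies else (None, None)


def user_roles(user, role_grants=ROLE_GRANTS, membership=MEMBERSHIP):
    """Roles the user holds through group membership (user -> group -> role)."""
    groups = membership.get(user, set())
    return {role for role, grantees in role_grants.items()
            if "*" in grantees or groups & grantees}


def is_granted(user, resource_type, path):
    """Access decision: the user must hold a role named in the applying policy.

    Assumption made by this model only: when no policy applies at any level,
    access is denied.
    """
    _, roles = resolve_policy(resource_type, path)
    if roles is None:
        return False
    return bool(user_roles(user) & roles)


if __name__ == "__main__":
    # Method Y has its own policy, so the enterprise-application policy is ignored.
    print(resolve_policy("ejb", ("EnterpriseApp1", "ModuleA", "BeanA", "methodY")))
    # Method X has none; the lookup climbs to the enterprise application.
    print(resolve_policy("ejb", ("EnterpriseApp1", "ModuleA", "BeanA", "methodX")))
    # An EJB in an application with no policy falls through to the root-level EJB policy.
    print(resolve_policy("ejb", ("OtherApp", "ModuleB", "BeanB", "methodZ")))
    # A Web Service with its own policy ignores the root-level Web Service policy.
    print(resolve_policy("webservice", ("OrderService",)))
```

Note that a group holding the enterprise-application role (AppUsers) still cannot reach method Y unless it also holds the role named in method Y's own policy: the more specific policy replaces the higher one rather than adding to it, which is the point of step 4 above.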
2-4 Securing Resources Using Roles and Policies for Oracle WebLogic Server
Figure 2–2 Hierarchy of Resources and Policies
You can see a visual representation of resource and policy hierarchies in the Administration Console on the security realm's Roles and Policies: Policies page. For information about accessing this page, see Create policies for resource instances in the Oracle WebLogic Server Administration Console Help.
2.2 Designing Roles and Policies for WebLogic Resources: Main Steps