4-2 Understanding Security for Oracle WebLogic Server
authentication, a user is assigned an identity, or principal. Each user is given a unique identity within the security realm. Users may be placed into groups that are associated
with security roles, or be directly associated with security roles.
When users want to access WebLogic Server, they present proof material (for example, a password or a digital certificate), typically through a JAAS LoginModule, to the Authentication provider configured in the security realm. If WebLogic Server can verify the identity of the user based on that username and credential, WebLogic Server associates the principal assigned to the user with a thread that executes code on behalf of the user. Before the thread begins executing code, however, WebLogic Server checks the security policy of the WebLogic resource against the principal that the user has been assigned, to make sure that the user has the required permissions to continue.
When you use the WebLogic Authentication provider and you define a user, you also define a password for that user. WebLogic Server hashes all passwords. Subsequently,
when WebLogic Server receives a client request, the password presented by the client is hashed and WebLogic Server compares it to the already hashed password to see if it
matches.
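The following is an added illustration of the hash-then-compare check described above; it is not WebLogic Server code. The in-memory store, the use of PBKDF2-HMAC-SHA256 with a per-user salt, the iteration count and the names UserStore, define_user, authenticate and sample_store are all assumptions for the example, not a description of how WebLogic Server actually stores credentials. The two points it adds to the prose are that the stored value must be salted so that two users with the same password do not share a hash, and that the comparison must be constant-time and take the same time for an unknown user name as for a wrong password.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Added illustration of the hash-then-compare check. It is not WebLogic code:
# the in-memory store, PBKDF2-HMAC-SHA256 and the iteration count are
# assumptions for the example, not WebLogic Server's own storage format.
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest from the password and a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class UserStore:
    """Keeps (salt, digest) per user; the cleartext password is never stored."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}
        self._dummy_salt = os.urandom(SALT_LEN)   # used to equalise timing below

    def define_user(self, username: str, password: str) -> None:
        if username in self._users:               # names are unique within a realm
            raise ValueError(f"user {username!r} already exists in this realm")
        salt = os.urandom(SALT_LEN)
        self._users[username] = (salt, hash_password(password, salt))

    def authenticate(self, username: str, password: str) -> Optional[str]:
        """Return the principal name on success, None on failure."""
        entry = self._users.get(username)
        if entry is None:
            # Hash anyway so an unknown name costs as much as a bad password;
            # otherwise response time reveals which user names exist.
            hash_password(password, self._dummy_salt)
            return None
        salt, stored = entry
        presented = hash_password(password, salt)
        # Constant-time comparison; a plain == stops at the first differing
        # byte and leaks information through timing.
        return username if hmac.compare_digest(stored, presented) else None


def sample_store() -> UserStore:
    """Constructed realm with two users; the passwords are example values."""
    store = UserStore()
    store.define_user("alice", "correct horse battery staple")
    store.define_user("bob", "hunter2")
    return store


if __name__ == "__main__":
    s = sample_store()
    print(s.authenticate("alice", "correct horse battery staple"))  # alice
    print(s.authenticate("alice", "wrong"))                         # None
```

Whatever the real storage format, the property to check in a deployment is the same one the example enforces: the stored value is a salted, slow hash, and a failed login for a nonexistent user is indistinguishable, in response and in timing, from a failed login for a real one.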
4.3 Groups
Groups are logically ordered sets of users (see Figure 4–1). Usually, group members have something in common. For example, a company may separate its sales staff into two groups, Sales Representatives and Sales Managers. Companies may do this because they want their sales personnel to have different levels of access to WebLogic resources, depending on their job functions.
Managing groups is more efficient than managing large numbers of users individually. For example, an administrator can specify permissions for 50 users at one time by
placing the users in a group, assigning the group to a security role, and then associating the security role with a WebLogic resource via a security policy.
All user names and groups must be unique within a security realm.
4.4 Security Roles
A security role is a privilege granted to users or groups based on specific conditions (see Figure 4–1). Like groups, security roles allow you to restrict access to WebLogic resources for several users at once. However, unlike groups, security roles:
■ Are computed and granted to users or groups dynamically, based on conditions such as user name, group membership, or the time of day.
■ Can be scoped to specific WebLogic resources within a single application in a WebLogic Server domain (unlike groups, which are always scoped to an entire WebLogic Server domain).
Granting a security role to a user or a group confers the defined access privileges to that user or group, as long as the user or group is in the security role. Multiple users
or groups can be granted a single security role.
Note: All user names and groups must be unique within a security realm.
4.5 Security Policies
A security policy is an association between a WebLogic resource and one or more users, groups, or security roles. Security policies protect the WebLogic resource against unauthorized access. A WebLogic resource has no protection until you create a security policy for it. A policy condition is a condition under which the security policy grants access to the resource; a request that does not satisfy the policy's conditions is refused. WebLogic Server provides a set of default policy conditions, including conditions that access the HTTP Servlet Request and Session attributes and EJB method parameters. Date and Time policy conditions are included in the Policy Editor.
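To show how Sections 4.3, 4.4 and 4.5 fit together, here is an added toy model of a realm with groups, dynamically computed security roles and resource policies. It is not WebLogic Server code and uses no WebLogic API: the user, group, role and resource names (alice, SalesReps, SalesManagers, /sales/quotes, /sales/approvals), the "user:", "group:" and "role:" notation for policy members, and the deny_unprotected switch are all constructed for the example. Roles are recomputed on every request from the user name, group membership and time of day, a role can be scoped to a resource prefix while groups are realm-wide, and a resource with no policy is open, as the text states; the deny_unprotected flag shows the safer default-deny alternative.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable, Dict, FrozenSet, List, Optional, Set

# Added toy model of groups, security roles and security policies. Not WebLogic
# code; every user, group, role and resource name is constructed for the example.

@dataclass(frozen=True)
class RequestContext:
    user: str
    groups: FrozenSet[str]
    now: time                    # time of day of the request

Condition = Callable[[RequestContext], bool]

def group_is(name: str) -> Condition:
    return lambda ctx: name in ctx.groups

def between(start: time, end: time) -> Condition:
    return lambda ctx: start <= ctx.now <= end

def any_of(*conds: Condition) -> Condition:
    return lambda ctx: any(c(ctx) for c in conds)

def all_of(*conds: Condition) -> Condition:
    return lambda ctx: all(c(ctx) for c in conds)

def clock(hhmm: str) -> time:
    hour, minute = hhmm.split(":")
    return time(int(hour), int(minute))

@dataclass(frozen=True)
class Role:
    name: str
    condition: Condition
    scope: Optional[str] = None  # None: whole domain; else a resource prefix

class SecurityRealm:
    def __init__(self, deny_unprotected: bool = False) -> None:
        self.users: Set[str] = set()
        self.groups: Dict[str, Set[str]] = {}     # group name -> members
        self.roles: List[Role] = []
        self.policies: Dict[str, Set[str]] = {}   # resource -> granted principals
        self.deny_unprotected = deny_unprotected  # False matches the text: no policy, no protection

    def _check_unique(self, name: str) -> None:
        if name in self.users or name in self.groups:   # one namespace per realm
            raise ValueError(f"{name!r} already exists in this realm")

    def define_user(self, name: str) -> None:
        self._check_unique(name)
        self.users.add(name)

    def define_group(self, name: str, *members: str) -> None:
        self._check_unique(name)
        if set(members) - self.users:
            raise ValueError(f"unknown members {sorted(set(members) - self.users)}")
        self.groups[name] = set(members)

    def define_role(self, name: str, cond: Condition, scope: Optional[str] = None) -> None:
        self.roles.append(Role(name, cond, scope))

    def set_policy(self, resource: str, *principals: str) -> None:
        self.policies[resource] = set(principals)   # "user:N", "group:N" or "role:N"

    def groups_of(self, user: str) -> FrozenSet[str]:
        return frozenset(g for g, m in self.groups.items() if user in m)

    def computed_roles(self, ctx: RequestContext, resource: str) -> Set[str]:
        # Roles are computed per request: the scope must cover the resource and
        # the condition must hold for this user, their groups and the time.
        return {r.name for r in self.roles
                if (r.scope is None or resource.startswith(r.scope)) and r.condition(ctx)}

    def is_access_allowed(self, user: str, resource: str, now: time) -> bool:
        policy = self.policies.get(resource)
        if policy is None:
            return not self.deny_unprotected
        ctx = RequestContext(user, self.groups_of(user), now)
        held = ({f"user:{user}"} | {f"group:{g}" for g in ctx.groups}
                | {f"role:{r}" for r in self.computed_roles(ctx, resource)})
        return bool(held & policy)

def sample_realm(deny_unprotected: bool = False) -> SecurityRealm:
    """Constructed sales realm: reps, managers, and an office-hours approver role."""
    realm = SecurityRealm(deny_unprotected)
    for u in ("alice", "bob", "carol"):
        realm.define_user(u)
    realm.define_group("SalesReps", "alice", "bob")
    realm.define_group("SalesManagers", "carol")
    realm.define_role("SalesStaff", any_of(group_is("SalesReps"), group_is("SalesManagers")))
    realm.define_role("Approver",
                      all_of(group_is("SalesManagers"), between(clock("08:00"), clock("18:00"))),
                      scope="/sales/approvals")
    realm.set_policy("/sales/quotes", "role:SalesStaff")
    realm.set_policy("/sales/approvals", "role:Approver")
    return realm   # "/sales/reports" is left without a policy on purpose

if __name__ == "__main__":
    r = sample_realm()
    print(r.is_access_allowed("carol", "/sales/approvals", clock("10:00")))  # True
    print(r.is_access_allowed("carol", "/sales/approvals", clock("22:00")))  # False
    print(r.is_access_allowed("bob", "/sales/reports", clock("10:00")))      # True: no policy
```

The last line of the demo is the one to dwell on: a resource that nobody has written a policy for is reachable by anyone who can authenticate. When auditing a realm, enumerate the resources that have no policy before reviewing the policies that exist.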
4.6 Security Providers