1 Introduction and Roadmap
The following sections describe the contents and organization of this guide—Programming WebLogic Security:
■ Section 1.1, Document Scope
■ Section 1.2, Audience for This Guide
■ Section 1.3, Guide to this Document
■ Section 1.4, Related Information
■ Section 1.5, Security Samples and Tutorials
■ Section 1.6, New and Changed Security Features in This Release
1.1 Document Scope
This document explains how to use the WebLogic Server security programming features.
See Section 1.4, Related Information, for a description of other WebLogic Server security documentation.
1.2 Audience for This Guide
This document is intended for the following audiences:
■ Application Developers: Java programmers who focus on developing client applications, adding security to
Web applications and Enterprise JavaBeans (EJBs). They work with other engineering, Quality Assurance (QA), and database teams to implement security
features. Application developers have in-depth, working knowledge of Java (including Java Platform, Enterprise Edition (Java EE) Version 5 components such
as servlets/JSPs and JSEE) and Java security.
Application developers use the WebLogic security and Java 2 security application programming interfaces (APIs) to secure their applications. Therefore, this
document provides instructions for using those APIs for securing Web applications, Java applications, and Enterprise JavaBeans (EJBs).
■ Security Developers: Developers who focus on defining the system architecture and infrastructure for
security products that integrate into WebLogic Server and on developing custom security providers for use with WebLogic Server. They work with application
architects to ensure that the security architecture is implemented according to
design and that no security holes are introduced. They also work with WebLogic Server administrators to ensure that security is properly configured. Security
developers have a solid understanding of security concepts, including authentication, authorization, auditing (AAA), in-depth knowledge of Java
(including Java Management eXtensions (JMX)), and working knowledge of WebLogic Server and security provider functionality.
Security developers use the Security Service Provider Interfaces (SSPIs) to develop custom security providers for use with WebLogic Server. This document does not
address this task; for information on how to use the SSPIs to develop custom security providers, see Developing Security Providers for Oracle WebLogic Server.
■ Server Administrators: Administrators who work closely with application architects to design a security
scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security
problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication
and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. WebLogic Server
administrators have in-depth knowledge of the Java security architecture, including Web application and EJB security, Public Key security, and SSL.
■ Application Administrators: Administrators who work with WebLogic Server administrators to implement and
maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined
security realms. Application administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML,
and deployment descriptors, and can identify security events in server and audit logs.
While administrators typically use the Administration Console to deploy, configure, and manage applications when they put the applications into
production, application developers may also use the Administration Console to test their applications before they are put into production. At a minimum, testing
requires that applications be deployed and configured. This document does not cover some aspects of administration as it relates to security; rather, it references
Securing Oracle WebLogic Server, Securing Resources Using Roles and Policies for Oracle WebLogic Server, and Oracle WebLogic Server Administration Console Help for
descriptions of how to use the Administration Console to perform security tasks.
1.3 Guide to this Document