3-24 Programming Security for Oracle WebLogic Server
3.5.1.6.1 Used Within
The web-resource-collection element is used within the security-constraint element.
3.5.1.6.2 Example
See Example 3–11 for an example of how to use the web-resource-collection element in a web.xml file.
3.5.2 weblogic.xml Deployment Descriptors
The following weblogic.xml security-related deployment descriptor elements are supported by WebLogic Server:
■ Section 3.5.2.1, externally-defined
■ Section 3.5.2.2, run-as-principal-name
■ Section 3.5.2.3, run-as-role-assignment
■ Section 3.5.2.4, security-permission
■ Section 3.5.2.5, security-permission-spec
■ Section 3.5.2.6, security-role-assignment
For additional information on weblogic.xml deployment descriptors, see the section XML Deployment Descriptors in Developing Applications for Oracle WebLogic Server. For additional information on the weblogic.xml elements, see weblogic.xml Deployment Descriptor Elements in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.
3.5.2.1 externally-defined
The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the web.xml deployment
descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a specific security role mapping for
each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be
used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.
Table 3–7 (Cont.) web-resource-collection Element
Element: url-pattern
Required/Optional: Required
Description: The mapping, or location, of the Web resource collection. URL patterns must use the syntax defined in section 11.2 of JSR-000154, Java Servlet Specification Version 2.4 (http://www.jcp.org/aboutJava/communityprocess/final/jsr154/). The pattern <url-pattern>/</url-pattern> applies the security constraint to the entire Web application.
Element: http-method
Required/Optional: Optional
Description: The HTTP methods to which the security constraint applies when clients attempt to access the Web resource collection. If no HTTP methods are specified, then the security constraint applies to all HTTP methods.
The role mapping behavior for a server depends on which security deployment model is selected on the Administration Console. For information on security deployment
models, see Options for Securing EJB and Web Application Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
3.5.2.1.1 Used Within
The externally-defined element is used within the security-role-assignment element.
3.5.2.1.2 Example
Example 3–12 and Example 3–13 show by comparison how to use the externally-defined element in the weblogic.xml file. In Example 3–13, the specification of the externally-defined element for webuser in the weblogic.xml means that for security to be correctly configured on the getReceipts method, the principals for webuser will have to be created in the Administration Console.
Example 3–12 Using the web.xml and weblogic.xml Files to Map Security Roles and Principals to a Security Realm
web.xml entries:
<web-app>
...
<security-role>
<role-name>webuser</role-name>
</security-role>
...
</web-app>
weblogic.xml entries:
<weblogic-web-app>
<security-role-assignment>
<role-name>webuser</role-name>
<principal-name>myGroup</principal-name>
<principal-name>Bill</principal-name>
<principal-name>Mary</principal-name>
</security-role-assignment>
</weblogic-web-app>
Note: When specifying security role names, observe the following conventions and restrictions:
■ The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation available on the Web at: http://www.w3.org/TR/REC-xml#NT-Nmtoken.
■ Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }.
■ Security role names are case sensitive.
■ The suggested convention for security role names is that they be singular.
Note: If you need to list a significant number of principals, consider specifying groups instead of users. There are performance issues if you specify too many users.
Example 3–13 Using the externally-defined tag in Web Application Deployment Descriptors
web.xml entries:
<web-app>
...
<security-role>
<role-name>webuser</role-name>
</security-role>
...
</web-app>
weblogic.xml entries:
<weblogic-web-app>
<security-role-assignment>
<role-name>webuser</role-name>
<externally-defined/>
</security-role-assignment>
</weblogic-web-app>
For information about how to use the Administration Console to configure security for Web applications, see Securing Resources Using Roles and Policies for Oracle WebLogic
Server.
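The following added example (not Oracle's code) audits a web.xml/weblogic.xml pair in the way a reviewer of a deployment would: for every security-role declared in web.xml it reports whether weblogic.xml maps it to explicit principals, defers it to the Administration Console via externally-defined (so the mapping must exist there before the constraint is effective), or leaves it without any security-role-assignment, and it flags role names that violate the character restrictions listed above. The sample descriptors embedded at the bottom are constructed for the example; the role "help-desk" and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Characters forbidden in security role names by the note above
# (the listed characters plus blank space, comma and hyphen).
FORBIDDEN = set("\t<>#|&~?(){} ,-")

def _local(tag):
    # Strip an XML namespace prefix: '{uri}role-name' -> 'role-name'
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    # Direct children of elem whose local tag name is `name`
    return [c for c in elem if _local(c.tag) == name]

def _descendants(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]

def role_name_problems(name):
    """Return the sorted list of forbidden characters found in a role name."""
    return sorted(c for c in set(name) if c in FORBIDDEN)

def audit_role_mappings(web_xml, weblogic_xml):
    """Map each web.xml <security-role> to how weblogic.xml resolves it:
    'explicit' (principal-name list), 'externally-defined' (mapping lives in
    the Administration Console) or 'unmapped' (no security-role-assignment)."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    assignments = {}
    for sra in _descendants(wl, "security-role-assignment"):
        role = _children(sra, "role-name")[0].text.strip()
        assignments[role] = {
            "externally_defined": bool(_children(sra, "externally-defined")),
            "principals": [p.text.strip() for p in _children(sra, "principal-name")],
        }
    report = {}
    for sr in _descendants(web, "security-role"):
        role = _children(sr, "role-name")[0].text.strip()
        entry = {"bad_chars": role_name_problems(role)}
        a = assignments.get(role)
        if a is None:
            entry["status"] = "unmapped"
        elif a["externally_defined"]:
            entry["status"] = "externally-defined"
        else:
            entry["status"], entry["principals"] = "explicit", a["principals"]
        report[role] = entry
    return report

# Constructed sample descriptors (not from a real deployment).
WEB_XML = """<web-app>
  <security-role><role-name>webuser</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
  <security-role><role-name>help-desk</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment><role-name>webuser</role-name>
    <principal-name>myGroup</principal-name><principal-name>Bill</principal-name>
  </security-role-assignment>
  <security-role-assignment><role-name>auditor</role-name><externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""

if __name__ == "__main__":
    for role, info in audit_role_mappings(WEB_XML, WEBLOGIC_XML).items():
        print(role, info)
```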
3.5.2.2 run-as-principal-name