externally-defined weblogic.xml Deployment Descriptors

3-24 Programming Security for Oracle WebLogic Server

Table 3–7 (Cont.) web-resource-collection Element

Element       Required/Optional   Description
url-pattern   Required            The mapping, or location, of the Web resource collection. URL patterns must use the syntax defined in section 11.2 of JSR-000154, Java Servlet Specification Version 2.4 (http://www.jcp.org/aboutJava/communityprocess/final/jsr154/). The pattern <url-pattern>/</url-pattern> applies the security constraint to the entire Web application.
http-method   Optional            The HTTP methods to which the security constraint applies when clients attempt to access the Web resource collection. If no HTTP methods are specified, then the security constraint applies to all HTTP methods.

3.5.1.6.1 Used Within

The web-resource-collection element is used within the security-constraint element.

3.5.1.6.2 Example

See Example 3–11 for an example of how to use the web-resource-collection element in a web.xml file.

3.5.2 weblogic.xml Deployment Descriptors

The following weblogic.xml security-related deployment descriptor elements are supported by WebLogic Server:
■ Section 3.5.2.1, externally-defined
■ Section 3.5.2.2, run-as-principal-name
■ Section 3.5.2.3, run-as-role-assignment
■ Section 3.5.2.4, security-permission
■ Section 3.5.2.5, security-permission-spec
■ Section 3.5.2.6, security-role-assignment

For additional information on weblogic.xml deployment descriptors, see the section XML Deployment Descriptors in Developing Applications for Oracle WebLogic Server. For additional information on the weblogic.xml elements, see weblogic.xml Deployment Descriptor Elements in Developing Web Applications, Servlets, and JSPs for Oracle WebLogic Server.

3.5.2.1 externally-defined

The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the web.xml deployment descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a specific security role mapping for each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.

The role mapping behavior for a server depends on which security deployment model is selected in the Administration Console. For information on security deployment models, see Options for Securing EJB and Web Application Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

3.5.2.1.1 Used Within

The externally-defined element is used within the security-role-assignment element.

3.5.2.1.2 Example

Example 3–12 and Example 3–13 show by comparison how to use the externally-defined element in the weblogic.xml file. In Example 3–13, the specification of the webuser externally-defined element in the weblogic.xml means that for security to be correctly configured on the getReceipts method, the principals for webuser will have to be created in the Administration Console.

Example 3–12 Using the web.xml and weblogic.xml Files to Map Security Roles and Principals to a Security Realm

web.xml entries:

    <web-app>
    ...
      <security-role>
        <role-name>webuser</role-name>
      </security-role>
    ...
    </web-app>

weblogic.xml entries:

    <weblogic-web-app>
      <security-role-assignment>
        <role-name>webuser</role-name>
        <principal-name>myGroup</principal-name>
        <principal-name>Bill</principal-name>
        <principal-name>Mary</principal-name>
      </security-role-assignment>
    </weblogic-web-app>

Note: When specifying security role names, observe the following conventions and restrictions:
■ The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation available on the Web at: http://www.w3.org/TR/REC-xml#NT-Nmtoken.
■ Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }.
■ Security role names are case sensitive.
■ The suggested convention for security role names is that they be singular.

Note: If you need to list a significant number of principals, consider specifying groups instead of users. There are performance issues if you specify too many users.

Example 3–13 Using the externally-defined tag in Web Application Deployment Descriptors

web.xml entries:

    <web-app>
    ...
      <security-role>
        <role-name>webuser</role-name>
      </security-role>
    ...
    </web-app>

weblogic.xml entries:

    <weblogic-web-app>
      <security-role-assignment>
        <role-name>webuser</role-name>
        <externally-defined/>
      </security-role-assignment>
    </weblogic-web-app>

For information about how to use the Administration Console to configure security for Web applications, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
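As an added example (not part of the Oracle documentation or of WebLogic itself), the following Python script reviews a web.xml together with its weblogic.xml the way a descriptor reviewer would: it checks security role names against the naming note above, reports which roles are externally-defined and therefore depend on mappings that exist only in the Administration Console, flags roles declared in one descriptor but not the other, and notes web-resource-collection entries that list http-method elements, because per Table 3–7 a constraint with no http-method covers all methods while one that lists them covers only those. The two sample descriptors are constructed for the example, modelled on Example 3–12 and 3–13; the Nmtoken check is a simplified ASCII approximation of the XML production, and the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Characters the note above disallows in role names: the listed punctuation
# plus blank space, comma and hyphen.
FORBIDDEN_ROLE_CHARS = set("\t<>#|&~?(){} ,-")
# Assumption: simplified ASCII form of the XML Nmtoken production.
NMTOKEN_RE = re.compile(r"^[A-Za-z0-9._:-]+$")

# Constructed sample descriptors, modelled on Example 3-12 and 3-13.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Receipts</web-resource-name>
      <url-pattern>/receipts/*</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>webuser</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>webuser</role-name></security-role>
  <security-role><role-name>bad role</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>webuser</role-name>
    <externally-defined/>
  </security-role-assignment>
  <security-role-assignment>
    <role-name>auditor</role-name>
    <principal-name>myGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def local(tag):
    """Strip a namespace prefix such as {http://...} from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if local(c.tag) == name]


def _texts(elem, name):
    return [(c.text or "").strip() for c in _children(elem, name)]


def role_name_problems(name):
    """Reasons a role name breaks the documented naming rules (empty if none)."""
    problems = []
    if not NMTOKEN_RE.match(name):
        problems.append("not an Nmtoken")
    bad = "".join(sorted(c for c in set(name) if c in FORBIDDEN_ROLE_CHARS))
    if bad:
        problems.append("contains disallowed characters: " + repr(bad))
    return problems


def parse_web_xml(text):
    """Return (declared role names, list of web-resource-collection constraints)."""
    roles, constraints = [], []
    for elem in ET.fromstring(text).iter():
        tag = local(elem.tag)
        if tag == "security-role":
            roles.extend(_texts(elem, "role-name"))
        elif tag == "security-constraint":
            auth = [r for ac in _children(elem, "auth-constraint")
                    for r in _texts(ac, "role-name")]
            for wrc in _children(elem, "web-resource-collection"):
                constraints.append({"name": "".join(_texts(wrc, "web-resource-name")),
                                    "url_patterns": _texts(wrc, "url-pattern"),
                                    "http_methods": _texts(wrc, "http-method"),
                                    "auth_roles": auth})
    return roles, constraints


def parse_weblogic_xml(text):
    """Map each role to 'externally-defined' or to its list of principal names."""
    assignments = {}
    for elem in ET.fromstring(text).iter():
        if local(elem.tag) != "security-role-assignment":
            continue
        for role in _texts(elem, "role-name"):
            if _children(elem, "externally-defined"):
                assignments[role] = "externally-defined"
            else:
                assignments[role] = _texts(elem, "principal-name")
    return assignments


def audit(web_xml_text, weblogic_xml_text):
    """Cross-check both descriptors and return a list of review findings."""
    findings = []
    roles, constraints = parse_web_xml(web_xml_text)
    assignments = parse_weblogic_xml(weblogic_xml_text)
    for role in roles:
        findings += [f"role {role!r}: {p}" for p in role_name_problems(role)]
        if role not in assignments:
            findings.append(f"role {role!r}: declared in web.xml but not assigned in weblogic.xml")
        elif assignments[role] == "externally-defined":
            findings.append(f"role {role!r}: externally-defined; its principals must be mapped in the Administration Console")
    findings += [f"role {r!r}: assigned in weblogic.xml but not declared in web.xml"
                 for r in assignments if r not in roles]
    for c in constraints:
        if c["http_methods"]:  # per Table 3-7, only the listed methods are constrained
            findings.append(f"constraint {c['name']!r} on {c['url_patterns']}: applies only to "
                            f"{c['http_methods']}; other HTTP methods fall outside it")
    return findings
```

Running audit(WEB_XML, WEBLOGIC_XML) on the constructed samples yields six findings: webuser is externally-defined, "bad role" fails the naming rules and has no assignment, auditor is assigned but never declared, and the Receipts collection constrains only GET. The parser strips namespaces from tag names, so it accepts descriptors that declare the Servlet 2.4 or WebLogic namespaces as well as the bare examples shown above.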

3.5.2.2 run-as-principal-name