Security Realms 4-3
4.5 Security Policies
A security policy is an association between a WebLogic resource and one or more users, groups, or security roles. Security policies protect the WebLogic resource against
unauthorized access. A WebLogic resource has no protection until you create a security policy for it. A policy condition is a condition under which a security policy
will be created. WebLogic Server provides a set of default policy conditions. WebLogic Server includes policy conditions that access the HTTP Servlet Request and Session
attributes and EJB method parameters. Date and Time policy conditions are included in the Policy Editor.
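The model below is an added example, not Oracle's code and not a WebLogic API. It shows the association this section describes: a resource, the users, groups or roles named for it, and one Date and Time style condition, plus an audit helper that lists resources still left without a policy. The class and function names, the resource names and the sample principals are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time

# Simplified model of section 4.5; not WebLogic's authorization code.
# Every name below (Subject, Policy, is_allowed, unprotected) is hypothetical.

@dataclass
class Subject:
    user: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)

@dataclass
class Policy:
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    window: tuple = None  # optional (start, end) time-of-day condition

    def permits(self, subject, now):
        # The policy names users, groups or roles; any match satisfies it.
        principal_ok = bool(subject.user in self.users
                            or subject.groups & self.groups
                            or subject.roles & self.roles)
        # A condition narrows the policy: here, a Date and Time style window.
        time_ok = self.window is None or self.window[0] <= now <= self.window[1]
        return principal_ok and time_ok

def is_allowed(policies, resource, subject, now):
    policy = policies.get(resource)
    if policy is None:
        return True  # no policy created yet: the resource has no protection
    return policy.permits(subject, now)

def unprotected(resources, policies):
    """Audit helper: resources that still have no security policy."""
    return sorted(r for r in resources if r not in policies)

# Constructed sample data (resource names and principals are made up).
RESOURCES = ["/payroll/*", "/reports/*", "jms:AuditQueue"]
POLICIES = {
    "/payroll/*": Policy(roles={"HRManager"}, window=(time(8, 0), time(18, 0))),
    "/reports/*": Policy(users={"alice"}, groups={"Analysts"}),
}
ALICE = Subject("alice", groups={"Staff"})
BOB = Subject("bob", roles={"HRManager"})

if __name__ == "__main__":
    print("unprotected:", unprotected(RESOURCES, POLICIES))
    print("bob payroll 09:00:", is_allowed(POLICIES, "/payroll/*", BOB, time(9, 0)))
    print("bob payroll 22:00:", is_allowed(POLICIES, "/payroll/*", BOB, time(22, 0)))
```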
4.6 Security Providers
Security providers are modules that provide security services to applications to protect WebLogic resources (see Figure 4–1). You can use the security providers that are provided as part of the WebLogic Server product, purchase custom security providers from third-party security vendors, or develop your own custom security providers. For information on how to develop custom security providers, see Developing Security Providers for WebLogic Server.
The following topics are discussed in this section:
■ Section 4.6.1, Security Provider Databases
■ Section 4.6.2, Types of Security Providers
■ Section 4.6.3, Security Providers and Security Realms
4.6.1 Security Provider Databases
The following sections explain what a security provider database is and describe how security realms affect the use of security provider databases:
■ Section 4.6.1.1, What Is a Security Provider Database?
■ Section 4.6.1.2, Security Realms and Security Provider Databases
■ Section 4.6.1.3, Embedded LDAP Server
■ Section 4.6.1.4, RDBMS Security Store
4.6.1.1 What Is a Security Provider Database?
A security provider database contains the users, groups, security roles, security policies, and credentials used by some types of security providers to provide security services (see Figure 4–1). For example: an Authentication provider requires information about users and groups; an Authorization provider requires information about security policies; a Role Mapping provider requires information about security roles; and a Credential Mapping provider requires information about credentials to be used for remote applications. These security providers need this information to be available in a database in order to function properly.
Note: In WebLogic Server 6.x, security roles applied to Web applications and Enterprise JavaBeans (EJBs) only. In subsequent releases, the use of security roles is expanded to include all of the defined WebLogic resources.
Note: Security policies replace the access control lists (ACLs) that were used to protect WebLogic resources in WebLogic Server 6.x.
4-4 Understanding Security for Oracle WebLogic Server
The security provider database can be the embedded LDAP server (as used by the WebLogic security providers), a properties file (as used by the sample custom security providers, available on the Web), or a production-quality, customer-supplied database that you may already be using.
The security provider database should be initialized the first time security providers are used, that is, before the security realm containing the security providers is set as the default (active) security realm. This initialization can be done:
■ When a WebLogic Server instance boots.
■ When a call is made to one of the security provider's MBeans.
At minimum, the security provider database is initialized with the default groups, security roles, and security policies provided by WebLogic Server. For more information, see Security Providers and WebLogic Resources in Developing Security Providers for Oracle WebLogic Server.
4.6.1.2 Security Realms and Security Provider Databases