externally-defined weblogic-ejb-jar.xml Deployment Descriptors

Securing Enterprise JavaBeans EJBs 6-11

Table 6–5 (Cont.) client-cert-authentication Element

Setting     Definition
supported   Client certificate authentication is supported, but not required.
required    Client certificate authentication is required.

6.3.2.2.1 Example For an example of how to use the client-cert-authentication element, see Example 6–10.

6.3.2.3 confidentiality

The confidentiality element specifies the transport confidentiality requirements for the EJB. Using the confidentiality element ensures that data is sent between the client and server in such a way as to prevent other entities from observing its contents. The following table defines the possible settings.

Table 6–6 confidentiality Element

Setting     Definition
none        Confidentiality is not supported.
supported   Confidentiality is supported, but not required.
required    Confidentiality is required.

6.3.2.3.1 Example For an example of how to use the confidentiality element, see Example 6–10.

6.3.2.4 externally-defined

The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the weblogic-ejb-jar.xml deployment descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a security role mapping for each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.

Note: Starting in version 9.0, the default role mapping behavior is to create empty role mappings when none are specified. In version 8.1, EJB required that role mappings be defined in the weblogic-ejb-jar.xml descriptor or deployment would fail. With 9.0, EJB and WebApp behavior are consistent in creating empty role mappings. For information on role mapping behavior and backward compatibility settings, see the section Understanding the Combined Role Mapping Enabled Setting in Securing Resources Using Roles and Policies for Oracle WebLogic Server. The role mapping behavior for a server depends on which security deployment model is selected in the Administration Console. For information on security deployment models, see Options for Securing EJB and Web Application Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

When specifying security role names, observe the following conventions and restrictions:

■ The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation, available on the Web at: http://www.w3.org/TR/REC-xml#NT-Nmtoken.
■ Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }.
■ Security role names are case sensitive.
■ The suggested convention for security role names is that they be singular.

Example 6–4 and Example 6–5 show by comparison how to use the externally-defined element in the weblogic-ejb-jar.xml file. In Example 6–5, the manager role is marked externally-defined in weblogic-ejb-jar.xml, so for security on the getReceipts method to be correctly configured, the principals for manager must be created in the Administration Console.

Example 6–4 Using the ejb-jar.xml and weblogic-ejb-jar.xml Deployment Descriptors to Map Security Roles in EJBs

ejb-jar.xml entries:

    ...
    <assembly-descriptor>
      <security-role>
        <role-name>manager</role-name>
      </security-role>
      <security-role>
        <role-name>east</role-name>
      </security-role>
      <method-permission>
        <role-name>manager</role-name>
        <role-name>east</role-name>
        <method>
          <ejb-name>accountsPayable</ejb-name>
          <method-name>getReceipts</method-name>
        </method>
      </method-permission>
      ...
    </assembly-descriptor>
    ...

weblogic-ejb-jar.xml entries:

    <security-role-assignment>
      <role-name>manager</role-name>
      <principal-name>joe</principal-name>
      <principal-name>Bill</principal-name>
      <principal-name>Mary</principal-name>
      ...
    </security-role-assignment>
    ...

Example 6–5 Using the externally-defined Element in EJB Deployment Descriptors for Role Mapping

ejb-jar.xml entries:

    ...
    <assembly-descriptor>
      <security-role>
        <role-name>manager</role-name>
      </security-role>
      <security-role>
        <role-name>east</role-name>
      </security-role>
      <method-permission>
        <role-name>manager</role-name>
        <role-name>east</role-name>
        <method>
          <ejb-name>accountsPayable</ejb-name>
          <method-name>getReceipts</method-name>
        </method>
      </method-permission>
      ...
    </assembly-descriptor>
    ...

weblogic-ejb-jar.xml entries:

    <security-role-assignment>
      <role-name>manager</role-name>
      <externally-defined/>
      ...
    </security-role-assignment>
    ...

For more information on using the Administration Console to configure security for EJBs, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
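As an added example (not part of the Oracle documentation), the following Python check cross-references the role names declared and used in ejb-jar.xml with the security-role-assignment entries in weblogic-ejb-jar.xml, reporting roles granted in a method-permission but never declared, role names that break the naming rules above, assignments that map nothing, and declared roles with no assignment at all (which, per the note above, WebLogic 9.0 and later turns into an empty mapping rather than a deployment failure). The sample descriptors are constructed from Example 6–4 and Example 6–5 and deliberately misspell one role name so the check has something to report.

```python
import xml.etree.ElementTree as ET

# Characters the page forbids in a security role name: blanks, commas, hyphens
# and the listed punctuation. Full Nmtoken syntax is not modelled here.
FORBIDDEN = set(' ,-\t<>#|&~?(){}')

def _names(parent, tag):
    return [(r.text or '').strip() for r in parent.findall(tag)]

def audit_role_mappings(ejb_jar_xml, weblogic_ejb_jar_xml):
    """Cross-check role declarations and method permissions in ejb-jar.xml
    against the security-role-assignment entries in weblogic-ejb-jar.xml.
    Returns a list of findings; an empty list means the descriptors agree."""
    ejb = ET.fromstring(ejb_jar_xml)
    wls = ET.fromstring(weblogic_ejb_jar_xml)
    declared = {n for sr in ejb.iter('security-role') for n in _names(sr, 'role-name')}
    used = {n for mp in ejb.iter('method-permission') for n in _names(mp, 'role-name')}
    findings = []
    for name in sorted(declared | used):
        bad = sorted(c for c in name if c in FORBIDDEN)
        if bad or not name:
            findings.append(f"role name {name!r} violates the naming rules: {bad}")
    for name in sorted(used - declared):
        findings.append(f"method-permission grants undeclared role {name!r}")
    assigned = set()
    for sra in wls.iter('security-role-assignment'):
        name = (sra.findtext('role-name') or '').strip()
        assigned.add(name)
        principals = _names(sra, 'principal-name')
        external = sra.find('externally-defined') is not None
        if not principals and not external:
            findings.append(f"{name!r} maps no principals and is not externally-defined")
    for name in sorted(declared - assigned):
        findings.append(f"{name!r} has no security-role-assignment (empty mapping in 9.0+)")
    return findings

# Constructed sample adapted from Example 6-4/6-5; the security-role deliberately
# misspells "manager" as "manger" so the check has something to report.
EJB_JAR = """<assembly-descriptor>
  <security-role><role-name>manger</role-name></security-role>
  <security-role><role-name>east</role-name></security-role>
  <method-permission>
    <role-name>manager</role-name><role-name>east</role-name>
    <method><ejb-name>accountsPayable</ejb-name><method-name>getReceipts</method-name></method>
  </method-permission>
</assembly-descriptor>"""
WEBLOGIC_EJB_JAR = """<weblogic-ejb-jar>
  <security-role-assignment><role-name>manager</role-name><externally-defined/></security-role-assignment>
</weblogic-ejb-jar>"""
```

Running `audit_role_mappings(EJB_JAR, WEBLOGIC_EJB_JAR)` on the sample reports the undeclared manager role plus the two declared roles (east and the misspelled manger) that have no assignment; once the typo is fixed, only east remains unmapped.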

6.3.2.5 identity-assertion