Securing Enterprise JavaBeans EJBs 6-11
Table 6–5 (Cont.) client-cert-authentication Element
Setting      Definition
supported    Client certificate authentication is supported, but not required.
required     Client certificate authentication is required.

6.3.2.2.1 Example
For an example of how to use the client-cert-authentication element, see Example 6–10.

6.3.2.3 confidentiality
The confidentiality element specifies the transport confidentiality requirements for the EJB. Using the confidentiality element ensures that the data sent between the client and server is protected so that other entities cannot observe its contents.
The following table defines the possible settings.

Table 6–6 confidentiality Element
Setting      Definition
none         Confidentiality is not supported.
supported    Confidentiality is supported, but not required.
required     Confidentiality is required.

6.3.2.3.1 Example
For an example of how to use the confidentiality element, see Example 6–10.

6.3.2.4 externally-defined
The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the weblogic-ejb-jar.xml deployment descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a specific security role mapping for each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.

Note: Starting in version 9.0, the default role mapping behavior is to create empty role mappings when none are specified. In version 8.1, EJB required that role mappings be defined in the weblogic-ejb-jar.xml descriptor or deployment would fail. With 9.0, EJB and WebApp behavior are consistent in creating empty role mappings.
For information on role mapping behavior and backward compatibility settings, see the section Understanding the Combined Role Mapping Enabled Setting in Securing Resources Using Roles and Policies for Oracle WebLogic Server. The role mapping behavior for a server depends on which security deployment model is selected on the Administration Console. For information on security deployment models, see Options for Securing EJB and Web Application Resources in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
6-12 Programming Security for Oracle WebLogic Server
When specifying security role names, observe the following conventions and restrictions:
■ The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation, available on the Web at: http://www.w3.org/TR/REC-xml#NT-Nmtoken
■ Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list: \t, < >, #, |, &, ~, ?, ( ), { }.
■ Security role names are case sensitive.
■ The suggested convention for security role names is that they be singular.
Example 6–4 and Example 6–5 show by comparison how to use the externally-defined element in the weblogic-ejb-jar.xml file. In Example 6–5, the specification of the externally-defined element for the manager role in the weblogic-ejb-jar.xml means that, for security to be correctly configured on the getReceipts method, the principals for manager will have to be created in the Administration Console.
Example 6–4 Using the ejb-jar.xml and weblogic-ejb-jar.xml Deployment Descriptors to Map Security Roles in EJBs
ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>joe</principal-name>
  <principal-name>Bill</principal-name>
  <principal-name>Mary</principal-name>
  ...
</security-role-assignment>
...
Example 6–5 Using the externally-defined Element in EJB Deployment Descriptors for Role Mapping
ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <externally-defined/>
  ...
</security-role-assignment>
...
For more information on using the Administration Console to configure security for EJBs, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
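The role-name conventions and the externally-defined behaviour above are easy to get wrong silently: a misspelled or differently cased role-name in method-permission, or a security-role-assignment with no principals and no externally-defined element, leaves a role that nobody satisfies. The following Python lint is an added example, not Oracle's or WebLogic's code; the functions check_role_name and lint_descriptors and the constructed sample descriptors (modelled on Example 6–4) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
# ASCII approximation of the XML Nmtoken production: one or more NameChars.
NMTOKEN = re.compile(r"^[A-Za-z0-9._:-]+$")
# Characters the conventions above rule out: blanks, commas, hyphens, listed set.
FORBIDDEN = set(" ,-\t<>#|&~?(){}")

def check_role_name(name):
    """Return the convention violations for one security role name."""
    bad = "".join(sorted(set(name) & FORBIDDEN))
    if bad:
        return ["forbidden characters %r" % bad]
    return [] if NMTOKEN.match(name) else ["not an Nmtoken"]

def lint_descriptors(ejb_jar_xml, weblogic_ejb_jar_xml):
    """Cross-check role names across both descriptors; return sorted findings."""
    findings, declared = [], set()
    ejb = ET.fromstring(ejb_jar_xml)
    for sr in ejb.iter("security-role"):
        name = sr.findtext("role-name", "").strip()
        declared.add(name)
        findings += ["ejb-jar.xml role %r: %s" % (name, p) for p in check_role_name(name)]
    for mp in ejb.iter("method-permission"):
        for rn in mp.findall("role-name"):
            name = rn.text.strip()
            if name not in declared:  # role names are case sensitive
                hint = [d for d in declared if d.lower() == name.lower()]
                findings.append("method-permission references undeclared role %r%s"
                                % (name, " (case mismatch with %r)" % hint[0] if hint else ""))
    for sra in ET.fromstring(weblogic_ejb_jar_xml).iter("security-role-assignment"):
        name = sra.findtext("role-name", "").strip()
        if sra.find("principal-name") is None and sra.find("externally-defined") is None:
            findings.append("weblogic-ejb-jar.xml role %r has neither principal-name nor "
                            "externally-defined (deploys as an empty mapping)" % name)
    return sorted(findings)
# Constructed sample descriptors modelled on Example 6-4; not taken from the page.
EJB_JAR = """<ejb-jar><assembly-descriptor>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>east</role-name></security-role>
  <security-role><role-name>east-coast</role-name></security-role>
  <method-permission><role-name>manager</role-name><role-name>East</role-name>
    <method><ejb-name>accountsPayable</ejb-name><method-name>getReceipts</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>"""
WEBLOGIC_EJB_JAR = """<weblogic-ejb-jar>
  <security-role-assignment><role-name>manager</role-name>
    <principal-name>joe</principal-name><principal-name>Mary</principal-name></security-role-assignment>
  <security-role-assignment><role-name>east</role-name><externally-defined/></security-role-assignment>
  <security-role-assignment><role-name>east-coast</role-name></security-role-assignment>
</weblogic-ejb-jar>"""
```

Running lint_descriptors(EJB_JAR, WEBLOGIC_EJB_JAR) on the sample reports the hyphenated role, the East/east case slip, and the assignment with no members; a clean pair of descriptors returns an empty list.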
6.3.2.5 identity-assertion