6 Deploying Secure Applications 6-1 6 Deploying Secure Applications An application can be deployed to an Oracle WebLogic Server using any of the following tools: the Oracle WebLogic Server Administration Console, Oracle Enterprise Manager Fusion Middleware Control, Oracle JDeveloper, or the WebSphere Application Server console. An application can also be started by setting the its bits in a location known to the WebLogic server, without the need to restart the server; this kind of application start is known as hot deployment. The recommended way to deploy an application depends on the platform, the application type, and whether the application is in the developing phase or in a post-development phase. For example, in the post-development phase, typically, the appliction is started in a production environment by means of a hot deployment. The recommendations stated in this chapter apply to Oracle ADF applications and to Java EE applications using OPSS. During development, the application is typically deployed with Oracle JDeveloper to the embedded Oracle WebLogic Server. Once the application transitions to test or production environments, it is typically deployed with Fusion Middleware Control or the Oracle WebLogic Server Administration Console or by a hot deployment. This chapter focuses on administrative tasks performed at deployment of an Oracle ADF or pure Java EE application. The last section explains the packaging requirements to secure Java EE applications, a topic relevant only when the application is packaged manually. This chapter is divided into the following sections: ■ Overview ■ Selecting the Tool for Deployment ■ Deploying Oracle ADF Applications to a Test Environment ■ Deploying Standard Java EE Applications ■ Migrating from a Test to a Production Environment Additional Documentation For further details about deployment, see Chapter 8, Deploying Applications, in Oracle Fusion Middleware Administrators Guide. For an overview of the entire security life-cycle of an application, from development to production, see Oracle Fusion Middleware Security Overview. For details about securing an Oracle ADF application during development, see Oracle Fusion Middleware Fusion Developers Guide for Oracle Application Development Framework. 6-2 Oracle Fusion Middleware Application Security Guide For an overview of the development cycle, see Section 19.1.1, The Development Cycle. For details about the files in an EAR file relevant to application security management and configuration, such as web.xml and weblogic-application.xml, see Chapter 21, Manually Configuring Java EE Applications to Use OPSS.

6.1 Overview

The steps that lead to the deployment of an Oracle ADF application into a remote Oracle WebLogic Server are, typically, as follows: ■ Using Oracle JDeveloper, a developer develops an Oracle ADF application into which Oracle ADF security is included with the Oracle ADF Security Wizard. ■ Application users and groups, authorization policies, and credentials are copied by Oracle JDeveloper to the integrated WebLogic Server, into which the application is auto-deployed during the test cycles in that environment. ■ The developer creates an application EAR file which packs policies and credentials. ■ The domain administrator deploys the EAR file to a remote Oracle WebLogic Server using Fusion Middleware Control. This flow is illustrated in the following graphic:

6.2 Selecting the Tool for Deployment

The types of application we consider in this chapter are Java EE applications, which are further categorized into pure Java EE applications and Oracle Fusion Middleware ADF applications. The distinction of these two kinds of Java EE applications is explained in sections Section 1.5.1, Scenario 1: Enhancing Security in a Java EE Application, and Section 1.5.2, Scenario 2: Securing an Oracle ADF Application. Table 6–1 lists the tool used to deploy a developed application according to its type.