Authentication Authorization Java EE Security

2-2 Programming Security for Oracle WebLogic Server

available from the CERT™ Coordination Center operated by Carnegie Mellon University. Oracle suggests that you apply the remedies recommended in our security advisories. In the event of a problem with an Oracle product, Oracle distributes an advisory and instructions with the appropriate course of action. If you are responsible for security-related issues at your site, please register to receive future notifications.

2.2 Administration Console and Security

With regard to security, you can use the Administration Console to define and edit deployment descriptors for Web Applications, EJBs, Java EE Connectors, and Enterprise Applications. This document, Programming WebLogic Security, does not describe how to use the Administration Console to configure security. For information on how to use the Administration Console to define and edit deployment descriptors, see Securing Resources Using Roles and Policies for Oracle WebLogic Server and Securing Oracle WebLogic Server.

2.3 Types of Security Supported by WebLogic Server

WebLogic Server supports the following security mechanisms:

■ Section 2.3.1, Authentication
■ Section 2.3.2, Authorization
■ Section 2.3.3, Java EE Security

2.3.1 Authentication

Authentication is the mechanism by which callers and service providers prove that they are acting on behalf of specific users or systems. Authentication answers the question, "Who are you?" using credentials. When the proof is bidirectional, it is referred to as mutual authentication. WebLogic Server supports username and password authentication and certificate authentication. For certificate authentication, WebLogic Server supports both one-way and two-way SSL (Secure Sockets Layer) authentication. Two-way SSL authentication is a form of mutual authentication. In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make identity information available to various components of a system via subjects when needed. You can configure the Authentication providers using the Web application and EJB deployment descriptor files, or the Administration Console, or a combination of both.

2.3.2 Authorization

Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, "What can you access?" In WebLogic Server, a WebLogic Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability. You can configure the Authorization provider using the Web application and EJB deployment descriptor files, or the Administration Console, or a combination of both. WebLogic Server also supports the use of programmatic authorization (also referred to in this document as programmatic security) to limit the interactions between users and WebLogic resources.
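As an added example that is not part of the Oracle document, the servlet below shows the two styles of authorization described in Sections 2.3.1 and 2.3.2 side by side: a declarative constraint (Servlet 3.0 annotations, enforced by the container's Authorization provider before the request reaches application code) and a programmatic isUserInRole check inside the handler. The role names, servlet path and class name are assumptions; the authentication method (login-config) and the role-to-principal mapping are still supplied in web.xml and weblogic.xml or through the Administration Console.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Role names are assumptions for this example. WebLogic maps each role to
// users or groups via security-role-assignment in weblogic.xml or via the
// Administration Console; the roles themselves are declared here.
@DeclareRoles({"operator", "auditor"})
@WebServlet("/reports")
// Declarative authorization: the container rejects any caller that is not
// in one of these roles before doGet() ever runs. DELETE is further
// restricted to "operator" only.
@ServletSecurity(
    value = @HttpConstraint(rolesAllowed = {"operator", "auditor"}),
    httpMethodConstraints = {
        @HttpMethodConstraint(value = "DELETE", rolesAllowed = "operator")
    })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Identity established by the Authentication provider (username and
        // password, or a client certificate over two-way SSL) and carried in
        // the request's authenticated Subject.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            // Not reachable while the constraint above is active; kept as
            // defense in depth in case the descriptor is later relaxed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Programmatic authorization: a finer-grained decision the static
        // constraint cannot express (which reports a given role may see).
        boolean canSeeAll = req.isUserInRole("operator");
        resp.setContentType("text/plain");
        resp.getWriter().println("user=" + user.getName()
            + " scope=" + (canSeeAll ? "all reports" : "own reports only"));
    }
}
```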

2.3.3 Java EE Security

For implementation and use of user authentication and authorization, WebLogic Server utilizes the security services of the Java EE Development Kit 6.0 (JDK 6.0). Like the other Java EE components, the security services are based on standardized, modular components. WebLogic Server implements these Java security service methods according to the standard, and adds extensions that handle many details of application behavior automatically, without requiring additional programming.

2.4 Security APIs