Typical Security Practices with the Administration Console

Oracle Fusion Middleware Application Security Guide

For an overview of the development cycle, see Section 19.1.1, "The Development Cycle." For details about the files in an EAR file relevant to application security management and configuration, such as web.xml and weblogic-application.xml, see Chapter 21, "Manually Configuring Java EE Applications to Use OPSS."

6.1 Overview

The steps that lead to the deployment of an Oracle ADF application into a remote Oracle WebLogic Server are, typically, as follows:

■ Using Oracle JDeveloper, a developer develops an Oracle ADF application into which Oracle ADF security is included with the Oracle ADF Security Wizard.
■ Application users and groups, authorization policies, and credentials are copied by Oracle JDeveloper to the integrated WebLogic Server, into which the application is auto-deployed during the test cycles in that environment.
■ The developer creates an application EAR file which packs policies and credentials.
■ The domain administrator deploys the EAR file to a remote Oracle WebLogic Server using Fusion Middleware Control.

This flow is illustrated in the following graphic:

6.2 Selecting the Tool for Deployment

The applications considered in this chapter are Java EE applications, which are further categorized into pure Java EE applications and Oracle Fusion Middleware ADF applications. The distinction between these two kinds of Java EE applications is explained in Section 1.5.1, "Scenario 1: Enhancing Security in a Java EE Application," and Section 1.5.2, "Scenario 2: Securing an Oracle ADF Application." Table 6–1 lists the tool used to deploy a developed application according to its type.

6.2.1 Deploying Java EE and Oracle ADF Applications with Fusion Middleware Control

This section focuses on the security configurations available when deploying an application that uses Oracle ADF security, or a Java EE application that uses OPSS, with Fusion Middleware Control on the WebLogic server. Specifically, it describes the options you find in the page Configure Application Security at the third stage of the deploy settings. The appearance of this page varies according to what is packaged in the EAR file, as follows:

■ If the EAR file packages jazn-data.xml with application policies, the application policy migration section is shown.
■ If the EAR file packages credentials in cwallet.sso, the credential migration section is shown.
■ If the EAR file does not include any of the above, then the page displays the default Java EE security options.

This page, showing the policy migration sections, is partially illustrated in the following graphic:

Table 6–1 Tools to Deploy Applications after Development

Application Type | Tool to Use
---------------- | -----------
Pure Java EE Application | Oracle WebLogic Administration Console, Fusion Middleware Control, WebSphere Application Server Administrator Console, WebSphere Application Server WASAdmin commands. The recommended tool is Oracle WebLogic Administration Console.
Oracle ADF Application | Fusion Middleware Control or OPSS script. The recommended tool is Fusion Middleware Control.
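The packaging rules in Section 6.2.1 can be checked before deployment. The following Python sketch is an added example, not Oracle's code: it inspects an EAR for jazn-data.xml and cwallet.sso and reports which sections of the Configure Application Security page to expect. The sample archive is constructed, and the jazn-data.xml element names (applications, application) and the META-INF placement are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed jazn-data.xml layout.
SAMPLE_JAZN = ("<jazn-data><policy-store><applications>"
               "<application><name>DemoApp</name></application>"
               "</applications></policy-store></jazn-data>")

def build_sample_ear(jazn=None, wallet=False):
    """Build a constructed in-memory EAR (zip) for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as ear:
        ear.writestr("META-INF/application.xml", "<application/>")
        if jazn is not None:
            ear.writestr("META-INF/jazn-data.xml", jazn)
        if wallet:
            ear.writestr("META-INF/cwallet.sso", b"constructed-placeholder")
    buf.seek(0)
    return buf

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def has_application_policies(xml_bytes):
    """True if an <applications> element holds at least one <application>."""
    try:
        root = ET.fromstring(xml_bytes)  # EAR treated as trusted build output
    except ET.ParseError:
        return False
    return any(_local(el.tag) == "applications"
               and any(_local(c.tag) == "application" for c in el)
               for el in root.iter())

def expected_sections(ear_file):
    """Sections the deployment page should show for this EAR."""
    found = set()
    with zipfile.ZipFile(ear_file) as ear:
        for name in ear.namelist():  # entries of the EAR itself; nested archives are not opened
            base = name.rsplit("/", 1)[-1]
            if base == "jazn-data.xml" and has_application_policies(ear.read(name)):
                found.add("application policy migration")
            elif base == "cwallet.sso":
                found.add("credential migration")
    return sorted(found) or ["default Java EE security options"]

if __name__ == "__main__":
    print(expected_sections(build_sample_ear(SAMPLE_JAZN, wallet=True)))
```

A "credential migration" result also tells the reviewer that the archive itself carries a credential wallet, so the EAR should be stored and transferred with the same care as the credentials it packs.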