Security Fundamentals 3-27
■
Set application-type security policies on EJBs and Resource Adapters. You use the Java security policy file to perform this task.
■
Set application-specific security policies on specific EJBs and Resource Adapters. You use the deployment descriptors weblogic.xml, weblogic-ejb-jar.xml, and rar.xml to perform this task.
For more information on how to use the Java Security Manager to perform these tasks, see Using Java Security to Protect WebLogic Resources in Programming Security for Oracle WebLogic Server.
3.9.1.4 Java Cryptography Architecture (JCA) and Java Cryptography Extensions (JCE)
Developed by Sun Microsystems, Inc., these security APIs provide a framework for accessing and developing cryptographic functionality for the Java platform and for developing implementations for encryption, key generation and key agreement, and Message Authentication Code (MAC) algorithms. WebLogic Server fully supports these security APIs.
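The four service types named above all follow the same JCA pattern: an engine class (KeyGenerator, KeyAgreement, Cipher, Mac) is obtained by algorithm name from whatever provider is installed, so application code never depends on a particular implementation. The following is an added example, not code from the Oracle documentation or from WebLogic Server; it uses only standard JDK algorithm names (AES, EC, ECDH, AES/GCM/NoPadding, HmacSHA256) and runs on a plain JDK 11 or later. The class name and the sample plaintext are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyAgreement;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added example: the JCA/JCE engine classes for key generation, key agreement,
 *  encryption and MAC, wired through provider-neutral getInstance() calls. */
public final class JcaWalkthrough {

    private static final SecureRandom RNG = new SecureRandom();

    /** Key generation: a 256-bit AES key from the KeyGenerator engine class. */
    static SecretKey generateAesKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, RNG);
        return kg.generateKey();
    }

    /** Key agreement: ECDH over the two parties' EC key pairs gives both the same secret. */
    static byte[] ecdhSharedSecret(KeyPair mine, KeyPair peer) throws Exception {
        KeyAgreement ka = KeyAgreement.getInstance("ECDH");
        ka.init(mine.getPrivate());
        ka.doPhase(peer.getPublic(), true);
        // Raw ECDH output is not uniformly random; hash (or HKDF) it before use as a key.
        return MessageDigest.getInstance("SHA-256").digest(ka.generateSecret());
    }

    /** Encryption: AES-GCM with a fresh 96-bit nonce prepended to the ciphertext. */
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        RNG.nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Decryption: the nonce is read back from the first 12 bytes; the tag is verified by doFinal. */
    static byte[] decrypt(SecretKey key, byte[] nonceAndCiphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonceAndCiphertext, 0, 12));
        // Throws AEADBadTagException if the nonce, ciphertext or tag was modified.
        return c.doFinal(nonceAndCiphertext, 12, nonceAndCiphertext.length - 12);
    }

    /** MAC: HMAC-SHA256 over a message with the given key. */
    static byte[] hmac(SecretKey macKey, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(macKey);
        return mac.doFinal(message);
    }

    /** Constant-time tag comparison; never compare MACs with Arrays.equals. */
    static boolean macMatches(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws Exception {
        // Key agreement between two parties (P-256 key pairs).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256, RNG);
        KeyPair alice = kpg.generateKeyPair();
        KeyPair bob = kpg.generateKeyPair();
        byte[] aliceSecret = ecdhSharedSecret(alice, bob);
        byte[] bobSecret = ecdhSharedSecret(bob, alice);
        System.out.println("ECDH secrets agree: " + Arrays.equals(aliceSecret, bobSecret));

        // Encryption round trip with a generated key, then tamper detection.
        SecretKey aesKey = generateAesKey();
        byte[] msg = "constructed sample plaintext".getBytes(StandardCharsets.UTF_8); // constructed input
        byte[] sealed = encrypt(aesKey, msg);
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(aesKey, sealed)));
        sealed[sealed.length - 1] ^= 0x01;          // flip one bit of the GCM tag
        try {
            decrypt(aesKey, sealed);
            System.out.println("tamper NOT detected (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected: " + e.getClass().getSimpleName());
        }

        // MAC keyed from the agreed secret; both sides derive the same tag.
        byte[] tag = hmac(new SecretKeySpec(aliceSecret, "HmacSHA256"), msg);
        byte[] check = hmac(new SecretKeySpec(bobSecret, "HmacSHA256"), msg);
        System.out.println("MAC verifies: " + macMatches(tag, check));
    }
}
```

Compile and run with `javac JcaWalkthrough.java && java JcaWalkthrough`. Because every object comes from getInstance(), dropping in a different provider (a FIPS module, for instance) changes no application code; the same substitutability is what lets WebLogic Server run on top of these APIs rather than on one vendor's library.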
3.9.1.5 Java Authorization Contract for Containers (JACC)
JACC provides an alternate authorization mechanism for the EJB and Servlet containers in a WebLogic Server domain. When JACC is configured, the WebLogic Security Framework access decisions, adjudication, and role mapping functions are not used for EJB and Servlet authorization decisions. The JACC classes are used for role-to-principal mapping as well as for rendering access decisions. You cannot use the JACC framework in conjunction with the WebLogic Security Framework. The JACC classes used by WebLogic Server do not include an implementation of a Policy object for rendering decisions but instead rely on the J2SE 1.4 java.security.Policy object.
3.9.2 Common Secure Interoperability Version 2 (CSIv2)
WebLogic Server provides support for the Enterprise JavaBean (EJB) interoperability protocol that is based on Internet Inter-ORB (IIOP) GIOP version 1.2 and the CORBA Common Secure Interoperability version 2 (CSIv2) specification. CSIv2 support in WebLogic Server:
■
Interoperates with the Java 2 Enterprise Edition (J2EE) version 1.4.1 reference implementation.
■
Allows WebLogic Server IIOP clients to specify a username and password in the same manner as T3 clients.
■
Supports Generic Security Services Application Programming Interface (GSSAPI) initial context tokens. For this release, only usernames and passwords and GSSUP (Generic Security Services Username Password) tokens are supported.
The external interface to the CSIv2 implementation is a JAAS LoginModule that retrieves the username and password of the CORBA object. The JAAS LoginModule can be used in a WebLogic Java client or in a WebLogic Server instance that acts as a client to another Java EE application server. The JAAS LoginModule for the CSIv2 support is called UsernamePasswordLoginModule, and is located in the weblogic.security.auth.login package.
Note: The CSIv2 implementation in WebLogic Server passed Java 2 Enterprise Edition (J2EE) Compatibility Test Suite (CTS) conformance testing.
Note: For information related to load balancing support for CSIv2 in a WebLogic Server cluster, see Server Affinity and IIOP Client Authentication Using CSIv2 in Using Clusters for Oracle WebLogic Server.
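A client drives the LoginModule described above through the standard JAAS API: it names a configuration entry, supplies a CallbackHandler that answers the module's requests for a username and password, and receives an authenticated Subject. The following is an added example, not code from the Oracle documentation or from WebLogic Server. The JAAS configuration entry (named CSIv2Client, an arbitrary name) and the command-line handling are constructed here; the weblogic.security.auth.callback.URLCallback class and weblogic.security.Security.runAs() are taken from WebLogic's client library as this author recalls it, not from this page, so treat them as assumptions to check against your release. The WebLogic client library must be on the classpath.

```java
import java.io.Console;
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;                       // assumption: WebLogic client library
import weblogic.security.auth.callback.URLCallback;      // assumption: WebLogic client library

/*
 * Added example. Expects a JAAS configuration file (constructed for this example,
 * passed as -Djava.security.auth.login.config=client.config) containing:
 *
 *   CSIv2Client {
 *       weblogic.security.auth.login.UsernamePasswordLoginModule required;
 *   };
 */
public final class CsiV2Login {

    /** Answers the callbacks the login module issues. */
    static final class ClientCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final String serverUrl;

        ClientCallbackHandler(String user, char[] password, String serverUrl) {
            this.user = user;
            this.password = password;
            this.serverUrl = serverUrl;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof URLCallback) {
                    // Assumption: WebLogic asks for the server URL through this callback.
                    ((URLCallback) cb).setURL(serverUrl);
                } else {
                    // Refuse anything unexpected rather than answering blindly.
                    throw new UnsupportedCallbackException(cb, "unsupported callback");
                }
            }
        }
    }

    /** Runs the JAAS login for the named configuration entry and returns the Subject. */
    static Subject login(String entry, String user, char[] password, String url)
            throws LoginException {
        LoginContext lc = new LoginContext(entry, new ClientCallbackHandler(user, password, url));
        lc.login();                     // FailedLoginException on bad credentials
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: CsiV2Login <user> <iiop-url>");
            System.exit(2);
        }
        Console console = System.console();
        if (console == null) {
            System.err.println("interactive console required; passwords are not taken from argv");
            System.exit(2);
        }
        char[] password = console.readPassword("Password for %s: ", args[0]);
        Subject subject;
        try {
            subject = login("CSIv2Client", args[0], password, args[1]);
        } finally {
            Arrays.fill(password, '\0');   // do not leave the secret in memory
        }
        subject.getPrincipals().forEach(p -> System.out.println("principal: " + p.getName()));

        // Assumption: remote work runs under the authenticated Subject via Security.runAs.
        Security.runAs(subject, (PrivilegedAction<Void>) () -> {
            // look up and invoke EJBs over IIOP here
            return null;
        });
    }
}
```

The handler deliberately rejects callbacks it does not recognize; a handler that silently ignores them can leave the LoginModule with empty credentials and produce a confusing authentication failure far from the cause. The password is read from the console rather than argv, since command-line arguments are visible to other local users through the process table.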
4 Security Realms
This section covers the following topics:
■
Section 4.1, Introduction to Security Realms
■
Section 4.2, Users
■
Section 4.3, Groups
■
Section 4.4, Security Roles
■
Section 4.5, Security Policies
■
Section 4.6, Security Providers
4.1 Introduction to Security Realms
A security realm comprises mechanisms for protecting WebLogic resources. Each security realm consists of a set of configured security providers, users, groups, security roles, and security policies (see Figure 4–1). A user must be defined in a security realm in order to access any WebLogic resources belonging to that realm. When a user attempts to access a particular WebLogic resource, WebLogic Server tries to authenticate and authorize the user by checking the security role assigned to the user in the relevant security realm and the security policy of the particular WebLogic resource.
Figure 4–1 WebLogic Server Security Realm
4.2 Users
Users are entities that can be authenticated in a security realm, such as myrealm (see Figure 4–1). A user can be a person, such as an application end user, or a software entity, such as a client application or another instance of WebLogic Server. As a result of