1-2 Programming Security for Oracle WebLogic Server design and that no security holes are introduced. They also work with WebLogic Server administrators to ensure that security is properly configured. Security developers have a solid understanding of security concepts, including authentication, authorization, auditing AAA, in-depth knowledge of Java including Java Management eXtensions JMX, and working knowledge of WebLogic Server and security provider functionality. Security developers use the Security Service Provider Interfaces SSPIs to develop custom security providers for use with WebLogic Server. This document does not address this task; for information on how to use the SSPIs to develop custom security providers, see Developing Security Providers for Oracle WebLogic Server ■ Server Administrators Administrators who work closely with application architects to design a security scheme for the server and the applications running on the server, to identify potential security risks, and to propose configurations that prevent security problems. Related responsibilities may include maintaining critical production systems, configuring and managing security realms, implementing authentication and authorization schemes for server and application resources, upgrading security features, and maintaining security provider databases. WebLogic Server administrators have in-depth knowledge of the Java security architecture, including Web application and EJB security, Public Key security, and SSL. ■ Application Administrators Administrators who work with WebLogic Server administrators to implement and maintain security configurations and authentication and authorization schemes, and to set up and maintain access to deployed application resources in defined security realms. Application administrators have general knowledge of security concepts and the Java Security architecture. They understand Java, XML, deployment descriptors, and can identify security events in server and audit logs. While administrators typically use the Administration Console to deploy, configure, and manage applications when they put the applications into production, application developers may also use the Administration Console to test their applications before they are put into production. At a minimum, testing requires that applications be deployed and configured. This document does not cover some aspects of administration as it relates to security, rather, it references Securing Oracle WebLogic Server, Securing Resources Using Roles and Policies for Oracle WebLogic Server, and Oracle WebLogic Server Administration Console Help for descriptions of how to use the Administration Console to perform security tasks.

1.3 Guide to this Document

This document is organized as follows: ■ Chapter 2, WebLogic Security Programming Overview discusses the need for security, and the WebLogic Security application programming Interfaces APIs. ■ Chapter 3, Securing Web Applications describes how to implement security in Web applications. ■ Chapter 4, Using JAAS Authentication in Java Clients describes how to implement JAAS authentication in Java clients. ■ Chapter 5, Using SSL Authentication in Java Clients describes how to implement SSL and digital certificate authentication in Java clients. Introduction and Roadmap 1-3 ■ Chapter 6, Securing Enterprise JavaBeans EJBs describes how to implement security in Enterprise JavaBeans. ■ Chapter 7, Using Network Connection Filters describes how to implement network connection filters. ■ Chapter 8, Using Java Security to Protect WebLogic Resources discusses using Java security to protect WebLogic resources. ■ Chapter 9, SAML APIs describes the WebLogic SAML APIs. ■ Chapter 10, Using CertPath Building and Validation describes how to build and validate certification paths. ■ Appendix A, Deprecated Security APIs provides a list of weblogic.security packages in which APIs have been deprecated.

1.4 Related Information

In addition to this document, Programming WebLogic Security, the following documents provide information on the WebLogic Security Service: ■ Understanding Security for Oracle WebLogic Server—This document summarizes the features of the WebLogic Security Service and presents an overview of the architecture and capabilities of the WebLogic Security Service. It is the starting point for understanding the WebLogic Security Service. ■ Securing a Production Environment for Oracle WebLogic Server— This document highlights essential security measures for you to consider before you deploy WebLogic Server into a production environment. ■ Developing Security Providers for Oracle WebLogic Server—This document provides security vendors and application developers with the information needed to develop custom security providers that can be used with WebLogic Server. ■ Securing Oracle WebLogic Server—This document explains how to configure security for WebLogic Server and how to use Compatibility security. ■ Securing Resources Using Roles and Policies for Oracle WebLogic Server—This document introduces the various types of WebLogic resources, and provides information that allows you to secure these resources using WebLogic Server. ■ Oracle WebLogic Server Administration Console Help—This document describes how to use the Administration Console to perform security tasks. ■ Javadocs for WebLogic Classes—This document includes reference documentation for the WebLogic security packages that are provided with and supported by the WebLogic Server software.

1.5 Security Samples and Tutorials