Sunday, November 28, 2010

Securing Resources Using Roles and Policies for Oracle WebLogic Server

Securing Resources Using Roles and Policies for Oracle WebLogic Server
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13747/toc.htm

Securing Enterprise JavaBeans (EJBs)

http://download.oracle.com/docs/cd/E14571_01/web.1111/e13711/ejb_client.htm#SCPRG286


externally-defined

The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the weblogic-ejb-jar.xml deployment descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a specific security role mapping for each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.

Defined in descriptor
ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>joe</principal-name>
  <principal-name>Bill</principal-name>
  <principal-name>Mary</principal-name>
  ...
</security-role-assignment>



Externally defined in Admin Console
ejb-jar.xml entries:
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <externally-defined/>
  ...
</security-role-assignment>




Using run-as roles when anonymous access is forbidden
In the ejb-jar.xml file:
<!-- Beans "A_EJB_with_runAs_role_X" and "B_EJB_with_runAs_role_X"
     specify a security-identity run-as role-name "runAs_role_X".
     Bean "C_EJB_with_runAs_role_Y" specifies a security-identity
     run-as role-name "runAs_role_Y". -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>A_EJB_with_runAs_role_X</ejb-name>
      <home>weblogic.ejb20.SecuritySLHome</home>
      <remote>weblogic.ejb20.SecuritySL</remote>
      <local-home>weblogic.ejb20.SecurityLocalSLHome</local-home>
      <local>weblogic.ejb20.SecurityLocalSL</local>
      <ejb-class>weblogic.ejb20.SecuritySLBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>runAs_role_X</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>B_EJB_with_runAs_role_X</ejb-name>
      <!-- home, remote, local-home, local, ejb-class, session-type and
           transaction-type as for bean A -->
      ...
      <security-identity>
        <run-as>
          <role-name>runAs_role_X</role-name>
        </run-as>
      </security-identity>
    </session>
    <message-driven>
      <ejb-name>C_EJB_with_runAs_role_Y</ejb-name>
      <ejb-class>weblogic.ejb20.SecuritySLBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>runAs_role_Y</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>
</ejb-jar>

In the weblogic-ejb-jar.xml file:

<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <ejb-name>A_EJB_with_runAs_role_X</ejb-name>
  </weblogic-enterprise-bean>
  <weblogic-enterprise-bean>
    <ejb-name>B_EJB_with_runAs_role_X</ejb-name>
    <!-- a run-as-principal-name on the bean takes precedence over the
         run-as-role-assignment for runAs_role_X below -->
    <run-as-principal-name>Joe</run-as-principal-name>
  </weblogic-enterprise-bean>
  <weblogic-enterprise-bean>
    <ejb-name>C_EJB_with_runAs_role_Y</ejb-name>
  </weblogic-enterprise-bean>
  <security-role-assignment>
    <role-name>runAs_role_Y</role-name>
    <principal-name>Harry</principal-name>
    <principal-name>John</principal-name>
  </security-role-assignment>
  <run-as-role-assignment>
    <role-name>runAs_role_X</role-name>
    <run-as-principal-name>Fred</run-as-principal-name>
  </run-as-role-assignment>
</weblogic-ejb-jar>
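Reviewing which identity each bean will actually run as, and which externally-defined roles the descriptors cannot answer for, is tedious by hand. The following is an added example, not code from the post or from Oracle: it parses constructed ejb-jar.xml and weblogic-ejb-jar.xml fragments modelled on the examples above (bean D and role runAs_role_Z are added to cover the externally-defined case) and resolves the run-as principal per bean. The precedence it applies (bean-level run-as-principal-name, then run-as-role-assignment, then the first principal-name of the role's security-role-assignment) is my reading of the WebLogic documentation and is an assumption of this example.

```python
import xml.etree.ElementTree as ET
# Constructed descriptors modelled on the post's run-as example (not real deployment files).
EJB_JAR = """<ejb-jar><enterprise-beans>
  <session><ejb-name>A_EJB_with_runAs_role_X</ejb-name>
    <security-identity><run-as><role-name>runAs_role_X</role-name></run-as></security-identity></session>
  <session><ejb-name>B_EJB_with_runAs_role_X</ejb-name>
    <security-identity><run-as><role-name>runAs_role_X</role-name></run-as></security-identity></session>
  <message-driven><ejb-name>C_EJB_with_runAs_role_Y</ejb-name>
    <security-identity><run-as><role-name>runAs_role_Y</role-name></run-as></security-identity></message-driven>
  <session><ejb-name>D_EJB_with_runAs_role_Z</ejb-name>
    <security-identity><run-as><role-name>runAs_role_Z</role-name></run-as></security-identity></session>
</enterprise-beans></ejb-jar>"""
WL_EJB_JAR = """<weblogic-ejb-jar>
  <weblogic-enterprise-bean><ejb-name>B_EJB_with_runAs_role_X</ejb-name>
    <run-as-principal-name>Joe</run-as-principal-name></weblogic-enterprise-bean>
  <security-role-assignment><role-name>runAs_role_Y</role-name>
    <principal-name>Harry</principal-name><principal-name>John</principal-name></security-role-assignment>
  <security-role-assignment><role-name>runAs_role_Z</role-name><externally-defined/></security-role-assignment>
  <run-as-role-assignment><role-name>runAs_role_X</role-name>
    <run-as-principal-name>Fred</run-as-principal-name></run-as-role-assignment>
</weblogic-ejb-jar>"""

def resolve_run_as(ejb_jar_xml, wl_ejb_jar_xml):
    """Return {ejb-name: (principal, how resolved)} for every bean declaring <run-as>.
    Precedence assumed from the WebLogic docs: bean-level <run-as-principal-name>,
    then <run-as-role-assignment>, then the first <principal-name> of the role's
    <security-role-assignment>; externally-defined or unmapped roles are flagged."""
    ejb, wl = ET.fromstring(ejb_jar_xml), ET.fromstring(wl_ejb_jar_xml)
    bean_override = {b.findtext("ejb-name"): b.findtext("run-as-principal-name")
                     for b in wl.iter("weblogic-enterprise-bean")}
    role_override = {r.findtext("role-name"): r.findtext("run-as-principal-name")
                     for r in wl.iter("run-as-role-assignment")}
    role_members = {s.findtext("role-name"): "EXTERNALLY-DEFINED" if s.find("externally-defined") is not None
                    else [p.text for p in s.findall("principal-name")]
                    for s in wl.iter("security-role-assignment")}
    out = {}
    for bean in ejb.iter():
        role = bean.findtext("security-identity/run-as/role-name")
        if bean.tag not in ("session", "message-driven", "entity") or role is None:
            continue
        name, members = bean.findtext("ejb-name"), role_members.get(role)
        if bean_override.get(name):
            out[name] = (bean_override[name], "run-as-principal-name on the bean")
        elif role_override.get(role):
            out[name] = (role_override[role], "run-as-role-assignment")
        elif isinstance(members, list) and members:
            out[name] = (members[0], "first principal of security-role-assignment")
        else:
            out[name] = (None, members or "UNMAPPED")  # must be resolved in the realm/console
    return out
```

Calling `resolve_run_as(EJB_JAR, WL_EJB_JAR)` reports A as Fred, B as Joe, C as Harry and D as unresolved (externally defined), so the last one is the entry to verify against the Administration Console before trusting the deployment.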




If you see this failure in logs/DefaultAuditRecorder.log after anonymous access to the WLS JNDI tree has been disabled (Subject: 0 means the lookup carried no authenticated principal):

#### Audit Record Begin Nov 30, 2010 1:42:14 PM Severity =FAILURE Event Type = Authorization Audit Event V2 Subject: 0 ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####

you can disable the internal WLS application that performs it. The async web service support logs the following message at startup; the system property it names, -Dweblogic.wsee.skip.async.response=true, turns that internal application off:

Async web service support is not fully configured. The async response web service /AsyncResponseServiceSoap12Https for this server was not fully deployed because the JMS reliability queue was not defined/deployed: weblogic.wsee.DefaultQueue. The server will periodically retry completing the deploy for the service. This message can usually be ignored unless there are async web service applications. To completely disable async web service support, thus avoiding this message, set -Dweblogic.wsee.skip.async.response=true

Internal WLS applications deployed on each server
./servers/ServerA1/tmp/_WL_internal/bea_wls_deployment_internal/voxsyv/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/webservices.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic-webservices-policy.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseService.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseService-annotation.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseServiceSoap12.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseServiceSoap12-annotation.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic-webservices.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_internal/hta2i5/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_internal/hta2i5/war/WEB-INF/weblogic.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_cluster_internal/px8ma5/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_cluster_internal/px8ma5/war/WEB-INF/weblogic.xml
