Sunday, November 28, 2010

Securing Resources Using Roles and Policies for Oracle WebLogic Server

Securing Resources Using Roles and Policies for Oracle WebLogic Server
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13747/toc.htm

Securing Enterprise JavaBeans (EJBs)

http://download.oracle.com/docs/cd/E14571_01/web.1111/e13711/ejb_client.htm#SCPRG286


externally-defined

The externally-defined element lets you explicitly indicate that you want the security roles defined by the role-name element in the weblogic-ejb-jar.xml deployment descriptors to use the mappings specified in the Administration Console. The element gives you the flexibility of not having to specify a specific security role mapping for each security role defined in the deployment descriptors for a particular Web application. Therefore, within the same security realm, deployment descriptors can be used to specify and modify security for some applications while the Administration Console can be used to specify and modify security for others.

Defined in descriptor
ejb-jar.xml entries (the role-name in security-role must match the one used in method-permission exactly; the original read "manger", which would not match "manager"):
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries:
<security-role-assignment>
  <role-name>manager</role-name>
  <principal-name>joe</principal-name>
  <principal-name>Bill</principal-name>
  <principal-name>Mary</principal-name>
  ...
</security-role-assignment>



Externally defined in Admin Console
ejb-jar.xml entries (same assembly-descriptor as above, with the role-name typo corrected):
...
<assembly-descriptor>
  <security-role>
    <role-name>manager</role-name>
  </security-role>
  <security-role>
    <role-name>east</role-name>
  </security-role>
  <method-permission>
    <role-name>manager</role-name>
    <role-name>east</role-name>
    <method>
      <ejb-name>accountsPayable</ejb-name>
      <method-name>getReceipts</method-name>
    </method>
  </method-permission>
  ...
</assembly-descriptor>
...
weblogic-ejb-jar.xml entries (no principal-name list; the role-to-principal mapping for "manager" is taken from the Administration Console):
<security-role-assignment>
  <role-name>manager</role-name>
  <externally-defined/>
  ...
</security-role-assignment>




Using a run-as role when anonymous access is forbidden
In the ejb-jar.xml file (each bean carries exactly one security-identity element, and the ejb-name values must match the ones used in weblogic-ejb-jar.xml below):
<!-- Beans "A_EJB_with_runAs_role_X" and "B_EJB_with_runAs_role_X"
     specify a security-identity run-as role-name "runAs_role_X".
     Bean "C_EJB_with_runAs_role_Y" specifies a security-identity
     run-as role-name "runAs_role_Y". -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>A_EJB_with_runAs_role_X</ejb-name>
      <home>weblogic.ejb20.SecuritySLHome</home>
      <remote>weblogic.ejb20.SecuritySL</remote>
      <local-home>weblogic.ejb20.SecurityLocalSLHome</local-home>
      <local>weblogic.ejb20.SecurityLocalSL</local>
      <ejb-class>weblogic.ejb20.SecuritySLBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>runAs_role_X</role-name>
        </run-as>
      </security-identity>
    </session>
    <session>
      <ejb-name>B_EJB_with_runAs_role_X</ejb-name>
      ...
      <security-identity>
        <run-as>
          <role-name>runAs_role_X</role-name>
        </run-as>
      </security-identity>
    </session>
    <message-driven>
      <ejb-name>C_EJB_with_runAs_role_Y</ejb-name>
      <ejb-class>weblogic.ejb20.SecuritySLBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>runAs_role_Y</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>
</ejb-jar>

In the weblogic-ejb-jar.xml file:

<weblogic-ejb-jar>
  <weblogic-enterprise-bean>
    <!-- no run-as-principal-name here: runAs_role_X is mapped through
         the run-as-role-assignment element below -->
    <ejb-name>A_EJB_with_runAs_role_X</ejb-name>
  </weblogic-enterprise-bean>
  <weblogic-enterprise-bean>
    <!-- this bean names its run-as principal directly -->
    <ejb-name>B_EJB_with_runAs_role_X</ejb-name>
    <run-as-principal-name>Joe</run-as-principal-name>
  </weblogic-enterprise-bean>
  <weblogic-enterprise-bean>
    <!-- runAs_role_Y is mapped only through the security-role-assignment -->
    <ejb-name>C_EJB_with_runAs_role_Y</ejb-name>
  </weblogic-enterprise-bean>
  <security-role-assignment>
    <role-name>runAs_role_Y</role-name>
    <principal-name>Harry</principal-name>
    <principal-name>John</principal-name>
  </security-role-assignment>
  <run-as-role-assignment>
    <role-name>runAs_role_X</role-name>
    <run-as-principal-name>Fred</run-as-principal-name>
  </run-as-role-assignment>
</weblogic-ejb-jar>
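A pre-deployment consistency check for the descriptor pairs shown in the externally-defined section and the run-as section above. This is an added example, not Oracle's or the blog's code; the two descriptors inside it are constructed, reuse the page's role and principal names, and deliberately keep the "manger"/"manager" mismatch so the check has something to report.

```python
# Added example (not Oracle's code): cross-check an ejb-jar.xml against its
# weblogic-ejb-jar.xml so role typos and missing principal mappings are caught
# before deployment. Both descriptors below are constructed sample input.
import xml.etree.ElementTree as ET

EJB_JAR = """<ejb-jar>
  <enterprise-beans><session><ejb-name>A_EJB</ejb-name>
    <security-identity><run-as><role-name>runAs_role_X</role-name></run-as></security-identity>
  </session></enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>manger</role-name></security-role>
    <security-role><role-name>east</role-name></security-role>
    <method-permission><role-name>manager</role-name><role-name>east</role-name>
      <method><ejb-name>accountsPayable</ejb-name><method-name>getReceipts</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

WL_EJB_JAR = """<weblogic-ejb-jar>
  <security-role-assignment><role-name>manager</role-name>
    <principal-name>joe</principal-name></security-role-assignment>
  <run-as-role-assignment><role-name>runAs_role_X</role-name>
    <run-as-principal-name>Fred</run-as-principal-name></run-as-role-assignment>
</weblogic-ejb-jar>"""

def _names(root, path):
    return {(e.text or "").strip() for e in root.findall(path)}

def check_descriptors(ejb_jar_xml, wl_ejb_jar_xml):
    """Return a list of findings; an empty list means the two descriptors agree."""
    ejb, wl = ET.fromstring(ejb_jar_xml), ET.fromstring(wl_ejb_jar_xml)
    declared = _names(ejb, "assembly-descriptor/security-role/role-name")
    used = _names(ejb, "assembly-descriptor/method-permission/role-name")
    run_as = _names(ejb, ".//security-identity/run-as/role-name")
    # A role counts as mapped when weblogic-ejb-jar.xml either lists principals
    # for it or hands the mapping to the Administration Console.
    mapped = {(a.findtext("role-name") or "").strip()
              for a in wl.findall("security-role-assignment")
              if a.find("principal-name") is not None
              or a.find("externally-defined") is not None}
    run_as_mapped = _names(wl, "run-as-role-assignment/role-name")
    findings = []
    for role in sorted(used - declared):
        findings.append(f"method-permission uses role '{role}' that no <security-role> declares")
    for role in sorted(declared - mapped):
        findings.append(f"role '{role}' has no security-role-assignment in weblogic-ejb-jar.xml")
    for role in sorted(run_as - mapped - run_as_mapped):
        findings.append(f"run-as role '{role}' has no principal mapping in weblogic-ejb-jar.xml")
    return findings
```

Run `check_descriptors` over the real descriptors of a jar before deploying; any finding means a role that either cannot be granted or will be resolved differently from what the assembler intended.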




If anonymous access to the WLS JNDI tree is disabled and you see this error in logs/DefaultAuditRecorder.log (an authorization FAILURE for a subject with 0 principals, i.e. an anonymous lookup):

#### Audit Record Begin Nov 30, 2010 1:42:14 PM Severity =FAILURE Event Type = Authorization Audit Event V2 Subject: 0 ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####


you can disable the internal WLS application that performs the lookup. For the async web service support, the server's own log message names the property that switches it off:
Async web service support is not fully configured. The async response web service /AsyncResponseServiceSoap12Https for this server was not fully deployed because the JMS reliability queue was not defined/deployed: weblogic.wsee.DefaultQueue. The server will periodically retry completing the deploy for the service. This message can usually be ignored unless there are async web service applications. To completely disable async web service support, thus avoiding this message, set -Dweblogic.wsee.skip.async.response=true
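To find these anonymous failures in a busy DefaultAuditRecorder.log rather than by eye, the following added example (not WebLogic's code) parses the audit record format shown above and counts FAILURE records whose subject carries no principals, grouped by resource path and action. The log excerpt inside it is constructed: the first record copies the page's record and the others are modelled on it.

```python
# Added example (not WebLogic's code): pick out anonymous authorization failures
# from DefaultAuditRecorder.log. The records below are constructed; WebLogic
# writes each record on a single line, and "Subject: 0" means the subject
# carried no principals, i.e. an anonymous caller.
import re

AUDIT_LOG = """\
#### Audit Record Begin Nov 30, 2010 1:42:14 PM Severity =FAILURE Event Type = Authorization Audit Event V2 Subject: 0 ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####
#### Audit Record Begin Nov 30, 2010 1:42:20 PM Severity =SUCCESS Event Type = Authorization Audit Event V2 Subject: 1 Principal = class weblogic.security.principal.WLSUserImpl("weblogic") ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####
#### Audit Record Begin Nov 30, 2010 1:42:31 PM Severity =FAILURE Event Type = Authorization Audit Event V2 Subject: 0 ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####
#### Audit Record Begin Nov 30, 2010 1:43:02 PM Severity =FAILURE Event Type = Authorization Audit Event V2 Subject: 1 Principal = class weblogic.security.principal.WLSUserImpl("guest") ONCEjndi type= jndi , application=, path={weblogic}, action=lookup Audit Record End ####
"""

# Fields of an authorization audit record: timestamp, severity, event type,
# number of principals in the subject, resource path and requested action.
RECORD = re.compile(
    r"Audit Record Begin (?P<when>.+?) Severity =(?P<severity>\w+) "
    r"Event Type = (?P<event>.+?) Subject: (?P<principals>\d+).*?"
    r"path=\{(?P<path>[^}]*)\}, action=(?P<action>\w+)")


def parse_records(text):
    """Parse authorization audit records into dicts; non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            rec = m.groupdict()
            rec["principals"] = int(rec["principals"])
            records.append(rec)
    return records


def anonymous_failures(text):
    """Count FAILURE records with an empty subject, keyed by (path, action)."""
    counts = {}
    for rec in parse_records(text):
        if rec["severity"] == "FAILURE" and rec["principals"] == 0:
            key = (rec["path"], rec["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for (path, action), n in sorted(anonymous_failures(AUDIT_LOG).items()):
        print(f"{n} anonymous {action} failure(s) on path {{{path}}}")
```

A failure for an authenticated principal (the last constructed record) is a different problem, a missing grant, and is deliberately left out of the anonymous count.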

Internal WLS applications deployed on each server (their descriptors live under the server's tmp/_WL_internal directory; the bea_wls9_async_response entries belong to the async web service support discussed above):
./servers/ServerA1/tmp/_WL_internal/bea_wls_deployment_internal/voxsyv/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/webservices.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic-webservices-policy.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseService.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseService-annotation.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseServiceSoap12.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/AsyncResponseServiceSoap12-annotation.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls9_async_response/39a4jn/war/WEB-INF/weblogic-webservices.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_internal/hta2i5/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_internal/hta2i5/war/WEB-INF/weblogic.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_cluster_internal/px8ma5/war/WEB-INF/web.xml
./servers/ServerA1/tmp/_WL_internal/bea_wls_cluster_internal/px8ma5/war/WEB-INF/weblogic.xml

Comments:

  1. Oracle Fusion HCM Training from ERPTREE gives you the best results to learn your dream course and maintains sufficient knowledge on Oracle. It provides training by self-paced videos which are very helpful for the users to watch at any time according to their schedule. It is globally accepted and has many users undergoing training every day.


  2. Simply wish to say your article is astonishing. The clarity in your post is simply great, and I could assume you are an expert on this subject. Same as your blog, I found another one on Oracle WebLogic. Actually I was looking for the same information on the internet for Oracle WebLogic and came across your blog. I am impressed by the information that you have on this blog. Thanks a million and please keep up the gratifying work.

  3. I feel really happy to have seen your webpage and look forward to so many more entertaining times reading here. Same as your blog, I found another one on Oracle Fusion HCM. Actually I was looking for the same information on the internet for Oracle Fusion HCM and came across your blog. I am impressed by the information that you have on this blog. Thanks once more for all the details.
