You can manage security data and supported security providers for your domain in the Security Data tree perspective.
You must be logged in as a user with the Admin role and have the WebLogic Remote Console extension installed to access this perspective. See Install the WebLogic Remote Console for instructions.
Any changes you make within the Security Data perspective are immediate - you don’t need to commit or restart the server to apply your changes.
You can easily manage the WebLogic Server users and groups that are configured as part of the default authentication provider (WebLogic Authentication Provider) within a security realm. Only the default authentication provider is supported. If you’re not using the default authentication provider, you’ll need to manage its users and groups through its own external tools.
Deleting a group will not delete the users within that group.
Use security policies to manage who can access a resource in a WebLogic Server domain.
A resource is an entity (such as a Web Service or a server instance) or an action (such as a method in a Web Service or the act of shutting down a server instance). For a list of resource types, see Resource Types You Can Secure with Policies.
A security policy specifies which users, groups, or roles can access the resource according to a set of conditions. Whenever possible, you should use security roles to determine access control. A security role, like a security group, grants an identity to a user. Unlike a group, however, membership in a role can be based on a set of conditions that are evaluated at runtime.
For most types of WebLogic resources, you can use the WebLogic Remote Console to define the security policies and roles that restrict access. However, for Web application and EJB resources, you can also use deployment descriptors.
The general process to secure a WebLogic resource is:
For more information, see Securing Resources Using Roles and Policies for Oracle WebLogic Server.
A security role is an identity granted to users or groups based on specific conditions. Multiple users or groups can be granted the same security role and a user or group can be in more than one security role. Security roles are used by policies to determine who can access a WebLogic resource.
WebLogic Server provides a default set of roles that you can use with any policy (global roles). You can create your own global roles or create roles that can be used by policies only for a specific resource (scoped roles). For example, you can place all of your system administrators in WebLogic Server’s Admin role. You can then create a scoped role for a specific EJB that contains highly sensitive business logic. When you create a policy for the EJB, you can specify that only the scoped role can access the EJB.
If two roles conflict, the role of a narrower scope overrides the role of the broader scope. For example, a scoped role for an EJB resource overrides a global role or a scoped role for the enterprise application that contains the EJB.
Security roles are created within a security realm, and the roles can be used only when the realm is active.
For more information, see Overview of Security Roles.
Before creating a new global security role, review the Global Security Roles in Securing Resources Using Roles and Policies for Oracle WebLogic Server to assess if an existing role is sufficient for your needs.
After the role is created, you can build a policy that uses conditions to determine which users or groups it encompasses. We recommend that whenever possible you use the Group condition which grants the security role to all members of the specified group. See Edit a policy for more details on how you can edit conditions.
For a description of conditions in the Predicate List, see Security Role Conditions
Scoped roles can only be used with policies that apply to specific resources.
After the role is created, you can build a policy that uses conditions to determine which users or groups it encompasses. We recommend that whenever possible you use the Group condition which grants the security role to all members of a specified group. See Edit a policy for more details on how you can edit conditions.
For a description of conditions in the Predicate List, see Security Role Conditions
A security policy specifies the conditions that users, groups, or roles must meet to access a resource. Policies must have one or more conditions and you can combine conditions to create complex policies for more dynamic access control.
Root level policies apply to all instances of a specific resource type, for example, all JMS resources in your domain. All default security policies are root level policies.
You can also create policies that only apply to a specific resource instance. If the instance contains other resources, the policy will apply to the included resource as well. For example, you can create a policy for an entire JMS system resource, or for a particular queue or topic within that resource.
The policy of a narrower scope overrides policy of a broader scope. For example, if you create a security policy for a JMS system resource and a policy for a JMS queue within that system resource, the JMS queue will be protected by its own policy and will ignore the policy for the system resource.
For more information, see Security Policies in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
It’s recommended that you use the Role condition where possible. Basing conditions on security roles lets you create one security policy that takes into account multiple users or groups, and is a more efficient method of management.
See Security Policy Conditions in Securing Resources Using Roles and Policies for Oracle WebLogic Server to learn more.
You can create a security policy that only applies to a specific resource instance. If the instance contains other resources, the policy will apply to the included resources as well.
You can add more conditions to the policy to increase its complexity.
You can edit a policy by modifying a condition’s arguments or by modifying the relationships between conditions in the policy.
Conditions have three different types of relationships: AND, OR, and Combination.
By default, a new condition is added as a simple condition at the top of the list of conditions. To insert a new condition elsewhere, select an existing condition and then click Add Condition. You’ll get a dropdown list with options to add the new condition either above or below the selected condition. The order of conditions is not meaningful to how the policy is interpreted.
A policy can contain multiple simple or compound conditions or a mix of simple and compound conditions. You can also nest compound conditions.
Why should you use compound conditions? Consider this scenario: a resource exists where you want Administrators to always have access, but Deployers to only have access between 9 am and 5 pm. The following policy would address both requirements.
Condition 1 (simple): Role: Admin
Condition 2 (compound): Role: Deployer AND access occurs between 09:00:00 and 17:00:00 GMT -7:00
Use the actions on the Policy page to edit a policy.
Action | Description |
---|---|
Add Condition | Adds a new condition to the policy. You can choose to add the new condition above or below another condition. |
Combine | When multiple conditions are selected, you can combine them to create a compound condition. |
Uncombine | When a compound condition is selected, you can break it into independent conditions. |
Remove | Deletes a simple or compound condition from the policy. When there are no conditions in a policy, the default policy will apply. |
Negate | Reverses the meaning of a condition. The criteria to access a resource becomes the opposite of the original condition. |
Reset | Reverts the policy to its last saved change, not the last change. It’s recommended that you save your policy frequently or you may unintentionally lose several changes using the Reset action. |
You can also edit a policy from its Advanced tab where the policy is expressed as string. Any changes made to a policy in the Advanced tab are reflected in the main Policy tab, and vice versa.
Before you delete a policy, make sure that the default security policy for the resource instance will provide adequate access control.
A Credential Mapping provider lets WebLogic Server map a WebLogic resource to a set of credentials in an external system so that the WebLogic resource can log into that external system on behalf of a subject that has already been authenticated. You can map multiple WebLogic resources (of the same type) to the same external system (and even to the same subject within that system).
You can manage the credential mappings for the default credential mapper provider (WebLogic Credential Mapping Provider) within a security realm. Only the default credential mapping provider is supported.
The general process for mapping credentials remains the same across WebLogic resources:
You can create credential mappings for the following WebLogic resources:
The first time you add a reference to an EJB component, you’ll also create a credential mapping for that EJB component.
A reference to the EJB component is added under the EJBs node. The name of the EJB component is generated by the properties of the application and those you set when adding the EJB component.
For information on how to manage the credential mappings, see Credential Mappings.
You cannot delete a reference to an EJB component with multiple credential mappings. To delete an EJB component reference, you must delete all of the credential mappings first - which will then delete the EJB component reference automatically - or delete all but one of the credential mappings and then follow these steps:
You can only add credential mappings for JDBC applications, not manage the JDBC applications themselves.
For information on how to manage the credential mappings, see Credential Mappings.
The first time you add a reference to a JDBC module, you’ll also create a credential mapping for that JDBC module.
For information on how to manage the credential mappings, see Credential Mappings.
You cannot delete a reference to a JDBC module with multiple credential mappings. To delete a JDBC module reference, you must delete all of the credential mappings first - which will then delete the JDBC module reference automatically - or delete all but one of the credential mappings and then follow these steps:
The first time you add a reference to a resource adapter, you’ll also create a credential mapping for that resource adapter.
A reference to a resource adapter is added under the Remote Adapters node. The name of the resource adapter is generated by combining its property values.
For information on how to manage the credential mappings, see Credential Mappings.
You cannot delete a reference to a resource adapter with multiple credential mappings. To delete a resource adapter reference, you must delete all of the credential mappings first - which will then delete the resource adapter reference automatically - or delete all but one of the credential mappings and then follow these steps:
You can only add credential mappings for data sources, not manage the data sources themselves. You can manage data sources in the Edit tree perspective.
For information on how to manage the credential mappings, see Credential Mappings.
The first time you add a reference to a remote resource, you’ll also create a credential mapping for that remote resource.
If you add a remote resource with the cross-domain protocol enabled, it will create a WebLogic Server user named cross-domain. Only the cross-domain user can be used to create credential mappings. While the WebLogic Remote Console will let you add other WebLogic Server users and credential mappings within the remote resource, the mappings will not work and will not provide access to the remote resource.
A reference to a remote resource is added under the remote resources node. The name of the remote resource is generated by combining its property values.
For information on how to manage the credential mappings, see Credential Mappings.
You cannot delete a reference to a remote resource with multiple credential mappings. To delete a remote resource reference, you must delete all of the credential mappings first - which will then delete the remote resource reference automatically - or delete all but one of the credential mappings and then follow these steps:
You can add a new credential mapping to associate another WebLogic resource to a remote user.
The credential mappings and credentials for each WebLogic resource appear under the resource’s node.
You can edit a credential mapping to associate a WebLogic user for a WebLogic resource to a different remote user. The WebLogic Remote Console must already be aware of the remote user before you can remap the WebLogic Server user. If you want to remap the WebLogic resource to a new remote user, you must first add it to the WebLogic Remote Console.
When you delete a credential mapping, the remote user that the WebLogic resource was previously associated with is also deleted if it was the only credential mapping using that remote user.
After you have added the first set of credentials for a remote system to a WebLogic resource, you can add more users from that remote system.
You can now map a WebLogic user for the WebLogic resource to the new set of credentials.
If the password of the remote user changes, you’ll need to update it in the WebLogic Remote Console or the mapping will break and prevent the WebLogic resource from logging into the remote system.
Each WebLogic resource has its own set of credentials Removing a credential from the WebLogic Remote Console will not affect the user in the remote system.
You cannot delete a credential that currently has a WebLogic resource mapped to it.