Moving to Production

This tutorial describes how to create the users, groups, and global security roles that are required by the MedRec application.

After you finish this tutorial, you will be able to log in to all three MedRec Web applications as the appropriate type of user (administrator, patient, or physician) and start using the application.

Prerequisites

Procedure

To create the required users, groups, and security roles using the Administration Console:

Step 1: Specify security realm settings.

With MedRecServer running, open the Administration Console by navigating in a browser to:

http://host:7101/console

where host refers to the computer on which MedRecServer is running. If your browser is on the same computer as MedRecServer, you can use the URL http://localhost:7101/console.

Specify weblogic for both the username and password and click Log In.
If you have not already done so, click Lock & Edit, located in the upper left Change Center window of the Administration Console.
In the middle left-hand pane called Domain Structure, click MedRecDomainSecurity Realms.
In the Realms table in the right pane, click myrealm.
Select the ConfigurationGeneral tab.
Click the Advanced link.
From the Check Roles and Policies drop-down menu, select All Web Applications and EJBs.

This setting means that the WebLogic Security Service will perform security checks on all URL (Web) and EJB resources. For more information, see Understanding How to Check Security Roles and Security Policies in Securing WebLogic Resources.

In the When Deploying Web Applications or EJBs drop-down menu, select Ignore Roles and Policies From DD.

This setting indicates that you will set security for Web Application and EJB resources in the Administration Console, not in deployment descriptors. For more information, see Understanding the On Future Redeploys Setting in Securing WebLogic Resources.

Click Save.
In the Change Center, click Activate Changes to update the MedRec server configuration.
Restart MedRecServer. (See Starting and Stopping Servers: Quick Reference in Managing Server Startup and Shutdown.)

Step 2: Create groups.

In the left Domain Structure pane of the Administration Console, click MedRecDomainSecurity Realms.
In the Realms table in the right pane, click myrealm.
Select the Users and GroupsGroups tab.

The Groups table displays all groups currently defined in the WebLogic Authentication provider's database.

Click New.
In the Name field, enter MedRecAdmins.
In the Description field, enter MedRecAdmins can log on to the MedRec Administrators Web site.
In the Provider drop-down list, select DefaultAuthenticator (default value).
Click OK.
Repeat steps 4 - 8 to create a group named MedRecPatients, with a description of MedRecPatients can log on to the MedRec Patients Web site, and DefaultAuthenticator provider.
Repeat steps 4- 8 to create a group named MedRecPhysicians, with a description of MedRecPhysicians can log on to the MedRec Physician Web site, and DefaultAuthenticator provider.
In the Groups table, confirm that the three groups have been added.

Step 3: Create users and add the users to groups.

In the left Domain Structure pane of the Administration Console, click MedRecDomainSecurity Realms.
In the Realms table in the right pane, click myrealm.
Select the Users and GroupsUsers tab.

The Users table displays all users currently defined in the WebLogic Authentication provider’s database.

Click New.
In the Name field, enter admin@avitek.com.
In the Description field, enter MedRec administrator.
In the Provider drop-down list, select DefaultAuthenticator (default value).
In the Password and Confirm Password fields, enter weblogic.
Click OK to save your changes.
In the Users table, click admin@avitek.com.
Select the Groups tab.
In the Available choice box, highlight the MedRecAdmins group.
Click the highlighted arrow to move the MedRecAdmins group from the Available to the Chosen choice box.
Click Save.
Repeat steps 1 - 14 to create a user named mary@md.com, a MedRec physician who also uses the weblogic password and the DefaultAuthenticator provider, and belongs in the MedRecPhysicians group.
Repeat steps 1 - 14 to create a user named larry@bball.com, a MedRec patient who also uses the weblogic password and the DefaultAuthenticator provider, and belongs in the MedRecPatients group.
Repeat steps 1 - 14 to create a user named medrec_webservice_user, a MedRec Web Service User who also uses the weblogic password and the DefaultAuthenticator provider, and belongs in the MedRecPhysicians group.
Repeat steps 1 - 3 to navigate to the Users table of the myrealm security realm to confirm that the three users have been added.

Step 4: Create global roles and grant the global roles to the groups.

In the left Domain Structure pane of the Administration Console, click MedRecDomainSecurity Realms.
In the Realms table in the right pane, click myrealm.
Select the Roles and PoliciesRealm Roles tab.

The Roles table displays all global and scoped roles currently defined in the WebLogic Role Mapping provider's database.

In the Roles table, expand Global Roles and click Roles.

The Global Roles table displays all global roles currently defined in the WebLogic Role Mapping provider's database.

Click New.
In the Name field, enter MedRecAdmin.

Leave the Provider Name field to the default value: XACMLRoleMapper.

Click OK.
In the Global Roles table, click MedRecAdmin.
In the Global Role Conditions page, click Add Conditions.
In the Choose a Predicate page, select Group for the Predicate List.
Click Next.
In the Group Argument Name field, enter MedRecAdmins.
Click Add.
Click Finish.

The Role Conditions table includes the following entry:

Group MedRecAdmins

Click Save.
Repeat steps 1 - 15 to create a global role named MedRecPatient and to grant this global role to the MedRecPatients group.
Repeat steps 1 - 15 to create a global role named MedRecPhysician and to grant this global role to the MedRecPhysicians group.
Repeat steps 1 - 4 to view the Global Roles table and confirm that the three new global roles have been added.

Step 5: Log in to and use the MedRec applications.

Now that you have created all the required users, groups, and roles, you can actually log in to the various MedRec Web applications and start using them. First navigate to the following start page in a browser:

In the preceding URL, host refers to the computer that hosts MedRecServer. If your browser is on the same computer as MedRecServer, you can use localhost; for example: http://localhost:7101/start.jsp.

The main MedRec application page appears. Click on the links to log in in to the different Web applications, using the following username/passwords:

Best Practices

The security realm settings are extremely important. If you want to secure URL (Web) resources using the WebLogic Server Administration Console rather than deployment descriptors, you must use the Check Roles and Policies/On Future Redeploys combination specified in Step 1: Specify security realm settings.
If you have deployed an application (or module) with the On Future Redeploys drop-down menu set to Ignore Roles and Policies From DD one or more times before setting it to Initialize Roles and Policies From DD, you can still set security policies and security roles using the Administration Console. These changes will override any security specified in deployment descriptors.
Do not use blank spaces, commas, hyphens, or any characters in this comma-separated list for user, group, or security role names: \t, < >, #, |, &, ~, ?, ( ), { }. User, group, and security role names are case sensitive. The proper syntax for a security role name is as defined for an Nmtoken in the Extensible Markup Language (XML) recommendation. The BEA convention is that group names are plural, and security role names are singular.
BEA recommends assigning users to groups, then creating role statements using the Group role condition. Individual users could also be granted a security role, but this is a less typical practice.
BEA recommends using security roles (rather than users or groups) to secure WebLogic resources. Following this process makes it more efficient for administrators who work with large numbers of users.

The Big Picture

The MedRec application has been coded such that only certain roles are allowed to access certain modules, in particular login to Web Applications such as patient, physician, and admin. This tutorial showed you first how to create groups to represent patients, administrators, and physicians, then how to create individual users and assign them to a particular group, and finally, how to map a group to a role. Once this security configuration is in place, you can log in to the applications using the appropriate user.

You might have noticed, however, that in Step 3: Create users and add the users to groups., you did not create an actual patient user. This is because patients, along with their personal information, are stored in the PointBase database and are authenticated using a Custom DBMS Authenticator. The database also stores the group to which the user is assigned. You must, however, use the Administration Console to create the MedRecPatients group and the MedRecPatient role, and then map the group to the role.

The next tutorials show how to secure specific resources, such as Web applications and EJBs.

Avitek Medical Records Development Tutorials