Programming WebLogic Security

Using Java Security to Protect WebLogic Resources

This section discusses the following topics:

Using J2EE Security to Protect WebLogic Resources

WebLogic Server supports the use of J2EE security to protect URL (Web), Enterprise JavaBeans (EJBs), and Connector components. In addition, WebLogic Server extends the connector model of specifying additional security policies in the deployment descriptor to the URL and EJB components.

Note: J2EE has requirements for Java 2 security default permissions for different application types (see the J2EE 1.4 specification) as does the J2EE Connector Architecture specification. These specifications are available at http://java.sun.com/j2ee/download.html#platformspec.

The connector specification provides for deployment descriptors to specify additional security policies using the <security-permission> tag (see Listing 8-1):

Listing 8-1 Security-Permission Tag Sample

<security-permission>
<description> Optional explanation goes here </description>
<security-permission-spec>
<!—
A single grant statement following the syntax of http://java.sun.com/j2se/1.4.2/docs/guide/security/PolicyFiles.html#FileSyntax without the "codebase" and "signedBy" clauses goes here. For example:
-->
grant {
permission java.net.SocketPermission "*", "resolve";
};
</security-permission-spec>
</security-permission>

Besides support of the <security-permission> tag in the rar.xml file, WebLogic Server adds the <security-permission> tag to the weblogic.xml and weblogic-ejb-jar.xml files. This extends the connector model to the two other application types, Web applications and EJBs, provides a uniform interface to security policies across all component types, and anticipates future J2EE specification changes.

Using the Java Security Manager to Protect WebLogic Resources

The Java Security Manager can be used with WebLogic Server to provide additional protection for resources running in a Java Virtual Machine (JVM). Using a Java Security Manager is an optional security step. The following sections describe how to use the Java Security Manager with WebLogic Server:

For more information on Java Security Manager, see the Java Security Web page at http://java.sun.com/j2se/1.5.0/docs/guide/security/index.html.

Setting Up the Java Security Manager

When you run WebLogic Server under Java 2 (SDK 1.2 or later), WebLogic Server can use the Java Security Manager in Java 2, which prevents untrusted code from performing actions that are restricted by the Java security policy file.

The JVM has security mechanisms built into it that allow you to define restrictions to code through a Java security policy file. The Java Security Manager uses the Java security policy file to enforce a set of permissions granted to classes. The permissions allow specified classes running in that instance of the JVM to permit or not permit certain runtime operations. In many cases, where the threat model does not include malicious code being run in the JVM, the Java Security Manager is unnecessary. However, when untrusted third-parties use WebLogic Server and untrusted classes are being run, the Java Security Manager may be useful.

To use the Java Security Manager with WebLogic Server, specify the -Djava.security.policy and -Djava.security.manager arguments when starting WebLogic Server. The -Djava.security.policy argument specifies a filename (using a relative or fully-qualified pathname) that contains Java 2 security policies.

WebLogic Server provides a sample Java security policy file, which you can edit and use. The file is located at WL_HOME\server\lib\weblogic.policy.

If you enable the Java Security Manager but do not specify a security policy file, the Java Security Manager uses the default security policies defined in the java.policy file in the $JAVA_HOME\jre\lib\security directory.

Define security policies for the Java Security Manager in one of the following ways:

Modifying the weblogic.policy file for General Use

To use the Java Security Manager security policy file with your WebLogic Server deployment, you must specify the location of the weblogic.policy file to the Java Security Manager when you start WebLogic Server. To do this, you set the following arguments on the Java command line you use to start the server:

java.security.manager tells the JVM to use a Java security policy file.
java.security.policy tells the JVM the location of the Java security policy file to use. The argument is the fully qualified name of the Java security policy, which in this case is weblogic.policy.

For example:

java...-Djava.security.manager \
   -Djava.security.policy==c:\weblogic\weblogic.policy

Note: Be sure to use == instead of = when specifying the java.security.policy argument so that only the weblogic.policy file is used by the Java Security Manager. The == causes the weblogic.policy file to override any default security policy. A single equal sign (=) causes the weblogic.policy file to be appended to an existing security policy.

If you have extra directories in your CLASSPATH or if you are deploying applications in extra directories, add specific permissions for those directories to your weblogic.policy file.

BEA recommends taking the following precautions when using the weblogic.policy file:

Make a backup copy of the weblogic.policy file and put the backup copy in a secure location.
Set the permissions on the weblogic.policy file via the operating system such that the administrator of the WebLogic Server deployment has write and read privileges and no other users have access to the file.

Caution: The Java Security Manager is partially disabled during the booting of Administration and Managed Servers. During the boot sequence, the current Java Security Manager is disabled and replaced with a variation of the Java Security Manager that has the checkRead() method disabled. While disabling this method greatly improves the performance of the boot sequence, it also minimally diminishes security. The startup classes for WebLogic Server are run with this partially disabled Java Security Manager and therefore the classes need to be carefully scrutinized for security considerations involving the reading of files.

For more information about the Java Security Manager, see the Javadoc for the java.lang.SecurityManager class.

Setting Application-Type Security Policies

Set default security policies for Servlets, EJBs, and J2EE Connector Resource Adapters in the Java security policy file. The default security policies for Servlets, EJBs, and Resource Adapters are defined in the Java security policy file under the following codebases:

Servlets—"file:/weblogic/application/defaults/Web"
EJBs—"file:/weblogic/application/defaults/EJB"
Resource Adapters—"file:/weblogic/application/defaults/Connector"

Note: These security policies apply to all Servlets, EJBs, and Resource Adapters deployed in the particular instance of WebLogic Server.

Setting Application-Specific Security Policies

Set security policies for a specific Servlet, EJB, or Resource Adapter by adding security policies to their deployment descriptors. Deployment descriptors are defined in the following files:

Servlets—weblogic.xml
EJBs—weblogic-ejb-jar.xml
Resource Adapters—rar.xml

Note: The security policies for Resource Adapters follow the J2EE standard while the security policies for Servlets and EJBs follow the WebLogic Server extension to the J2EE standard.

Listing 8-2 shows the syntax for adding a security policy to a deployment descriptor:

Listing 8-2 Security Policy Syntax

<security-permission>
 <description>
  Allow getting the J2EEJ2SETest4 property
 </description>
 <security-permission-spec>
  grant {
    permission java.util.PropertyPermission "welcome.J2EEJ2SETest4","read";
  };
 </security-permission-spec>
</security-permission>

Note: The <security-permission-spec> tag cannot currently be added to a weblogic-application.xml file, you are limited to using this tag within a weblogic-ejb-jar.xml, rar.xml, or weblogic.xml file. Also, variables are not supported in the <security-permission-spec> attribute.

Using the Recording Security Manager Utility

The Recording Security Manager utility can be used to detect permission problems that occur when starting and running WebLogic Server. The utility outputs permissions that can be added to your Java security policy file to resolve the permission problems that the utility finds. The Recording Security Manager is available at the BEA dev2dev Online.

Using the Java Authorization Contract for Containers

The Java Authorization Contract for Containers (JACC) is part of J2EE 1.4. JACC extends the Java 2 permission-based security model to EJBs and Servlets. JACC is defined by JSR-115.

JACC provides an alternate authorization mechanism for the EJB and Servlet containers in a WebLogic Server domain. As shown in Table 8-1, when JACC is configured, the WebLogic Security framework access decisions, adjudication, and role mapping functions are not used for EJB and Servlet authorization decisions.

WebLogic Server implements a JACC provider which, although fully compliant with JSR-115, is not as optimized as the WebLogic Authorization provider. The Java JACC classes are used for rendering access decisions. Because JSR-115 does not define how to address role mapping, WebLogic JACC classes are used for role-to-principal mapping. See http://java.sun.com/j2ee/javaacc for information on developing a JACC provider.

Note: The JACC classes used by WebLogic Server do not include an implementation of a Policy object for rendering decisions but instead rely on the java.security.Policy object.

This section discusses the following topics:

Table 8-1 shows which providers are used for role mapping when JACC is enabled.

Table 8-1 When JACC is Enabled

	Provider used for EJB/Servlet Authorization and Role Mapping	Provider used for all other Authorization and Role Mapping	EJB/Servlet Roles and Policies Can be Viewed and Modified by the Administration Console
JACC is enabled	JACC provider	WebLogic Security Framework providers	No
JACC is not enabled	WebLogic Security Framework providers	WebLogic Security Framework providers	Yes, depending on settings

Note: In a domain, either enable JACC on all servers or on none. The reason is that JACC is server-specific while the WebLogic Security Framework is realm/domain specific. If you enable JACC, either by using the WebLogic JACC provider or (recommended) by creating your own JACC provider, you are responsible for keeping EJB and Servlet authorization policies synchronized across the domain. For example, applications are redeployed each time a server boots. If a server configured for JACC reboots without specifying the JACC options on the command line, the server will use the default WebLogic Authorization provider for EJB and Servlet role mapping and authorization decisions.

Comparing the WebLogic JACC Provider with the WebLogic Authentication Provider

The WebLogic JACC provider fully complies with JSR-115; however, it does not support dynamic role mapping, nor does it address authorization decisions for resources other than EJBs and Servlets. For better performance, and for more flexibility regarding security features, BEA recommends using SSPI-based providers.

Table 8-2 compares the features provided by the WebLogic JACC provider with those of the WebLogic Authorization provider.

Table 8-2 Comparing the WebLogic JACC Provider with the WebLogic Authorization Provider

WebLogic JACC Provider	WebLogic Authorization Provider
Implements the JACC specification (JSR-115)	Value-added security framework
Addresses only EJB and Servlet deployment/authorization decisions	Addresses deployment/authorization decisions
Uses the `java.security.Policy` object to render decisions	Allows for multiple authorization/role providers
Static role mapping at deployment time	Dynamic role mapping
J2SE permissions control access	Entitlements engine controls access
Role and role-to-principal mappings are modifiable only through deployment descriptors	Roles and role-to-principal mappings are modifiable through deployment descriptors and the Administration Console

Enabling the WebLogic JACC Provider

To enable the WebLogic JACC Provider from the command line, you must specify the following system property/value pairs:

Property: java.security.manager Value:No value required.
Property: java.security.policy Value:A valid weblogic.policy file, specified using either a relative or an absolute pathname
Property: javax.security.jacc.PolicyConfigurationFactory Value: weblogic.security.jacc.PolicyConfigurationFactoryImpl
Property: javax.security.jacc.PolicyConfigurationFactoryValue: weblogic.security.jacc.PolicyConfigurationFactoryImpl
Property: javax.security.jacc.policy.providerValue: weblogic.security.jacc.simpleprovider.SimpleJACCPolicy
Property: weblogic.security.jacc.RoleMapperFactory.providerValue: weblogic.security.jacc.simpleprovider.RoleMapperFactoryImpl

For example, assuming a properly configured weblogic.policy file, the following command line will enable the WebLogic JACC provider:

# ./startWebLogic.sh -Djava.security.manager\ -Djava.security.policy=<pathname>/weblogic.policy \ -Djavax.security.jacc.policy.provider=\ weblogic.security.jacc.simpleprovider.SimpleJACCPolicy \ -Djavax.security.jacc.PolicyConfigurationFactory.provider=\ weblogic.security.jacc.simpleprovider.PolicyConfigurationFactoryImpl \ -Dweblogic.security.jacc.RoleMapperFactory.provider=\ weblogic.security.jacc.simpleprovider.RoleMapperFactoryImpl

Note: Use -Djava.security.policy==<pathname>/weblogic.security if you want to override any default security policy. A single equal sign (=) causes the weblogic.policy file to be appended to an existing security policy.