Security Considerations With Liquid Data Controls

This section describes security considerations to be aware of when developing applications using Liquid Data controls. The following sections are included:

Security Credentials Used to Create Liquid Data Control

The WebLogic Workshop Application Properties (Tools > Application Properties) allow you to set the connection information to connect to the domain in which you are running. You can either use the connection information specified in the domain boot.properties file or override that information with a specified username and password.

When you create a Liquid Data Control (.jcx) file and are connecting to a local Liquid Data server (Liquid Data on the same domain as Workshop), the user specified in the Application Properties is used to connect to the Liquid Data server. When you create a Liquid Data Control and are connecting to a remote Liquid Data server (Liquid Data on a different domain from Workshop), you specify the connection information in the Liquid Data Control Wizard Connection information dialog (see Figure 1-5).

When you create a Liquid Data Control, the Control Wizard displays all queries to which the specified user has access privileges. The access privileges are defined by any security policies set on the queries, either directly or indirectly.

Note: The security credentials specified through the Application Properties or through the Liquid Data Control Wizard are only used for creating the Liquid Data Control (.jcx) file, not for testing queries through the control. To test a query through the control, you must get the user credentials either through the application (from a login page, for example) or by using the run-as property in the Web Service file.

Testing Controls With the Run-As Property in the JWS File

For testing, you can use the run-as property to test a control running as a specified user. To set the run-as property in a Web Service, open the Web Service and enter a user for the run-as property in the WebLogic Workshop property editor. Queries run through a Liquid Data Control used by the Web Service

When a query is run from an application, the application must have a mechanism for getting the security credential. The credential can come from a login screen, it can be hard-coded in the application, or it can be embedded in a J2EE component (for example, using the run-as property in a .jws Web Service file).

Note: The Liquid Data Control property editor shows a run-as property, but the run-as property in the Liquid Data Control does not cause the Liquid Data Control to run as the specified user. If you want to use this feature, you must specify the run-as property in the .jws file, not in the .jcx file.

Trusted Domains

If the Liquid Data server is on a different domain from WebLogic Workshop, then both domains must be set up as trusted domains. This is true even if security is not enabled on Liquid Data.

Domains are considered trusted domains if they share the same security credentials. With trusted domains, a user that exists on one domain need not be authenticated on the other domain (as long as the user exists on both domains).

Note: After configuring domains as trusted, you must restart the domains before the trusted configuration takes effect.

To Configure Trusted Domains

Perform the following steps to configure domains as trusted:

  1. Log into the WebLogic Administration Console as an administrator.
  2. Click the node corresponding to your domain.
  3. At the bottom of the General tab for the domain configuration, click the link labeled "View Domain-wide Security Links."
  4. Click the Advanced tab.

Figure 1-20 Setting up Trusted Domains

  5. Uncheck the Enable Generated Credential box, enter and confirm a credential (usually a password), and click Apply.
  6. Repeat this procedure for all of the domains you want to set up as trusted. The credential must be the same on each domain.

For more details on WebLogic security, see Configuring Security for a WebLogic Domain in the WebLogic Server documentation.