
Configuring Security in Web Applications

Secure access to the WebLogic Platform Tour is provided by WebLogic Server security realm user authentication.

To provide secure access to a Web application using user authentication, update the web.xml and weblogic.xml deployment descriptors as described in this section.

Deployment descriptors are XML documents that describe the contents of an application directory or JAR file. The J2EE specification defines standard, portable deployment descriptors for J2EE components and applications, such as web.xml. BEA defines additional WebLogic-specific deployment descriptors, such as weblogic.xml, for deploying a component or application in a WebLogic Server environment.

In a WebLogic Server environment, the deployment descriptors are located in the WEB-INF directory of the Web application root directory, as required by the J2EE specification. The WEB-INF directory also contains two subdirectories for storing compiled Java classes and library JAR files. Note that the root directory of the Web application hierarchy defines the document root. All files under this root directory (except files in the WEB-INF directory) can be served to the client.

Security constraints, such as user authentication, are defined in the web.xml file.

For example, suppose you wanted to define security constraints for the e2ePortal application. Open the web.xml file for the e2ePortal application in WebLogic Workshop, as follows:

  1. In the e2ePortal/e2ePortalProject folder, expand the WEB-INF directory in the Applications window.
  2. Double-click the web.xml file, located in the WEB-INF directory.
  3. This file defines the security constraint information as follows:

<!-- Security -->
<security-constraint>
	<web-resource-collection>
		<web-resource-name>login</web-resource-name>
		<url-pattern>/Controller.jpf</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>employee</role-name>
		<role-name>manager</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>
<security-constraint>
	<web-resource-collection>
		<web-resource-name>employee</web-resource-name>
		<url-pattern>/Employee.portal</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>employee</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>
<security-constraint>
	<web-resource-collection>
		<web-resource-name>manager</web-resource-name>
		<url-pattern>/Manager.portal</url-pattern>
	</web-resource-collection>
	<auth-constraint>
		<role-name>manager</role-name>
	</auth-constraint>
	<user-data-constraint>
		<transport-guarantee>NONE</transport-guarantee>
	</user-data-constraint>
</security-constraint>
<login-config>
	<auth-method>FORM</auth-method>
	<form-login-config>
		<form-login-page>/login/loginRedirect.jsp</form-login-page>
		<form-error-page>/login/login_error.jsp</form-error-page>
	</form-login-config>
</login-config>
<security-role>
	<role-name>employee</role-name>
</security-role>
<security-role>
	<role-name>manager</role-name>
</security-role>
<security-role>
	<description>Administrator</description>
	<role-name>Admin</role-name>
</security-role>
<security-role>
	<description>all users</description>
	<role-name>AnonymousRole</role-name>
</security-role>

The following list describes the XML elements in the previous code excerpt. Each element is followed by the function it performs.

<login-config>

Enables form-based authentication and specifies:

  • /login/loginRedirect.jsp as the JSP page containing the authentication form
  • /login/login_error.jsp as the JSP page to return in the event of an error

The login.jsp file that is initially displayed in the Log In portlet generates an input form for obtaining user login information. It defines the action as follows:

<%-- Encode the container's form-login action URL so session tracking works without cookies --%>
<% String formActionURL = response.encodeURL("j_security_check"); %>
<%-- The expression tag (<%= ... %>) writes the encoded URL into the form action --%>
<form method="post" action="<%= formActionURL %>">

As a result, the login information is passed to j_security_check for authentication.

<security-constraint>

Specifies the following security details:

  • The Web application component (url-pattern) to which the security constraint applies. In the first constraint this is /Controller.jpf, the first page that is called when you invoke the Web application in a browser.
  • User roles that have security access, such as employee and manager.
  • No transport guarantees are required for communications between client and server.

<security-role>

Specifies valid security roles. At deployment time, security role mappings are obtained from the weblogic.xml file. (This file is configured using the WebLogic Server Administration Console.)
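The cross-check between the two descriptors is easy to get wrong by hand: a role can be referenced in an auth-constraint without being declared, a declared role can be left without a principal mapping, and a url-pattern can miss resources that the document-root rule above then serves to anyone. The following Python script is an added example, not code from the Platform Tour or from BEA. It rebuilds the three constraints from the web.xml excerpt above, parses a constructed weblogic.xml fragment (security-role-assignment is the element weblogic.xml uses to map a role to principals; the group names employees and managers are assumed, and Admin and AnonymousRole are deliberately left unmapped), and reports what a reviewer would check. It also accepts transport-guarantee CONFIDENTIAL, the setting that requires SSL for the constrained resources; with NONE, as in the excerpt, the credentials that login.jsp posts to j_security_check are not required to travel over SSL.

```python
"""Audit web.xml security constraints against weblogic.xml role mappings.
Added example; web.xml content rebuilt from the page's excerpt, weblogic.xml
fragment and group names constructed (assumed) for illustration."""
import xml.etree.ElementTree as ET


def constraint_xml(name, pattern, roles, transport="NONE"):
    """Build one <security-constraint> with the shape used in the page's web.xml."""
    role_xml = "".join(f"<role-name>{r}</role-name>" for r in roles)
    return (f"<security-constraint><web-resource-collection><web-resource-name>{name}</web-resource-name>"
            f"<url-pattern>{pattern}</url-pattern></web-resource-collection>"
            f"<auth-constraint>{role_xml}</auth-constraint><user-data-constraint>"
            f"<transport-guarantee>{transport}</transport-guarantee></user-data-constraint></security-constraint>")


# The page's three constraints, FORM login and four declared roles.
WEB_XML = "<web-app>" + "".join([
    constraint_xml("login", "/Controller.jpf", ["employee", "manager"]),
    constraint_xml("employee", "/Employee.portal", ["employee"]),
    constraint_xml("manager", "/Manager.portal", ["manager"]),
]) + "<login-config><auth-method>FORM</auth-method></login-config>" + "".join(
    f"<security-role><role-name>{r}</role-name></security-role>"
    for r in ["employee", "manager", "Admin", "AnonymousRole"]) + "</web-app>"

# Constructed weblogic.xml: two roles mapped to assumed groups, two left unmapped.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment><role-name>employee</role-name>
    <principal-name>employees</principal-name></security-role-assignment>
  <security-role-assignment><role-name>manager</role-name>
    <principal-name>managers</principal-name></security-role-assignment>
</weblogic-web-app>"""


def parse_constraints(web_xml):
    """One dict per <security-constraint>: url patterns, roles, transport guarantee.
    Assumes every constraint carries an <auth-constraint>, as the page's excerpt does."""
    out = []
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        transport = sc.findtext("user-data-constraint/transport-guarantee", default="NONE")
        out.append({"patterns": [p.text.strip() for p in sc.iter("url-pattern")],
                    "roles": {r.text.strip() for r in sc.findall("auth-constraint/role-name")},
                    "transport": transport.strip()})
    return out


def parse_role_assignments(weblogic_xml):
    """role-name -> list of principal-names from <security-role-assignment> elements."""
    mapping = {}
    for sra in ET.fromstring(weblogic_xml).findall("security-role-assignment"):
        mapping[sra.findtext("role-name").strip()] = [p.text.strip() for p in sra.findall("principal-name")]
    return mapping


def pattern_matches(pattern, path):
    """Servlet url-pattern rules: exact, path prefix (/dir/*), extension (*.ext), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def protection_for(path, constraints):
    """Roles that may reach `path` plus the weakest transport guarantee among the
    matching constraints; None when nothing matches (served to any client)."""
    roles, transports = set(), []
    for c in constraints:
        if any(pattern_matches(p, path) for p in c["patterns"]):
            roles |= c["roles"]
            transports.append(c["transport"])
    if not transports:
        return None
    # A NONE constraint on the same path leaves it reachable without SSL, so report the weakest.
    order = ["NONE", "INTEGRAL", "CONFIDENTIAL"]
    return {"roles": roles, "transport": min(transports, key=order.index)}


def audit(web_xml, weblogic_xml, paths=()):
    """Reviewer findings: undeclared roles, unmapped roles, NONE transport, uncovered paths."""
    constraints = parse_constraints(web_xml)
    declared = {r.text.strip() for r in ET.fromstring(web_xml).findall("security-role/role-name")}
    mapping = parse_role_assignments(weblogic_xml)
    findings = []
    used = set().union(*(c["roles"] for c in constraints))
    for r in sorted(used - declared):
        findings.append(f"role '{r}' used in auth-constraint but not declared in security-role")
    for r in sorted(declared - set(mapping)):
        findings.append(f"role '{r}' declared but has no security-role-assignment in weblogic.xml")
    for c in constraints:
        if c["transport"] == "NONE":
            findings.append(f"{','.join(c['patterns'])}: transport-guarantee NONE, form credentials may be posted in clear text")
    for p in paths:
        if protection_for(p, constraints) is None:
            findings.append(f"{p}: no security-constraint matches, served to any client")
    return findings
```

Run `audit(WEB_XML, WEBLOGIC_XML, ["/index.jsp"])` to see the two unmapped roles, the three NONE guarantees and the uncovered path listed in that order; building a constraint with `constraint_xml(..., transport="CONFIDENTIAL")` makes the transport finding disappear, which is the check to re-run after hardening the descriptor.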

To learn more about configuring security, see Securing Web Applications in Programming WebLogic Security, available on E-docs.

Before proceeding to the next step in the WebLogic Platform Tour:

  1. Close all open files by choosing File > Close Files.
  2. To conserve screen real estate, temporarily minimize the WebLogic Workshop window.
