Securing WebLogic Server 12c

Overview of this book

Security is a must in modern enterprise architecture, and WebLogic implements a very complete and complex architecture for its configuration and implementation, so we need a deep knowledge of the technologies, the terminology, and how the security process works between all the actors. Transparent security for your applications and WebLogic infrastructure requires a good knowledge of the issues you can run into during this long and error-prone configuration process. "Securing WebLogic Server 12c" will simplify a complex world like WebLogic security, helping the reader to implement and configure it. It's the only fast guide that will let you develop and deploy in a production system with best practices from both the development world and the operations world. This book will try to paint a clear picture of Java EE security with clean and simple step-by-step examples that will guide the reader through security implementation and configuration. From the concepts of Java EE security to the development of secure applications, from the configuration of a realm to the setup of Kerberos single sign-on, every concept is expressed in simple terms and surrounded by examples and pictures. Finally, it also shows a way to develop WebLogic security providers with Maven, so that you can add the security part of your infrastructure to your enterprise best practices.

JASPIC and Java EE

After so many pages talking about security and how to implement it in WebLogic, the question is: why is all this custom-made and not regulated by Java EE?

Java EE 6 has the correct answer to this question: the JASPIC 1.0 specification, a message processing framework that is protocol-independent and that can do what an Authentication Provider does for us; that is, populate Subjects with Principals and therefore authenticate a remote user agent.

Unlike the WebLogic Security Framework, where everything sits behind the framework's API because the message and the protocol are managed by the application server, JASPIC works at the message level. In this way, it enforces the idea that security is tied to the protocol and to the way information is exchanged.

The standard specification currently defines three profiles: one that authenticates HTTP clients, another that works with SOAP messages, and a third that bridges the new specification to the existing JAAS login modules on the market.

This is the first implementation in WebLogic, and its immaturity shows in the total lack of documentation and in the fact that the configuration is not integrated into the custom deployment descriptors. So, consider using it only on non-critical systems.
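As an added example (not code from the book), a minimal ServerAuthModule for the HTTP profile described above: it reads a bearer token and, on success, populates the client Subject with a caller Principal and a group Principal through the container's CallbackHandler, which is exactly the job the text attributes to an Authentication Provider. The class name, the in-memory token store and the sample token are constructed for illustration, and the step that registers the module with WebLogic is not shown.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical JASPIC 1.0 ServerAuthModule (Servlet Container Profile) that authenticates an HTTP
// request from a bearer token and populates the client Subject with caller and group principals.
public class TokenServerAuthModule implements ServerAuthModule {
    // Servlet profile key telling the module whether the target resource requires authentication.
    private static final String MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    // Constructed sample store (token -> {user, group}); a real module would verify against a backend.
    private static final Map<String, String[]> TOKENS = new HashMap<String, String[]>();
    static { TOKENS.put("sample-opaque-token-1", new String[] {"alice", "Administrators"}); }
    private CallbackHandler handler; // container-supplied; all Subject population goes through it
    public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    public Class[] getSupportedMessageTypes() {
        return new Class[] {HttpServletRequest.class, HttpServletResponse.class};
    }
    public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        boolean mandatory = "true".equals(String.valueOf(mi.getMap().get(MANDATORY)));
        String hdr = req.getHeader("Authorization");
        String[] id = hdr != null && hdr.startsWith("Bearer ") ? TOKENS.get(hdr.substring(7).trim()) : null;
        try {
            if (id != null) { // authenticated: caller and group principals go into the Subject
                handler.handle(new Callback[] {new CallerPrincipalCallback(client, id[0]),
                                               new GroupPrincipalCallback(client, new String[] {id[1]})});
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // unprotected resource: proceed as an unauthenticated caller
                handler.handle(new Callback[] {new CallerPrincipalCallback(client, (java.security.Principal) null)});
                return AuthStatus.SUCCESS;
            }
        } catch (Exception e) { throw (AuthException) new AuthException("callback failed").initCause(e); }
        ((HttpServletResponse) mi.getResponseMessage()).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE; // protected resource without a valid credential: 401, stop here
    }
    public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo mi, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

The isMandatory check matters: for resources with no security constraint the container still invokes the module, and it must establish an unauthenticated caller rather than reject the request.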