WebLogic Security
Admin Console security uses FORM-based authentication and authorization under the container-managed security model. This document describes how to configure that security model on WebLogic Server 12c.
WebLogic Server provides a standard security model for securing the web applications deployed on it, and offers several security models for application resources. The common options are:
- DD Only: use only the roles and policies defined in the deployment descriptors (web.xml and weblogic.xml).
- Custom Roles: use roles defined in the Administration Console, with policies defined in the deployment descriptors.
- Custom Roles and Policies: use only roles and policies defined in the Administration Console.
- Advanced: use a custom model configured on the realm's configuration page.
Out of the box, Admin Console uses the default (DD Only) security model, taking its roles and policies from its deployment descriptors; the roles and policies can be overridden by switching the deployment to the Advanced (custom) security model.
Some key RBAC concepts for reference:
- Users: the principal requesting access to a resource.
- Roles: bring users, groups and policies together; a role defines what its members can do with a resource. Users and groups are placed in a role by role conditions, and a role is granted access to a resource by a policy.
- Policies: the list of rules that defines who may access a resource, normally expressed in terms of roles.
- Resources: the things you want to grant access to.
Role Definition for Admin Console
Roles for Admin Console are defined per service rather than per resource: each service defines the roles required to access it. For instance, the Policy Service defines the roles that govern the Segments and Roles within a policy, rather than separate roles for those entities, because segments and policy roles cannot be accessed outside the context of a policy. The roles defined are:
- AC_ADMIN
- AC_CYCLE
Create Group in WebLogic Security Realm
- Navigate to Security Data Tree/Realms/myrealm/Authentication Providers/DefaultAuthenticator/Groups.
- Click New.
- On the Create a New Group page, enter AC_ADMIN in the Name field, enter a description for the new group (for example, Admin Console Admin group) in the Description field, and click Create.
The group is created and displayed in the Groups list.
Create User in WebLogic Security Realm
- Navigate to Security Data Tree/Realms/myrealm/Authentication Providers/DefaultAuthenticator/Users.
- Click New.
- On the Create a New User page, enter qatester3 in the Name field, enter a description for the new user in the Description field, and set a password.
Note: The user must also be an OIPA application user in order to access the REST services consumed by Admin Console.
- Click Create.
- Select the newly created user qatester3 and open the Membership tab.
- Move the group AC_ADMIN from Available groups to Chosen groups and click Save.
- WebLogic confirms that the settings were updated successfully.
Create Global Roles in WebLogic Realm
- Navigate to Security Data Tree/Realms/myrealm/RoleMappers/XACMLRoleMapper/Global/Roles.
- Expand Global Roles and click the Roles link in the roles grid.
- On the Global Roles page, click New, enter AC_ADMIN as the name of the new global role, and click Save.
- Select the newly created role AC_ADMIN.
- To add role conditions, click Add Conditions.
- Select Group from the Predicate list and click Next.
- In the Group Argument Name field, enter the group name AC_ADMIN and click Add.
- Click OK to complete the condition.
- Click Save.
Note: The group name and role name are identical here only to make the mapping obvious; they may differ. The role name must match the role declared in the application's deployment descriptors (web.xml and weblogic.xml), whereas the group name can be any name. Because every member of the group is granted the role, and AC_ADMIN is permitted everything on every service, keep membership of that group restricted to administrators.
- Deploy the application. Once it is deployed and active, restart the Admin Server and Managed Server instances for the changes to take effect.
Admin Console roles, their privileges and the services they apply to:
| Role Name | Role Description | Role Privilege | Role Association |
|-----------|------------------|----------------|------------------|
| AC_ADMIN | Admin Console Administrator | Permit All | All services |
| AC_CYCLE | Cycle read access | GET | cycle service |
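The global role created in the procedure above is matched by name to the role declared in web.xml; weblogic.xml decides where the role's membership comes from. The following weblogic.xml is an added example, not the descriptor shipped with Admin Console, and shows both forms: externally-defined, which hands the mapping to the realm's role mapper so that the AC_ADMIN global role and its Group condition created in the console are used, and an explicit security-role-assignment to a realm group (the group name CycleReaders is an assumption, chosen to differ from the role name to show that only the role name is fixed).

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example weblogic.xml; the group name CycleReaders is an assumption. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <!-- AC_ADMIN: the role name must equal the <security-role> in web.xml and
       the global role created in the console. The members are not listed
       here; they come from that global role's condition (Group AC_ADMIN). -->
  <security-role-assignment>
    <role-name>AC_ADMIN</role-name>
    <externally-defined/>
  </security-role-assignment>

  <!-- AC_CYCLE: mapped directly to a realm group. The group name does not
       have to match the role name; only the role name is fixed by web.xml. -->
  <security-role-assignment>
    <role-name>AC_CYCLE</role-name>
    <principal-name>CycleReaders</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

A role declared in web.xml with no security-role-assignment at all is mapped by WebLogic to a user or group of the same name by default, which is why identical role and group names work without further configuration; treat that default as an explicit design decision rather than an accident, and after deployment verify with a user outside AC_ADMIN that a non-GET request to the cycle service is refused.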