Deployment Descriptor (DD) Configuration

In order for the group and roles to work, the deployment descriptor files (web.xml and weblogic.xml) need to have security-constraints defined. The role names defined in deployment descriptors should match exactly same with the role names created inside weblogic security realm.

web.xml

Defined Security Roles
`<security-role>` `<role-name>SL_ADMIN</role-name>` `</security-role>` `<security-role>` `<role-name>POLICY_READ</role-name>` `</security-role>` `<security-role>` `<role-name>POLICY_WRITE</role-name>` `</security-role>` `<security-role>` `<role-name>CLIENT_READ</role-name>` `</security-role>` `<security-role>` `<role-name>CLIENT_WRITE</role-name>` `</security-role>` `<!-- Deployment Descriptor based Security Constraint -->` `<security-constraint>` `<web-resource-collection>` `<web-resource-name>PASService</web-resource-name>` `<url-pattern>/services/v11.2/*</url-pattern>` `<http-method>GET</http-method>` `<http-method>POST</http-method>` `</web-resource-collection>` `<auth-constraint>` `<role-name>SL_ADMIN</role-name>` `<role-name>POLICY_READ</role-name>` `<role-name>POLICY_WRITE</role-name>` `<role-name>CLIENT_READ</role-name>` `<role-name>CLIENT_WRITE</role-name>` `</auth-constraint>` `<user-data-constraint>` `<transport-guarantee>CONFIDENTIAL</transport-guarantee>` `</user-data-constraint>` `</security-constraint>` `<login-config>` `<auth-method>BASIC</auth-method>` `</login-config>`

Defined Security Roles

<security-role>
                                                            

 <role-name>SL_ADMIN</role-name>
                                                            

</security-role>
                                                            

<security-role>
                                                            

 <role-name>POLICY_READ</role-name>
                                                            

</security-role>
                                                            

<security-role>
                                                            

 <role-name>POLICY_WRITE</role-name>
                                                            

</security-role>
                                                            

<security-role>
                                                            

 <role-name>CLIENT_READ</role-name>
                                                            

</security-role>
                                                            

<security-role>
                                                            

 <role-name>CLIENT_WRITE</role-name>
                                                            

</security-role>
                                                            

<!-- Deployment Descriptor based Security Constraint -->
                                                            

<security-constraint>
                                                            

 <web-resource-collection>
                                                            

 <web-resource-name>PASService</web-resource-name>
                                                            

 <url-pattern>/services/v11.2/*</url-pattern>
                                                            

 <http-method>GET</http-method>
                                                            

 <http-method>POST</http-method>
                                                            

 </web-resource-collection>
                                                            

 <auth-constraint>
                                                            

 <role-name>SL_ADMIN</role-name>
                                                            

 <role-name>POLICY_READ</role-name>
                                                            

 <role-name>POLICY_WRITE</role-name>
                                                            

 <role-name>CLIENT_READ</role-name>
                                                            

 <role-name>CLIENT_WRITE</role-name>
                                                            

 </auth-constraint>
                                                            

 <user-data-constraint>
                                                            

 <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                                                            

 </user-data-constraint>
                                                            

</security-constraint>
                                                            

<login-config>
                                                            

 <auth-method>BASIC</auth-method>
                                                            

</login-config>
                                                            

weblogic.xml

Deployment Descriptor based Security Constraint with externally mapped/defined groups and users
`<wls:security-role-assignment>` `<wls:role-name>SL_ADMIN</wls:role-name>` `<wls:externally-defined/>` `</wls:security-role-assignment>` `<wls:security-role-assignment>` `<wls:role-name>POLICY_READ</wls:role-name>` `<wls:externally-defined/>` `</wls:security-role-assignment>` `<wls:security-role-assignment>` `<wls:role-name>POLICY_WRITE</wls:role-name>` `<wls:externally-defined/>` `</wls:security-role-assignment>` `<wls:security-role-assignment>` `<wls:role-name>CLIENT_READ</wls:role-name>` `<wls:externally-defined/>` `</wls:security-role-assignment>` `<wls:security-role-assignment>` `<wls:role-name>CLIENT_WRITE</wls:role-name>` `<wls:externally-defined/>` `</wls:security-role-assignment>`

Deployment Descriptor based Security Constraint with externally mapped/defined groups and users

<wls:security-role-assignment>
                                                            

 <wls:role-name>SL_ADMIN</wls:role-name>
                                                            

 <wls:externally-defined/>
                                                            

</wls:security-role-assignment>
                                                            

<wls:security-role-assignment>
                                                            

 <wls:role-name>POLICY_READ</wls:role-name>
                                                            

 <wls:externally-defined/>
                                                            

</wls:security-role-assignment>
                                                            

<wls:security-role-assignment>
                                                            

 <wls:role-name>POLICY_WRITE</wls:role-name>
                                                            

 <wls:externally-defined/>
                                                            

</wls:security-role-assignment>
                                                            

<wls:security-role-assignment>
                                                            

 <wls:role-name>CLIENT_READ</wls:role-name>
                                                            

 <wls:externally-defined/>
                                                            

</wls:security-role-assignment>
                                                            

<wls:security-role-assignment>
                                                            

 <wls:role-name>CLIENT_WRITE</wls:role-name>
                                                            

 <wls:externally-defined/>
                                                            

</wls:security-role-assignment>
                                                            