WebLogic lets you define a set of rules to protect resources on the application or even on the server. These rules are called security policies and they leverage the WebLogic security framework using Authentication Providers, Users, and Groups. This model is extended by introducing conditions, which not only defines who can access a resource but also when; sometimes, a combination of other conditions can be used to let the user access the resources. Some examples of these policies are as follows:
A user in a specific group can call any EJB method during business hours
Only users with the admin role can edit JDBC resources
Only one specific user can post messages on a JMS queue
And to illustrate one of these examples, we're going to implement a sign-up user case for the Store application using a protected JMS queue in the next section.
Here is a comprehensive list of the main resources that can be secured in WebLogic:
Administrative resources – Secures actions such as checking server logs, unlocking users, and uploading deployment files
Application resources – Secures any valid Java EE module such as web applications and EJB modules
EJB resources – Secures any specific bean or business method
Java Database Connectivity (JDBC) resources – A set of administrative actions that can manage a JDBC pool
Java Messaging Service (JMS) Resources – Actions such as send or receive a message
Java Naming and Directory Interface (JNDI) Resources – Protect actions such as lookups or modifications on the JNDI tree
JMX Resources – Useful to secure JMX connections from clients that need to monitor or manage WebLogic
Server Resources – Secure actions that change server status
URL Resources – The traditional URL pattern protection specified in deployment descriptors
Web Service Resources – Protects web services and its operations from web service clients
Tip
The security policies can be created using the WebLogic console, usually by clicking on the Security tab of the specified resource. As an alternative, these policies can be created through WLST scripts or even using eXtensible Access Control Markup Language (XACML) documents. For more details on these advanced features, check the WebLogic documentation.