Category Archives: WebLogic Server
The OFM Summer Camps 2015 finished successfully (August 17th – 21st 2015, Lisbon, Portugal), and the Oracle Fusion Middleware community could review the new capabilities of the Oracle Cloud Services in different areas. More than 100 participants attended the event and learned a lot about the new features and enhancements of Oracle Cloud Computing.
The four hands-on trainings were organized around the following topics:
- Mobile and Mobile Cloud Service
- BPM Suite 12c and Process Cloud Service
- Hybrid Integration with Integration Cloud Service, SOA Suite Cloud Service and SOA 12c
- Java Cloud Service
I will try to give a short overview of the Java Cloud technical workshop. As you know, Oracle Java Cloud Service is part of the platform service offerings in Oracle Cloud. Powered by Oracle WebLogic Server, it provides a platform on top of Oracle’s enterprise-grade cloud infrastructure for developing and deploying new or existing Java EE applications. With Java Cloud, you have an environment to build, deploy, and manage Java enterprise applications. Cosmin Tudor, Oracle Principal Product Manager, presented the different steps and capabilities of Java Cloud in a four-day technical workshop.
Oracle’s Public Cloud strategy suggests a flexible solution in which the customer can combine private and public cloud approaches. From my point of view, the security aspects of the public cloud are not yet sufficiently clarified, and therefore my advice regarding critical data and information is: private cloud! I see it as an advantage that Oracle can provide a stable solution for the private cloud. We can use the hybrid Oracle Cloud approach not only as PaaS and IaaS; DaaS and SaaS are now available in the public cloud too.
Developer Cloud Service, a Platform as a Service (PaaS) development environment for the enterprise, simplifies development with an automatically provisioned development platform that supports the complete development lifecycle.
Oracle Data as a Service (DaaS) for Business allows businesses to use data as a standalone asset and connect with partner data to make smarter decisions. Oracle DaaS is a service in Oracle Cloud that offers the most variety, scale, and connectivity in the industry, including cross-channel, cross-device, and known and anonymous data. Use Oracle DaaS to drive intelligent actions for B2B and B2C organizations.
To prepare our environment in the technical workshop, we worked on Database Cloud Service too. Preparing an Oracle Database in the Cloud was very fast and stable, and we can expect Oracle Database to achieve new levels of efficiency, security, and availability.
In addition, working with WebLogic 12.1.3 and its new features was amazing, especially using Oracle Traffic Director, JCS configuration (e.g. JCS network rules configuration) and Coherence clusters. It was important that many parts of the workshop materials can be used as a PoC for different customer needs. Our work and training showed us that Oracle Java Cloud Service is a complete platform, with Oracle WebLogic Server as the application container, Oracle Coherence as the caching and data grid tier, and Oracle Traffic Director as the software load balancer.
I can summarize OFM Summer Camp 2015 as below: a lot of things are done, a lot of things need to be done, and a lot of new ideas are here!
Special thanks to Jürgen Kress for the excellent organization of the event!
Thanks to Simon Haslam for the photo and his comment: This is the room the *real* work is being done in – Cosmin’s JCS lab!
On 20 June, the DOAG 2014 conference took place in Nürnberg. My colleague Frank Burkhardt and I gave a talk there on „IT-Sicherheit und OFM: Eine Herkulesaufgabe?“ (IT security and OFM: a Herculean task?). Here you find our abstract and our presentation:
The demands placed on IT security experts today are sometimes reminiscent of the seemingly unsolvable labours of Hercules in Greek legend. But not every security specialist is an IT strongman. And traditional IT security approaches and measures alone are not enough to answer new technical, but also organizational, questions. Which solutions does Oracle offer for this dilemma? After a short introduction to the problem, the speakers present Oracle’s security concepts and then put a special focus on Oracle WebLogic Server and Oracle Platform Security Services (OPSS).
These topics are at the centre:
- Challenges of IT security in globally networked systems
- IT security architecture and Oracle’s approach
- Oracle Fusion Middleware and the building blocks of Oracle’s security technology: WLS, OAM, OID, OVD, WebGate
- Secure systems: best practices and experience reports on authentication, authorization, single sign-on (SSO), Secure Socket Layer (SSL) and Security Assertion Markup Language (SAML)
Link to our presentation:
Key words: IT-Security, WebLogic Server, WebLogic Security Framework, Authorization, authorization process, Role Mapping, Roles, Adjudication Process, Security Service Provider Interfaces (SSPIs), Users, Groups, Principals and Subjects
We discussed authentication in Parts 4 and 5; now let us focus on authorization. Authorization is also known as access control and is used to answer the main questions such as: “What can you access?”, “Who has access to a WebLogic resource?”, “Is access allowed?” and, in general, “Who can do what?” In order to guarantee the integrity, confidentiality (privacy) and availability of resources, WebLogic restricts access to these resources. In other words, the authorization process is responsible for granting access to specific resources based on an authenticated user’s privileges.
Authorization: What can you access?
After a user has been authenticated, the first question the system has to answer is: “What can you access?” In this sense, WebLogic Server has to determine which resources are available to a particular user; this is decided by using the user’s security role and the security policy assigned to the requested WebLogic resource. A WebLogic resource is generally understood as a structured object used to represent an underlying WebLogic Server entity, which can be protected from unauthorized access using security roles and security policies. WebLogic resource implementations are available for:
- Administrative resources
- Application resources
- Common Object Model (COM) resources
- Enterprise Information System (EIS) resources
- Enterprise JavaBean (EJB) resources
- Java Database Connectivity (JDBC) resources
- Java Messaging Service (JMS) resources
- Java Naming and Directory Interface (JNDI) resources
- Server resources
- Web application resources
- Web service resources
- Work Context resources
The Authorization Process
I’m going to explain the whole process in a top-down approach. First of all, we have to see what happens in the authorization process. Figure 1 (Authorization Process) shows how the WebLogic Security Framework communicates with a particular security provider and with the Authorization providers respectively.
Figure 1 Authorization Process
If a user wants to use a protected resource, the request goes to the “Resource Container” that handles the type of WebLogic resource being requested (for example, the EJB container receives the request for an EJB resource). The container forwards the request and its parameters, including information such as the subject of the request and the WebLogic resource being requested, to the “WebLogic Security Framework”. The Role Mapping providers use the request parameters to compute a list of roles to which the subject making the request is entitled and pass the list of applicable roles back to the WebLogic Security Framework. Based on this information the authorization decision is made: e.g. PERMIT and/or DENY. WebLogic Server provides auditing to collect, store and distribute information about requests and outcomes. The next step is adjudication. Multiple Authorization providers can be configured for authorization; for such cases an Adjudication provider is available. The WebLogic Security Framework delegates the job of merging any conflicts in the access decisions rendered by the Authorization providers to the Adjudication provider. It resolves the conflicts and sends a final decision (TRUE or FALSE) to the WebLogic Security Framework.
WebLogic Security Framework
I mentioned the WebLogic Security Framework briefly in Parts 1 and 2. Figure 2 (WebLogic Security Service Architecture) shows a high-level view of the WebLogic Security Framework. The framework contains interfaces, classes, and exceptions in the weblogic.security.service package. The framework provides a simplified application programming interface (API) that can be used by security and application developers to define security services. Within that context, the WebLogic Security Framework also acts as an intermediary between the WebLogic containers (Web and EJB), the resource containers, and the security providers.
Figure 2 WebLogic Security Service Architecture
The Security Service Provider Interfaces (SSPIs) can be used by developers and third-party vendors to develop security providers for the WebLogic Server environment.
Figure 1 (Authorization Process) presents the security provider as the next module; it provides security services to applications in order to protect WebLogic resources. A security provider consists of runtime classes and MBeans, which are created from SSPIs and/or MBean types. Security providers are either WebLogic security providers (provided with WebLogic Server) or custom security providers. You can use the security providers that are provided as part of the WebLogic Server product, purchase custom security providers from third-party security vendors, or develop your own custom security providers.
In order to complete the authorization process, role mapping within the security provider is necessary. Simply put, a role mapper maps a valid token to a WebLogic user. Before we focus on roles, I would like to clarify a few more terms.
Users, Groups, Principals and Subjects
A user is an entity that was authenticated by our security provider in the previous steps (see Parts 4 and 5, Authentication Process). A user can be a person, a software entity or another instance of WebLogic Server. As a result of authentication, a user is assigned an identity, or principal. A principal is an identity assigned to a user or group as a result of authentication and can consist of any number of users and groups. Principals are typically stored within subjects. Both users and groups can be used as principals by WebLogic Server.
Groups are logically ordered sets of users. Usually, group members have something in common. For example, a company may separate its IT department into two groups, Admins and Developers. In this way it is possible to define different levels of access to WebLogic resources depending on group membership. Managing groups is more efficient than managing large numbers of users individually. For example, an administrator can specify permissions for several users at one time by placing the users in a group, assigning the group to a security role, and then associating the security role with a WebLogic resource via a security policy. All user names and groups must be unique within a security realm.
A role is a dynamically computed privilege that is granted to users or groups based on specific conditions. The difference between groups and roles is that a group is a static identity that a server administrator assigns, while membership in a role is dynamically calculated based on data such as user name, group membership, or the time of day. Security roles are granted to individual users or to groups, and multiple roles can be used to create security policies for a WebLogic resource.
Like groups, security roles allow you to restrict access to WebLogic resources for several users at once. However, unlike groups, security roles:
- Are computed and granted to users or groups dynamically, based on conditions such as user name, group membership, or the time of day.
- Can be scoped to specific WebLogic resources within a single application in a WebLogic Server domain (unlike groups, which are always scoped to an entire WebLogic Server domain).
Granting a security role to a user or a group confers the defined access privileges to that user or group, as long as the user or group is “in” the security role. Multiple users or groups can be granted a single security role. It can be summarized as follows:
Groups are static and defined on Domain level (coarse granularity) and Roles are dynamic and defined on Resource level (fine granularity). Continued…
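The flow described above (static, domain-wide groups; roles that a role mapper computes per request and per resource; security policies that tie roles to a resource; several Authorization providers voting PERMIT or DENY; an Adjudication provider that merges the votes into one TRUE/FALSE answer; auditing of the outcome) is easiest to understand end to end. The following Python model is an added example, not code from this article or from WebLogic: it does not use the WebLogic SSPIs, and the users, the groups Admins and Developers, the `ejb:PayrollBean` resource, the office-hours role condition and the “locked user” provider are all constructed for the demonstration. The `require_unanimous_permit` switch is an assumed simplification of how an adjudicator may merge conflicting votes (any DENY wins; then either every provider must PERMIT, or abstentions are ignored and one PERMIT suffices).

```python
# Added example (not from the article or Oracle): a simplified model of the
# WebLogic-style authorization flow. All names and sample data are constructed.
from dataclasses import dataclass
from datetime import time
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Set


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"   # the provider has no opinion on this request


@dataclass(frozen=True)
class Subject:
    """Result of authentication: the user principal plus its group principals."""
    user: str
    groups: FrozenSet[str]   # static membership, assigned by an admin, domain-wide


# A role condition inspects the subject and a request attribute (here: the time
# of the request) and answers whether the subject is "in" the role right now.
RoleCondition = Callable[[Subject, time], bool]

# Roles are scoped to a resource: resource -> role name -> condition.
ROLE_DEFINITIONS: Dict[str, Dict[str, RoleCondition]] = {
    "ejb:PayrollBean": {
        "PayrollAdmin": lambda s, t: "Admins" in s.groups,
        "OfficeHoursDeveloper": lambda s, t: ("Developers" in s.groups
                                              and time(8, 0) <= t < time(18, 0)),
    },
}

# Security policies: which roles may access a resource.
POLICIES: Dict[str, Set[str]] = {
    "ejb:PayrollBean": {"PayrollAdmin", "OfficeHoursDeveloper"},
}

AUDIT_LOG: List[str] = []   # stands in for the Auditing provider


def map_roles(subject: Subject, resource: str, now: time) -> Set[str]:
    """Role mapper: compute the roles the subject currently holds for this resource."""
    return {role for role, holds in ROLE_DEFINITIONS.get(resource, {}).items()
            if holds(subject, now)}


def policy_provider(subject: Subject, resource: str, roles: Set[str]) -> Decision:
    """Authorization provider 1: policy lookup on the computed roles."""
    allowed = POLICIES.get(resource)
    if allowed is None:
        return Decision.ABSTAIN          # no policy defined for this resource
    return Decision.PERMIT if roles & allowed else Decision.DENY


LOCKED_USERS: FrozenSet[str] = frozenset({"mallory"})   # constructed sample data


def lockout_provider(subject: Subject, resource: str, roles: Set[str]) -> Decision:
    """Authorization provider 2: veto for locked accounts, silent otherwise."""
    return Decision.DENY if subject.user in LOCKED_USERS else Decision.ABSTAIN


def adjudicate(decisions: List[Decision], require_unanimous_permit: bool) -> bool:
    """Merge the providers' votes into the final TRUE/FALSE decision.
    Any DENY wins. With require_unanimous_permit every provider must vote PERMIT
    (an ABSTAIN blocks access); otherwise ABSTAIN votes are ignored and a single
    PERMIT is enough. No PERMIT at all never grants access."""
    if Decision.DENY in decisions:
        return False
    if require_unanimous_permit:
        return all(d is Decision.PERMIT for d in decisions)
    return Decision.PERMIT in decisions


def is_access_allowed(subject: Subject, resource: str, now: time,
                      require_unanimous_permit: bool = False) -> bool:
    """The framework's job: role mapping, then access decisions, then adjudication."""
    roles = map_roles(subject, resource, now)
    decisions = [p(subject, resource, roles) for p in (policy_provider, lockout_provider)]
    result = adjudicate(decisions, require_unanimous_permit)
    AUDIT_LOG.append(f"{subject.user} -> {resource} at {now}: roles={sorted(roles)} "
                     f"votes={[d.value for d in decisions]} allowed={result}")
    return result


def demo_results() -> Dict[str, bool]:
    """Run constructed subjects through the flow and return the outcomes."""
    alice = Subject("alice", frozenset({"Admins"}))
    bob = Subject("bob", frozenset({"Developers"}))
    mallory = Subject("mallory", frozenset({"Admins"}))
    return {
        "alice_10h": is_access_allowed(alice, "ejb:PayrollBean", time(10, 0)),      # True
        "bob_10h": is_access_allowed(bob, "ejb:PayrollBean", time(10, 0)),          # True
        "bob_20h": is_access_allowed(bob, "ejb:PayrollBean", time(20, 0)),          # False
        "mallory_10h": is_access_allowed(mallory, "ejb:PayrollBean", time(10, 0)),  # False
        "alice_unanimous": is_access_allowed(alice, "ejb:PayrollBean", time(10, 0), True),  # False
        "alice_no_policy": is_access_allowed(alice, "ejb:OtherBean", time(10, 0)),  # False
    }


if __name__ == "__main__":
    for name, allowed in demo_results().items():
        print(f"{name}: {allowed}")
    print(*AUDIT_LOG, sep="\n")
```

Two things the model makes visible that the prose only states: bob is “in” the OfficeHoursDeveloper role at 10:00 but not at 20:00 although his (static) group membership never changes, and mallory is denied although she holds the PayrollAdmin role, because one provider's DENY overrides the other's PERMIT during adjudication.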
See too last parts of IT-Security and Oracle Fusion Middleware:
- Oracle® Fusion Middleware Understanding Security for Oracle WebLogic Server, 11g Release 1 (10.3.6), E13710-06
- Oracle® Fusion Middleware Securing Oracle WebLogic Server 11g Release 1 (10.3.6), E13707-06
Key words: IT-Security, Security Challenges, OPSS Architecture, WebLogic Server, JAAS, JAAS LoginModules, Authentication, Basic Authentication, Certificate Authentication, Digest Authentication, Perimeter Authentication and Identity Assertion
Until now I have published five parts of a series of articles on IT-Security and Oracle Fusion Middleware:
I’m going to continue the IT-Security articles, and you can access the complete first five parts as a PDF file here:
On 6 March 2014, the DOAG Regionaltreffen München/Südbayern took place at the Hochschule für angewandte Wissenschaften München. I gave a talk there on „Orchestrierung der IT-Sicherheit: Wie sieht es mit der Oracle Fusion Middleware aus?“ (Orchestrating IT security: what about Oracle Fusion Middleware?). Here you find my abstract and my presentation:
Orchestration is a huge symphony of the most diverse components in the IT field. Orchestrating IT security is therefore more than just a classic administrative task to be carried out at the network level. IT security is a challenge in the age of cloud computing, with its changed demands in a distributed, heterogeneous and ever more complex IT world.
This talk shows that traditional IT security approaches and measures alone are not enough to answer new technical, but also organizational, questions. After a short introduction to the problem, Oracle’s solution approaches are presented. A special focus is placed on Oracle WebLogic Server and Oracle Platform Security Services (OPSS).