
The New Security Architecture of BEA WebLogic Server 7.0

Installing and maintaining security is a huge challenge for an IT organization. To serve a worldwide network of Web-based users, the IT organization must address the fundamental issues of maintaining the confidentiality, integrity, and availability of the system and its data. Security across the infrastructure is a complex business that requires vigilance and established and well-communicated security policies and procedures.

This article looks at securing the Java-based application and the WebLogic Server on which it is deployed. WebLogic Server 7.0 incorporates a completely redesigned security architecture that provides a unique and secure foundation for applications. WebLogic Server 7.0 security services can be used standalone to secure WebLogic Server applications, or as part of an enterprise-wide security management system that integrates best-of-breed third-party security management solutions.

Security Issues Facing Customers Today
So, what are the problems with security? Well, there are quite a few, but the major ones that we've heard from customers are:

  • Application security today is in the hands of application developers. In order to implement really strong security or any kind of business security rules, the security-related code is included in the application. Since developers are typically not security experts, this makes it error prone and extremely costly to develop and maintain.
  • Hardcoded security policies are inflexible and policy changes require changes to application code, which is slow and expensive.
  • The need to integrate new applications with existing security products usually requires very costly custom code to plug into third-party products.

Today, customers have to build aspects of application security directly into their applications. By building proprietary connectors, they can use third-party point security solutions directly, which of course locks them into a single vendor and proprietary technology. And if any intelligent business security rules need to be implemented, customers build their own security policy systems. This distracts them from implementing their core business functionality and increases time-to-market immensely.

Why Is J2EE Not Good Enough?
J2EE security attempted to provide a simple infrastructure to solve security issues. However, it turned out that in the real world J2EE security standards aren't strong enough or flexible enough, and in general don't have many of the features required by a modern agile enterprise application. These are some of the problems with J2EE security:
1. Requires developers to hard-code security into the business logic and configuration files.
2. Administrators cannot change security settings - they need to know too many things to do it.
3. Developers and administrators cannot implement business rules for security policy - there is no concept of business security rules in J2EE.
4. Only controls certain J2EE components (EJBs, servlets, JSPs), not the entire application (what about JCA, JMS, databases, and all those non-J2EE components like Web services?).
5. Not integrated with the leading security ISV solutions that might be an existing corporate standard - many of these products are not even based on J2EE.
6. Has no provisions for Single Sign-On (SSO).

The Solution: A Security Framework

The WebLogic Security Framework, new in WebLogic Server 7.0, provides end-to-end application security, covering J2EE and non-J2EE components of your application hosted on WebLogic Server. With WebLogic security:
1. Security policies are created and managed by Security Administrators.
2. Security policies are flexible, dynamic, powerful rules that can be changed without recoding and redeployment.
3. Integration with existing security solutions is greatly simplified.

Unlike J2EE, the WebLogic Security Framework separates application business logic from the security code. Security services, including security business rules, are provided by the infrastructure and don't have to be coded in the application. It's easy for nondevelopers to administer and doesn't require any programming or XML knowledge. A GUI for security administration is provided out-of-the-box.

A built-in dynamic security rules engine makes it easy to implement dynamic business rules for security policies, and does not require any downtime to update these rules. It allows mapping company business rules to security policies in distributed deployments, providing easy customization of application security to business requirements.

With an open Security Service Provider Interface (SSPI) the framework allows leading security solutions on the market to plug in and provide their security services to WebLogic applications, and also enables adding custom extensions. In addition, WebLogic Server 7.0 provides prebuilt implementations (security service providers) for most of these plug-in points.

Single Sign-On is automatically available to WebLogic Server applications without any additional programming.

WebLogic Server provides a complete range of security coverage for all J2EE and non-J2EE components deployed in WebLogic Server.

Having said all this, it's important to remember that as a certified J2EE 1.3-compliant application server, WebLogic Server supports all the security features required by J2EE, such as JAAS. It also supports the WebLogic Server 6.x security model by providing a "compatibility mode", which should make it easy and painless to transition from the older 6.x security model to the new security framework.

With an open architecture, standards support, and unified administration, WebLogic Server 7.0 security gives the IT department the tools it needs to address real-world issues in security.

Putting It All Together: the New Security Architecture
Figure 1 shows the WebLogic Server 7.0 service-based Security Framework, which provides interfaces to other BEA products, J2EE containers, and customer applications, and delegates requests to the appropriate security plug-in. Security plug-ins supplied by BEA with WebLogic Server perform the following functions out-of-the-box:

  • Authentication: Authenticates, verifies, and maps security tokens to an internal format for security support. Supports delegated username/password and certificate authentication with WebLogic Server, and HTTP certificate authentication via the standard service provided in a Web server.
  • Authorization: Enforces authorization policies for resources, taking business policies into consideration. Supports role-based authorization, in which access is based on job function and business rules.
  • Auditing: Audits all security actions in support of non-repudiation. Provides a customizable set of data for auditing security events such as failed login attempts, authentication requests, rejected digital certificates, and invalid roles.
  • Public key infrastructure: Supports standard public key encryption for data or digital signatures, or when electronic authentication of a client's identity is required.
  • Credential mapping: Maps a user's authentication credentials to those required for legacy applications, so that the legacy application gets the necessary credential information.
  • Role mapping: Maps roles to users or groups, based on policy. Determines the appropriate set of roles granted to a WebLogic Server user or group for a WebLogic resource.

The Security SPI: the Interface for Flexibility
The security plug-in scheme in WebLogic Server 7.0 is based on a set of Security Service Provider Interfaces (SPIs) for the plug-in points. The Security SPIs can be used by customers or third-party vendors to develop security plug-ins for the WebLogic Server environment. Security SPIs are available for authentication, authorization, auditing, credential mapping, role mapping, and the public key infrastructure (supporting the standard Java KeyStore for encrypted storage of public and private encryption keys).

The Security SPI scheme means that customers have four choices for securing WebLogic Server installations:

  • BEA-supplied security plug-ins
  • Third-party security plug-ins based on the BEA Security SPI interface
  • BEA Security SPIs to create customized security plug-ins for WebLogic Server systems
  • Existing third-party security technologies that have been adapted so that they are BEA-compliant (some are available today or are coming in the near future)

An Open Architecture: Multi-Vendor and Multi-Protocol Support

The open, interface-based security architecture in WebLogic Server allows use of existing security products while taking advantage of new security technologies available in the marketplace. With this architecture, a security installation can support security vendors' full value propositions, not just a subset. A user's choice of security products can be "mixed and matched" to create complete custom security solutions. In fact, a WebLogic Server installation can run more than one security plug-in for a given function, and users can set constraints that govern which product or protocol will be used in a given situation.

As users integrate new solutions or modify existing ones, administrators can set security policy for each security plug-in, using a built-in menu-driven policy tool. Security policy governs authorization: the rules and constraints for accessing resources or assuming roles. More than one security plug-in can run concurrently, as part of a migration or transition scheme, with security policy set for each accordingly. The BEA-supplied Adjudicator function resolves any conflicts in interpretation when making authorization decisions.

The WebLogic Server 7.0 design for security services supports any choice of vendors and protocols because it separates the details of the security system from application code, simplifying application maintenance and management. Changing security system components or policies need not entail modifying applications. This unified architecture makes it easy to integrate best-of-breed security solutions, and to replace components of a security system with the latest technologies from third-party vendors or from a development staff. The ability to swap in new security plug-ins and technologies as needed reduces the total cost of ownership and maximizes the return on investment in security technologies.

Advantages for Developers, Administrators, and Vendors
Figure 2 illustrates how different users would interact with the software architecture of the WebLogic Server security services. The new security architecture has benefits for three categories of users: application developers, administrators, and third-party security service vendors.

Benefits for Application Developers
Since most of the security functionality for Web applications can be implemented by a system administrator, application developers need not pay attention to the details of securing the application unless there are special considerations that must be addressed in the code. In cases where programming custom security into an application is required, WebLogic Server application developers can take advantage of BEA-supplied Application Programming Interfaces (APIs) for obtaining information about subjects and principals (identifying information for users) that are used by WebLogic Server. The APIs are found in the weblogic.security package.

With WebLogic Server's support for the Java standards, developers can also use the APIs in the Java platform security packages such as JAAS and JSSE, as well as the security-specific methods defined by J2EE.

Benefits for Administrators
Administrators who install, configure, deploy, and maintain WebLogic Server can use their choice of BEA-supplied security plug-ins, customized security plug-ins, or third-party security products, and manage them all with the Administration Console.

Out-of-the-box, a complete security solution can be implemented using the BEA-supplied security plug-ins. Administrators can use the menu-driven, rule-based policy engine to create an authorization scheme that implements the company's business rules.

Setting Policies: No Programming Required
The built-in policy engine provides a GUI that lets administrators set policies in the Administration Console, without writing application code. By right-clicking on a system resource displayed in the Administration Console, users can select among the constraints displayed on the drop-down menus. Figure 3 illustrates this simple menu-based approach to adding or changing security in applications.

Benefits for Third-Party Security Vendors
Most leading security service providers have announced plans to support WebLogic Server 7.0. These providers are integrating their products with the WebLogic Server environment using the Security SPIs. As the underlying integration mechanism for BEA's security plug-ins, the Security SPIs permit development of customized security plug-ins for the WebLogic Server environment. Security SPIs are available for authentication, authorization, auditing, public key infrastructure, credential mapping, and role mapping. This allows third-party vendors to provide tightly integrated solutions that are easy to implement.

Security via Users, Roles and Policies
The key to WebLogic Server 7.0's security architecture is the organization of application users and groups into roles, which they take on according to defined security policies. Users can be organized into groups. Groups can be used to represent organizational boundaries as well as to simplify administration. Each application user and group is mapped to a role dynamically during application execution, when authorization is needed.

Roles and policies determine access to system resources, and permitted behaviors. User roles are registered by an administrator using the built-in menu-driven security policy tool embedded in the BEA-supplied Authorization plug-in. The security policy tool's interface reflects business concepts, not programming concepts, and allows an administrator to create simple prose-based rules for dynamically assigning roles and calculating access privileges. Application developers are freed from having to write application code to implement complex business policies, because the policy tool separates the tasks of business policy creation and application creation.

The roles that a user can be assigned to are determined by policies defined by the administrator, on behalf of the company. Since policies reflect business security rules, a company's management sets security policies rather than the software development staff. Security policies can easily be changed as business conditions change.

The role-and-policy-based security scheme replaces the previous scheme of users, groups, and access control lists (ACLs), and offers clear advantages for ease of administration and ease of adaptability as security requirements change. Using roles and policies for authorization permits dynamic computation of access status for each resource, for each user or group.

WebLogic Server 7.0's dynamic, role-based authorization scheme can be applied to all WebLogic Server resources. The administrator and application developer are no longer constrained by the limitations of the declarative security model in J2EE, which embeds security constraints in the code and makes it difficult to modify a security scheme when business requirements change.
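The delegation path described above (an authentication plug-in producing a subject with principals, role mapping evaluated at authorization time, several authorization plug-ins running concurrently, and an Adjudicator resolving their conflicts) as an added example; this is not the article's or BEA's code and does not use the real weblogic.security SSPI. It relies only on the standard JAAS Subject and Principal classes (Java 16 or later, for records); the Decision values, the AuthorizationProvider interface, the policy tables, the adjudication rule and the audit line format are hypothetical stand-ins, and the users, groups and resources are constructed sample data.

```java
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.*;
import java.util.function.BiPredicate;

public class SecurityFrameworkModel {
    // Principals a (hypothetical) authentication plug-in places in the JAAS Subject after login.
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record GroupPrincipal(String name) implements Principal { public String getName() { return name; } }
    // What the framework hands to each plug-in: caller, resource, action, and runtime context.
    record Request(Subject subject, String resource, String action, int hourOfDay) {}
    // One plug-in's vote; a hypothetical stand-in for the SSPI's own result type.
    enum Decision { PERMIT, DENY, ABSTAIN }
    interface AuthorizationProvider { Decision isAccessAllowed(Request req, Set<String> roles); }
    // Role-mapping policies (constructed sample data). Evaluated at authorization time, so a rule may
    // depend on context: here the Trader role exists only during trading hours.
    static final Map<String, BiPredicate<Subject, Request>> ROLE_POLICIES = Map.of(
            "Trader",  (s, r) -> inGroup(s, "trading") && r.hourOfDay() >= 8 && r.hourOfDay() < 18,
            "Auditor", (s, r) -> inGroup(s, "audit"));
    // Resource policies as an administrator's policy tool would store them: resource:action -> roles allowed.
    static final Map<String, Set<String>> RESOURCE_POLICIES = Map.of(
            "ejb:TradeBook:execute", Set.of("Trader"),
            "ejb:TradeBook:read",    Set.of("Trader", "Auditor"));
    static final Set<String> SUSPENDED_USERS = Set.of("mallory");   // known only to the second plug-in
    static boolean inGroup(Subject s, String group) {
        return s.getPrincipals(GroupPrincipal.class).stream().anyMatch(g -> g.name().equals(group));
    }
    static String userOf(Subject s) {
        return s.getPrincipals(UserPrincipal.class).stream().map(UserPrincipal::name).findFirst().orElse("<anonymous>");
    }

    // Authentication stand-in: a successful login yields a read-only Subject carrying user and group principals.
    static Subject login(String user, String... groups) {
        Subject s = new Subject();
        s.getPrincipals().add(new UserPrincipal(user));
        for (String g : groups) s.getPrincipals().add(new GroupPrincipal(g));
        s.setReadOnly();
        return s;
    }

    // Role mapping: roles are computed per request from policy, never stored on the user.
    static Set<String> mapRoles(Request req) {
        Set<String> roles = new TreeSet<>();
        ROLE_POLICIES.forEach((role, rule) -> { if (rule.test(req.subject(), req)) roles.add(role); });
        return roles;
    }

    // Authorization plug-in 1: role-based resource policy; ABSTAIN when no policy covers the resource.
    static final AuthorizationProvider rolePolicyProvider = (req, roles) -> {
        Set<String> allowed = RESOURCE_POLICIES.get(req.resource() + ":" + req.action());
        if (allowed == null) return Decision.ABSTAIN;
        return Collections.disjoint(allowed, roles) ? Decision.DENY : Decision.PERMIT;
    };
    // Authorization plug-in 2: models a third-party product that vetoes suspended users and otherwise abstains.
    static final AuthorizationProvider suspensionProvider = (req, roles) ->
            SUSPENDED_USERS.contains(userOf(req.subject())) ? Decision.DENY : Decision.ABSTAIN;

    // Adjudicator: any DENY wins; otherwise at least one PERMIT is needed, so all-ABSTAIN fails closed.
    static boolean adjudicate(List<Decision> votes) {
        return !votes.contains(Decision.DENY) && votes.contains(Decision.PERMIT);
    }

    // The framework's delegation path: map roles, consult every provider, adjudicate, audit the outcome.
    static boolean authorize(Request req) {
        Set<String> roles = mapRoles(req);
        List<Decision> votes = new ArrayList<>();
        for (AuthorizationProvider p : List.of(rolePolicyProvider, suspensionProvider)) votes.add(p.isAccessAllowed(req, roles));
        boolean granted = adjudicate(votes);
        System.out.printf("AUDIT user=%s resource=%s action=%s hour=%02d roles=%s votes=%s result=%s%n",
                userOf(req.subject()), req.resource(), req.action(), req.hourOfDay(), roles, votes, granted ? "PERMIT" : "DENY");
        return granted;
    }

    public static void main(String[] args) {
        Subject alice = login("alice", "trading");
        authorize(new Request(alice, "ejb:TradeBook", "execute", 10));  // during trading hours
        authorize(new Request(alice, "ejb:TradeBook", "execute", 22));  // same user after hours: Trader is not mapped
        Subject mallory = login("mallory", "trading", "audit");
        authorize(new Request(mallory, "ejb:TradeBook", "read", 10));   // role policy permits, suspension plug-in vetoes
        authorize(new Request(alice, "jms:Orders", "send", 10));         // resource with no policy: every provider abstains
    }
}
```

Changing who may execute a trade, or when, touches only the two policy tables; the application code in `authorize` and the callers never change, which is the separation the article argues for.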

*  *  *

Next month, I'll look at more of the details of the security functionality provided by WebLogic Server 7.0.

About the Authors

Vadim Rosenberg is the product marketing manager for BEA WebLogic Server. Before joining BEA two years ago, Vadim had spent 13 years in business software engineering, most recently at Compaq Computers (Tandem Division) developing a fault-tolerant and highly scalable J2EE framework.

As chief security architect for BEA Systems, Paul Patrick is responsible for the overall security product strategy at BEA. He plays a key role in driving the design and implementation of security functionality across all of BEA's products, and is the architect for BEA's new enterprise security infrastructure product, WebLogic Enterprise Security. Prior to becoming chief security architect, Paul was the lead architect of BEA's ObjectBroker CORBA ORB and co-architect of WebLogic Enterprise (now Tuxedo). He is also the author of several patent applications as well as industry publications and a book on CORBA.
