WebLogic Security provides a comprehensive security architecture for securing WebLogic Server applications. It includes features such as authentication, authorization, auditing, identity assertion, and supports standards like SAML, JAAS, and WS-Security. The security service can be used standalone or as part of an enterprise security solution. It aims to balance ease of use with customizability and provides both default and customizable security providers.
A straight-forward explanation with an example of how JSR-88 aka Deployment Plans can be used in WebLogic Server to make changes to values in deployment descriptors without modifying application archives.
WebLogic Server Work Managers and Overload ProtectionJames Bayer
A tour of the WebLogic Server work manager and self-tuning thread pool features that automatically adjust to changing workloads and protect the server from overload conditions.
A straight-forward explanation with an example of how JSR-88 aka Deployment Plans can be used in WebLogic Server to make changes to values in deployment descriptors without modifying application archives.
WebLogic Server Work Managers and Overload ProtectionJames Bayer
A tour of the WebLogic Server work manager and self-tuning thread pool features that automatically adjust to changing workloads and protect the server from overload conditions.
To learn the architecture of WebLogic Server especially in terms of machines, domains and
servers.
• Installation and Configuration of WebLogic Server.
• Handling routine Administration tasks.
• Performing Backups and recovery.
• Monitoring server with GUI and command line tools.
• Setting up a cluster and distributing the resources to the cluster.
• To configure Oracle HTTP Server as the Web-tier front end for WebLogic Server instances and
clusters.
• Deploying and managing JavaEE applications/ large-scale Java EE applications throughout the
development and production life cycle.
• Configuring resource and application security
Have you ever used Oracle WebLogic Server? If the answer is no, this presentation is for you. We explain core WebLogic Server concepts and perform a live walkthrough of the console covering core administration areas that include managed servers, JVM servers, JMS resources, logs, data sources, application deployments, and more.
In order to optimize server performance for whatsoever reason, you need to start by monitoring the server. In most cases, before server monitoring commences, it is common practice to establish baseline performance metrics for the specific server.
HTTP Session Replication with Oracle Coherence, GlassFish, WebLogicOracle
In this talk we will cover the integration of Coherence and Application Servers like Oracle WebLogic and Oracle GlassFish Server, and touch on the native capabilities of each server for HTTP session state management as well. The integration makes it simpler to access Coherence named caches through resource injection. It also provides an optimized integration of Coherence*Web for HTTP session state management. From a management perspective, it offers Coherence cluster configuration support through the WLS administration domain as well as Runtime monitoring support through the WebLogic console.
Tuning and optimizing webcenter spaces application white paperVinay Kumar
This white paper focuses on Oracle WebCenter Spaces performance problem and analysis after post production deployment. We will tune JVM ( JRocket). Webcenter Portal, Webcenter content and ADF task flow.
Thi presentation is about -
SSL Concepts,
Configure SSL between IHS and WAS,
The ikeyman tool,
For more details visit -
http://vibranttechnologies.co.in/websphere-classes-in-mumbai.html
Azure Meetup: Keep your secrets and configurations safe in azure!dotnetcode
Le nostre applicazioni hanno di tutto nei loro file di configurazione: stringhe di connessione, chiavi di accesso ai servizi e informazioni sensibili si trovano, in chiaro, scritti in file accessibili da chiunque. Ogni applicazione, inoltre, ha il suo file di configurazione dove vengono duplicate informazioni che sono sempre le stesse.Sarà il modo corretto di conservare i segreti?
Come faccio a sapere chi e quando accede alle informazioni sensibili e come posso centralizzare le configurazioni comuni?
Azure Key Vault e Azure App Configuration possono essere la soluzione ai nostri problemi. In questo meetup vedremo quali strumenti e funzionalità ci forniscono per mettere in sicurezza le informazioni sensibili di configurazione delle nostre applicazioni…..e non solo!!!
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
Security in applications is a never-ending story. Most of the knowledge about how to build secure applications is derived from knowledge and experience. And we've all done the same mistakes every Java EE developer does over and over again. But how to solve the real business requirements behind access and authorization with Java EE? Can I have a 15k rights matrix? Does that perform? How to secure the transport layer? How does session binding works? Can I implement 2-Factor-Authentication? And what about social integrations? This talk outlines the key capabilities of the Java EE platform and introduces the audience to additional frameworks and concepts which do help by implementing all kinds of security requirements in Java EE based applications.
To learn the architecture of WebLogic Server especially in terms of machines, domains and
servers.
• Installation and Configuration of WebLogic Server.
• Handling routine Administration tasks.
• Performing Backups and recovery.
• Monitoring server with GUI and command line tools.
• Setting up a cluster and distributing the resources to the cluster.
• To configure Oracle HTTP Server as the Web-tier front end for WebLogic Server instances and
clusters.
• Deploying and managing JavaEE applications/ large-scale Java EE applications throughout the
development and production life cycle.
• Configuring resource and application security
Have you ever used Oracle WebLogic Server? If the answer is no, this presentation is for you. We explain core WebLogic Server concepts and perform a live walkthrough of the console covering core administration areas that include managed servers, JVM servers, JMS resources, logs, data sources, application deployments, and more.
In order to optimize server performance for whatsoever reason, you need to start by monitoring the server. In most cases, before server monitoring commences, it is common practice to establish baseline performance metrics for the specific server.
HTTP Session Replication with Oracle Coherence, GlassFish, WebLogicOracle
In this talk we will cover the integration of Coherence and Application Servers like Oracle WebLogic and Oracle GlassFish Server, and touch on the native capabilities of each server for HTTP session state management as well. The integration makes it simpler to access Coherence named caches through resource injection. It also provides an optimized integration of Coherence*Web for HTTP session state management. From a management perspective, it offers Coherence cluster configuration support through the WLS administration domain as well as Runtime monitoring support through the WebLogic console.
Tuning and optimizing webcenter spaces application white paperVinay Kumar
This white paper focuses on Oracle WebCenter Spaces performance problem and analysis after post production deployment. We will tune JVM ( JRocket). Webcenter Portal, Webcenter content and ADF task flow.
Thi presentation is about -
SSL Concepts,
Configure SSL between IHS and WAS,
The ikeyman tool,
For more details visit -
http://vibranttechnologies.co.in/websphere-classes-in-mumbai.html
Azure Meetup: Keep your secrets and configurations safe in azure!dotnetcode
Le nostre applicazioni hanno di tutto nei loro file di configurazione: stringhe di connessione, chiavi di accesso ai servizi e informazioni sensibili si trovano, in chiaro, scritti in file accessibili da chiunque. Ogni applicazione, inoltre, ha il suo file di configurazione dove vengono duplicate informazioni che sono sempre le stesse.Sarà il modo corretto di conservare i segreti?
Come faccio a sapere chi e quando accede alle informazioni sensibili e come posso centralizzare le configurazioni comuni?
Azure Key Vault e Azure App Configuration possono essere la soluzione ai nostri problemi. In questo meetup vedremo quali strumenti e funzionalità ci forniscono per mettere in sicurezza le informazioni sensibili di configurazione delle nostre applicazioni…..e non solo!!!
THEFT-PROOF JAVA EE - SECURING YOUR JAVA EE APPLICATIONSMarkus Eisele
Security in applications is a never-ending story. Most of the knowledge about how to build secure applications is derived from knowledge and experience. And we've all done the same mistakes every Java EE developer does over and over again. But how to solve the real business requirements behind access and authorization with Java EE? Can I have a 15k rights matrix? Does that perform? How to secure the transport layer? How does session binding works? Can I implement 2-Factor-Authentication? And what about social integrations? This talk outlines the key capabilities of the Java EE platform and introduces the audience to additional frameworks and concepts which do help by implementing all kinds of security requirements in Java EE based applications.
Framework adoption for java enterprise application developmentClarence Ho
Java enterprise framework description and comparison.
Experience sharing on a project done, include the architect design, challenges and lesson learn.
Some thoughts on choosing framework and how to cope with the rapid change of technology.
Discuss four pillars of azure architecture - Security, Performance & scalability, Availability & recoverability and Efficiency & Operation. Things you need to consider before architecting in the cloud. This presentation also provides a framework for architectural decisions
Enterprise DevOps is different then DevOps in startups and smaller companies. This session how AWS/CSC address this. How AWS IaaS level automation via CloudFormation, UserData, Console, APIS and some PaaS OpsWorks/Beanstalk is complimented by CSC Agility Platform. CSC Agility adds application compliance and security to the AWS infrastructure compliance and security. CSC Agility allows for the creation of architecture blueprints for predefined application offerings.
Fine Grained Authorization: Technical Insights for Using Oracle Entitlements ...Subbu Devulapalli
This document is Oracle Entitlements Server (OES) technical white paper. It gives an overview of OES product and how it applies to Fine Grained Authorization and Access Control.
Visit my Blog (http://finegrainedauthorization.blogspot.com/) to stay in touch with cool stuff happening in area of Identity Management/Authorization and OES. You can find more information at OES Product Page (http://www.oracle.com/technetwork/middleware/oes/overview/index.html)
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Innovating Inference - Remote Triggering of Large Language Models on HPC Clus...Globus
Large Language Models (LLMs) are currently the center of attention in the tech world, particularly for their potential to advance research. In this presentation, we'll explore a straightforward and effective method for quickly initiating inference runs on supercomputers using the vLLM tool with Globus Compute, specifically on the Polaris system at ALCF. We'll begin by briefly discussing the popularity and applications of LLMs in various fields. Following this, we will introduce the vLLM tool, and explain how it integrates with Globus Compute to efficiently manage LLM operations on Polaris. Attendees will learn the practical aspects of setting up and remotely triggering LLMs from local machines, focusing on ease of use and efficiency. This talk is ideal for researchers and practitioners looking to leverage the power of LLMs in their work, offering a clear guide to harnessing supercomputing resources for quick and effective LLM inference.
Understanding Globus Data Transfers with NetSageGlobus
NetSage is an open privacy-aware network measurement, analysis, and visualization service designed to help end-users visualize and reason about large data transfers. NetSage traditionally has used a combination of passive measurements, including SNMP and flow data, as well as active measurements, mainly perfSONAR, to provide longitudinal network performance data visualization. It has been deployed by dozens of networks world wide, and is supported domestically by the Engagement and Performance Operations Center (EPOC), NSF #2328479. We have recently expanded the NetSage data sources to include logs for Globus data transfers, following the same privacy-preserving approach as for Flow data. Using the logs for the Texas Advanced Computing Center (TACC) as an example, this talk will walk through several different example use cases that NetSage can answer, including: Who is using Globus to share data with my institution, and what kind of performance are they able to achieve? How many transfers has Globus supported for us? Which sites are we sharing the most data with, and how is that changing over time? How is my site using Globus to move data internally, and what kind of performance do we see for those transfers? What percentage of data transfers at my institution used Globus, and how did the overall data transfer performance compare to the Globus users?
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Your Digital Assistant.
Making complex approach simple. Straightforward process saves time. No more waiting to connect with people that matter to you. Safety first is not a cliché - Securely protect information in cloud storage to prevent any third party from accessing data.
Would you rather make your visitors feel burdened by making them wait? Or choose VizMan for a stress-free experience? VizMan is an automated visitor management system that works for any industries not limited to factories, societies, government institutes, and warehouses. A new age contactless way of logging information of visitors, employees, packages, and vehicles. VizMan is a digital logbook so it deters unnecessary use of paper or space since there is no requirement of bundles of registers that is left to collect dust in a corner of a room. Visitor’s essential details, helps in scheduling meetings for visitors and employees, and assists in supervising the attendance of the employees. With VizMan, visitors don’t need to wait for hours in long queues. VizMan handles visitors with the value they deserve because we know time is important to you.
Feasible Features
One Subscription, Four Modules – Admin, Employee, Receptionist, and Gatekeeper ensures confidentiality and prevents data from being manipulated
User Friendly – can be easily used on Android, iOS, and Web Interface
Multiple Accessibility – Log in through any device from any place at any time
One app for all industries – a Visitor Management System that works for any organisation.
Stress-free Sign-up
Visitor is registered and checked-in by the Receptionist
Host gets a notification, where they opt to Approve the meeting
Host notifies the Receptionist of the end of the meeting
Visitor is checked-out by the Receptionist
Host enters notes and remarks of the meeting
Customizable Components
Scheduling Meetings – Host can invite visitors for meetings and also approve, reject and reschedule meetings
Single/Bulk invites – Invitations can be sent individually to a visitor or collectively to many visitors
VIP Visitors – Additional security of data for VIP visitors to avoid misuse of information
Courier Management – Keeps a check on deliveries like commodities being delivered in and out of establishments
Alerts & Notifications – Get notified on SMS, email, and application
Parking Management – Manage availability of parking space
Individual log-in – Every user has their own log-in id
Visitor/Meeting Analytics – Evaluate notes and remarks of the meeting stored in the system
Visitor Management System is a secure and user friendly database manager that records, filters, tracks the visitors to your organization.
"Secure Your Premises with VizMan (VMS) – Get It Now"
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Why React Native as a Strategic Advantage for Startup Innovation.pdfayushiqss
Do you know that React Native is being increasingly adopted by startups as well as big companies in the mobile app development industry? Big names like Facebook, Instagram, and Pinterest have already integrated this robust open-source framework.
In fact, according to a report by Statista, the number of React Native developers has been steadily increasing over the years, reaching an estimated 1.9 million by the end of 2024. This means that the demand for this framework in the job market has been growing making it a valuable skill.
But what makes React Native so popular for mobile application development? It offers excellent cross-platform capabilities among other benefits. This way, with React Native, developers can write code once and run it on both iOS and Android devices thus saving time and resources leading to shorter development cycles hence faster time-to-market for your app.
Let’s take the example of a startup, which wanted to release their app on both iOS and Android at once. Through the use of React Native they managed to create an app and bring it into the market within a very short period. This helped them gain an advantage over their competitors because they had access to a large user base who were able to generate revenue quickly for them.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
2. Overview of Weblogic Security
• ··Introduction to the WebLogic Security Service
• ··Features of the WebLogic Security Service
• ··Oracle Platform Security Services (OPSS)
• ··Balancing Ease of Use and Customizability
• ··New and Changed Features in This Release
3. Introduction to the WebLogic
Security Service
● Deploying, managing, and maintaining security is a huge challenge for an
information technology (IT) organization that is providing new and expanded
services to customers using the Web. To serve a worldwide network of Web-based
users, an IT organization must address the fundamental issues of maintaining the
confidentiality, integrity and availability of the system and its data. Challenges to
security involve every component of the system, from the network itself to the
individual client machines. Security across the infrastructure is a complex business
that requires vigilance as well as established and well-communicated security
policies and procedures.
● WebLogic Server includes a security architecture that provides a unique and secure
foundation for applications that are available via the Web. By taking advantage of
the security features in WebLogic Server, enterprises benefit from a comprehensive,
flexible security infrastructure designed to address the security challenges of making
applications available on the Web. WebLogic security can be used standalone to
secure WebLogic Server applications or as part of an enterprise-wide, security
management system that represents a best-in-breed, security management solution.
4. Features of the WebLogic Security
Service
● A comprehensive and standards-based design.
● End-to-end security for WebLogic Server-hosted applications, from the mainframe
to the Web browser.
● Legacy security schemes that integrate with WebLogic Server security, allowing
companies to leverage existing investments.
● Security tools that are integrated into a flexible, unified system to ease security
management across the enterprise.
● Easy customization of application security to business requirements through
mapping of company business rules to security policies.
● A consistent model for applying security policies to Java EE and application-defined
resources.
● Easy updates to security policies. This release includes usability enhancements to
the process of creating security policies as well as additional expressions that
control access to WebLogic resources.
● Easy adaptability for customized security solutions.
5. Features of the WebLogic Security
Service
● A modularized architecture, so that security infrastructures can change over time to
meet the requirements of a particular company.
● Support for configuring multiple security providers, as part of a transition scheme or
upgrade path.
● A separation between security details and application infrastructure, making security
easier to deploy, manage, maintain, and modify as requirements change.
● Default WebLogic security providers that provide you with a working security
scheme out of the box. This release supports additional authentication stores such as
databases, and gives the option to configure an external RDBMS system as a
datastore to be used by select security providers.
● Customization of security schemes using custom security providers
● Unified management of security rules, security policies, and security providers
through the WebLogic Server Administration Console.
6. Features of the WebLogic Security
Service
• Support for standard Java EE security technologies such as the Java
Authentication and Authorization Service (JAAS), Java Secure Sockets
Extensions (JSSE), Java Cryptography Extensions (JCE), and Java
Authorization Contract for Containers (JACC).
• A foundation for Web services security including support for Security
Assertion Markup Language (SAML) 1.1 and 2.0.
• Capabilities which allow WebLogic Server to participate in single sign-on
(SSO) with web sites, web applications, and desktop clients.
• A framework for managing public keys which includes certificate lookup,
verification, validation, and revocation as well as a certificate registry.
7. Oracle Platform Security Services
(OPSS)
● Oracle Platform Security Services (OPSS) provides enterprise product
development teams, systems integrators (SIs), and independent
software vendors (ISVs) with a standards-based, portable, integrated,
enterprise-grade security framework for Java Standard Edition (Java
SE) and Java Enterprise Edition (Java EE) applications.
● OPSS provides an abstraction layer in the form of standards-based
application programming interfaces (APIs) that insulates developers
from security and identity management implementation details. With
OPSS, developers don't need to know the details of cryptographic key
management or interfaces with user repositories and other identity
management infrastructures. With OPSS, in-house developed
applications, third-party applications, and integrated applications all
benefit from the same uniform security, identity management, and
audit services across the enterprise. OPSS is available as part of
WebLogic Server.
8. Balancing Ease of Use and
Customizability
● Easy to use: WebLogic Server provides a Domain Configuration Wizard to help
with the creation of new domains with an administration server, managed servers,
and optionally, a cluster, or with extending existing domains by adding individual
severs. The Domain Configuration Wizard also automatically generates a
config.xml file and start scripts for the servers you choose to add to the new domain.
● Manageable: Administrators who configure and deploy applications in the
WebLogic Server environment can use the WebLogic security providers included
with the product. These default providers support all required security functions, out
of the box. An administrator can store security data in the WebLogic Server-
supplied, security store (an embedded, special-purpose, LDAP directory server) or
use an external LDAP server, database, or user source. To simplify the
configuration and management of security in WebLogic Server, a robust, default
security configuration is provided.
● Customizable: For application developers, WebLogic Server supports the WebLogic
security API and Java EE security standards such as JAAS, JSS, JCE, and JACC.
Using these APIs and standards, you can create a fine-grained and customized
security environment for applications that connect to WebLogic Server.
10. Auditing
● Auditing is the process whereby information about operating requests and
the outcome of those requests are collected, stored, and distributed for the
purposes of non-repudiation. In other words, auditing provides an electronic
trail of computer activity. In the WebLogic Server security architecture, an
Auditing provider is used to provide auditing services.
● If configured, the WebLogic Security Framework will call through to an
Auditing provider before and after security operations (such as
authentication or authorization) have been performed, when changes to the
domain configuration are made, or when management operations on any
resources in the domain are invoked. The decision to audit a particular event
is made by the Auditing provider itself and can be based on specific audit
criteria and/or severity levels. The records containing the audit information
may be written to output repositories such as an LDAP server, database, and
a simple file.
11. Authentication
Authentication is the mechanism by which callers prove that they are acting on
behalf of specific users or systems. Authentication answers the question, "Who
are you?" using credentials such as username/password combinations.
In WebLogic Server, Authentication providers are used to prove the identity of
users or system processes. Authentication providers also remember, transport,
and make identity information available to various components of a system (via
subjects) when needed. During the authentication process, a Principal Validation
provider provides additional security protections for the principals (users and
groups) contained within the subject by signing and verifying the authenticity of
those principals.
12. Authentication
– Subjects and Principals
Subjects and principals are closely related.
A principal is an identity assigned to a user or group as a result of authentication.
Both users and groups can be used as principals by application servers such as
WebLogic Server. The Java Authentication and Authorization Service (JAAS)
requires that subjects be used as containers for authentication information,
including principals.
As part of a successful authentication, principals are signed and stored in a
subject for future use. A Principal Validation provider signs principals, and an
Authentication provider's LoginModule actually stores the principals in the
subject. Later, when a caller attempts to access a principal stored within a
subject, a Principal Validation provider verifies that the principal has not been
altered since it was signed, and the principal is returned to the caller (assuming
all other security conditions are met).
Any principal that is going to represent a WebLogic Server user or group needs
to implement the WLSUser and WLSGroup interfaces, which are available in
13. Authentication
– Java Authentication and Authorization Service
(JAAS)
Whether the client is an application, applet, Enterprise JavaBean (EJB), or servlet that
requires authentication, WebLogic Server uses the Java Authentication and
Authorization Service (JAAS) classes to reliably and securely authenticate to the client.
JAAS implements a Java version of the Pluggable Authentication Module (PAM)
framework, which permits applications to remain independent from underlying
authentication technologies. Therefore, the PAM framework allows the use of new or
updated authentication technologies without requiring modifications to your application.
WebLogic Server uses JAAS for remote fat-client authentication, and internally for
authentication. Therefore, only developers of custom Authentication providers and
developers of remote fat client applications need to be involved with JAAS directly.
Users of thin clients or developers of within-container fat client applications (for
example, those calling an Enterprise JavaBean (EJB) from a servlet) do not require the
direct use or knowledge of JAAS.
14. Authentication
– CallbackHandlers
● A CallbackHandler is a highly-flexible JAAS standard that allows a variable number of arguments to be
passed as complex objects to a method. There are three types of CallbackHandlers: NameCallback,
PasswordCallback, and TextInputCallback, all of which are part of the
javax.security.auth.callback package. The NameCallback and PasswordCallback
return the username and password, respectively. TextInputCallback can be used to access the data
users enter into any additional fields on a login form (that is, fields other than those for obtaining the
username and password). When used, there should be one TextInputCallback per additional form
field, and the prompt string of each TextInputCallback must match the field name in the form.
WebLogic Server only uses the TextInputCallback for form-based Web application login.
● An application implements a CallbackHandler and passes it to underlying security services so that
they may interact with the application to retrieve specific authentication data, such as usernames and
passwords, or to display certain information, such as error and warning messages.
● CallbackHandlers are implemented in an application-dependent fashion. For example,
implementations for an application with a graphical user interface (GUI) may pop up windows to prompt
for requested information or to display error messages. An implementation may also choose to obtain
requested information from an alternate source without asking the user.
● Underlying security services make requests for different types of information by passing individual
Callbacks to the CallbackHandler. The CallbackHandler implementation decides how to
retrieve and display information depending on the Callbacks passed to it. For example, if the
underlying service needs a username and password to authenticate a user, it uses a NameCallback and
PasswordCallback. The CallbackHandler can then choose to prompt for a username and
15. Authentication
– Mutual Authentication
With mutual authentication, both the client and the
server are required to authenticate themselves to each
other. This can be done by means of certificates or
other forms of proof material. WebLogic Server
supports two-way SSL authentication, which is a form
of mutual authentication. However, by strict definition,
mutual authentication takes place at higher layers in
the protocol stack then does SSL authentication.
16. Authentication
– Servlet Authentication Filters
As defined by the Java Servlet API 2.3 specification, filters are objects that can modify a request
or response. Filters are preprocessors of the request before it reaches the servlet, and/or
postprocessors of the response leaving the servlet. Filters provide the ability to encapsulate
recurring tasks in reusable units.
Filters can be used as a substitute for container-based authentication but there are some drawbacks
to this design:
• As specified by the Java Servlet API 2.3 specification, filters are run after authentication and
authorization. If filters are used for authentication, they must also be used for authorization
thereby preventing container-managed authorization from being used. Most use cases that require
extensions to the authentication process in the Servlet container do not require extensions to the
authorization process. Having to implement the authorization process in a filter is awkward, time
consuming, and error-prone.
• J2EE filters are defined per Web application. Code for a filter must reside in the WAR file
for the Web application and the configuration must be defined in the web.xml file. An
authentication mechanism is typically determined by the system administrator after an application
is written (not by the programmer who created the WAR file). The mechanism can be changed
during the lifetime of an application, and is desired for all (or at least most) applications in a site.
17. Authentication
– Identity Assertion Providers and LoginModules
When used with a LoginModule, Identity Assertion providers support single sign-on.
For example, an Identity Assertion provider can process a SAML assertion so that users
are not asked to sign on more than once.
The LoginModule that an Identity Assertion provider uses can be:
• Part of a custom Authentication provider you develop.
• Part of the WebLogic Authentication provider that Oracle developed and packaged
with WebLogic Server.
• Part of a third-party security vendor's Authentication provider.
Unlike in a simple authentication situation, the LoginModules that Identity Assertion
providers use do not verify proof material such as usernames and passwords; they
simply verify that the user exists.
18. Authentication
– Identity Assertion and Tokens
Identity Assertion providers support user name mappers, which map a
valid token to a WebLogic Server user. You develop Identity Assertion
providers to support the specific types of tokens that you will be using to
assert the identities of users or system processes. You can develop an
Identity Assertion provider to support multiple token types, but the
WebLogic Server administrator must configure the Identity Assertion
provider so that it validates only one "active" token type. While you can
have multiple Identity Assertion providers in a security realm with the
ability to validate the same token type, only one Identity Assertion
provider can actually perform this validation.
19. Authentication
– Challenge Identity Assertion
Challenge identity assertion schemes provide for
multiple challenges, responses messages, and state. A
WebLogic Server security realm can include security
providers that support authentication protocols such as
Microsoft's Windows NT Challenge/Response
(NTLM), Simple and Protected GSS-API Negotiation
Mechanism (SPNEGO), and other challenge/response
authentication mechanisms. WebLogic Server includes
a SPNEGO security provider, named the Negotiate
Identity Assertion provider. You can develop and
deploy security providers that implement NTLM or
other challenge/response authentication mechanisms.
20. Authentication
– Servlet Authentication Filters
As defined by the Java Servlet API 2.3 specification, filters are objects that can modify a
request or response. Filters are preprocessors of the request before it reaches the servlet,
and/or postprocessors of the response leaving the servlet. Filters provide the ability to
encapsulate recurring tasks in reusable units.
Filters can be used as a substitute for container-based authentication but there are some
drawbacks to this design:
• As specified by the Java Servlet API 2.3 specification, filters are run after
authentication and authorization. If filters are used for authentication, they must also be
used for authorization thereby preventing container-managed authorization from being
used. Most use cases that require extensions to the authentication process in the Servlet
container do not require extensions to the authorization process. Having to implement
the authorization process in a filter is awkward, time consuming, and error-prone.
• J2EE filters are defined per Web application. Code for a filter must reside in the
WAR file for the Web application and the configuration must be defined in the
web.xml file. An authentication mechanism is typically determined by the system
administrator after an application is written (not by the programmer who created the
WAR file). The mechanism can be changed during the lifetime of an application, and is
21. SAML
Security Assertion Markup Language (SAML)
The SAML standard defines a common XML framework for creating, requesting, and
exchanging security assertions between software entities on the Web. This framework
specifies how SAML assertions and protocols may be used to provide the following:
• Browser-based single sign-on (SSO) between online business partners
• The exchange of identity information in web services security
22. SAML
Security Assertion Markup Language (SAML)
SAML was developed by the Organization for the Advancement of Structured
Information Standards (OASIS), and this release of WebLogic Server includes broad
support for SAML 1.1 and 2.0, including support for the following:
• SAML Web SSO profile
The SAML Web SSO profile specifies how SAML assertions and protocols should be
used to provide browser-based single sign-on between an Identity Provider (a producer
of assertions) and a Service Provider (a consumer of assertions).
In the SAML 2.0 Web SSO profile, a web user either invokes a resource hosted by a
Service Provider site, or accesses an Identity Provider site in a way that results in an
invocation on a resource hosted by the Service Provider. In either case, the web user is
authenticated by the Identity Provider, which in turn generates an assertion on behalf of
that user that contains information about the user's identity. The Identity Provider sends
the assertion to the Service Provider, which consumes the assertion by extracting
identity information about the user that is mapped to a Subject in the local security
realm.
23. SAML
Security Assertion Markup Language (SAML)
• Web Services Security (WS-Security) SAML Token profile 1.1
The SAML Token profile is part of the core set of WS-Security standards, and specifies
how SAML assertions can be used for Web services security. WebLogic Server supports
SAML Token Profile 1.1, including support for SAML 2.0 and SAML 1.1 assertions.
SAML Token Profile 1.1 is backwards compatible with SAML Token Profile 1.0.
24. Single Siggn On (SSO)
Single Sign-On is the ability to require a user to sign
on to an application only once and gain access to many
different application components, even though these
components may have their own authentication
schemes. Single sign-on enables users to login securely
to all their applications, web sites and mainframe
sessions with just one identity. WebLogic Server
provides single sign-on (SSO) with the following
environments:
• ··Web Browsers and HTTP Clients via SAML
• ··Desktop Clients
25. Authorization
Authorization is the process whereby the interactions between users and WebLogic
resources are controlled, based on user identity or other information. In other words,
authorization answers the question, "What can you access?" In WebLogic Server, an
Authorization provider is used to limit the interactions between users and WebLogic
resources to ensure integrity, confidentiality, and availability.
The following sections describe authorization concepts and functionality:
• ··WebLogic Resources
• ··Security Policies
• ··ContextHandlers
• ··Access Decisions
• ··Adjudication
• ··Java Authorization Contract for Containers (JACC)
26. Identity and Trust
Private keys, digital certificates, and trusted certificate authority certificates establish
and verify identity and trust in the WebLogic Server environment.
The public key is embedded into a digital certificate. A private key and digital certificate
provide identity. The trusted certificate authority (CA) certificate establishes trust for a
certificate. Certificates and certificate chains need to be validated before a trust
relationship is established.
This topic details the concepts associated with identity and trust. For more information,
see:
• ··Private Keys
• ··Digital Certificates
• ··Certificate Authorities
• ··Certificate Lookup and Validation
27. Secure Sockets Layer(SSL)
WebLogic Server fully supports SSL communication,
which enables secure communication between
applications connected through the Web. This release
of WebLogic Server includes support for using the
Java Secure Socket Extension (JSSE) as the SSL stack
for the following:
• Incoming SSL connections.
• Outgoing SSL connections that use the WebLogic
SSL APIs (it has always been possible for applications
to call JSSE directly for outbound SSL connections).
28. Firewall
A firewall limits traffic between two networks. Firewalls can be a combination of software and
hardware, including routers and dedicated gateway machines. They employ filters that allow or
disallow traffic to pass based on the protocol, the service requested, routing information, and the
origin and destination hosts or networks. They may also allow access for authenticated users.
You can use the following features in WebLogic Server in conjunction with firewalls:
• ··Connection Filters
• ··Perimeter Authentication
29. Java EE and Weblogic Security
For implementation and use of user authentication and authorization, WebLogic Server
utilizes the security services of the JDK version 6.0. Like the other Java EE components,
the security services are based on standardized, modular components. WebLogic Server
implements these Java security service methods according to the standard, and adds
extensions that handle many details of application behavior automatically, without
requiring additional programming.
WebLogic Server's support for Java EE 6.0 security means that application developers
can take advantage of Sun Microsystems' latest enhancements and developments in the
area of security, thus leveraging a company's investment in Java programming expertise.
By following the defined and documented Java standard, WebLogic Server's security
support has a common baseline for Java developers. The innovations that WebLogic
Server provides rest on the baseline support for J2SE 5.0.
The following topics are discussed in this section:
• ··Java EE 6.0 Security Packages
• ··Common Secure Interoperability Version 2 (CSIv2)