dcsimg

Is there a simple example of how to use web application security in WebLogic?

Created May 7, 2012

Robert Castaneda

Following is an example for WebLogic 6.x that protects all URLs that begin with /secure:

WEB-INF/web.xml - Define a constraint and a role

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">

<web-app>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>SecurePages</web-resource-name>
			<description>Security constraint for resources in the secure directory</description>
			<url-pattern>/secure/*</url-pattern>
			<http-method>POST</http-method>
			<http-method>GET</http-method>
		</web-resource-collection>

		<auth-constraint>
			<description>only let the admin role access the pages </description>
			<role-name>admin</role-name>
		</auth-constraint>

		<user-data-constraint>
			<description>SSL not required</description>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>


    	<login-config>
    		<auth-method>BASIC</auth-method>
    		    
	<security-role>
	    <description>A role to access the secured pages</description>
	    <role-name>admin</role-name>
 	</security-role>
</web-app>

WEB-INF/weblogic.xml - Map the admin role to the system user in WebLogic.

<!DOCTYPE weblogic-web-app PUBLIC "-//BEA Systems, Inc.//DTD Web Application 6.0//EN" "http://www.bea.com/servers/wls600/dtd/weblogic-web-jar.dtd">

<weblogic-web-app>

  <security-role-assignment>
	<role-name>admin</role-name>
	<principal-name>system</principal-name>
  </security-role-assignment>


</weblogic-web-app>