Java Management Extensions (JMX) clients are used to both update the Oracle WebLogic Server configuration and monitor the running Oracle WebLogic Server domain. Oracle WebLogic Server provides a variety of configuration options and APIs to allow you to ensure security for your JMX operations.
In this article, I will explore the various security features of Oracle WebLogic Server, concentrating on how these features can be used with JMX. This includes
* An overview of how authorization and auditing are performed for JMX requests, including a description of default policies and Java 2 Platform, Standard Edition (J2SE) security interaction
* A set of simple use cases that demonstrate how you customize security for JMX MBeans
* Links to reference materials for more information
With these use cases, I will demonstrate
* How to configure the system to use the Oracle WebLogic Server security service for JMX MBean authorization
* How to enable configuration auditing
* How to add your own custom policies for JMX MBean authorization
* How to write your own security providers to further customize authorization and auditing for JMX MBeans
Oracle WebLogic Server Security Features
The tasks outlined above require using the following Oracle WebLogic Server features:
* Oracle WebLogic Server security service
* Oracle WebLogic Server auditing security provider
* Oracle WebLogic Server authorization security provider
* Configuration auditing
* JMXResource auditing
For more information on these features, refer to the Understanding Security for Oracle WebLogic Server documentation. Brief definitions from that documentation are included below:
The Oracle WebLogic Server security service is a comprehensive infrastructure that provides end-to-end security for Oracle WebLogic Server applications. The Oracle WebLogic Server security service is a framework for security providers that provides authentication, role mapping, authorization, credential mapping, certificate support, and auditing. Default Oracle WebLogic Server security providers allow for a working security implementation out of the box, but customers can also use third-party or custom providers that implement the security service provider interfaces and replace the Oracle WebLogic Server default providers.
Auditing is the process whereby information about requests and the outcome of those requests is collected, stored, and distributed for the purposes of nonrepudiation. Auditing provides an electronic trail of computer activity. In the Oracle WebLogic Server security architecture, an auditing security provider is used to provide auditing services.
Authorization is the process whereby a user's access to a resource is permitted or denied. In the Oracle WebLogic Server security architecture, an authorization security provider controls access to Oracle WebLogic Server resources based on the user's security role and the security policy assigned to the requested Oracle WebLogic Server resource.
In the Oracle WebLogic Server security architecture, a Resource object represents entities that are accessible from Oracle WebLogic Server, such as servlets, JDBC connection pools, Java Message Service (JMS) destinations, JNDI contexts, MBeans, and so on. A JMXResource object represents a JMX MBean.
Configuration auditing records audit information about changes made to the Oracle WebLogic Server configuration. Audit information can be either written to the server log or sent to the auditing provider. This information includes additions, deletions, and modifications to configuration elements.
JMXResource auditing records audit information about security operations evaluated against an MBean resource, such as authorization decisions and role mapping. The auditing provider processes the audit events and writes them to the audit log maintained by the provider.
Overview of Security for JMX Operations
In this section, I provide an overview of the major components of Oracle WebLogic Server security that are used in ensuring security for JMX requests. This includes a summary of
* A sample JMX request as it flows through the Oracle WebLogic Server security components
* The default policies for Oracle WebLogic Server MBeans
* How Oracle WebLogic Server and J2SE MBean security interact
JMX Request Flow
A client invokes an operation on, or reads or writes an attribute of, a JMX MBean. This request goes across the network and is processed by Oracle WebLogic Server, and the result is returned to the client. As the request flows through the system, Oracle WebLogic Server performs various security checks and security operations: the caller is authenticated, the requested MBean access is authorized against the policy on the corresponding JMXResource, and the outcome can be audited. Figure 1 provides an overview of the request flow and the major security components used:
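The following is an added example of the client side of such a request; it is not code from the original article. It connects to the Domain Runtime MBean Server of a WebLogic Server domain over t3, supplying a username and password that the security service authenticates, and then issues two getAttribute requests, each of which is authorized against the JMXResource policy on the server before it executes. The host, port, user name and password are placeholder values, and the example assumes wljmxclient.jar (or weblogic.jar) is on the classpath so that the WebLogic t3 connector provider can be found.

```java
import java.io.IOException;
import java.util.Hashtable;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;
import javax.naming.Context;

/**
 * Added example (not from the original article): a minimal JMX client that
 * sends an authenticated request to a WebLogic Server Domain Runtime MBean
 * Server and reads one attribute from the domain configuration tree.
 */
public class JmxRequestClient {

    // Assumed connection details; replace for a real domain.
    private static final String HOST = "localhost";      // admin server host
    private static final int PORT = 7001;                // admin server listen port
    private static final String USER = "monitorUser";    // a user the domain's authenticator knows
    private static final String PASSWORD = "change-me";

    // JNDI name of the Domain Runtime MBean Server. The Runtime and Edit MBean
    // Servers use the same pattern with ...mbeanservers.runtime and ...mbeanservers.edit.
    private static final String DOMAIN_RUNTIME_JNDI =
        "/jndi/weblogic.management.mbeanservers.domainruntime";

    /** Opens an authenticated t3 connection to the Domain Runtime MBean Server. */
    public static JMXConnector connect(String host, int port, String user, String password)
            throws IOException {
        JMXServiceURL url = new JMXServiceURL("t3", host, port, DOMAIN_RUNTIME_JNDI);
        Hashtable<String, String> env = new Hashtable<>();
        // Credentials that the WebLogic security service authenticates before
        // any MBean access is attempted.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // Lets JMXConnectorFactory locate WebLogic's t3 connector provider.
        env.put(JMXConnectorFactory.PROTOCOL_PROVIDER_PACKAGES, "weblogic.management.remote");
        return JMXConnectorFactory.connect(url, env);
    }

    /**
     * Reads the domain name. Each getAttribute call travels to the server as its
     * own JMX request and is authorized against the JMXResource policy for the
     * target MBean and attribute before the value is returned.
     */
    public static String readDomainName(MBeanServerConnection conn) throws Exception {
        ObjectName service = new ObjectName(
            "com.bea:Name=DomainRuntimeService,"
            + "Type=weblogic.management.mbeanservers.domainruntime.DomainRuntimeServiceMBean");
        ObjectName domain = (ObjectName) conn.getAttribute(service, "DomainConfiguration");
        return (String) conn.getAttribute(domain, "Name");
    }

    public static void main(String[] args) {
        // JMXConnector is Closeable, so the connection is released on exit.
        try (JMXConnector connector = connect(HOST, PORT, USER, PASSWORD)) {
            MBeanServerConnection conn = connector.getMBeanServerConnection();
            System.out.println("Domain: " + readDomainName(conn));
        } catch (Exception e) {
            // A failed authentication, or an authorization denial by the policy on
            // the JMXResource, surfaces to the client here as an exception. The
            // exact exception class depends on the WebLogic Server version, so this
            // example does not assume one.
            System.err.println("JMX request failed: " + e);
        }
    }
}
```

Running the client as a user in the Administrators group reads the domain name; running it as a user that no policy grants access to fails on the first getAttribute call, which is the point at which the authorization security provider evaluates the request. If configuration auditing or JMXResource auditing is enabled on the server, both outcomes appear in the corresponding audit log.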