07.08.2008 at 01:49AM PDT, ID: 23545837
How to adjust weblogic.policy for use of custom authentication providers after activating the SecurityManager

Asked by CJ715 in BEA WebLogic Application Server, Miscellaneous Security, Java Application Servers

Tags: Bea, Weblogic, 10, java security manager

Hi,

My company is using a security framework that is integrated into BEA WebLogic via custom authentication and principal providers. The framework does not need the SecurityManager to be activated, but for future extensions like JACC this might become necessary. So we turned on the SecurityManager and found that our custom authentication providers can no longer be loaded by the WebLogic server due to the now enforced policies.

We tried adjusting the policies, but the amount of possible codebases and actions in combination with all resources allows for a multitude of configurations. I did end up with a policy file allowing all components to load, but it had a lot of AllPermission entries, which just gives me the creeps because I cannot think of all possible security holes I might open up that way that should not be there when a SecurityManager is running. On the other hand, I have no clue how to figure out if any problems with such an installation are related to side effects due to possibly too strict policies.

What I would be interested in is a list of components that have to have access to the classes of custom authentication and principal providers (principal provider meaning components like role managers, policy managers, etc.) in order to integrate them properly into WebLogic without any side effects and security holes. At best the list would also include the minimal set of needed permissions and actions for those components.

We filed such a request with BEA support, but after a few months of waiting they just told us "do it yourself". But we don't have that much WebLogic know-how to do that in a time-efficient way, so I was hoping someone in here would be able to give a solution or at least some pointers.

Thanks,
Chris
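The question above worries about a working policy file that contains many AllPermission entries. The following is an added example, not code from this thread or from WebLogic: a small auditor that parses Java policy-file `grant` blocks and reports which code bases receive `java.security.AllPermission`. The sample policy and all of its paths are constructed.

```python
import re

# Constructed sample policy; every codeBase path here is hypothetical.
SAMPLE_POLICY = r'''
grant codeBase "file:/opt/example/server/lib/-" {
    permission java.security.AllPermission;
};
grant codeBase "file:/opt/example/providers/custom-auth.jar" {
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.io.FilePermission "${user.dir}${/}config${/}-", "read";
};
grant {   // no codeBase: applies to all code
    permission java.security.AllPermission;
};
'''

# Quoted strings and comments are matched first, so braces inside "${/}"
# or text inside a comment never count as structure.
TOKEN = re.compile(r'"[^"]*"|//[^\n]*|/\*.*?\*/|[{};,]|[^\s{};,"]+', re.S)

def parse_grants(text):
    """Return [(codebase or None, [permission class names])] per grant."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith(('//', '/*'))]
    grants, i = [], 0
    while i < len(toks):
        i += 1
        if toks[i - 1].lower() != 'grant':
            continue
        codebase, perms = None, []
        while i < len(toks) and toks[i] != '{':      # grant header
            if toks[i].lower() == 'codebase' and i + 1 < len(toks):
                codebase = toks[i + 1].strip('"')
            i += 1
        while i < len(toks) and toks[i] != '}':      # grant body
            if toks[i].lower() == 'permission' and i + 1 < len(toks):
                perms.append(toks[i + 1])
            i += 1
        grants.append((codebase, perms))
    return grants

def audit(text):
    """List (scope, breadth) for every grant of java.security.AllPermission."""
    findings = []
    for codebase, perms in parse_grants(text):
        if 'java.security.AllPermission' in perms:
            # No codeBase, or a trailing "/-" or "/*", covers many classes.
            broad = codebase is None or codebase.endswith(('/-', '/*'))
            findings.append((codebase or '<all code>',
                             'broad' if broad else 'single location'))
    return findings

if __name__ == '__main__':
    print(audit(SAMPLE_POLICY))
```

Each finding is a candidate for replacement by explicit permissions scoped to one jar, as in the second grant of the sample.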
About this solution

Zones: BEA WebLogic Application Server, Miscellaneous Security, Java Application Servers
Solution Provided By: CJ715
Participating Experts: 1
Solution Grade: A