Oracle WLS provides a complete security infrastructure which combines the JVM Security Manager and the standard JAAS authentication and authorization options. The main components of WLS Security service are illustrated by the following picture:
As you can see from the above picture, at the highest level WLS uses a Security API which combines with Java Security API. This security stack allows application developers to specify authorization information that is used when Oracle WebLogic Server acts as a client; it also allows application developers to obtain information about the Subject and Principals used by Oracle WebLogic.
Next stack is the Security Service Provider Interfaces (SSPI) for developing new security services that can be plugged into the Oracle WebLogic Server environment. SSPIs are available for Authentication, Authorization, Auditing, Role Mapping, Certificate Lookup and Validation and Credential Mapping.
The implementation of SSPIs are a set of WebLogic security providers. These security providers are the Oracle implementation of the SSPIs and are available by default in the Oracle WebLogic Server.
A Security Realm is a mechanism for protecting all Oracle WebLogic Server resources. Each security realm consists of a set of configured security providers, users, groups, security roles and security policies. You can configure multiple security realms in a domain; however, only one can be the active security realm.
WebLogic Server provides a default security realm named myrealm which has the WebLogic Adjudication, Authentication, Identity Assertion, Authorization, Role Mapping and Credential Mapping providers configured by default.
You can access the security realm screen from the Administration console under the Domain | Security Realms option:
By clicking on the Configuration | General tab, you can configure the general behaviour of the security realm:
The Security Model Default determines how applications are protected by default.
When using the default option (DD Only) WLS only uses the roles and policies defined in the JEE deployment descriptors. Thus, if an EJB or a Web application is not protected by a role or policy in the DD, then it is unprotected and anyone can access it.
The other Security Model options allow to Customize Roles Only (which means that policies are taken from DD but Roles are customized) and Customize Roles and Policies (both Roles and Policies are customized). Finally the Advanced Security model is used mostly for backward compatibility with prior-to-9 releases of the application server. This model uses the roles and policies defined in the deployment descriptors to seed the WebLogic Server security roles and policies; it then uses the WebLogic Console to modify roles and policies from that point onward.