Covering J2EE Security and WebLogic Topics

WebLogic and the Security Manager

Felipe Gaucho recently blogged about security managers with his post entitled Is the security-manager enabled in your server? Essentially, he states that most developers are either blissfully unaware of the security manager or know about it but choose to ignore it. He says:

…[T]he most popular web-servers come with the security-manager disabled. Why? The server vendors argue about the facility of disabling security-manager during the development phase and also argue about the need of an experienced technician in order to configure the correct details during the deployment into a production server. Well, I agree in part with such policy but I perceive the damage on the culture of the developers. How many times did you, developer, think about the security-manager and its functionality? If you answer almost never or if you even don’t know what this thing means, don’t worry – you are part of the majority of Java community that never has time or interest to learn about that.

With WebLogic, the security manager is disabled by default. It can be enabled by setting the java.security.manager system property (-Djava.security.manager) on the Java command line when starting the server.

When the security manager is enabled, WebLogic uses <WL_HOME>\server\lib\weblogic.policy as the policy file by default. To use a different policy file, change the java.security.policy command line argument (-Djava.security.policy=<path>) in the startup script.
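The two steps above (pass -Djava.security.manager, point -Djava.security.policy at the policy file) are easy to get right; the harder part is knowing whether the policy file you point at actually restricts anything. The script below is an added example, not code from the original post or from WebLogic: one helper builds the flags that a startup script would append to JAVA_OPTIONS, and a second one reads a policy file and reports every grant block that hands out java.security.AllPermission, failing when such a grant has no codeBase (that is, when it applies to all code, which makes enabling the manager pointless). The WL_HOME directory and the policy contents are constructed for the demo and are not the real weblogic.policy shipped with the server. Note that the Java security manager has been deprecated for removal since Java 17, so this applies to the JDKs that WebLogic releases of this era run on.

```shell
#!/bin/sh
# Added example (not from the original post or from WebLogic itself).
#   build_sm_opts  - JVM flags that enable the security manager and select the policy
#   audit_policy   - reports grant blocks that hand out java.security.AllPermission
# WL_HOME and the policy file below are constructed for the demo.

# build_sm_opts WL_HOME [POLICY]
# Prints the flags to append to JAVA_OPTIONS. POLICY defaults to the file the post
# names, <WL_HOME>/server/lib/weblogic.policy. Fails when the file is unreadable:
# the JVM silently skips a policy file it cannot read, so you would be running with
# the JDK's default policy rather than the one you intended.
build_sm_opts() {
    wl_home=$1
    policy=${2:-$wl_home/server/lib/weblogic.policy}
    if [ ! -r "$policy" ]; then
        echo "build_sm_opts: policy file not readable: $policy" >&2
        return 1
    fi
    printf '%s\n' "-Djava.security.manager -Djava.security.policy=$policy"
}

# audit_policy POLICY
# Prints one line per grant block that contains java.security.AllPermission,
# naming its codeBase or "(no codeBase)" when the grant applies to all code.
# Exit status 1 if any AllPermission grant lacks a codeBase, else 0.
audit_policy() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*grant/ {
            in_grant = 1
            reported = 0
            cb = "(no codeBase)"
            if (match($0, /codeBase[[:space:]]*"[^"]*"/))
                cb = substr($0, RSTART, RLENGTH)
            next
        }
        in_grant && !reported && /java\.security\.AllPermission/ {
            print "AllPermission granted to " cb
            reported = 1
            if (cb == "(no codeBase)") bad = 1
        }
        /^[[:space:]]*};/ { in_grant = 0 }
        END { exit bad }
    ' "$1"
}

# write_sample_policy DIR
# Creates DIR/server/lib/weblogic.policy with constructed contents: a grant scoped
# to the server's own jars (normal), a narrowly scoped application grant, and a
# blanket AllPermission grant (the misconfiguration the audit should catch).
# Prints the path of the file it wrote.
write_sample_policy() {
    mkdir -p "$1/server/lib"
    cat > "$1/server/lib/weblogic.policy" <<'EOF'
// constructed sample policy, not the weblogic.policy shipped with the server
grant codeBase "file:${WL_HOME}/server/lib/-" {
    permission java.security.AllPermission;
};

grant codeBase "file:${WL_HOME}/myapps/-" {
    permission java.util.PropertyPermission "*", "read";
    permission java.io.FilePermission "${WL_HOME}/myapps/-", "read";
};

grant {
    permission java.security.AllPermission;
};
EOF
    printf '%s\n' "$1/server/lib/weblogic.policy"
}

# Demo: build the sample under a temporary WL_HOME, show the JAVA_OPTIONS line a
# startup script would use, then audit the policy (the blanket grant fails it).
demo() {
    wl_home=$(mktemp -d)
    policy=$(write_sample_policy "$wl_home")
    echo "JAVA_OPTIONS=\"\$JAVA_OPTIONS $(build_sm_opts "$wl_home")\""
    audit_policy "$policy" ||
        echo "policy grants AllPermission to all code; fix it before enabling the manager"
    rm -r "$wl_home"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check_policy.sh demo` (the file name is an assumption). Flagging AllPermission by codeBase rather than just grepping for the string matters because a scoped AllPermission grant for the server's own libraries is expected, while the same line inside a bare `grant { ... }` block gives every deployed application full permissions.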

For more information, see Using Java Security to Protect WebLogic Resources.