New Security Features in WebLogic 9.2 Beta
Earlier this week I noticed that BEA released a beta of WebLogic 9.2. The release notes mention the following security-related items:
- Support for Custom XACML Roles and Policies
- Customizable Security Roles and Policies for WebLogic Server MBeans
- WebLogic Server Security for Custom MBeans
- Bulk Access Versions of Authorization, Adjudication, and Role Mapping Providers
- Policy and Role Consumer SSPI
Now, I haven’t had the chance to look at 9.2 yet, but several of these items seem pretty juicy. For example, the addition of custom XACML roles and policies could pave the way for a standardized approach to extending the J2EE security model without relying on proprietary mechanisms. This is definitely on my list to check out.
The other additions are interesting, too.
WLS 8.x didn’t break much ground in the security department, but 9.x is coming out swinging with lots of new things to think about. There have been new provider types (the CertPathValidator, for example), new provider implementations (SAML, RDBMS, etc.), and now the changes in 9.2.
I’m particularly curious about the bulk providers. I haven’t dug into it, but how the heck does WebLogic know which resources to roll up into a bulk authorization check? [4/13/06 Update: Since writing this post, it's occurred to me that the most likely candidates for bulk authorization are hierarchical resources such as JNDI and URLs. Just speculation, though...]
Anyway, I have a gut feeling that at least being aware of the changes in this release will pay off in the future. Perhaps your next clever usage of the security framework will hinge on one of these new features…