The Need for Security in the Enterprise


WebLogic Workshop provides many tools to facilitate rapid application development, but with great power comes great responsibility. With enterprise applications, there are many opportunities for data to be compromised by unauthorized individuals. To mitigate these risks, Workshop and the underlying WebLogic Platform offer a comprehensive set of security features.

Who Are You?

When data is being transmitted between any two parts of an enterprise system, the first issues that should be addressed are

  • Making sure the recipient and/or sender are who they say they are

  • Verifying that the sender is allowed to perform the operation in the request

In security lingo, these issues are known, respectively, as authentication and authorization.

There is a wide variety of ways to authenticate individuals, ranging from typing in a simple static password to performing a retina scan. In some systems, the security hierarchy might be flat: in other words, everyone who has a key to the "front door" can perform any operations they want. In these systems, authentication is sufficient.

In most instances, however, there is a requirement to further compartmentalize access to ensure the system's integrity. In this book's Wonderland Casino model, for example, everyone (guests, staff, and managers) can access the Casino Web site's home page, but only employees can link to the online payroll subsystem, and only managers can access the bank account statements. In this segmented scenario, the need for authorization is apparent. Authorization provides specific levels of access based on an individual's identity as well as the roles he or she plays in the system.

As you'll learn in "Declarative Role-based Security," later in this chapter, WebLogic Workshop provides role-based security on the enterprise application, Web resource, and EJB levels to address authorization issues.
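As an added example (not code from the book or from WebLogic Workshop), here is a small Python model of the declarative, role-based constraints the casino scenario calls for. The URL patterns, role names and users are assumptions chosen to mirror the guests/staff/managers story; the matching and precedence rules follow the servlet-style web.xml conventions (exact match, then longest path prefix, then extension). The model also shows the caveat a practitioner should check for: a path that no constraint covers is open to everyone, so a pattern that is scoped too narrowly silently leaks access.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """An authenticated identity and the roles granted to it.
    An anonymous visitor has no roles at all."""
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Constraint:
    """One security constraint: a servlet-style URL pattern plus the roles
    allowed through. roles == frozenset() means nobody may pass."""
    pattern: str
    roles: frozenset


def matches(pattern: str, path: str) -> bool:
    """Servlet URL-pattern matching: exact, path prefix ('/x/*') or extension ('*.jsp')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def specificity(pattern: str) -> tuple:
    """Ordering used when several constraints match one path:
    an exact match beats the longest path prefix, which beats an extension pattern."""
    if pattern.endswith("/*"):
        return (2, len(pattern))
    if pattern.startswith("*."):
        return (1, 0)
    return (3, 0)


def effective_roles(policy: list, path: str) -> Optional[frozenset]:
    """Roles allowed for `path`, or None when no constraint covers it.
    None is the dangerous case: as in a J2EE web.xml, an unconstrained
    resource is reachable by everyone, including anonymous guests."""
    hits = [c for c in policy if matches(c.pattern, path)]
    if not hits:
        return None
    return max(hits, key=lambda c: specificity(c.pattern)).roles


def authorize(policy: list, who: Principal, path: str) -> bool:
    """Authorization decision: deny unless one of the caller's roles is listed
    for the most specific matching constraint (or the path is unconstrained)."""
    allowed = effective_roles(policy, path)
    if allowed is None:
        return True                     # unconstrained resource: open to all
    return bool(allowed & who.roles)    # default deny otherwise


# Assumed identities for the three kinds of casino visitor.
ANONYMOUS = Principal("guest", frozenset())
STAFF = Principal("alice", frozenset({"employee"}))
MANAGER = Principal("bob", frozenset({"employee", "manager"}))

# Assumed policy for the casino site; the patterns are illustrative.
CASINO_POLICY = [
    Constraint("/payroll/*", frozenset({"employee"})),
    Constraint("/payroll/bonus/*", frozenset({"manager"})),      # narrower prefix wins
    Constraint("/accounts/statements/*", frozenset({"manager"})),
    Constraint("/admin/*", frozenset()),                           # nobody, not even managers
]

# A tempting but wrong version: an exact pattern covers only that one path,
# so everything underneath /payroll/ is left unconstrained.
MISSCOPED_POLICY = [Constraint("/payroll", frozenset({"employee"}))]


def payroll_leaks_to_guests(policy: list) -> bool:
    """True when an anonymous guest can reach a payroll page under `policy`."""
    return authorize(policy, ANONYMOUS, "/payroll/view.do")


if __name__ == "__main__":
    for who in (ANONYMOUS, STAFF, MANAGER):
        for path in ("/index.jsp", "/payroll/view.do", "/payroll/bonus/q1.do",
                     "/accounts/statements/2004.do", "/admin/reset"):
            print(f"{who.name:6} {path:30} {authorize(CASINO_POLICY, who, path)}")
    print("mis-scoped policy leaks payroll:", payroll_leaks_to_guests(MISSCOPED_POLICY))
```

In a real deployment the container evaluates these constraints for you; the value of a model like this is in testing the policy itself. The case to probe is the unconstrained one: list every URL a guest can reach and make sure nothing sensitive is in it.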

Is Anyone Else Listening?

Establishing a link between two trusted parties before transferring data is only half the battle. There are many ways for unscrupulous individuals to intercept data as it is being transmitted. Some might be eavesdropping just to acquire valuable personal and company proprietary information. Some might intend to corrupt the data to foul up the system's integrity, and some might be identity thieves bent on forging their own messages to fool the target system into relinquishing even more valuable data or assets. In security lingo, maintaining data confidentiality ensures that only the intended recipient can read the data, and preserving data integrity gives the recipient a way to recognize when data has been tampered with during transmission.

In the next section, you learn how WebLogic Workshop's data transport security mechanisms provide data confidentiality and integrity. Note that encryption by itself buys you confidentiality only: with many ciphers an attacker can alter bits of the ciphertext so that the decrypted data changes in a predictable way, and the recipient has no means of noticing. Transport security protocols such as SSL/TLS, on which WebLogic's secure connections are built, therefore attach a message authentication code (MAC) to the encrypted data, which is why a single secured channel gives you both properties.
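To make the confidentiality-versus-integrity distinction concrete, the following added Python example (not from the book or from WebLogic) uses a toy stream cipher with a SHA-256-derived keystream, chosen only so the example runs with the standard library, to forge a payout amount inside an encrypted message without knowing the key. It then shows the same edit being rejected once an HMAC tag is attached to the ciphertext (encrypt-then-MAC). The keys, nonce, message and field layout are constructed sample values; the attacker is assumed to know where the amount field sits, which is the usual situation with fixed message formats.

```python
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher keystream: SHA-256 over key || nonce || counter.
    Enough to show malleability; not a production cipher."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def flip_field(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker-side edit that needs no key. Because C = P xor K, xoring
    (known xor wanted) into the ciphertext at `offset` makes the plaintext
    field read `wanted` instead of `known` after decryption."""
    assert len(known) == len(wanted)
    edited = bytearray(ciphertext)
    for i, delta in enumerate(xor_bytes(known, wanted)):
        edited[offset + i] ^= delta
    return bytes(edited)


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers the nonce and the whole ciphertext."""
    ct = encrypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes,
                nonce_len: int = 12, tag_len: int = 32) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:nonce_len], blob[nonce_len:-tag_len], blob[-tag_len:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return decrypt(enc_key, nonce, ct)


# Constructed sample values (not real keys).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * 12
MESSAGE = b"payout amount=0100 to=acct-0042"


def forge_without_integrity() -> bytes:
    """Encryption only: the recipient decrypts the forged amount without complaint."""
    ct = encrypt(ENC_KEY, NONCE, MESSAGE)
    offset = MESSAGE.index(b"0100")
    forged = flip_field(ct, offset, b"0100", b"9900")
    return decrypt(ENC_KEY, NONCE, forged)


def forge_with_integrity() -> str:
    """Encrypt-then-MAC: the same bit flips invalidate the tag."""
    blob = seal(ENC_KEY, MAC_KEY, NONCE, MESSAGE)
    offset = len(NONCE) + MESSAGE.index(b"0100")
    forged = flip_field(blob, offset, b"0100", b"9900")
    try:
        open_sealed(ENC_KEY, MAC_KEY, forged)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    print("encryption only   :", forge_without_integrity())
    print("encrypt-then-MAC  :", forge_with_integrity())
```

The MAC key is kept separate from the encryption key on purpose, and the tag is checked before any decryption happens; both are the conventions that protocols such as TLS follow, and skipping either reopens the door the example closes.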



BEA WebLogic Workshop 8.1 Kick Start: Simplifying Java Web Applications and J2EE
ISBN: 0672326221
Year: 2004
Pages: 138