Public Review Draft Comments - WebLogic Security Team

Will Hopkins

I'm submitting these comments on behalf of Oracle's WebLogic security team.

Section 1.1:
  • Add groups to "security data" in description of Identity Store?
Section 1.2.1:
  • Concern about default mapping for groups -- does this introduce a security risk that users will be granted roles unexpectedly due to pre-existing membership in particular groups? Should we specify an explicit mapping mechanism instead?
Section 2.2, para 7:
  • Reference to HttpMessageContext promised, but not provided.
Section 2.4:
  • Consider language to describe/prescribe what happens when more than one instance of a bean is present.
Section 2.4.1:
  • Consider language to say what happens if both HAM and web.xml <login-config> are present.
  • Typo: BASIC and BASIC
Section 2.4.3:
  • Typo in javadoc: "send" should be "sent".
Section 2.4.5:
  • Consider adding info/references to APIs that exist only in javadoc (for this annotation they are used by the RI).
Section 3.2.1:
  • First code block references CredentialValidationResult, but it's only defined later. Add pointer, and include interface declaration in code block that lists methods.
Section 3.2.2:
  • Define "privileged" in reference to the need to restrict access?
Section 3.2.3:
  • Typo, first bullet item, comma not needed.
Section 3.4:
  • Make clear there is no requirement for implementations to supply an action database or LDAP server.
  • Describe RememberMe identity store?
Section 3.4.1:
  • Consider including the following attributes:
    • timeout values (connection, results)
    • scope of results (one level, subtree)
  • Need more description of what these are; not sure what searchBase and searchExpression do.
Section 3.4.3:
  • What happens if ejb (or other non-web) container tries to use methods to test access to web resource?
  • Could these methods be added to a servlet-specific context?
  • What is the scope of the resource argument? I.e., is it relative to app context, or is it absolute/fully qualified?

