Import security data from deployment descriptors

WebLogic Server gives a choice of models for securing each Web application or EJB. One choice is to configure the Advanced security model so that it copies security roles and policies from deployment descriptors on initial deployment into the security provider data repositories (each security provider contains its own logic for importing security data). Then you can use the Administration Console to modify, remove, or add to the security roles and policies. See Understanding the Advanced Security Model.

Caution: To re-import security data from modules that you have already deployed and already imported security data, Oracle recommends that you delete the module and then reinstall it. See Manage security for Web applications and EJBs.

To copy security information from deployment descriptors on initial deployment:

If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit (see Use the Change Center).
Configure the Advanced model to copy security roles and policies from Web application and EJB deployment descriptors:
Note: This configuration applies to all Web applications and EJBs that you deploy using the Advanced security model. For example, if you deploy two Web applications, and if in the Install Application assistant you specify that both Web applications should use the Advanced security model, then when you finish the assistant, WebLogic Server will copy roles and policies from both of the Web applications. If you redeploy one of these Web applications, WebLogic Server will re-copy the security data from the redeployed module's deployment descriptors. To prevent this re-copy operation, reconfigure the Advanced model as described later in this topic.
1. In the left pane of the Administration Console, select Security Realms.
2. On the Summary of Security Realms page, select the name of the realm that you want to secure the resources (for example, myrealm).
3. On the Settings page, select the Configuration tab. Then select the General subtab.
4. On the Configuration: General page, in the Security Model Default list, choose Advanced.
5. Further down the page, click the Advanced toggle button to expand the Advanced section of the Configuration: General page.
6. In the Check Roles and Policies list, choose All Web Applications and EJBs.
  For information about this selection, see Advanced Configuration Options.
7. In the When Deploying Web Applications or EJBs list, select Initialize Roles and Policies From DD.
  This selection causes WebLogic Server to copy the roles and policies for Web application and EJB resources from the deployment descriptors into the configured Authorization and Role Mapping providers’ databases each time you deploy the resource.
8. Click Save.
If you changed the Check Roles and Policies list to All Web Applications and EJBs because it did not already contain this value, restart the server.
See Starting and Stopping Servers: Quick Reference.
Use the Install Application Assistant to deploy the Web application or EJB. When the assistant prompts you to choose a security model, select Advanced.
See Install a Web application or Install Stand-Alone EJBs.
To activate these changes, in the Change Center of the Administration Console, click Activate Changes.
Not all changes take effect immediately—some require a restart (see Use the Change Center).

After you finish

Caution: After you deploy your Web applications and EJBs, you must change the When Deploying Web Applications or EJBs list to Ignore roles and policies from DD. Otherwise, when you redeploy any Web application or EJB that uses the Advanced model, WebLogic Server will re-import its security data, which could override security configurations that you set in the Administration Console. See Stop importing roles and policies

Administration Console Online Help

Import security data from deployment descriptors