Administrative Reference

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Provider Extensions

The following topics are covered in this section:

 

What is a Provider Extension?

A provider extension is a plug-in function that you write to extend the capabilities of the existing providers. You can use plug-ins to manipulate existing policy data in a way that is not already provided or to retrieve data from external sources to add to an authorization or role mapping decision or a deployment audit. These plug-ins can be used with the ASI Authorization, ASI Role Mapping, Log4j Audit Channel, and Database Authentication providers.

While the out-of-box security providers are configurable, the plug-ins enable you to customize them to add additional functionality. For example, you may want some form of special business logic to retrieve additional data that you want to use before the authorization decision is made or for the custom processing of data, such as the audit context. Plug-ins are provided for a variety of functions:

Note: If you using the WLS SSM:

JAR Required for Provider Extensions

The asi_classes.jar (located in SSM/lib) contains classes required for provider extensions. That is, in order to implement provider extensions you need classes in asi_classes.jar.

The following sections provide more information on the plug-ins and how to use them.

 

Authorization and Role Mapping Extensions

This product supports the use of Java-based plug-ins and language extensions with the out-of-box security providers such as ASIAuthorizer and ASIRoleMapper. You can use these plug-ins to augment authorization and role mapping processing logic.

The following sections describe plug-ins in detail:

Plug-in Types

Four types of Java-based plug-ins are supported: attribute retrievers, evaluation functions, resource converters, and attribute converters. These plug-ins can only be used with ASI Authorization and ASI Role Mapping providers.

To implement a Java-based plug-in interface, you must perform the following steps:

  1. Write a Java class to implement the interface. The following sections provide descriptions of each type of plug-in interface:
  2. Build a Jar file and place it in the SSM’s /lib/providers directory (for the WLS SSM, use /lib/providers/wls/v9 directory). If you use other 3rd party libraries in support of your plug-in, also copy those Jar files to the same location.
  3. You can use Log4j libraries to insert debug statements in your plug-ins. The example found in <BEA_HOME>\java-ssm\examples\AttributeRetriever illustrates use of Log4j debugging messages.
  4. Refer to the following topics in the Console Help and use the Administration Console to register the Java plug-ins in the desired security providers for the desired SSMs:
    • Configuring an ASI Authorization Provider
    • Configuring an ASI Role Mapping Provider

Attribute Retrievers

Attribute retrievers are used by ASI Authorization and ASI Role Mapping providers to retrieve attributes for use during runtime evaluation of policy. The out-of-the-box attribute retrievers can be configured in the Administration Console (for the WLS SSM this must be done using the WebLogic console).

There is no need to create an attribute retriever to retrieve values from LDAP or a database store. Such retrievers can be directly configured via the ASIAuthorizer provider's Configuration tab in the Administration Console.

Custom Attribute Retrievers

Dynamic attributes are often used to write policy constraints. In such cases the value of the dynamic attribute can come either from the application context or from an external source. If the external source is not a database store or LDAP, you must write a custom attribute retriever.

Examples:

AttributeRetriever is an interface in the com.bea.security.providers.authorization package that you can use to implement plug-ins for retrieving attributes.

You can register multiple attribute retrievers with the same attribute name. If you do so, the attribute retrievers are called in order until one of them returns a non-null result.

Table 7-1 lists and describes the methods provided by the AttributeRetrieverV2 interface.

Table 7-1 AttributeRetrieverV2 Interface Methods
Method
Description
String[] getHandledAttributeNames()
Returns the names of attributes handled by attribute retriever. An attribute retriever may return at least one attribute name in this method. If the method returns null or an empty value, this attribute retriever will be called when any dynamic attribute has to be resolved.
Object getAttributeValue(String name,RequestHandle requestHandle,Subject subject,Map roles,Resource resource,ContextHandler contextHandler)
Retrieves the value of the named attribute. Additional authorization request data is made available to allow for more complex attribute retrieval. The parameters are as follows:
  • name — name of the needed attribute
  • subject — subject associated with the request
  • RequestHandle — the provider configuration parameters associated with the request, through which the function can get the values of other attributes if required. The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle interface is described in RequestHandle.getAttribute() Method.
  • roles — role membership of the subject, or null if this is a role mapping call
  • resource — resource associated with the request
  • contextHandler — context associated with the request; may be null if non-existent
Valid Java return types are String and String[].

RequestHandle.getAttribute() Method

The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle object has the getAttribute() and appendReturnData() methods. These are defined as follows: 

public AttributeElement getAttribute(String name, boolean typeCheck)
throws ArmeRuntimeException, BadParameterException, CredvarException,BoolEvalInternalException, NotReadyException;
public void appendReturnData(String name, Object data);
}

Of the two methods, the RequestHandle.getAttribute() is of most interest to AttributeRetrieverV2 implementations. This method gets the named attribute and its value, and optionally type-checks the value. It returns the attribute name and value as a com.wles.util.AttributeElement object. For example if your attribute retriever needed to make an HTTP request to obtain the stock quote, then the application context can contain the URL of the stock quote service and you would use getAttribute() to obtain this value. This function will also help in obtaining the value of all the runtime system attributes (sys_*) such as sys_dir, sys_app_q etc. Please refer to the Advanced Topics section in the Policy Managers Guide for a full list of system attributes.

The AttributeElement object represents an attribute name/value pair for a single element or a list. In the case of a list, your AttributeRetriever code might then transfer the AttributeElement list value to a list of String-type objects, such as in the following code fragment: 

try { 
AttributeElement attrElement = requestHandle.getAttribute("sys_subjectgroups", true);	
Object value = null;
//It must be a list attribute
if(!attrElement.isList()) {
return null;
}
//transfer AttributeElement value to a list of String type object.
List subjectGroupList = (List)attrElement.getValueAs(String.class);
value = String.valueOf(subjectGroupList.size());
return value;
} catch (Exception e) {
//failed to retrieve attributes.
return null;
}

The AttributeRetrieverV2 implementation can use the RequestHandle.getAttribute() method to get the value for user and resource attributes. However, when this method is used to get values of dynamic attributes that may be handled by other Attribute Retrievers (including built-in database and LDAP), it is possible that the ASIAuthorizer may or may not have computed it yet when the custom AttrbuteRetriever was called. In order to make sure that required attributes are present, always list them before the attribute in the policy constraint via the use of sys_defined(<attr>) function. For example, the attribute retriever depends on the URL attribute being present in the RequestHandle. If this attribute is also computed by another attribute retriever, instead of being passed in as an application context, then the rule constraint would have to look something like this: IF sys_defined(URL) and BEAS_quote >= 19;

RequestHandle.getAttribute() and RequestHandle.appendReturnData() are also applicable to Evaluation functions, which are described in the next section.

ASI providers always evaluate the minimum number of required policies and attributes are retrieved only when a policy that references them is evaluated. Therefore, not all attribute retrievers are guaranteed to be called for all policy evaluations. OES attributes retrievers are not called unless the policy has been explicitly evaluated and the attribute can not be obtained from the application context or is not an associated user attribute.

Configuring a Custom Attribute Retriever

To configure a custom attribute retriever, perform the following steps:

  1. Implement a custom attribute retriever and create a JAR file.

    2. The com.bea.security.providers.authorization.asi.AttributeRetrieverV2 interface is in <BEA_HOME>\ales32-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use <BEA_HOME>\ales32-ssm\wls-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and <BEA_HOME>\ales32-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom attribute retriever.

  2. Place the JAR file in the /lib/providers directory in the SSM’s installation directory (either the WLS or Java SSM). For example, the WLS SSM default directory is <BEA_HOME>\ales32-ssm\wls-ssm.
  3. Do one of the following:
    • (For all SSMs except the WLS SSM) In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Attribute Retrievers tab in the right pane.Then create a new custom attribute retriever for the plugin using the JAR file you just created. Select CustomAttributeRetriever as the type.
    • (WLS SSM Only) In the WebLogic Server Administration Console, select Home > Summary of Security Realms > asiadmin > Providers > ASI Authorization Provider and create a new attribute retriever for the plugin using the JAR file you just created. Select CustomAttributeRetriever as the type.
  4. In the left pane, select the Deployment node. Then select the Configuration tab in the right pane and deploy the configuration change to the SSM.
  5. Restart the SSM.

Configuring Caching for Custom Attributes

Caching options can be specified for all attribute values returned by a custom attribute retriever. To set these options, select the Custom Attribute Retriever’s Cache All Attributes checkbox and specify how long the values should be cached in the Cache All Attributes TLL field.

It is also possible to specify a caching requirement for individual attributes. When this is done, the caching parameters take precedence over those defined for the custom attribute retriever.

To specify a caching requirement for an attribute, perform the following steps:

  1. On the ASI Authorization provider’s Attributes tab, click on Configure a new Attribute.
  2. Enter the attribute name and click Create.
  3. In the Retriever field, select the custom attribute retriever that returns the value for this attribute.
  4. Select the Use Cache checkbox.
  5. In the TTL field, specify how long the values should be cached.

Evaluation Functions

You can use a named evaluation function to augment built-in authorization and role mapping logic. This method is invoked when the policy contains a custom evaluation function with a matching name. For example: 

grant(any, //app/policy/ASI, //user/asi/test/) if myFunc(name);

where myFunc() is the custom evaluation function name.

A custom evaluation function is implemented as a method in a class that should also implement init() and shutdown() methods. This class may contain one or more custom evaluation functions. You can choose any name for custom evaluation function so long as the corresponding method name matches the name that is used in a policy. Custom evaluation functions can be passed arguments consisting of constants or names of other attributes, including dynamic attributes.

Note: Since all evaluation functions share a common namespace, two functions cannot have the same name.

Custom Initialization/Shutdown Interface

This section describes the interface for writing custom evaluation functions.

The com.bea.security.providers.authorization.asi.InitializationShutdownFunction interface can be used to implement custom initialization and/or shutdown steps that are specific to your evaluation functions.

The init() method is invoked during the Authorization or Role Mapping provider initialization and can be used to initialize some plug-in specific data, such as a connection pool. The shutdown() method is invoked during the Authorization or Role Mapping provider shutdown and can be used to free data allocated in the "init()" method.

When the init() method is called, it is passed all configuration parameters for Authorization provider or Role Mapping provider. For the complete list of available parameters, see javadocs for InitializationShutdownFunction.

Table 7-2 lists and describes the methods provided by the InitializationShutdownFunction interface required to implement an Evaluation Function.

Table 7-2 InitializationShutdownFunction Interface
Method
Description
void init(Map config)
This method is called during the Authorization or Role Mapping provider's initialization and is passed the list of configuration parameters for the provider's
void shutdown()
This method is invoked during the Authorization or Role Mapping provider shutdown
Evaluation Function (Not part of InitializationShutdownFunction interface)
public boolean some_method_name( RequestHandle requestHandle, Object[] args, Subject subject, Map roles, Resource resource, ContextHandler contextHandler)
This method receives the name of the argument (can be an attribute) passed in during constraint evaluation. Additional request information is made available via requestHandle to allow the function to obtain the value of the named attribute. The parameters are as follows:
  • requestHandle — The attributes container associated with the request, through which the method can get required attribute values and also return data. See RequestHandle.getAttribute() Method for a description of how to get values for attributes. See RequestHandle.appendReturnData() Method for a description of how to return data.
  • args — An array of method arguments. Each element is either <code>null</code>, or a String
  • subject — subject associated with the request
  • roles — role membership of the subject, or null if this is a role mapping call
  • resource — resource associated with the request
  • contextHandler — context associated with the request; may be null if non-existent
This method should return True or False.

RequestHandle.appendReturnData() Method

The RequestHandle.appendReturnData() method can be used to create a named response attribute with a specified value. It is equivalent to using the report_as() function from inside a custom evaluation function.

Table 7-3 RequestHandle.appendReturnData()
Method
Description
void appendReturnData (java.lang.String name, java.lang.Object data) throws RuntimeException
Parameters:
name — Name of return attribute
data — Attribute value to be returned if the rule evaluates to true.
Throws:
RuntimeException — may throw RuntimeException if there is problem in converting to the Response object.

If the same attribute value is redefined by another plug-in within the same policy, the result value is overwritten.

RequestHandle.getAttribute() Method

When the evaluation function is called, the runtime system passes in the literal string as an argument to the function as part args[0]. To obtain the value of the attribute passed in, make use of the RequestHandle.getAttribute() method. This method gets the named attribute and its value, and optionally type-checks the value. It returns the attribute name and value as a com.wles.util.AttributeElement object. The AttributeElement object represents an attribute name/value pair for a single element or a list.

The following code fragment provides an example. 

try {
AttributeElement strLength = requestHandle.getAttribute((String)args[0], true);
if(strLength != null) {
if(strLength.isList()) {
// string_longer_then: first argument not a single value
return false;
} 
intCompLength = Integer.parseInt((String)strLength.getValueAs(String.class));

} else {
// numerical constant will be passed in as is. 
try {
intCompLength = Integer.parseInt((String)args[0]);
} catch(NumberFormatException ne) {
//value format is an error, and there is no attribute in the requestHandle.
throw new MissingAttributeException("missing attribute: " + args[0], (String)args[0]);
}
}
} catch(Exception e) {
//caught exception while getting attribute
throw new RuntimeException("failed while getting attribute: " + (String)args[0] + ". Exception: " + e.getMessage());
}

It is also possible to use dynamic attributes as arguments to an evaluation function such that the dynamic attribute is handled by a Custom Attribute Retrievers. When the evaluation function calls requestHandle.getAttribute((String)args[0], true), the value will be returned after the custom attribute retriever is called.

Configuring a Custom Evaluation Function

To configure a custom extensions plug-in, perform the following steps:

  1. Implement a custom evaluation function plug-in and create a JAR file.

    2. The com.bea.security.providers.authorization.asi.InitializationShutdownFunction class is in BEA_HOME\ales32-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use BEA_HOME\ales32-ssm\wls-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and <BEA_HOME>\ales32-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom evaluation function.

  2. Place the Jar file in the SSM’s /lib/providers directory (for the WLS SSM use /lib/providers/wls/v9).
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Advanced tab in the right pane. Then enter the fully-qualified name of the custom extensions plugin in the Evaluation Functions field and click Apply.

    4. For the WLS SSM, use the WebLogic Administration Console to configure the Authorization and Role Mapping providers.

  4. Repeat step 3 to register the extensions plug-in with the ASI Role Mapping provider.
  5. In the left pane, click Deployment and select the Configuration tab. Then deploy the configuration change to the SSM.
  6. Restart the SSM.

Resource Converters

Resource converters are used by ASI Authorization and ASI Role Mapping providers to convert application-specific resources to an internal OES resource format that is recognized. Out-of-box resource types will convert WLS-style and OES-style resource types.

To add support for additional resource types, define a resource converter to allow the ASI Authorization provider to protect the new resource types. ResourceConverter is an interface in the com.bea.security.providers.authorization.asi package.

Table 7-4 lists and describes the methods provided by the ResourceConverter interface.

Table 7-4 ResourceConverter Interface Methods
Method
Description
String[] getHandledTypes()
This method is called when the plug-in is instantiated to register the resource types supported by this custom resource converter.
The Security Framework represents resource types internally as strings such as <http> or <wlp>. The return parameter should be a list of strings that contains the names of the resource types that this custom resource converter is going to handle.
AccessElement convertResource( Resource resource, ContextHandler contextHandler) throws ResourceConversionException
This method is called when the ASI Authorizer or Role Mapper encounters resources types that match what was registered via getHandledTypes() function.
This method would have the knowledge to extract information from the Resource and ContextHandler objects to obtain the OES representation of resource and privilege. Additional information that can be obtained is the application name and input attributes extracted from the Resource or ContextHandler:
Use the following guidelines when dealing with application name and where to place the resource names in the resource hierarchy:
  • If no application name is specified, the resource is assumed to be a child of the /shared resource node as specified in the provider configuration. For example, App_name="" then ALES_res= //app/myapp/shared/res1/res2
  • If an unqualified application name is specified, the resource is assumed to be a child of the application name, which is a child of the default deployment parent node. For example, App_name="trading" and App_deployment_parent="myapp" then ALES_res=//app/myapp/trading/res1/res2
  • If a fully-qualified application name is present, the resource is assumed to be a child of that application name. For example, App_name="//app/app1/trading" then ALES_res="//app/app1/trading/res1/res2".
If the resource converter is unable to obtain enough information to create AccessElement from input parameters, it should throw a ResourceConversionException indicating to the provider that this resource cannot be converted into a equivalent OES format.
Object getAttributeValue(Resource resource, String name,ContextHandler contextHandler)
This method must obtain the value of a attribute that is passed in as an argument. It is the task of ResourceConverter developer to determine how the ResourceConverter obtains the value. The plug-in may return null if the value is not found.

Configuring a Custom Resource Converter

To configure a custom resource converter, implement the resource converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure a resource converter, perform the following steps:

  1. Implement a custom resource converter and create a JAR file.

    2. The com.bea.security.providers.authorization.asi.ResourceConverter class is present in <BEA_HOME>\ales32-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use <BEA_HOME>\ales32-ssm\wls9-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and <BEA_HOME>\ales32-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom resource converter.

  2. Copy the JAR file in the /lib/providers directory (or /lib/providers/wls/v9 if using the WLS SSM) in the SSM’s installation directory. For example, the default directory for the WLS SSM is <BEA_HOME>\bea\ales32-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Advanced tab in the right pane. Then enter the fully-qualified name of the custom converter in the Resource Converters field and click Apply. If you are using the WWLS SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Resource Converter with the ASI Role Mapping provider. If you are using the WLS SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment and select the Configuration tab. Then deploy the configuration change to the SSM.
  6. Restart the SSM.

Attribute Converters

Attribute converters are used by ASI Authorization and ASI Role Mapping providers to convert Java attribute types to the internal attribute types, and vice versa. Out-of-box attribute converters that convert between Java and internal types are provided. For a list of supported attribute types, see the Attribute Declarations in the Policy Managers guide.

To add new attribute types, implement a TypeConverter interface to handle the conversion. Attribute types are the also called ‘credential’ types. They are listed in the Administration Console integer, date, string etc. These are Java equivalents, but are represented as internal attribute types.

TypeConverter is an interface in the com.wles.util package.

Table 7-5 lists and describes the TypeConverter interface.

Table 7-5 TypeConverter Interface Methods
Method
Description
Class getType()
Returns the Java class type which this converter converts. For an IntegerConverter this call would return Class.forName("java.lang.Integer");
String getASITypeName()
Returns the type name. For an IntegerConverter this call would return "integer";"
String convertToASI(Object javaFormat) throws UnsupportedTypeException
Converts a java object into a string.
Object convertFromASI(String asiFormat) throws TypeConversionException
This method converts a string to a Java Object.

Configuring a Custom Attribute Converter

To configure a custom attribute converter, you must implement the attribute converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure an attribute converter, perform the following steps:

  1. Implement a custom attribute converter and create a JAR file.

    2. The com.wles.util.TypeConverter class is present in <BEA_HOME>\ales32-ssm\<ssm-type>\lib\asi_classes.jar. Include this file in the classpath when compiling the custom attribute converters.

  2. Copy the JAR file in /lib/providers directory (or /lib/providers/wls/v9/ASIAuthorizer.jar for the WLS SSM) in the SSM’s installation directory (either the WLS or Java SSM). For example, the WLS SSM default directory is <BEA_HOME>\bea\ales32-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Advanced tab in the right pane. Then enter fully-qualified name of the custom converter in the Attribute Converters field and click Apply. If you are using the WLS SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Attribute Converter with the ASI Role Mapping provider. If you are using the WebLogic Server SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM.

 

Custom Audit Plug-ins

The Log4j Audit Channel provider uses Log4j renderer classes that convert the associated audit event object into a simple string representation. However, you can write custom renderers that convert the audit event object to something other than the default string representation and register them as plug-ins using the Administration Console.

Refer to the following topics for information how to write and register custom audit plug-ins:

Using the Custom Audit Plug-in

To implement an audit plug-in interface, you must perform the following steps:

  1. Refer to Audit Plug-in Renderer Class for a description of the audit plug-in renderer class and write a Java class to implement a new renderer class.
  2. Use the Java class to create a JAR file and place it in /lib/providers (or /lib/providers/wls/v9/ASIAuthorizer.jar for the WLS SSM) in the SSM’s installation directory. For example, the WLS SSM default location is: <BEA_HOME>\ales32-wls-ssm\lib\providers.
  3. Use the Administration Console to register the audit plug-in for the desired Log4j Audit Channel provider. For instructions, see Configuring a Log4j Audit Channel Provider in the Console Help.

Audit Plug-in Renderer Class

To write a plug-in renderer class, you must implement the org.apache.log4j.or.ObjectRenderer interface and then register the renderer class to the type of Audit Event class for which you want to use that renderer. For example, weblogic.security.spi.MyAuditEvent=com.bea.security.providers.
audit.MyAuditEventRenderer

For instructions on how to write a renderer for a custom object, see the Log4j documentation located at http://logging.apache.org/log4j/docs/documentation.html.

Table 7-6 describes a sample AuditEventRenderer class.

Table 7-6 AuditEventRenderer Class Method
Method
Description
public class MyAuditAtnEventRenderer implements org.apache.log4j.or.ObjectRenderer {
public String doRender(Object o) {
String eventStr = null;
if(o instanceof MyAuditEvent) {
MyAuditEvent event = (MyAuditEvent) o;
eventStr = event.getEventType()+" --
"+event.toString();
}
return eventStr;
}
}
In this sample, this method renders the AuditEvent object as a simple string. To render the Audit Event as something other than a simple string, modify this method to form your own string representation.

 

Database Authentication Plug-in

The Database Authentication extension is used by the Database Authentication provider to customize authentication features. The default database authentication extension (located in the com.bea.security.providers.authentication.dbms.DefaultDBMSPluginImpl package) is designed to authenticate the user against the policy database. This implementation uses a specific password hashing algorithm, namely SHA1 and SHA-1. It also uses a special format for the user name and the group name that is pertinent to the policy database. The hashing algorithm used is: 

{Algorithm} + 4 byte Salt+passwordhash

The policy database uses name scope (for example, directory name) and a qualified name format to store the user and group. See the Policy Managers Guide for details.

If you are authenticating users against another database that uses a different password hashing algorithm and a different user/group name format, you may want to implement a plug-in by following the guidelines provided with the plug-in.

A custom database authentication plug-in must also extend the DBMSPlugin abstract class (located in the com.bea.security.providers.authentication.dbms.DBMSPlugin package). The DBMSPlugin abstract class implementation must include the methods described in Table 7-7.

To use your plug-in implementation, deploy the plug-in class (or its JAR file) in the classpath of the Database Authentication provider (/lib/providers or /lib/providers/wls/v9 if using the WLS SSM). Then use the WebLogic Server Administration Console (for the WLS SSM) or the Administration Console (for other SSMs) to configure the Database Authentication provider to use the plug-in.

Table 7-7 lists and describes the methods provided by the DBMSPlugin abstract class.

Table 7-7 DBMSPlugin Methods
Method
Description
public void initialize()
This method is executed when the authorization provider is initialized on startup.
public void shutdown()
This method is executed when the authorization provider is shut down.
public boolean authenticate(
String user,
char[] password, char[] databasePassword,
Map options)
When the Database Authentication provider attempts to authenticate a user, the authenticate method is called on the plug-in. This method may be called in one following two scenarios:
  • If the provider is configured with the SQL Query to retrieve password, the password (databasePassword) is retrieved from the database using this query and is provided to this method. This authenticate method must determine if the user provides the correct password (password) and return true, if authenticated, or false.

    The options map contains a TRUE value for key = "QueryPassword".
  • If no SQL Query string is configured for retrieving the password, the Database Authentication provider assumes that the authentication plug-in retrieves the password and then authenticates the user. The options map contains values for these keys, "scope" and "connection", and a FALSE value for key = "QueryPassword". Also, databasePassword = null.
public String formatUser(String user, Map options)
This method is executed before any call to the database. The user string is the one passed into the login module. This method returns a formatted user name, which is later used as the input parameter in all the SQL queries to verify user, to retrieve password, and to retrieve groups. The options Map contains values for these keys, "scope" and "connection", and the configured string of the SQL query to verify user with key = "SQL_QUERY".
public Vector formatGroups(String user, Vector groups, Map options)
This method is executed after the call to retrieve groups from the database. A vector of strings containing the groups the user belongs to are passed in. Any formatting of group names that is required before inserting these into the Subject should be done and the resulting vector passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve groups with key = "SQL_QUERY".
public String unformatUser(String user, Map options)
This method is executed after any call to the database that returns users. The user string is the one received from the database. This method returns a unformatted user name. The options Map contains values for these keys, "scope" and "connection".
public String formatGroup(String group, Map options)
This method is executed after the call to retrieve groups from the database. Any formatting of group name that is required before inserting these into the Subject should be done and the resulting string passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve group with key = "SQL_QUERY".
public String unformatGroup(String group, Map options)
This method is executed after any call to the database that returns a group membership for a user. The group string is the one received from the database. This method returns an unformatted group name. The options Map contains values for these keys, "scope" and "connection".
public Vector unformatGroups(String user, Vector groups, Map options)
This method is executed after any call to the database that returns a list of groups. The user is the unformatted user name and the vector of groups is the one received from the database. This method returns a vector of unformatted group names. The options Map contains values for these keys, "scope" and "connection".

The options object is a map containing optional information for use by the plug-in. The most common options and keys for retrieval are:


  Back to Top       Previous  Next