Developing Security Providers for WebLogic Server


Introduction and Roadmap

Document Scope

Documentation Audience

Guide to this Document

Related Information

New and Changed Features in this Release

Introduction to Developing Security Providers for WebLogic Server

Prerequisites for This Guide

Overview of the Development Process

Designing the Custom Security Provider

Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs

Generating an MBean Type to Configure and Manage the Custom Security Provider

Writing Console Extensions

Configuring the Custom Security Provider

Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps

Design Considerations

General Architecture of a Security Provider

Security Services Provider Interfaces (SSPIs)

Understand Two Important Restrictions

Understand the Purpose of the “Provider” SSPIs

Understand the Purpose of the Bulk Access Providers

Determine Which “Provider” Interface You Will Implement

The DeployableAuthorizationProviderV2 SSPI

The DeployableRoleProviderV2 SSPI

The DeployableCredentialProvider SSPI

Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes

SSPI Quick Reference

Security Service Provider Interface (SSPI) MBeans

Understand Why You Need an MBean Type

Determine Which SSPI MBeans to Extend and Implement

Understand the Basic Elements of an MBean Definition File (MDF)

Custom Providers and Classpaths

Throwing Exceptions from MBean Operations

Specifying Non-Clear Text Values for MBean Attributes

Understand the SSPI MBean Hierarchy and How It Affects the Administration Console

Understand What the WebLogic MBeanMaker Provides

About the MBean Information File

SSPI MBean Quick Reference

Security Data Migration

Migration Concepts

Formats

Constraints

Migration Files

Adding Migration Support to Your Custom Security Providers

Administration Console Support for Security Data Migration

Management Utilities Available to Developers of Security Providers

Security Providers and WebLogic Resources

The Architecture of WebLogic Resources

Types of WebLogic Resources

WebLogic Resource Identifiers

The toString() Method

Resource IDs and the getID() Method

Creating Default Groups for WebLogic Resources

Creating Default Security Roles for WebLogic Resources

Creating Default Security Policies for WebLogic Resources

Looking Up WebLogic Resources in a Security Provider’s Runtime Class

Single-Parent Resource Hierarchies

Pattern Matching for URL Resources

Example 1

Example 2

ContextHandlers and WebLogic Resources

Providers and Interfaces that Support Context Handlers

Initialization of the Security Provider Database

Best Practice: Create a Simple Database If None Exists

Best Practice: Configure an Existing Database

Best Practice: Delegate Database Initialization

Differences In Attribute Validators

Differences In Attribute Validators for Custom Validators

Authentication Providers

Authentication Concepts

Users and Groups, Principals and Subjects

Providing Initial Users and Groups

LoginModules

The LoginModule Interface

LoginModules and Multipart Authentication

Java Authentication and Authorization Service (JAAS)

How JAAS Works With the WebLogic Security Framework

Example: Standalone T3 Application

The Authentication Process

Do You Need to Develop a Custom Authentication Provider?

How to Develop a Custom Authentication Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the AuthenticationProviderV2 SSPI

Implement the JAAS LoginModule Interface

Throwing Custom Exceptions from LoginModules

Method 1: Make Custom Exceptions Available via the System and Compiler Classpath

Method 2: Make Custom Exceptions Available via the Application Classpath

Example: Creating the Runtime Classes for the Sample Authentication Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Optional SSPI MBeans and No Custom Operations

Optional SSPI MBeans or Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Authentication Provider Using the Administration Console

Managing User Lockouts

Rely on the Realm-Wide User Lockout Manager

Implement Your Own User Lockout Manager

Specifying the Order of Authentication Providers

Identity Assertion Providers

Identity Assertion Concepts

Identity Assertion Providers and LoginModules

Identity Assertion and Tokens

How to Create New Token Types

How to Make New Token Types Available for Identity Assertion Provider Configurations

Passing Tokens for Perimeter Authentication

Common Secure Interoperability Version 2 (CSIv2)

The Identity Assertion Process

Do You Need to Develop a Custom Identity Assertion Provider?

How to Develop a Custom Identity Assertion Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the AuthenticationProviderV2 SSPI

Implement the IdentityAsserterV2 SSPI

Example: Creating the Runtime Class for the Sample Identity Assertion Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Optional SSPI MBeans and No Custom Operations

Optional SSPI MBeans or Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Identity Assertion Provider Using the Administration Console

Challenge Identity Assertion

Challenge/Response Limitations in the Java Servlet API 2.3 Environment

Filters and the Role of the weblogic.security.services.Authentication Class

How to Develop a Challenge Identity Asserter

Implement the ChallengeIdentityAsserterV2 Interface

Implement the ProviderChallengeContext Interface

Invoke the weblogic.security.services Challenge Identity Methods

Invoke the weblogic.security.services AppChallengeContext Methods

Implementing Challenge Identity Assertion from a Filter

Principal Validation Providers

Principal Validation Concepts

Principal Validation and Principal Types

How Principal Validation Providers Differ From Other Types of Security Providers

Security Exceptions Resulting from Invalid Principals

The Principal Validation Process

Do You Need to Develop a Custom Principal Validation Provider?

How to Use the WebLogic Principal Validation Provider

How to Develop a Custom Principal Validation Provider

Implement the PrincipalValidator SSPI

Authorization Providers

Authorization Concepts

Access Decisions

Using the Java Authorization Contract for Containers

The Authorization Process

Do You Need to Develop a Custom Authorization Provider?

Does Your Custom Authorization Provider Need to Support Application Versioning?

How to Develop a Custom Authorization Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the AuthorizationProvider SSPI

Implement the DeployableAuthorizationProviderV2 SSPI

The ApplicationInfo Interface

Implement the AccessDecision SSPI

Developing Custom Authorization Providers That Are Compatible With the Realm Adapter Authentication Provider

Example: Creating the Runtime Class for the Sample Authorization Provider

Policy Consumer SSPI

Required SSPI Interfaces

Implement the PolicyConsumerFactory SSPI Interface

Implement the PolicyConsumer SSPI Interface

Implement the PolicyCollectionHandler SSPI Interface

Supporting an Updated Policy Collection

The PolicyConsumerMBean

PolicyStoreMBean

Examining the Format of a XACML Policy File

Using WLST to Add a Policy to the PolicyStoreMBean

Using WLST to Read a PolicySet as a String

Bulk Authorization Providers

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Optional SSPI MBeans and No Custom Operations

Optional SSPI MBeans or Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Authorization Provider Using the Administration Console

Managing Authorization Providers and Deployment Descriptors

Enabling Security Policy Deployment

Provide a Mechanism for Security Policy Management

Option 1: Develop a Stand-Alone Tool for Security Policy Management

Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console

Adjudication Providers

The Adjudication Process

Do You Need to Develop a Custom Adjudication Provider?

How to Develop a Custom Adjudication Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the AdjudicationProviderV2 SSPI

Implement the AdjudicatorV2 SSPI

Bulk Adjudication Providers

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Custom Operations

Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Adjudication Provider Using the Administration Console

Role Mapping Providers

Role Mapping Concepts

Security Roles

Dynamic Security Role Computation

The Role Mapping Process

Do You Need to Develop a Custom Role Mapping Provider?

Does Your Custom Role Mapping Provider Need to Support Application Versioning?

How to Develop a Custom Role Mapping Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the RoleProvider SSPI

Implement the DeployableRoleProviderV2 SSPI

The ApplicationInfo Interface

Implement the RoleMapper SSPI

Developing Custom Role Mapping Providers That Are Compatible With the Realm Adapter Authentication Provider

Implement the SecurityRole Interface

Example: Creating the Runtime Class for the Sample Role Mapping Provider

Role Consumer SSPI

Required SSPI Interfaces

Implement the RoleConsumerFactory SSPI Interface

Implement the RoleConsumer SSPI Interface

Implement the RoleCollectionHandler SSPI Interface

Supporting an Updated Role Collection

The RoleConsumerMBean

PolicyStoreMBean

Examining the Format of a XACML Policy File

Using WLST to Add a Policy to the PolicyStoreMBean

Using WLST to Read a PolicySet as a String

Bulk Role Mapping Providers

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Custom Operations

Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Role Mapping Provider Using the Administration Console

Managing Role Mapping Providers and Deployment Descriptors

Enabling Security Role Deployment

Provide a Mechanism for Security Role Management

Option 1: Develop a Stand-Alone Tool for Security Role Management

Option 2: Integrate an Existing Security Role Management Tool into the Administration Console

Auditing Providers

Auditing Concepts

Audit Channels

Auditing Events From Custom Security Providers

The Auditing Process

Implementing the ContextHandler MBean

ContextHandlerMBean Methods

Example: Implementing the ContextHandlerMBean

Extend weblogic.management.security.audit.ContextHandlerImpl

Do You Need to Develop a Custom Auditing Provider?

How to Develop a Custom Auditing Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the AuditProvider SSPI

Implement the AuditChannel SSPI

Example: Creating the Runtime Class for the Sample Auditing Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Custom Operations

Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom Auditing Provider Using the Administration Console

Configuring Audit Severity

Security Framework Audit Events

Passing Additional Audit Information

Audit Event Interfaces and Audit Events

AuditApplicationVersionEvent

AuditAtnEventV2

AuditAtzEvent

AuditCertPathBuilderEvent, AuditCertPathValidatorEvent

AuditConfigurationEvent

AuditCredentialMappingEvent

AuditLifecycleEvent

AuditMgmtEvent

AuditPolicyEvent

AuditRoleDeploymentEvent

AuditRoleEvent

Credential Mapping Providers

Credential Mapping Concepts

The Credential Mapping Process

Do You Need to Develop a Custom Credential Mapping Provider?

Does Your Custom Credential Mapping Provider Need to Support Application Versioning?

How to Develop a Custom Credential Mapping Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the CredentialProviderV2 SSPI

Implement the DeployableCredentialProvider SSPI

Implement the CredentialMapperV2 SSPI

Developing Custom Credential Mapping Providers That Are Compatible With the Realm Adapter Authentication Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Optional SSPI MBeans and No Custom Operations

Optional SSPI MBeans or Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Provide a Mechanism for Credential Map Management

Option 1: Develop a Stand-Alone Tool for Credential Map Management

Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console

Auditing Events From Custom Security Providers

Security Services and the Auditor Service

How to Audit From a Custom Security Provider

Create an Audit Event

Implement the AuditEvent SSPI

Implement an Audit Event Convenience Interface

The AuditAtnEventV2 Interface

The AuditAtzEvent and AuditPolicyEvent Interfaces

The AuditMgmtEvent Interface

The AuditRoleEvent and AuditRoleDeploymentEvent Interfaces

Audit Severity

Audit Context

Example: Implementation of the AuditRoleEvent Interface

Obtain and Use the Auditor Service to Write Audit Events

Example: Obtaining and Using the Auditor Service to Write Role Audit Events

Auditing Management Operations from a Provider’s MBean

Example: Auditing Management Operations from a Provider’s MBean

Best Practice: Posting Audit Events from a Provider's MBean

Servlet Authentication Filters

Authentication Filter Concepts

Why Filters are Needed

Servlet Authentication Filter Design Considerations

How Filters Are Invoked

Do Not Call Servlet Authentication Filters From Authentication Providers

Example of a Provider that Implements a Filter

How to Develop a Custom Servlet Authentication Filter

Create Runtime Classes Using the Appropriate SSPIs

Implement the Servlet Authentication Filter SSPI

Implement the Filter Interface Methods

Implementing Challenge Identity Assertion from a Filter

Generate an MBean Type Using the WebLogic MBeanMaker

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Configure the Authentication Provider Using Administration Console

Versionable Application Providers

Versionable Application Concepts

The Versionable Application Process

Do You Need to Develop a Custom Versionable Application Provider?

How to Develop a Custom VersionableApplication Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the VersionableApplication SSPI

Example: Creating the Runtime Class for the Sample VersionableApplication Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Configure the Custom Versionable Application Provider Using the Administration Console

CertPath Providers

Certificate Lookup and Validation Concepts

The Certificate Lookup and Validation Process

Do You Need to Implement Separate CertPath Validators and Builders?

CertPath Provider SPI MBeans

WebLogic CertPath Validator SSPI

WebLogic CertPath Builder SSPI

Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI

Do You Need to Develop a Custom CertPath Provider?

How to Develop a Custom CertPath Provider

Create Runtime Classes Using the Appropriate SSPIs

Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces

Implement the CertPath Provider SSPI

Implement the JDK Security Provider SPI

Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation

Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation

Returning the Builder or Validator Results

Example: Creating the Sample Cert Path Provider

Generate an MBean Type Using the WebLogic MBeanMaker

Create an MBean Definition File (MDF)

Use the WebLogic MBeanMaker to Generate the MBean Type

No Optional SSPI MBeans and No Custom Operations

Optional SSPI MBeans or Custom Operations

About the Generated MBean Interface File

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Install the MBean Type Into the WebLogic Server Environment

Configure the Custom CertPath Provider Using the Administration Console

MBean Definition File (MDF) Element Syntax

The MBeanType (Root) Element

The MBeanAttribute Subelement

The MBeanConstructor Subelement

The MBeanOperation Subelement

MBean Operation Exceptions

Examples: Well-Formed and Valid MBean Definition Files (MDFs)
