Developing Security Providers for WebLogic Server
Writing Console Extensions for Custom Security Providers
Console extensions allow you to provide functionality that is not included in the standard WebLogic Server Administration Console, or provide an alternate interface for existing functionality. You provide this functionality by adding nodes to the navigation tree, and/or by adding or replacing tabbed dialogs and dialog screens.
Note: Detailed information about how to write console extensions is provided in Extending the Administration Console, and should be reviewed before proceeding.
The following sections provide information about writing console extensions specifically for use with custom security providers:
When Should I Write a Console Extension?
To get complete configuration and management support through the WebLogic Server Administration Console for a custom security provider, you need to write a console extension when:
- You decide not to implement an optional SSPI MBean when you generate an MBean type for your custom security provider, but still want to configure and manage your custom security provider via the Administration Console. (That is, you do not want to use the WebLogic Server Command-Line Interface instead.)
Generating an MBean type (as described in Generating an MBean Type to Configure and Manage the Custom Security Provider) is the BEA-recommended way for configuring and managing custom security providers. However, you may want to configure and manage your custom security provider completely through a console extension that you write.
- You implement optional SSPI MBeans for custom security providers that are not custom Authentication providers.
When you implement optional SSPI MBeans to develop a custom Authentication provider, you automatically receive support in the Administration Console for the MBean type's attributes (inherited from the optional SSPI MBean). Other types of custom security providers, such as custom Authorization providers, do not receive this support.
- You add a custom attribute that cannot be represented as a simple data type to your MBean Definition File (MDF), which is used to generate the custom security provider's MBean type.
The Details tab for a custom security provider will automatically display custom attributes, but only if they are represented as a simple data type, such as a string, MBean, boolean or integer value. If you have custom attributes that are represented as atypical data types (for example, an image of a fingerprint), the Administration Console cannot visualize the custom attribute without customization.
- You add a custom operation to your MBean Definition File (MDF), which is used to generate the custom security provider's MBean type.
Because of the potential variety involved with custom operations, the Administration Console does not know how to automatically display or process them. Examples of custom operations might be a microphone for a voice print, or import/export buttons. The Administration Console cannot visualize and process these operations without customization.
Some other (optional) reasons for extending the Administration Console include:
- Corporate branding—when, for example, you want your organization's logo or look and feel on the pages used to configure and manage a custom security provider.
- Consolidation—when, for example, you want all the fields used to configure and manage a custom security provider on one page, rather than in separate tabs or locations.
When In the Development Process Should I Write a Console Extension?
The various programmatic elements that comprise a console extension are packaged into a Web application and deployed in your WebLogic Server domain. The point in the development process when you develop the Web application is completely up to you.
However, before you or an administrator can use the console extension to configure and manage a custom security provider, the MBean type for the custom security provider must have been generated (as described in Generating an MBean Type to Configure and Manage the Custom Security Provider) and the console extension Web application properly packaged and deployed.
Note: For instructions about how to develop, package, and deploy a console extension as a Web application, see Main Steps for Writing an Administration Console Extension.
How Writing a Console Extension for a Custom Security Provider Differs From a Basic Console Extension
While basic console extensions (described in Extending the Administration Console) provide a great deal of flexibility and capability, the additional mechanisms that are available for writing security provider-specific console extensions enable:
- Tighter integration with the Administration Console pages already provided for configuring and managing custom security providers.
- Integration of tabbed dialogs and dialog screens at several different, specific points. (Basic console extensions only allow you to add tabbed dialogs and dialog screens as part of new navigation tree nodes.)
- Replacement of existing tabbed dialogs and dialog screens used to configure and manage custom security providers.
Main Steps for Writing an Administration Console Extension
Although security provider-specific console extensions provide the additional features described in How Writing a Console Extension for a Custom Security Provider Differs From a Basic Console Extension, the main process for writing console extensions is the same:
1. Create a Java class that defines your Administration Console extension. This class defines where your console extension appears in the navigation tree and can provide additional functionality required by your extension. For more information, see Implementing the NavTreeExtension Interface in Extending the Administration Console.
2. Define the behavior of the Navigation tree. In this step you can define multiple nodes that appear under the node you define in step 1. You can also define right-click menus and actions. For more information, see Setting Up the Navigation Tree in Extending the Administration Console.
3. Write JavaServer Pages (JSPs) to display your console extension screens. You may use localized text by looking up strings in a localization catalog. A supplied tag library allows you to create tabbed dialog screens similar to those in the standard Administration Console and to access the localization catalogs. For more information, see Writing the Console Screen JSPs in Extending the Administration Console.
4. Deploy the Web application containing your console extension on the Administration Server in your WebLogic Server domain. For more information, see Deploying an Administration Console Extension in Extending the Administration Console.
Replacing Custom Security Provider-Related Administration Console Dialog Screens Using the SecurityExtensionV2 Interface
The SecurityExtensionV2 interface provides methods that allow you to replace various custom security provider-related Administration Console dialog screens. The Java class you create to define your console extension can implement the SecurityExtensionV2 interface in addition to (or in place of) extending the Extension class. (The Extension class is used for basic console extensions, and its use is described in Implementing the NavTreeExtension Interface in Extending the Administration Console.)
Note: You must implement all the methods in this interface. Simply return null for the pages you choose not to replace.
Table 12-1 shows the security provider-related dialog screens that you are most likely to replace, as well as the methods in the SecurityExtensionV2 interface that you need to implement to replace them.
Table 12-1 Using the SecurityExtensionV2 Interface
To Replace Dialog Screens Used to...
- Configure a new custom security provider and edit an existing custom security provider's configuration.
- Create a new user and edit an existing user. (For use with custom Authentication providers.)
- Create a new group and edit an existing group. (For use with custom Authentication providers.)
- Create a new security role and edit an existing security role. (For use with custom Role Mapping providers.)
- Create a new security policy and edit an existing security policy. (For use with custom Authorization providers.)
- Configure a remote user's password. (For use with custom Credential Mapping providers.)
- Map a resource ID and local username to a remote username. (For use with custom Credential Mapping providers.)
The SecurityExtension interface is deprecated in this release of WebLogic Server. Be sure you use the SecurityExtensionV2 interface. For more detailed information, see the WebLogic Server 8.1 API Reference Javadoc for the SecurityExtensionV2 interface and the Extension class.
How a Console Extension Affects the Administration Console
Whether you write a console extension that is meant to replace the BEA-provided dialog screens for configuring a custom security provider, or the dialog screens for creating and editing users, groups, security roles, or security policies that are associated with security providers, the WebLogic Server Administration Console will be affected in the same way.
As an example, the following process will occur when you or an administrator attempt to configure a custom security provider using the WebLogic Server Administration Console:
1. If you or an administrator click a Configure a New Security_Provider_Type... link on one of the Administration Console's dialog screens (examples of which are shown in the top portion of Figure 12-1), the Administration Console attempts to locate a console extension for the custom security provider.
Figure 12-1 Configuring the Sample Authentication Provider
If you or an administrator are editing a custom security provider's configuration (rather than adding it as step 1 describes), the Administration Console attempts to locate a console extension when you click the hyperlinked name of the custom security provider (examples of which are shown in the bottom portion of Figure 12-1).
2. If the Administration Console detects that a console extension for the security provider is available, the Administration Console displays the JavaServer Page (JSP) specified by the URL that is returned from the getExtensionForProvider method (or other getExtensionFor* method described in Table 12-1).
3. You or an administrator use the JSP to configure and manage the custom security provider, instead of the BEA-provided interface.