Developing Security Providers for WebLogic Server
Developing Security Providers for WebLogic Server is designed for independent software vendors (ISVs) who want to write their own security providers for use with WebLogic Server. It is assumed that most ISVs reading this documentation are sophisticated application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security vendors and application developers are familiar with BEA WebLogic Server and with Java (including Java Management eXtensions (JMX)).
Additionally, WebLogic Server security includes many unique terms and concepts that you need to understand. These terms and concepts—which you will encounter throughout the WebLogic Server security documentation—are defined in the Terminology and the Security Fundamentals sections of Introduction to WebLogic Security, respectively.
Descriptions of the WebLogic security providers are available under The WebLogic Security Providers in Introduction to WebLogic Security and in later sections of this guide under the "Do You Need to Create a Custom <Provider_Type> Provider?" headings. <Provider_Type> can be Authentication, Identity Assertion, Principal Validation, Authorization, Adjudication, Role Mapping, Auditing, or Credential Mapping.
The type may be Authentication, Identity Assertion, Principal Validation, Authorization, Adjudication, Role Mapping, Auditing, or Credential Mapping, described in Types of Security Providers in Introduction to WebLogic Security. Your custom security provider can augment or replace the WebLogic security providers that are already supplied with WebLogic Server.
These options are discussed in Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes.
These two database initialization options are explained in Initialization of the Security Provider Database.
For more information, see Security Providers and WebLogic Resources.
In one or two runtime classes, implement the SSPIs you have identified by providing implementations for each of their methods. The methods should contain the specific algorithms for the security services offered by the custom security provider. The content of these methods describe how the service should behave.
Procedures for this task are dependent on the type of security provider you want to create, and are provided under the "Create Runtime Classes Using the Appropriate SSPIs" heading in the sections that discuss each security provider in detail.
Information about MDFs is available in Understand the Basic Elements of an MBean Definition File (MDF), and procedures for this task are provided under the "Create an MBean Definition File (MDF)" heading in the sections that discuss each security provider in detail.
Information about the WebLogic MBeanMaker and how it uses the MDF to generate Java files is provided in Understand What the WebLogic MBeanMaker Provides, and procedures for this task are provided under the "Use the WebLogic MBeanMaker to Generate the MBean Type" heading in the sections that discuss each security provider in detail.
Console extensions allow you to add JavaServer Pages (JSPs) to the WebLogic Server Administration Console to support additional management and configuration of custom security providers. Console extensions allow you to include Administration Console support where that support does not yet exist, as well as to customize administrative interactions as you see fit.
Generating an MBean type (as described in Generating an MBean Type to Configure and Manage the Custom Security Provider) is the BEA-recommended way for configuring and managing custom security providers. However, you may want to configure and manage your custom security provider completely through a console extension that you write.
When you implement optional SSPI MBeans to develop a custom Authentication provider, you automatically receive support in the Administration Console for the MBean type's attributes (inherited from the optional SSPI MBean). Other types of custom security providers, such as custom Authorization providers, do not receive this support.
The Details tab for a custom security provider will automatically display custom attributes, but only if they are represented as a simple data type, such as a string, MBean, boolean or integer value. If you have custom attributes that are represented as atypical data types (for example, an image of a fingerprint), the Administration Console cannot visualize the custom attribute without customization.
Because of the potential variety involved with custom operations, the Administration Console does not know how to automatically display or process them. Examples of custom operations might be a microphone for a voice print, or import/export buttons. The Administration Console cannot visualize and process these operations without customization.
In any of the preceding situations, if you do not want to write a console extension that allows you to use the WebLogic Server Administration Console, you can use the
weblogic.Admin command to manage and configure your custom security providers instead. For more information about the
weblogic.Admin command, see the WebLogic Server Command Reference.
For more information about console extensions, see Extending the Administration Console and Writing Console Extensions for Custom Security Providers.
The configuration process consists of using the WebLogic Server Administration Console (or the
weblogic.Admin command) to supply the custom security provider with configuration information. If you generated an MBean type for managing the custom security provider, "configuring" the custom security provider in the Administration Console also means that you are creating a specific instance of the MBean type.
For more information about configuring security providers using the Administration Console, see Customizing the Default Security Configuration in Managing WebLogic Security. For more information about the
weblogic.Admin command, see the WebLogic Server Command Reference.
Certain types of security providers need to provide administrators with a way to manage the security data associated with them. For example, an Authorization provider needs to supply administrators with a way to manage security policies. Similarly, a Role Mapping provider needs to supply administrators with a way to manage security roles, and a Credential Mapping provider needs to supply administrators with a way to manage credential maps.
For the WebLogic Authorization, Role Mapping, and Credential Mapping providers, there are already management mechanisms available for administrators in the WebLogic Server Administration Console. However, do you not inherit these mechanisms when you develop a custom version of one of these security providers; you need to provide your own mechanisms to manage security policies, security roles, and credential maps. These mechanisms must read and write the appropriate security data to and from the custom security provider's database, but may or may not be integrated with the Administration Console.