bea.com | products | dev2dev | support | askBEA
 Download Docs   Site Map   Glossary 
Search
e-docs > WebLogic Server > Developing Security Providers for WebLogic Server > Authorization Providers

Developing Security Providers for WebLogic Server

 Previous Next Contents Index View as PDF  

Authorization Providers

Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, "What can you access?" In WebLogic Server, an Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability.

The following sections describe Authorization provider concepts and functionality, and provide step-by-step instructions for developing a custom Authorization provider:

 

Authorization Concepts

Before you develop an Authorization provider, you need to understand the following concepts:

WebLogic Resources

A WebLogic resource is a structured object used to represent an underlying WebLogic Server entity that can be protected from unauthorized access. The level of granularity for WebLogic resources is up to you. For example, you can consider an entire Web application, a particular Enterprise JavaBean (EJB) within that Web application, or a single method within that EJB to be a WebLogic resource.

Note: WebLogic resources replace WebLogic Server 6.x access control lists (ACLs).

The Architecture of WebLogic Resources

The Resource interface, located in the weblogic.security.spi package, provides the definition for an object that represents a WebLogic resource, which can be protected from unauthorized access. The ResourceBase class, located in the weblogic.security.service package, is an abstract base class for more specific WebLogic resource types, and facilitates the model for extending resources. (See Figure 6-1 and Types of WebLogic Resources for more information.)

Figure 6-1 Architecture of WebLogic Resources


 

The ResourceBase class includes the BEA-provided implementations of the getID, getKeys, getValues, and toString methods. For more information, see the WebLogic Server 7.0 API Reference Javadoc for the ResourceBase class.

This architecture allows you to develop security providers without requiring that they be aware of any WebLogic resources. Therefore, when new resource types are added, you should not need to modify the security providers.

Types of WebLogic Resources

As shown in Figure 6-1, certain classes in the weblogic.security.service package extend the ResourceBase class, and therefore provide you with implementations for specific types of WebLogic resources. WebLogic resource implementations are available for:

Note: Each of these WebLogic resource implementations are explained in detail in the WebLogic Server 7.0 API Reference Javadoc.

WebLogic Resource Identifiers

Each WebLogic resource (described in Types of WebLogic Resources) can identified in two ways: by its toString() representation or by an associated resource ID (that is, using the getID method).

The toString() Method

If you use the toString method of any WebLogic resource implementation, a description of the WebLogic resource will be returned in the form of a String. First, the type of the WebLogic resource is printed in pointy-brackets. Then, each key is printed, in order, along with its value. The keys are comma-separated. Values that are lists are comma-separated and delineated by open and close curly braces. Each value is printed as is, except that commas (,), open braces ({), close braces (}), and back slashes (\) are each escaped with a back slash. For example, the EJB resource:

EJBResource ("myApp",
             "MyJarFile",
             "myEJB",
             "myMethod",
             "Home",
             new String[ ] {"argumentType1", "argumentType2"}
            );

will produce the following toString output:

type=<ejb>, app=myApp, module="MyJarFile", ejb=myEJB, method="myMethod", methodInterface="Home", methodParams={argumentType1, argumentType2}

The format of the WebLogic resource description provided by the toString method is public (that is, you can construct one without using a Resource object) and is reversible (meaning that you can convert the String form back to the original WebLogic resource).

Note: Listing 6-1 illustrates how to use the toString method to identify a WebLogic resource.

Resource IDs and the getID Method

The getID method on each of the defined WebLogic resource types returns a 64-bit hashcode that can be used to uniquely identify the WebLogic resource in a security provider. The resource ID can be effectively used for fast runtime caching, using the following algorithm:

  1. Obtain a WebLogic resource.
  2. Get the resource ID for the WebLogic resource using the getID method.
  3. Look up the resource ID in the cache.
  4. If the resource ID is found, then return the security policy.
  5. If the resource ID is not found, then:
    1. Use the toString method to look up the WebLogic resource in the security provider database.
    2. Store the resource ID and the security policy in cache.
    3. Return the security policy.

Note: Listing 6-2 illustrates how to use the getID method to identify a WebLogic resource in Authorization provider, and provides a sample implementation of this algorithm.

Because it is not guaranteed stable across multiple runs, you should not use the resource ID to store information about the WebLogic resource in a security provider database. Instead, best practice dictates that the security provider database contains the Resource.toString-to-security policy mapping, while the runtime cache contains the Resource.getID-to-security policy mapping.

How Security Providers Use WebLogic Resources

WebLogic resources are used in calls to Authorization and Role Mapping providers' runtime classes (specifically, in the AccessDecision and RoleMapper SSPI implementations). BEA recommends that these types of security providers store any resource-to-security policy and resource-to-role mappings in their corresponding security provider database using the WebLogic resource's toString method.

Notes: For more information about security provider databases, see Initializing the Security Provider Database. For more information about the toString method, see The toString() Method. For more information about Role Mapping providers, see Role Mapping Providers.

Listing 6-1 illustrates how to look up a WebLogic resource in the runtime class of an Authorization provider. This algorithm assumes that the security provider database for the Authorization provider contains a mapping of WebLogic resources to security policies. It is not required that you use the algorithm shown in Listing 6-1, or that you utitilize the call to the getParentResource method. (For more information about the getParentResource method, see Single-Parent Resource Hierarchies.)

Listing 6-1 How to Look Up a WebLogic Resource in an Authorization Provider: Using the toString Method

Policy findPolicy(Resource resource) {
   Resource myResource = resource;
   while (myResource != null) {
      String resourceText = myResource.toString();
      Policy policy = lookupInDB(resourceText);
      if (policy != null) return policy;
      myResource = myResource.getParentResource();
   }
   return null;
}

You can optimize the algorithm for looking up a WebLogic resource by using the getID method for the resource. (Use of the toString method alone, as shown in Listing 6-1, may impact performance due to the frequency of string concatenations.) The getID method may be quicker and more efficient because it is a hash operation that is calculated and cached within the WebLogic resource itself. Therefore, when the getID method is used, the toString value only needs to be calculated once per resource (as shown in Listing 6-2).

Listing 6-2 How to Look Up a WebLogic Resource in an Authorization Provider: Using the getID Method

Policy findPolicy(Resource resource) {
   Resource myResource = resource;
   while (myResource != null) {
      long id = myResource.getID();
      Policy policy = lookupInCache(id);
      if (policy != null) return policy;
      String resourceText = myResource.toString();
      Policy policy = lookupInDB(resourceText);
      if (policy != null) {
         addToCache(id, policy);
         return policy;
      }
      myResource = myResource.getParentResource();
   }
   return null;
}

Note: The getID method is not guaranteed between service packs or future WebLogic Server releases. Therefore, you should not store getID values in your security provider database.

Single-Parent Resource Hierarchies

WebLogic resources are arranged in a hierarchical structure ranging from most specific to least specific. You can use the getParentResource method for each of the WebLogic resource types if you like, but it is not required.

The WebLogic security providers use the single-parent resource hierarchy as follows: If a WebLogic security provider attempts to access a specific WebLogic resource and that resource cannot be located, the WebLogic security provider will call the getParentResource method of that resource. The parent of the current WebLogic resource is returned, and allows the WebLogic security provider to move up the resource hierarchy to protect the next (less-specific) resource. For example, if a caller attempts to access the following URL resource:

type=<url>, application=myApp, contextPath="/mywebapp", uri=foo/bar/my.jsp

and that exact URL resource cannot be located, the WebLogic security provider will progressively attempt to locate and protect the following resources (in order):

type=<url>, application=myApp, contextPath="/mywebapp", uri=/foo/bar/*
type=<url>, application=myApp, contextPath="/mywebapp", uri=/foo/*
type=<url>, application=myApp, contextPath="/mywebapp", uri=*.jsp
type=<url>, application=myApp, contextPath="/mywebapp", uri=/*
type=<url>, application=myApp, contextPath="/mywebapp"
type=<url>, application=myApp
type=<app>, application=myApp
type=<url>

Note: For more information about the getParentResource method, see the WebLogic Server 7.0 API Reference Javadoc for any of the predefined WebLogic resource types or the Resource interface.

WebLogic Resources, Roles, and Security Policies

Roles are abstract, logical collections of users similar to a group. Once you create a role, you define an association between that role and a WebLogic resource. This association (called a security policy) specifies who has what access to the WebLogic resource. Security policies (as well as roles) are instantiated for each level of the WebLogic resource hierarchy.

Notes: For more information about WebLogic resource hierarchies, see Single-Parent Resource Hierarchies. For information about roles and security policies for use with WebLogic resources, see "Understanding Roles" and "Understanding WebLogic Security Policies" in Managing WebLogic Security.

Access Decisions

Like LoginModules for Authentication providers, an Access Decision is the component of an Authorization provider that actually answers the "is access allowed?" question. Specifically, an Access Decision is asked whether a subject has permission to perform a given operation on a WebLogic resource, with specific parameters in an application. Given this information, the Access Decision responds with a result of PERMIT, DENY, or ABSTAIN.

Note: For more information about Access Decisions, see Implement the AccessDecision SSPI.

 

The Authorization Process

Figure 6-2 illustrates how Authorization providers (and the associated Adjudication and Role Mapping providers) interact with the WebLogic Security Framework during the authorization process, and an explanation follows.

Figure 6-2 Authorization Providers and the Authorization Process


 

Generally, authorization is performed in the following manner:

  1. A user or system process requests a WebLogic resource on which it will attempt to perform a given operation.
  2. The resource container that handles the type of WebLogic resource being requested receives the request (for example, the EJB container receives the request for an EJB resource).
  3. The resource container constructs a ContextHandler object that may be used by the configured Role Mapping providers and the configured Authorization providers' Access Decisions to obtain information associated with the context of the request.

    Note: A ContextHandler is a high-performing WebLogic class that allows a variable number of arguments to be passed as strings to a method. For more information about ContextHandlers, see the WebLogic Server 7.0 API Reference Javadoc for the ContextHandler interface. For more information about Access Decisions, see Access Decisions. For more information about Role Mapping providers, see Role Mapping Providers.

    The resource container calls the WebLogic Security Framework, passing in the subject, the WebLogic resource, and optionally, the ContextHandler object (to provide additional input for the decision).

  4. The WebLogic Security Framework calls the configured Role Mapping providers.
  5. The Role Mapping providers use the ContextHandler to request various pieces of information about the request. They construct a set of Callback objects that represent the type of information being requested. This set of Callback objects is then passed as an array to the ContextHandler using the handle method.

    The Role Mapping providers use the values contained in the Callback objects, the subject, and the resource to compute a list of roles to which the subject making the request is entitled, and pass the list of applicable roles back to the WebLogic Security Framework.

  6. The WebLogic Security Framework delegates the actual decision about whether the subject is entitled to perform the requested action on the WebLogic resource to the configured Authorization providers.

    The Authorization providers' Access Decisions also use the ContextHandler to request various pieces of information about the request. They too construct a set of Callback objects that represent the type of information being requested. This set of Callback objects is then passed as an array to the ContextHandler using the handle method. (The process is the same as described for Role Mapping providers in Step 5.)

  7. The isAccessAllowed method of each configured Authorization provider's Access Decision is called to determine if the subject is authorized to perform the requested access, based on the ContextHandler, subject, resource, and roles. Each isAccessAllowed method can return one of three values:

    This process continues until all Access Decisions are used.

  8. The WebLogic Security Framework delegates the job of reconciling any discrepancies among the results rendered by the configured Authorization providers' Access Decisions to the Adjudication provider. The Adjudication provider determines the ultimate outcome of the authorization decision.

    Note: For more information about the Adjudication provider, see Adjudication Providers.

  9. The Adjudication provider returns either a TRUE or FALSE verdict to the Authorization provider, which forwards it to the resource container through the WebLogic Security Framework.

 

Do You Need to Develop a Custom Authorization Provider?

The default (that is, active) security realm for WebLogic Server includes a WebLogic Authorization provider. The WebLogic Authorization provider supplies the default enforcement of authorization for this version of WebLogic Server. The WebLogic Authorization provider returns an access decision using a policy-based authorization engine to determine if a particular user is allowed access to a protected WebLogic resource. The WebLogic Authorization provider also supports the deployment and undeployment of security policies within the system. If you want to use an authorization mechanism that already exists within your organization, you could create a custom Authorization provider to tie into that system.

 

How to Develop a Custom Authorization Provider

If the WebLogic Authorization provider does not meet your needs, you can develop a custom Authorization provider by following these steps:

  1. Create Runtime Classes Using the Appropriate SSPIs
  2. Generate an MBean Type Using the WebLogic MBeanMaker
  3. Configure the Custom Authorization Provider Using the Administration Console

Create Runtime Classes Using the Appropriate SSPIs

Before you start creating runtime classes, you should first:

When you understand this information and have made your design decisions, create the runtime classes for your custom Authorization provider by following these steps:

Note: At least one Authorization provider in a security realm must implement the DeployableAuthorizationProvider SSPI, or else it will be impossible to deploy Web applications and EJBs.

For an example of how to create a runtime class for a custom Authorization provider, see Example: Creating the Runtime Class for the Sample Authorization Provider.

Implement the AuthorizationProvider SSPI

To implement the AuthorizationProvider SSPI, provide implementations for the methods described in Understand the Purpose of the "Provider" SSPIs and the following method:

getAccessDecision

public AccessDecision getAccessDecision();

The getAccessDecision method obtains the implementation of the AccessDecision SSPI. For a single runtime class called MyAuthorizationProviderImpl.java, the implementation of the getAccessDecision method would be:

return this;

If there are two runtime classes, then the implementation of the getAccessDecision method could be:

return new MyAccessDecisionImpl;

This is because the runtime class that implements the AuthorizationProvider SSPI is used as a factory to obtain classes that implement the AccessDecision SSPI.

For more information about the AuthorizationProvider SSPI and the getAccessDecision method, see the WebLogic Server 7.0 API Reference Javadoc.

Implement the DeployableAuthorizationProvider SSPI

To implement the DeployableAuthorizationProvider SSPI, provide implementations for the methods described in Understand the Purpose of the "Provider" SSPIs, Implement the AuthorizationProvider SSPI, and the following methods:

deployPolicy

public void deployPolicy(Resource resource, java.lang.String[] roleNames) throws ResourceCreationException

The deployPolicy method creates a policy on behalf of a deployed Web application or EJB, based on the WebLogic resource to which the policy should apply and the role names that are in the policy.

undeployPolicy

public void undeployPolicy(Resource resource) throws ResourceRemovalException

The undeployPolicy method deletes a policy on behalf of an undeployed Web application or EJB, based on the WebLogic resource to which the policy applied.

For more information about the DeployableAuthorizationProvider SSPI and the deployPolicy and undeployPolicy methods, see the WebLogic Server 7.0 API Reference Javadoc.

Implement the AccessDecision SSPI

When you implement the AccessDecision SSPI, you must provide implementations for the following methods:

isAccessAllowed

public Result isAccessAllowed(Subject subject, Map roles,

Resource resource, ContextHandler handler, Direction direction) throws InvalidPrincipalException

The isAccessAllowed method utilizes information contained within the subject to determine if the requestor should be allowed to access a protected method. The isAccessAllowed method may be called prior to or after a request, and returns values of PERMIT, DENY, or ABSTAIN. If multiple Access Decisions are configured and return conflicting values, an Adjudication provider will be needed to determine a final result. For more information, see Adjudication Providers.

isProtectedResource

public boolean isProtectedResource(Subject subject, Resource resource) throws InvalidPrincipalException

The isProtectedResource method is used to determine whether the specified WebLogic resource is protected, without incurring the cost of an actual access check. It is only a lightweight mechanism because it does not compute a set of roles that may be granted to the caller's subject.

For more information about the AccessDecision SSPI and the isAccessAllowed and isProtectedResource methods, see the WebLogic Server 7.0 API Reference Javadoc.

Example: Creating the Runtime Class for the Sample Authorization Provider

Listing 6-3 shows the SampleAuthorizationProviderImpl.java class, which is the runtime class for the sample Authorization provider. This runtime class includes implementations for:

Note: The bold face code in Listing 6-3 highlights the class declaration and the method signatures.

Listing 6-3 SampleAuthorizationProviderImpl.java

package examples.security.providers.authorization;
import java.security.Principal;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.management.security.ProviderMBean;
import weblogic.security.WLSPrincipals;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AccessDecision;
import weblogic.security.spi.DeployableAuthorizationProvider;
import weblogic.security.spi.Direction;
import weblogic.security.spi.InvalidPrincipalException;
import weblogic.security.spi.Resource;
import weblogic.security.spi.ResourceCreationException;
import weblogic.security.spi.ResourceRemovalException;
import weblogic.security.spi.Result;
import weblogic.security.spi.SecurityServices;
public final class SampleAuthorizationProviderImpl implements DeployableAuthorizationProvider, AccessDecision
{
   private String description;
   private SampleAuthorizerDatabase database;
   public void initialize(ProviderMBean mbean, SecurityServices services)
   {
      System.out.println("SampleAuthorizationProviderImpl.initialize");
      SampleAuthorizerMBean myMBean = (SampleAuthorizerMBean)mbean;
      description = myMBean.getDescription() + "\n" + myMBean.getVersion();
      database = new SampleAuthorizerDatabase(myMBean);
   }
   public String getDescription()
   {
      return description;
   }
   public void shutdown()
   {
      System.out.println("SampleAuthorizationProviderImpl.shutdown");
   }
   public AccessDecision getAccessDecision()
   {
      return this;
   }
   public Result isAccessAllowed(Subject subject, Map roles, Resource resource, 
   ContextHandler handler, Direction direction) throws InvalidPrincipalException
   {
      System.out.println("SampleAuthorizationProviderImpl.isAccessAllowed");
      System.out.println("\tsubject\t= " + subject);
      System.out.println("\troles\t= " + roles);
      System.out.println("\tresource\t= " + resource);
      System.out.println("\tdirection\t= " + direction);
      Set principals = subject.getPrincipals();
      for (Resource res = resource; res != null; res = res.getParentResource()) {
         if (database.policyExists(res)) {
            return isAccessAllowed(res, principals, roles);
         }
      }
      return Result.ABSTAIN;
   }
   public boolean isProtectedResource(Subject subject, Resource resource) throws 
   InvalidPrincipalException 
   {
      System.out.println("SampleAuthorizationProviderImpl.
        isProtectedResource");
      System.out.println("\tsubject\t= " + subject);
      System.out.println("\tresource\t= " + resource);
      for (Resource res = resource; res != null; res = res.getParentResource()) {
         if (database.policyExists(res)) {
            return true;
         }
      }
      return false;
   }
   public void deployPolicy(Resource resource, String[] roleNamesAllowed)
   throws ResourceCreationException
   {
      System.out.println("SampleAuthorizationProviderImpl.deployPolicy");
      System.out.println("\tresource\t= " + resource);
      for (int i = 0; roleNamesAllowed != null && i < roleNamesAllowed.length; 
       i++) {
         System.out.println("\troleNamesAllowed[" + i + "]\t= " + 
         roleNamesAllowed[i]);
      }
      database.setPolicy(resource, roleNamesAllowed);
   }
   public void undeployPolicy(Resource resource) throws ResourceRemovalException
   {
      System.out.println("SampleAuthorizationProviderImpl.undeployPolicy");
      System.out.println("\tresource\t= " + resource);
      database.removePolicy(resource);
   }
   private boolean principalsOrRolesContain(Set principals, Map roles, String 
   principalOrRoleNameWant)
   {
      if (roles.containsKey(principalOrRoleNameWant)) {
         return true;
      }
      {
         for (Iterator i = principals.iterator(); i.hasNext();) {
            Principal principal = (Principal)i.next();
            String principalNameHave = principal.getName();
            if (principalOrRoleNameWant.equals(principalNameHave)) {
               return true;
            }
         }
      }
      return false; 
   }
   private Result isAccessAllowed(Resource resource, Set principals, Map roles)
   {
      for (Enumeration e = database.getPolicy(resource); e.hasMoreElements();) 
      {
       String principalOrRoleNameAllowed = (String)e.nextElement();
       if (WLSPrincipals.getEveryoneGroupname().
         equals(principalOrRoleNameAllowed) || 
         (WLSPrincipals.getUsersGroupname().equals(principalOrRoleNameAllowed)
         && !principals.isEmpty()) || principalsOrRolesContain(principals, 
         roles, principalOrRoleNameAllowed)) 
         {
            return Result.PERMIT;
         }
      }
      return Result.DENY;
   }
}

Generate an MBean Type Using the WebLogic MBeanMaker

Before you start generating an MBean type for your custom security provider, you should first:

When you understand this information and have made your design decisions, create the MBean type for your custom Authorization provider by following these steps:

  1. Create an MBean Definition File (MDF)
  2. Use the WebLogic MBeanMaker to Generate the MBean Type
  3. Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
  4. Install the MBean Type Into the WebLogic Server Environment

Notes: Several sample security providers (available under "Code Direct" on the dev2dev Web site) illustrate how to perform these steps.

All instructions provided in this section assume that you are working in a Windows environment.

Create an MBean Definition File (MDF)

To create an MBean Definition File (MDF), follow these steps:

  1. Copy the MDF for the sample Authorization provider to a text file.

    Note: The MDF for the sample Authorization provider is called SampleAuthorizer.xml.

  2. Modify the content of the <MBeanType> and <MBeanAttribute> elements in your MDF so that they are appropriate for your custom Authorization provider.
  3. Add any custom attributes and operations (that is, additional <MBeanAttribute> and <MBeanOperation> elements) to your MDF.
  4. Save the file.

Note: A complete reference of MDF element syntax is available in MBean Definition File (MDF) Element Syntax.

Use the WebLogic MBeanMaker to Generate the MBean Type

Once you create your MDF, you are ready to run it through the WebLogic MBeanMaker. The WebLogic MBeanMaker is currently a command-line utility that takes as its input an MDF, and outputs some intermediate Java files, including an MBean interface, an MBean implementation, and an associated MBean information file. Together, these intermediate files form the MBean type for your custom security provider.

The instructions for generating an MBean type differ based on the design of your custom Authorization provider. Follow the instructions that are appropriate to your situation:

No Optional SSPI MBeans and No Custom Operations

If the MDF for your custom Authorization provider does not implement any optional SSPI MBeans and does not include any custom operations, follow these steps:

  1. Create a new DOS shell.
  2. Type the following command:

    java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

    where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

    Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by filesdir, you are informed that the existing files will be overwritten and are asked to confirm.

    Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

    Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Authorization providers).

  3. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

Optional SSPI MBeans or Custom Operations

If the MDF for your custom Authorization provider does implement some optional SSPI MBeans or does include custom operations, consider the following:

  1. Create a new DOS shell.
  2. Type the following command:

    java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

    where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

    Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by filesdir, you are informed that the existing files will be overwritten and are asked to confirm.

    Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

    Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Authorization providers).

  3. If you implemented optional SSPI MBeans in your MDF, follow these steps:
    1. Locate the MBean implementation file.

      2. The MBean implementation file generated by the WebLogic MBeanMaker is named MBeanNameImpl.java. For example, for the MDF named SampleAuthorizer, the MBean implementation file to be edited is named SampleAuthorizerImpl.java.

    2. For each optional SSPI MBean that you implemented in your MDF, copy the method stubs from the "Mapping MDF Operation Declarations to Java Method Signatures Document" (available on the dev2dev Web site) into the MBean implementation file, and implement each method. Be sure to also provide implementations for any methods that the optional SSPI MBean inherits.
  4. If you included any custom operations in your MDF, implement the methods using the method stubs.
  5. Save the file.
  6. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).
  1. Copy your existing MBean implementation file to a temporary directory so that your current method implementations are not overwritten by the WebLogic MBeanMaker.
  2. Create a new DOS shell.
  3. Type the following command:

    java -DMDF=xmlfile -DFiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

    where xmlFile is the MDF (the XML MBean Description File) and filesdir is the location where the WebLogic MBeanMaker will place the intermediate files for the MBean type.

    Whenever xmlfile is provided, a new set of output files is generated. If files already exist in the location specified by filesdir, you are informed that the existing files will be overwritten and are asked to confirm.

    Each time you use the -DcreateStubs=true flag, it overwrites any existing MBean implementation file.

    Note: The WebLogic MBeanMaker processes one MDF at a time. Therefore, you may have to repeat this process if you have multiple MDFs (in other words, multiple Authorization providers).

  4. If you implemented optional SSPI MBeans in your MDF, follow these steps:
    1. Locate the MBean implementation file.

      2. The MBean implementation file generated by the WebLogic MBeanMaker is named MBeanNameImpl.java. For example, for the MDF named SampleAuthorizer, the MBean implementation file to be edited is named SampleAuthorizerImpl.java.

    2. Open your existing MBean implementation file (which you saved to a temporary directory in step 1).
    3. Synchronize the existing MBean implementation file with the MBean implementation file generated by the WebLogic MBeanMaker.

      4. Accomplishing this task may include, but is not limited to: copying the method implementations from your existing MBean implementation file into the newly-generated MBean implementation file (or, alternatively, adding the new methods from the newly-generated MBean implementation file to your existing MBean implementation file), and verifying that any changes to method signatures are reflected in the version of the MBean implementation file that you are going to use (for methods that exist in both MBean implementation files).

    4. If you modified the MDF to implement optional SSPI MBeans that were not in the original MDF, copy the method stubs from the "Mapping MDF Operation Declarations to Java Method Signatures Document" (available on the dev2dev Web site) into the MBean implementation file, and implement each method. Be sure to also provide implementations for any methods that the optional SSPI MBean inherits.
  5. If you modified the MDF to include any custom operations that were not in the original MDF, implement the methods using the method stubs.
  6. Save the version of the MBean implementation file that is complete (that is, has all methods implemented).
  7. Copy this MBean implementation file into the directory where the WebLogic MBeanMaker placed the intermediate files for the MBean type. You specified this as filesdir in step 3. (You will be overriding the MBean implementation file generated by the WebLogic MBeanMaker as a result of step 3.)
  8. Proceed to Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

About the Generated MBean Interface File

The MBean interface file is the client-side API to the MBean that your runtime class or your MBean implementation will use to obtain configuration data. It is typically used in the initialize method as described in Understand the Purpose of the "Provider" SSPIs.

Because the WebLogic MBeanMaker generates MBean types from the MDF you created, the generated MBean interface file will have the name of the MDF, plus the text "MBean" appended to it. For example, the result of running the SampleAuthorizer MDF through the WebLogic MBeanMaker will yield an MBean interface file called SampleAuthorizerMBean.java.

Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Once your have run your MDF through the WebLogic MBeanMaker to generate your intermediate files, and you have edited the MBean implementation file to supply implementations for the appropriate methods within it, you need to package the MBean files and the runtime classes for the custom Authorization provider into an MBean JAR File (MJF). The WebLogic MBeanMaker also automates this process.

To create an MJF for your custom Authorization provider, follow these steps:

  1. Create a new DOS shell.
  2. Type the following command:

    java -DMJF=jarfile -DFiles=filesdir weblogic.management.commo.WebLogicMBeanMaker

    where jarfile is the name for the MJF and filesdir is the location where the WebLogic MBeanMaker looks for the files to JAR into the MJF.

    Compilation occurs at this point, so errors are possible. If jarfile is provided, and no errors occur, an MJF is created with the specified name.

Notes: If you want to update an existing MJF, simply delete the MJF and regenerate it. The WebLogic MBeanMaker also has a -DIncludeSource option, which controls whether source files are included into the resulting MJF. Source files include both the generated source and the MDF itself. The default is false. This option is ignored when -DMJF is not used.

The resulting MJF can be installed into your WebLogic Server environment, or distributed to your customers for installation into their WebLogic Server environments.

Install the MBean Type Into the WebLogic Server Environment

To install an MBean type into the WebLogic Server environment, copy the MJF into the WL_HOME\server\lib\mbeantypes directory, where WL_HOME is the top-level installation directory for WebLogic Server. This "deploys" your custom Authorization provider—that is, it makes the custom Authorization provider manageable from the WebLogic Server Administration Console.

You can create instances of the MBean type by configuring your custom Authorization provider (see Configure the Custom Authorization Provider Using the Administration Console), and then use those MBean instances from a GUI, from other Java code, or from APIs. For example, you can use the WebLogic Server Administration Console to get and set attributes and invoke operations, or you can develop other Java objects that instantiate MBeans and automatically respond to information that the MBeans supply. We recommend that you back up these MBean instances. For more information, see "Backing Up Security Configuration Data" under "Recovering Failed Servers" in Creating and Configuring WebLogic Server Domains.

Configure the Custom Authorization Provider Using the Administration Console

Configuring a custom Authorization provider means that you are adding the custom Authorization provider to your security realm, where it can be accessed by applications requiring authorization services.

Configuring custom security providers is an administrative task, but it is a task that may also be performed by developers of custom security providers. This section contains information that is important for the person configuring your custom Authorization providers:

Note: The steps for configuring a custom Authorization provider using the WebLogic Server Administration Console are described under "Configuring a Custom Security Provider" in Managing WebLogic Security.

Managing Authorization Providers and Deployment Descriptors

Some application components, such as Enterprise JavaBeans (EJBs) and Web applications, store relevant deployment information in Java 2 Enterprise Edition (J2EE) and WebLogic Server deployment descriptors. For Web applications, the deployment descriptor files (called web.xml and weblogic.xml) contain information for implementing the J2EE security model, including declarations of security policies. Typically, you will want to include this information when first configuring your Authorization providers in the WebLogic Server Administration Console.

The Administration Console provides an Ignore Security Data in Deployment Descriptors flag for this purpose, which you or an administrator should deselect the first time a custom Authorization provider is configured. (To locate this flag, click Security —> Realms —> realm in the left pane of the Administration Console, where realm is the name of your security realm. Then select the General tab.) When this flag is deselected and a Web application or EJB is deployed, WebLogic Server reads security policy information from the web.xml and weblogic.xml deployment descriptor files (an example of a web.xml file is shown in Listing 6-4). This information is then copied into the security provider database for the Authorization provider.

Listing 6-4 Sample web.xml File

<?xml version="1.0" ?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.2//EN" "http://java.sun.com/j2ee/dtds/web-app_2_2.dtd">
<web-app>
     ...
     <context-param>
          <param-name>HTTPS_PORT</param-name>
          <param-value>7502</param-value>
     </context-param>
     ...
     <servlet>
          <servlet-name>Security</servlet-name>
          <servlet-class>com.beasys.commerce.ebusiness.security.
              EncryptionServlet</servlet-class>
     </servlet>
     ...
     <servlet-mapping>
          <servlet-name>Security</servlet-name>
          <url-pattern>/security</url-pattern>
     </servlet-mapping>
     ...
     <session-config>
          <session-timeout>15</session-timeout>
     </session-config>
     ...
     <security-constraint>
          <web-resource-collection>
              <web-resource-name>Administration Tool Pages</web-resource-name>
              <description>The Administration Tool Pages</description>
              <url-pattern>/tools/catalog/*</url-pattern>
              <url-pattern>/tools/content/*</url-pattern>
              <url-pattern>/tools/order/*</url-pattern>
              <url-pattern>/tools/property/*</url-pattern>
              <url-pattern>/tools/usermgmt/*</url-pattern>
              <url-pattern>/tools/util/*</url-pattern>
              <url-pattern>/tools/webflow/*</url-pattern>
              <url-pattern>/tools/*info.jsp</url-pattern>
              <url-pattern>/repository/*</url-pattern>
          		    <url-pattern>/security/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>Administrators</description>
              <role-name>SystemAdminRole</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     <security-constraint>
          <web-resource-collection>
              <web-resource-name>Portal Administration Tool Pages
              </web-resource-name>
              <description>The Portal Administration Tool Pages</description>
              <url-pattern>/tools/portal/*</url-pattern>
              <url-pattern>/tools/wlps_home.jsp</url-pattern>
              <url-pattern>/repository/*</url-pattern>
              <url-pattern>/security/*</url-pattern>
              <http-method>GET</http-method>
              <http-method>POST</http-method>
          </web-resource-collection>
          <auth-constraint>
              <description>Administrators</description>
              <role-name>DelegatedAdminRole</role-name>
              <role-name>SystemAdminRole</role-name> 
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
          </user-data-constraint>
     </security-constraint>
     ...
     <login-config>
          <auth-method>BASIC</auth-method>
     </login-config> 
     <security-role>
          <description>System Administrators</description>
          <role-name>SystemAdminRole</role-name>
     </security-role> 
     ...
</web-app>

While you can set additional security policies in the web.xml/weblogic.xml deployment descriptors and in the Administration Console, BEA recommends that you copy the security policies defined in the Web application or EJB deployment descriptors once, then use the Administration Console to define subsequent security policies. This is because any changes made to the security policies through the Administration Console during configuration of an Authorization provider will not be persisted to the web.xml and weblogic.xml files. Before you deploy the application again (which will happen if you redeploy it through the Administration Console, modify it on disk, or restart WebLogic Server), you should select the Ignore Security Data in Deployment Descriptors flag. If you do not, the security policies defined using the Administration Console will be overwritten by those defined in the deployment descriptors.

Note: The Ignore Security Data in Deployment Descriptors flag also affects Role Mapping providers and Credential Mapping providers. For more information, see Managing Role Mapping Providers and Deployment Descriptors and Managing Credential Mapping Providers, Resource Adapters, and Deployment Descriptors, respectively.

Enabling Security Policy Deployment

If you implemented the DeployableAuthorizationProvider SSPI and want to support deployable security policies with your custom Authorization provider, the person configuring the custom Authorization provider (that is, you or an administrator) must be sure that the Policy Deployment Enabled flag in the WebLogic Server Administration Console is checked. Otherwise, deployment for the Authorization provider is considered "turned off." Therefore, if multiple Authorization providers are configured, the Policy Deployment Enabled flag can be used to control which Authorization provider is used for security policy deployment.

The Policy Deployment Enabled flag performs the same function as the Ignore Security Data in Deployment Descriptors flag (described in Managing Authorization Providers and Deployment Descriptors), but is specific to Authorization providers.

Note: If both the Policy Deployment Enabled flag and the Ignore Security Data in Deployment Descriptors flag are checked, the Ignore Security Data in Deployment Descriptors flag takes precedence. In other words, if the Ignore Security Data in Deployment Descriptors flag is checked, the Authorization provider will not do deployment even if its Policy Deployment Enabled flag is checked.

 

Back to Top Previous Next