Developing Security Providers for WebLogic Server
Authentication providers rely on Principal Validation providers to sign and verify the authenticity of principals (users and groups) contained within a subject. Such verification provides an additional level of trust and may reduce the likelihood of malicious principal tampering. Verification of the subject's principals takes place during the WebLogic Server's demarshalling of RMI client requests for each invocation. The authenticity of the subject's principals is also verified when making authorization decisions.
Like Identity Assertion providers support specific types of tokens, Principal Validation providers support specific types of principals. For example, the WebLogic Principal Validation provider (described in Do You Need to Develop a Custom Principal Validation Provider?) signs and verifies the authenticity of WebLogic Server principals.
The Principal Validation provider that is associated with the configured Authentication provider (as described in How Principal Validation Providers Differ From Other Types of Security Providers) will sign and verify all the principals stored in the subject that are of the type the Principal Validation provider is designed to support.
A Principal Validation provider is a special type of security provider that primarily acts as a "helper" to an Authentication provider. The main function of a Principal Validation provider is to prevent malicious individuals from tampering with the principals stored in a subject.
AuthenticationProvider SSPI (as described in Implement the AuthenticationProviderV2 SSPI) includes a method called
getPrincipalValidator. In this method, you specify the Principal Validation provider's runtime class to be used with the Authentication provider. The Principal Validation provider's runtime class can be the one BEA provides (called the WebLogic Principal Validation provider) or one you develop (called a custom Principal Validation provider). An example of using the WebLogic Principal Validation provider in an Authentication provider's
getPrincipalValidator method is shown in Listing 3-1.
Because you generate MBean types for Authentication providers and configure Authentication providers using the WebLogic Server Administration Console, you do not have to perform these steps for a Principal Validation provider.
When the WebLogic Security Framework attempts an authentication (or authorization) operation, it checks the subject's principals to see if they are valid. If a principal is not valid, the WebLogic Security Framework throws a security exception with text indicating that the subject is invalid. A subject may be invalid because:
As shown in Figure 5-1, a user attempts to log into a system using a username/password combination. WebLogic Server establishes trust by calling the configured Authentication provider's LoginModule, which validates the user's username and password and returns a subject that is populated with principals per Java Authentication and Authorization Service (JAAS) requirements.
WebLogic Server passes the subject to the specified Principal Validation provider, which signs the principals and then returns them to the client application via WebLogic Server. Whenever the principals stored within the subject are required for other security operations, the same Principal Validation provider will verify that the principals stored within the subject have not been modified since they were signed.
The default (that is, active) security realm for WebLogic Server includes a WebLogic Principal Validation provider. Much like an Identity Assertion provider supports a specific type of token, a Principal Validation provider signs and verifies the authenticity of a specific type of principal. The WebLogic Principal Validation provider signs and verifies WebLogic Server principals. In other words, it signs and verifies principals that represent WebLogic Server users or WebLogic Server groups.
Notes: You can use the
WLSPrincipals class (located in the
weblogic.security package) to determine whether a principal (user or group) has special meaning to WebLogic Server. (That is, whether it is a predefined WebLogic Server user or WebLogic Server group.) Furthermore, any principal that is going to represent a WebLogic Server user or group needs to implement the
WLSGroup interfaces (available in the
The WebLogic Principal Validation provider includes implementations of the
WLSGroup interfaces, named
WLSGroupImpl. These are located in the
weblogic.security.principal package. It also includes an implementation of the
PrincipalValidator SSPI called
PrincipalValidatorImpl (located in the
weblogic.security.provider package). The
sign() method in the
PrincipalValidatorImpl class generates a random seed and computes a digest based on that random seed. (For more information about the
PrincipalValidator SSPI, see Implement the PrincipalValidator SSPI.)
equals()method to include your extra data members. Your implementation should call the
super.equals()method when complete so the
WLSAbstractPrincipalcan validate the remaining data.
If you have your own validation scheme and do not want to use the WebLogic Principal Validation provider, or if you want to provide validation for principals other than WebLogic Server principals, then you need to develop a custom Principal Validation provider.
PrincipalValidationImplclass by implementing the
weblogic.security.spi.PrincipalValidatorSSPI. (See Implement the PrincipalValidator SSPI.)
Your implementation of the
sign method should be a secret algorithm that malicious individuals cannot easily recreate. You can include that algorithm within the
sign method itself, have the
sign method call out to a server for a token it should use to sign the principal, or implement some other way of signing the principal.
For more information about the
PrincipalValidator SSPI and the methods described above, see the WebLogic Server API Reference Javadoc.