This document provides security vendors and application developers with the information needed to develop new security providers for use with the BEA WebLogic Server.
Documentation Audience
This document is written for independent software vendors (ISVs) who want to write their own security providers for use with WebLogic Server. It is assumed that most ISVs reading this documentation are sophisticated application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security vendors and application developers are familiar with BEA WebLogic Server and with Java (including Java Management eXtensions (JMX)).
Guide to this Document
This document provides security vendors and application developers with the information needed to develop new security providers for use with the BEA WebLogic Server.
The document is organized as follows:
Introduction to Developing Security Providers for WebLogic Server,which prepares you to learn more about developing security providers for use with WebLogic Server. It specifies the audience and prerequisites for this guide, and provides an overview of the development process.
Design Considerations,which explains the general architecture of a security provider and provides background information you should understand about implementing SSPIs and generating MBean types. This section also includes information about using optional management utilities and discusses how security providers interact with WebLogic resources. Lastly, this section suggests ways in which your custom security providers might work with databases that contain information security providers require.
Authentication Providers,which explains the authentication process (for simple logins) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authentication providers. This topic also includes a discussion about JAAS LoginModules.
Identity Assertion Providers,which explains the authentication process (for perimeter authentication using tokens) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Identity Assertion providers.
Principal Validation Providers,which explains how Principal Validation providers assist Authentication providers by signing and verifying the authenticity of principals stored in a subject, and provides instructions about how to develop custom Principal Validation providers.
Authorization Providers,which explains the authorization process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authorization providers.
Adjudication Providers,which explains the adjudication process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Adjudication providers.
Role Mapping Providers,which explains the role mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Role Mapping providers.
Auditing Providers,which explains the auditing process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Auditing providers. This topic also includes information about how to audit from other types of security providers.
Credential Mapping Providers,which explains the credential mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Credential Mapping providers.
Servlet Authentication Filters,which explains the Servlet authentication filter process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with Servlet authentication filters.
Versionable Application Providers,which explains the concept of versionable applications and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Versionable Application providers.
CertPath Providers,which explains the certificate lookup and validation process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom CertPath provider.
MBean Definition File (MDF) Element Syntax,which describes all the elements and attributes that are available for use in a valid MDF. An MDF is an XML file used to generate the MBean types, which enable the management of your custom security providers.
Related Information
The BEA corporate Web site provides all documentation for WebLogic Server. Other WebLogic Server documents that may be of interest to security vendors and application developers working with security providers are:
The following features have been added to the WebLogic Security Service in this release.
Bulk Access Versions of Authorization, Adjudication, and Role Mapping Providers
Version 9.2 of WebLogic Server includes bulk access versions of the following Authorization, Adjudication, and Role Mapping provider SSPI interfaces:
BulkAuthorizationProvider
BulkAccessDecision
BulkAdjudicationProvider
BulkAdjudicator
BulkRoleProvider
BulkRoleMapper
The bulk access SSPI interfaces allow Authorization, Adjudication, and Role Mapping providers to receive multiple decision requests in one call rather than through multiple calls, typically in a 'for' loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result.
WebLogic Server implements a policy consumer for JMX (MBean) default policies and WebService annotations, and a role consumer for WebService annotations. This release of WebLogic Server includes an SSPI that Authorization and Role Mapping providers can use to obtain the policy and role collections.
The PolicyConsumer and RoleConsumer SSPI is optional; only those Authorization and Role Mapping providers that implement the SSPI are called to consume a policy or role collection.
The SSPI supports both the delivery of initial policy and role collections and the delivery of updated policy and role collections.
If you want your custom Authorization provider to support the delivery of policy collections, you must implement three interfaces:
WebLogic Server version 9.2 includes support for a new PolicyStoreMBean MBean (weblogic.management.security.authorization.PolicyStoreMBean) that allows for standard management (add, delete, get, list, modify, read) of administrator-generated XACML policies and policy sets. An Authorization or Role Mapping provider MBean can optionally implement this MBean interface.
The PolicyStoreMBean methods allow security administrators to manage policy in the server as XACML documents. This includes creating and managing a domain that uses the default XACML provider, as well as managing XACML documents that the administrator has created. The administrator can then use WLST to manage these XACML policies in WebLogic Server.
WebLogic Server includes an implementation of this MBean for use with the out-of-the-box XACML providers, and you can write your own implementation of this MBean for use with your own custom Authorization or Role Mapping providers.