Contents
Title and Copyright Information
Preface
Documentation Accessibility
Conventions
1 Introduction and Roadmap
1.1 Document Scope
1.2 Documentation Audience
1.3 Guide to this Document
1.4 Related Information
1.5 New and Changed Features in this Release
2 Introduction to Developing Security Providers for WebLogic Server
2.1 Prerequisites for This Guide
2.2 Overview of the Development Process
2.2.1 Designing the Custom Security Provider
2.2.2 Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
2.2.3 Generating an MBean Type to Configure and Manage the Custom Security Provider
2.2.4 Writing Console Extensions
2.2.5 Configuring the Custom Security Provider
2.2.6 Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps
3 Design Considerations
3.1 General Architecture of a Security Provider
3.2 Security Services Provider Interfaces (SSPIs)
3.2.1 Understand Two Important Restrictions
3.2.2 Understand the Purpose of the Provider SSPIs
3.2.3 Understand the Purpose of the Bulk Access Providers
3.2.4 Determine Which Provider Interface You Will Implement
3.2.4.1 The DeployableAuthorizationProviderV2 SSPI
3.2.4.2 The DeployableRoleProviderV2 SSPI
3.2.4.3 The DeployableCredentialProvider SSPI
3.2.5 Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
3.2.6 SSPI Quick Reference
3.3 Security Service Provider Interface (SSPI) MBeans
3.3.1 Understand Why You Need an MBean Type
3.3.2 Determine Which SSPI MBeans to Extend and Implement
3.3.3 Understand the Basic Elements of an MBean Definition File (MDF)
3.3.3.1 Custom Providers and Classpaths
3.3.3.2 Throwing Exceptions from MBean Operations
3.3.3.3 Specifying Non-Clear Text Values for MBean Attributes
3.3.4 Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
3.3.5 Understand What the WebLogic MBeanMaker Provides
3.3.5.1 About the MBean Information File
3.3.6 SSPI MBean Quick Reference
3.4 Security Data Migration
3.4.1 Migration Concepts
3.4.1.1 Formats
3.4.1.2 Constraints
3.4.1.3 Migration Files
3.4.2 Adding Migration Support to Your Custom Security Providers
3.4.3 Administration Console Support for Security Data Migration
3.5 Management Utilities Available to Developers of Security Providers
3.6 Security Providers and WebLogic Resources
3.6.1 The Architecture of WebLogic Resources
3.6.2 Types of WebLogic Resources
3.6.3 WebLogic Resource Identifiers
3.6.3.1 The toString() Method
3.6.3.2 Resource IDs and the getID() Method
3.6.4 Creating Default Groups for WebLogic Resources
3.6.5 Creating Default Security Roles for WebLogic Resources
3.6.6 Creating Default Security Policies for WebLogic Resources
3.6.7 Looking Up WebLogic Resources in a Security Provider's Runtime Class
3.6.8 Single-Parent Resource Hierarchies
3.6.8.1 Pattern Matching for URL Resources
3.6.8.1.1 Example 1
3.6.8.1.2 Example 2
3.6.9 ContextHandlers and WebLogic Resources
3.6.9.1 Providers and Interfaces that Support Context Handlers
3.7 Initialization of the Security Provider Database
3.7.1 Best Practice: Create a Simple Database If None Exists
3.7.2 Best Practice: Configure an Existing Database
3.7.3 Best Practice: Delegate Database Initialization
3.7.4 Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections
3.7.4.1 Implementing a JDBC Connection Security Service: Main Steps
3.8 Differences In Attribute Validators
3.8.1 Differences In Attribute Validators for Custom Validators
4 Authentication Providers
4.1 Authentication Concepts
4.1.1 Users and Groups, Principals and Subjects
4.1.1.1 Providing Initial Users and Groups
4.1.2 LoginModules
4.1.2.1 The LoginModule Interface
4.1.2.2 LoginModules and Multipart Authentication
4.1.3 Java Authentication and Authorization Service (JAAS)
4.1.3.1 How JAAS Works With the WebLogic Security Framework
4.1.3.2 Example: Standalone T3 Application
4.2 The Authentication Process
4.3 Do You Need to Develop a Custom Authentication Provider?
4.4 How to Develop a Custom Authentication Provider
4.4.1 Create Runtime Classes Using the Appropriate SSPIs
4.4.1.1 Implement the AuthenticationProviderV2 SSPI
4.4.1.2 Implement the JAAS LoginModule Interface
4.4.1.3 Throwing Custom Exceptions from LoginModules
4.4.1.3.1 Method 1: Make Custom Exceptions Available via the System and Compiler Classpath
4.4.1.3.2 Method 2: Make Custom Exceptions Available via the Application Classpath
4.4.1.4 Example: Creating the Runtime Classes for the Sample Authentication Provider
4.4.2 Configure the Custom Authentication Provider Using the Administration Console
4.4.2.1 Managing User Lockouts
4.4.2.1.1 Rely on the Realm-Wide User Lockout Manager
4.4.2.1.2 Implement Your Own User Lockout Manager
4.4.2.2 Specifying the Order of Authentication Providers
5 Identity Assertion Providers
5.1 Identity Assertion Concepts
5.1.1 Identity Assertion Providers and LoginModules
5.1.2 Identity Assertion and Tokens
5.1.2.1 How to Create New Token Types
5.1.2.2 How to Make New Token Types Available for Identity Assertion Provider Configurations
5.1.3 Passing Tokens for Perimeter Authentication
5.1.4 Common Secure Interoperability Version 2 (CSIv2)
5.2 The Identity Assertion Process
5.3 Do You Need to Develop a Custom Identity Assertion Provider?
5.4 How to Develop a Custom Identity Assertion Provider
5.4.1 Create Runtime Classes Using the Appropriate SSPIs
5.4.1.1 Implement the AuthenticationProviderV2 SSPI
5.4.1.2 Implement the IdentityAsserterV2 SSPI
5.4.1.3 Example: Creating the Runtime Class for the Sample Identity Assertion Provider
5.4.2 Configure the Custom Identity Assertion Provider Using the Administration Console
5.4.3 Challenge Identity Assertion
5.4.3.1 Challenge/Response Limitations in the Java Servlet API 2.3 Environment
5.4.3.2 Filters and the Role of the weblogic.security.services.Authentication Class
5.4.3.3 How to Develop a Challenge Identity Asserter
5.4.3.4 Implement the ChallengeIdentityAsserterV2 Interface
5.4.3.5 Implement the ProviderChallengeContext Interface
5.4.3.6 Invoke the weblogic.security.services Challenge Identity Methods
5.4.3.7 Invoke the weblogic.security.services AppChallengeContext Methods
5.4.3.8 Implementing Challenge Identity Assertion from a Filter
6 Principal Validation Providers
6.1 Principal Validation Concepts
6.1.1 Principal Validation and Principal Types
6.1.2 How Principal Validation Providers Differ From Other Types of Security Providers
6.1.3 Security Exceptions Resulting from Invalid Principals
6.2 The Principal Validation Process
6.3 Do You Need to Develop a Custom Principal Validation Provider?
6.3.1 How to Use the WebLogic Principal Validation Provider
6.4 How to Develop a Custom Principal Validation Provider
6.4.1 Implement the PrincipalValidator SSPI
7 Authorization Providers
7.1 Authorization Concepts
7.1.1 Access Decisions
7.1.2 Using the Java Authorization Contract for Containers
7.2 The Authorization Process
7.3 Do You Need to Develop a Custom Authorization Provider?
7.3.1 Does Your Custom Authorization Provider Need to Support Application Versioning?
7.4 Is Your Custom Authorization Provider Thread Safe?
7.5 How to Develop a Custom Authorization Provider
7.5.1 Create Runtime Classes Using the Appropriate SSPIs
7.5.1.1 Implement the AuthorizationProvider SSPI
7.5.1.2 Implement the DeployableAuthorizationProviderV2 SSPI
7.5.1.2.1 The ApplicationInfo Interface
7.5.1.3 Implement the AccessDecision SSPI
7.5.1.4 Example: Creating the Runtime Class for the Sample Authorization Provider
7.5.2 Policy Consumer SSPI
7.5.2.1 Required SSPI Interfaces
7.5.2.2 Implement the PolicyConsumerFactory SSPI Interface
7.5.2.3 Implement the PolicyConsumer SSPI Interface
7.5.2.4 Implement the PolicyCollectionHandler SSPI Interface
7.5.2.5 Supporting an Updated Policy Collection
7.5.2.6 The PolicyConsumerMBean
7.5.3 PolicyStoreMBean
7.5.3.1 Examining the Format of an XACML Policy File
7.5.3.2 Using WLST to Add a Policy to the PolicyStoreMBean
7.5.3.3 Using WLST to Read a PolicySet as a String
7.5.4 Bulk Authorization Providers
7.5.5 Configure the Custom Authorization Provider Using the Administration Console
7.5.5.1 Managing Authorization Providers and Deployment Descriptors
7.5.5.2 Enabling Security Policy Deployment
7.5.6 Provide a Mechanism for Security Policy Management
7.5.6.1 Option 1: Develop a Stand-Alone Tool for Security Policy Management
7.5.6.2 Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
8 Adjudication Providers
8.1 The Adjudication Process
8.2 Do You Need to Develop a Custom Adjudication Provider?
8.3 How to Develop a Custom Adjudication Provider
8.3.1 Create Runtime Classes Using the Appropriate SSPIs
8.3.1.1 Implement the AdjudicationProviderV2 SSPI
8.3.1.2 Implement the AdjudicatorV2 SSPI
8.3.2 Bulk Adjudication Providers
8.3.3 Configure the Custom Adjudication Provider Using the Administration Console
9 Role Mapping Providers
9.1 Role Mapping Concepts
9.1.1 Security Roles
9.1.2 Dynamic Security Role Computation
9.2 The Role Mapping Process
9.3 Is Your Custom Role Mapping Provider Thread Safe?
9.4 Do You Need to Develop a Custom Role Mapping Provider?
9.4.1 Does Your Custom Role Mapping Provider Need to Support Application Versioning?
9.5 How to Develop a Custom Role Mapping Provider
9.5.1 Create Runtime Classes Using the Appropriate SSPIs
9.5.1.1 Implement the RoleProvider SSPI
9.5.1.2 Implement the DeployableRoleProviderV2 SSPI
9.5.1.2.1 The ApplicationInfo Interface
9.5.1.3 Implement the RoleMapper SSPI
9.5.1.4 Implement the SecurityRole Interface
9.5.1.5 Example: Creating the Runtime Class for the Sample Role Mapping Provider
9.5.2 Role Consumer SSPI
9.5.2.1 Required SSPI Interfaces
9.5.2.2 Implement the RoleConsumerFactory SSPI Interface
9.5.2.3 Implement the RoleConsumer SSPI Interface
9.5.2.4 Implement the RoleCollectionHandler SSPI Interface
9.5.2.5 Supporting an Updated Role Collection
9.5.2.6 The RoleConsumerMBean
9.5.3 PolicyStoreMBean
9.5.3.1 Examining the Format of an XACML Policy File
9.5.3.2 Using WLST to Add a Policy to the PolicyStoreMBean
9.5.3.3 Using WLST to Read a PolicySet as a String
9.5.4 Bulk Role Mapping Providers
9.5.5 Configure the Custom Role Mapping Provider Using the Administration Console
9.5.5.1 Managing Role Mapping Providers and Deployment Descriptors
9.5.5.2 Enabling Security Role Deployment
9.5.6 Provide a Mechanism for Security Role Management
9.5.6.1 Option 1: Develop a Stand-Alone Tool for Security Role Management
9.5.6.2 Option 2: Integrate an Existing Security Role Management Tool into the Administration Console
10 Auditing Providers
10.1 Auditing Concepts
10.1.1 Audit Channels
10.1.2 Auditing Events From Custom Security Providers
10.2 The Auditing Process
10.3 Implementing the ContextHandler MBean
10.3.1 ContextHandlerMBean Methods
10.3.2 Example: Implementing the ContextHandlerMBean
10.3.3 Extend weblogic.management.security.audit.ContextHandlerImpl
10.4 Do You Need to Develop a Custom Auditing Provider?
10.5 How to Develop a Custom Auditing Provider
10.5.1 Create Runtime Classes Using the Appropriate SSPIs
10.5.1.1 Implement the AuditProvider SSPI
10.5.1.2 Implement the AuditChannel SSPI
10.5.1.3 Example: Creating the Runtime Class for the Sample Auditing Provider
10.5.2 Configure the Custom Auditing Provider Using the Administration Console
10.5.2.1 Configuring Audit Severity
10.6 Security Framework Audit Events
10.6.1 Passing Additional Audit Information
10.6.2 Audit Event Interfaces and Audit Events
10.6.2.1 AuditApplicationVersionEvent
10.6.2.2 AuditAtnEventV2
10.6.2.3 AuditAtzEvent
10.6.2.4 AuditCertPathBuilderEvent, AuditCertPathValidatorEvent
10.6.2.5 AuditConfigurationEvent
10.6.2.6 AuditCredentialMappingEvent
10.6.2.7 AuditLifecycleEvent
10.6.2.8 AuditMgmtEvent
10.6.2.9 AuditPolicyEvent
10.6.2.10 AuditRoleDeploymentEvent
10.6.2.11 AuditRoleEvent
11 Credential Mapping Providers
11.1 Credential Mapping Concepts
11.2 The Credential Mapping Process
11.3 Do You Need to Develop a Custom Credential Mapping Provider?
11.3.1 Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
11.4 How to Develop a Custom Credential Mapping Provider
11.4.1 Create Runtime Classes Using the Appropriate SSPIs
11.4.1.1 Implement the CredentialProviderV2 SSPI
11.4.1.2 Implement the DeployableCredentialProvider SSPI
11.4.1.3 Implement the CredentialMapperV2 SSPI
11.4.2 Provide a Mechanism for Credential Map Management
11.4.2.1 Option 1: Develop a Stand-Alone Tool for Credential Map Management
11.4.2.2 Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console
12 Auditing Events From Custom Security Providers
12.1 Security Services and the Auditor Service
12.2 How to Audit From a Custom Security Provider
12.2.1 Create an Audit Event
12.2.1.1 Implement the AuditEvent SSPI
12.2.1.2 Implement an Audit Event Convenience Interface
12.2.1.2.1 The AuditAtnEventV2 Interface
12.2.1.2.2 The AuditAtzEvent and AuditPolicyEvent Interfaces
12.2.1.2.3 The AuditMgmtEvent Interface
12.2.1.2.4 The AuditRoleEvent and AuditRoleDeploymentEvent Interfaces
12.2.1.3 Audit Severity
12.2.1.4 Audit Context
12.2.1.5 Example: Implementation of the AuditRoleEvent Interface
12.2.2 Obtain and Use the Auditor Service to Write Audit Events
12.2.2.1 Example: Obtaining and Using the Auditor Service to Write Role Audit Events
12.2.2.2 Auditing Management Operations from a Provider's MBean
12.2.2.3 Example: Auditing Management Operations from a Provider's MBean
12.2.3 Best Practice: Posting Audit Events from a Provider's MBean
13 Servlet Authentication Filters
13.1 Authentication Filter Concepts
13.1.1 Why Filters are Needed
13.1.2 Servlet Authentication Filter Design Considerations
13.2 How Filters Are Invoked
13.2.1 Do Not Call Servlet Authentication Filters From Authentication Providers
13.3 Example of a Provider that Implements a Filter
13.4 How to Develop a Custom Servlet Authentication Filter
13.4.1 Create Runtime Classes Using the Appropriate SSPIs
13.4.2 Implement the Servlet Authentication Filter SSPI
13.4.3 Implement the Filter Interface Methods
13.4.4 Implementing Challenge Identity Assertion from a Filter
13.4.5 Generate an MBean Type Using the WebLogic MBeanMaker
13.4.5.1 Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
13.4.6 Configure the Authentication Provider Using the Administration Console
14 Versionable Application Providers
14.1 Versionable Application Concepts
14.2 The Versionable Application Process
14.3 Do You Need to Develop a Custom Versionable Application Provider?
14.4 How to Develop a Custom VersionableApplication Provider
14.4.1 Create Runtime Classes Using the Appropriate SSPIs
14.4.1.1 Implement the VersionableApplication SSPI
14.4.1.2 Example: Creating the Runtime Class for the Sample VersionableApplication Provider
14.4.2 Generate an MBean Type Using the WebLogic MBeanMaker
14.4.2.1 Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
14.4.3 Configure the Custom Versionable Application Provider Using the Administration Console
15 CertPath Providers
15.1 Certificate Lookup and Validation Concepts
15.1.1 The Certificate Lookup and Validation Process
15.1.2 Do You Need to Implement Separate CertPath Validators and Builders?
15.1.3 CertPath Provider SPI MBeans
15.1.4 WebLogic CertPath Validator SSPI
15.1.5 WebLogic CertPath Builder SSPI
15.1.6 Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
15.2 Do You Need to Develop a Custom CertPath Provider?
15.3 How to Develop a Custom CertPath Provider
15.3.1 Create Runtime Classes Using the Appropriate SSPIs
15.3.1.1 Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces
15.3.1.2 Implement the CertPath Provider SSPI
15.3.1.3 Implement the JDK Security Provider SPI
15.3.1.4 Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation
15.3.1.5 Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation
15.3.1.6 Returning the Builder or Validator Results
15.3.1.7 Example: Creating the Sample Cert Path Provider
15.3.2 Configure the Custom CertPath Provider Using the Administration Console
A MBean Definition File (MDF) Element Syntax
A.1 The MBeanType (Root) Element
A.2 The MBeanAttribute Subelement
A.3 The MBeanConstructor Subelement
A.4 The MBeanOperation Subelement
A.5 MBean Operation Exceptions
A.6 Examples: Well-Formed and Valid MBean Definition Files (MDFs)
B Generate an MBean Type Using the WebLogic MBeanMaker
B.1 Overview of Steps
B.2 Create an MBean Definition File (MDF)
B.3 Use the WebLogic MBeanMaker to Generate the MBean Type
B.3.1 No Custom Operations
B.3.2 No Optional SSPI MBeans and No Custom Operations
B.3.3 Optional SSPI MBeans or Custom Operations
B.3.4 About the Generated MBean Interface File
B.4 Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
B.5 Install the MBean Type Into the WebLogic Server Environment