> Administration Reference > Provider Extensions

Administration Reference

     Previous  Next    Open TOC in new window    View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Provider Extensions

The following topics are covered in this section:

 

What is a Provider Extension?

A provider extension is a plug-in function that you write to extend the capabilities of the existing providers. You can use plug-ins to manipulate existing policy data in a way that is not already provided or to retrieve data from external sources to add to an authorization or role mapping decision or a deployment audit. These plug-ins can be used with the ASI Authorization, ASI Role Mapping, Log4j Audit Channel, and Database Authentication providers.

While the security providers supplied with ALES are configurable, the plug-ins enable you to customize them to add additional functionality. For example, you may want some form of special business logic to retrieve additional data that you want to use before the authorization decision is made or for the custom processing of data, such as the audit context. Plug-ins are provided for a variety of functions:

Note: If you using the WebLogic Server SSM:

JAR Required for Provider Extensions

The asi_classes.jar (located in SSM/lib) contains classes required for provider extensions. That is, in order to implement provider extensions you need classes in asi_classes.jar.

The following sections provide more information on the plug-ins and how to use them.

 

Authorization and Role Mapping Extensions

ALES supports using Java-based plug-ins and language extensions with ALES security providers such as ASIAuthorizer and ASIRoleMapper. You can use these plug-ins to augment authorization and role mapping processing logic.

The following sections describe plug-ins in detail:

Plug-in Types

ALES providers support four types of Java-based plug-ins: attribute retrievers, evaluation functions, resource converters, and attribute converters. These plug-ins can only be used with ASI Authorization and ASI Role Mapping providers.

To implement a Java-based plug-in interface, you must perform the following steps:

  1. Write a Java class to implement the interface. The following sections provide descriptions of each type of plug-in interface:
  2. Build a Jar file and place it in the SSM’s /lib/providers directory (for the WLS SSM, use /lib/providers/wls/v9 directory). If you use other 3rd party libraries in support of your plug-in, also copy those Jar files to the same location.
  3. You can use Log4j libraries to insert debug statements in your plug-ins. The example found in <BEA_HOME>\java-ssm\examples\AttributeRetriever illustrates use of Log4j debugging messages.
  4. Refer to the following topics in the Console Help and use the Administration Console to register the Java plug-ins in the desired security providers for the desired Security Service Modules:
    • Configuring an ASI Authorization Provider
    • Configuring an ASI Role Mapping Provider

Attribute Retrievers

Attribute retrievers are used by ASI Authorization and ASI Role Mapping providers to retrieve attributes for use during runtime evaluation of policy. ALES 3.0 provides out-of-the-box attribute retrievers that can be configured in the ALES Administration Console (for the WLS SSM this must be done using the WebLogic console).

There is no need to create an attribute retriever to retrieve values from LDAP or a database store. Such retrievers can be directly configured via the ASIAuthorizer provider's Configuration tab in the ALES Administration Console.

Custom Attribute Retrievers

Dynamic attributes are often used to write policy constraints. In such cases the value of the dynamic attribute can come either from the application context or from an external source. If the external source is not a database store or LDAP, you must write a custom attribute retriever.

Examples:

AttributeRetriever is an interface in the com.bea.security.providers.authorization package that you can use to implement plug-ins for retrieving attributes.

ALES 2.5 included a version of the AttributeRetriever interface, AttributeRetrieverV2. This interface included an additional RequestHandle parameter compared to the older AttributeRetriever interface.

You can register multiple attribute retrievers with the same attribute name. If you do so, the attribute retrievers are called in order until one of them returns a non-null result.

Table 4-1 lists and describes the methods provided by the AttributeRetrieverV2 interface.

Table 4-1 AttributeRetrieverV2 Interface Methods
Method
Description
String[] getHandledAttributeNames()
This method returns the names of attributes handled by attribute retriever. An attribute retriever may return at least one attribute name in this method. If the method returns null or an empty value, this attribute retriever will be called when any dynamic attribute has to be resolved.
Object getAttributeValue(String name,RequestHandle requestHandle,Subject subject,Map roles,Resource resource,ContextHandler contextHandler)
This method retrieves the value of the named attribute. Additional authorization request data is made available to allow for more complex attribute retrieval. The parameters are as follows:
  • name — name of the needed attribute
  • subject — subject associated with the request
  • RequestHandle — the provider configuration parameters associated with the request, through which the function can get the values of other attributes if required. The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle interface is described in RequestHandle.getAttribute() Method.
  • roles — role membership of the subject, or null if this is a role mapping call
  • resource — resource associated with the request
  • contextHandler — context associated with the request; may be null if non-existent
This method returns the attribute value, or null if the attribute is not found.
Valid Java return types are String and String[].

RequestHandle.getAttribute() Method

The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle object has the getAttribute() and appendReturnData() methods. These are defined as follows: 

public AttributeElement getAttribute(String name, boolean typeCheck)
throws ArmeRuntimeException, BadParameterException, CredvarException,BoolEvalInternalException, NotReadyException;
public void appendReturnData(String name, Object data);
}

Of the two methods, the RequestHandle.getAttribute() is of most interest to AttributeRetrieverV2 implementations. This method gets the named attribute and its value, and optionally type-checks the value. It returns the attribute name and value as a com.wles.util.AttributeElement object. For example if your attribute retriever needed to make an HTTP request to obtain the stock quote, then the application context can contain the URL of the stock quote service and you would use getAttribute() to obtain this value. This function will also help in obtaining the value of all the ALES runtime system attributes (sys_*) such as sys_dir, sys_app_q etc. Please refer to the Advanced Topics section in the Policy Managers Guide for a full list of system attributes.

The AttributeElement object represents an attribute name/value pair for a single element or a list. In the case of a list, your AttributeRetriever code might then transfer the AttributeElement list value to a list of String-type objects, such as in the following code fragment from the AttributeRetrieverV2 example: 

try { 
AttributeElement attrElement = requestHandle.getAttribute("sys_subjectgroups", true);	
Object value = null;
//It must be a list attribute
if(!attrElement.isList()) {
return null;
}
//transfer AttributeElement value to a list of String type object.
List subjectGroupList = (List)attrElement.getValueAs(String.class);
value = String.valueOf(subjectGroupList.size());
return value;
} catch (Exception e) {
//failed to retrieve attributes.
return null;
}

Your AttributeRetrieverV2 implementation can use the RequestHandle.getAttribute() method to get the value for user and resource attributes. However, when this method is used to get values of dynamic attributes that may be handled by other Attribute Retrievers (including built-in database and LDAP), it is possible that the ASIAuthorizer may or may not have computed it yet when the custom AttrbuteRetriever was called. In order to make sure that required attributes are present you should always list them before the attribute in the policy constraint via the use of sys_defined(<attr>) function. For example your attribute retriever depends on the URL attribute being present in the RequestHandle. If this attribute was also computed by another attribute retriever instead of being passed in as an application context, then your rule constraint would have to look something like this: IF sys_defined(URL) and BEAS_quote >= 19;

RequestHandle.getAttribute() and RequestHandle.appendReturnData() are also applicable to Evaluation functions, which are described in the next section.

The ASI providers always evaluate the minimum number of policies that are logically required, and attributes are retrieved only when a policy that references them is evaluated. Therefore, not all attribute retrievers are guaranteed to be called for all policy evaluations. ALES Attributes retrievers are not called unless the policy has been explicitly evaluated and the attribute can not be obtained from the application context or is not an associated user attribute.

Configuring a Custom Attribute Retriever

Note: This release of ALES includes a sample attribute retriever in <BEA_HOME>\ales30-ssm\java-ssm\examples\AttributeRetriever.

To configure a custom attribute retriever perform the following steps:

  1. Implement a custom attribute retriever and create a JAR file.

    2. The com.bea.security.providers. authorization.asi.AttributeRetrieverV2 interface is in <BEA_HOME>\ales30-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use <BEA_HOME>\ales30-ssm\wls-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and <BEA_HOME>\ales30-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom attribute retriever.

  2. Place the JAR file in the /lib/providers directory (for WLS SSM, use /lib/providers/wls/v9) in the SSM’s installation directory (either the WLS or Java SSM). For example, the WLS SSM default directory is C:\bea\ales30-ssm\wls-ssm.
  3. Do one of the following:
    • (For all SSMs other than the WLS SSM) In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Attribute Retrievers tab in the right pane.Then create a new custom attribute retriever for the plugin using the JAR file you just created. Select CustomAttributeRetriever as the type.
    • (WLS SSM) Changes to the ASI Authorization provider must be made using the WebLogic Server Administration Console. In the Home > Summary of Security Realms > asiadmin > Providers > ASI Authorization Provider page create a new attribute retriever for your plugin using the JAR file you just created. Select CustomAttributeRetriever as the type.
  4. In the left pane, select the Deployment node. Then select the Configuration tab in the right pane and deploy the configuration change to the SSM.
  5. Restart the SSM.

Configuring Caching for Custom Attributes

Caching options can be specified for all attribute values returned by a custom attribute retriever. To set these options, select the Custom Attribute Retriever’s Cache All Attributes checkbox and specify how long the values should be cached in the Cache All Attributes TLL field.

It is also possible to specify caching requirement for individual attributes. When this is done, the caching parameters take precedence over those defined for the custom attribute retriever.

To specify a caching requirement for an attribute, perform the following steps:

  1. On the ASI Authorization provider’s Attributes tab, click on Configure a new Attribute.
  2. Enter attribute name and click Create.
  3. In the Retriever field, select the custom attribute retriever that returns the value for this attribute.
  4. Select the Use Cache checkbox.
  5. In the TTL field, specify how long the values should be cached.

Evaluation Functions

You can use a named evaluation function to augment built-in authorization and role mapping logic. This method is invoked when the policy contains a custom evaluation function with a matching name. For example: 

grant(any, //app/policy/ASI, //user/asi/test/) if myFunc(name);

where myFunc() is the custom evaluation function name.

A custom evaluation function is implemented as a method in a class that should also implement init() and shutdown() methods. This class may contain one or more custom evaluation functions. You can choose any name for custom evaluation function so long as the corresponding method name matches the name that is used in a policy. Custom evaluation functions can be as passed arguments. These arguments can be any constants or names of other attributes including the dynamic ones.

Note: Since all evaluation functions share a common namespace, two functions cannot have the same name.

Custom Initialization/Shutdown Interface

This section describes the interface for writing custom evaluation functions.

Note: This release of ALES includes a sample evaluation function in <BEA_HOME>\ales30-ssm\java-ssm\examples\ARMEPlugins.

You can implement the com.bea.security.providers.authorization.asi.InitializationShutdownFunction interface if you need to implement custom initialization and/or shutdown steps specific to your evaluation functions.

The init() method is invoked during the Authorization or Role Mapping provider initialization and can be used to initialize some plug-in specific data, for example, connection pool. The shutdown() method is invoked during the Authorization or Role Mapping provider shutdown and can be used to free data allocated in the "init()" method.

When init() method is called, it is passed all configuration parameters for Authorization provider or Role Mapping provider. For the complete list of available parameters see javadocs for InitializationShutdownFunction.

Table 4-2 lists and describes the methods provided by the InitializationShutdownFunction interface required to implement an Evaluation Function.

Table 4-2 InitializationShutdownFunction Interface
Method
Description
void init(Map config)
This method is called during the Authorization or Role Mapping provider's initialization and is passed the list of configuration parameters for the provider's
void shutdown()
This method is invoked during the Authorization or Role Mapping provider shutdown
Evaluation Function (Not part of InitializationShutdownFunction interface)
public boolean some_method_name( RequestHandle requestHandle, Object[] args, Subject subject, Map roles, Resource resource, ContextHandler contextHandler)
This method receives the name of the argument (can be an attribute) passed in during constraint evaluation. Additional request information is made available via requestHandle to allow the function to obtain the value of the named attribute. The parameters are as follows:
  • requestHandle — The attributes container associated with the request, through which the method can get required attribute values and also return data. See RequestHandle.getAttribute() Method for a description of how to get values for attributes. See RequestHandle.appendReturnData() Method for a description of how to return data.
  • args — An array of method arguments. Each element is either <code>null</code>, or a String
  • subject — subject associated with the request
  • roles — role membership of the subject, or null if this is a role mapping call
  • resource — resource associated with the request
  • contextHandler — context associated with the request; may be null if non-existent
This method should return either True or False as the result of the method.

RequestHandle.appendReturnData() Method

The RequestHandle.appendReturnData() method can be used to create a named response attribute with a specified value. It is equivalent to using report_as() function from inside a custom evaluation function.

Table 4-3 RequestHandle.appendReturnData()
Method
Description
void appendReturnData (java.lang.String name, java.lang.Object data) throws RuntimeException
Parameters:
name — Name of return attribute
data — Attribute value to be returned if the rule evaluates to true.
Throws:
RuntimeException — may throw RuntimeException if there is problem in converting to ALES Response object.

If the same attribute value is redefined by another plug-in within the same policy, the result value is overwritten.

RequestHandle.getAttribute() Method

When the evaluation function is called, the ALES runtime system passes in the literal string as an argument to the function as part args[0]. To obtain the value of the attribute passed in, make use of the RequestHandle.getAttribute() method. This method gets the named attribute and its value, and optionally type-checks the value. It returns the attribute name and value as a com.wles.util.AttributeElement object. The AttributeElement object represents an attribute name/value pair for a single element or a list.

Listed below is part of the sample code for MyEvaluationFunction example that shows this. 

try {
AttributeElement strLength = requestHandle.getAttribute((String)args[0], true);
if(strLength != null) {
if(strLength.isList()) {
// string_longer_then: first argument not a single value
return false;
} 
intCompLength = Integer.parseInt((String)strLength.getValueAs(String.class));

} else {
// numerical constant will be passed in as is. 
try {
intCompLength = Integer.parseInt((String)args[0]);
} catch(NumberFormatException ne) {
//value format is an error, and there is no attribute in the requestHandle.
throw new MissingAttributeException("missing attribute: " + args[0], (String)args[0]);
}
}
} catch(Exception e) {
//caught exception while getting attribute
throw new RuntimeException("failed while getting attribute: " + (String)args[0] + ". Exception: " + e.getMessage());
}

It is also possible to use dynamic attributes as an argument to a evaluation function such that the dynamic attribute is handled by a Custom Attribute Retrievers. When the evaluation function calls requestHandle.getAttribute((String)args[0], true) the value will be returned after custom Attribute retriever is called.

Configuring a Custom Evaluation Function

To configure a custom extensions plug-in, perform the following steps:

  1. Implement a custom evaluation function plug-in and create a JAR file.

    2. The com.bea.security.providers.authorization.asi.InitializationShutdownFunction class is in BEA_HOME\ales30-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use BEA_HOME\ales30-ssm\wls-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and <BEA_HOME>\ales30-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom evaluation function.

  2. Place the Jar file in the SSM’s /lib/providers directory (for the WLS SSM use /lib/providers/wls/v9).
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance and select the Advanced tab in the right pane. Then enter the fully-qualified name of the custom extensions plugin in the Evaluation Functions field and click Apply.

    4. For the WLS SSM, configure the Authorization and Role Mapping providers and the custom extension, in the WebLogic Administration Console.

  4. Repeat step 3 to register the extensions plug-in with the ASI Role Mapping provider.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

Resource Converters

Resource converters are used by ASI Authorization and ASI Role Mapping providers to convert application-specific resources to an internal resource format that is recognized by ALES. ALES provides out-of-box resource types that know how to convert WLS-style and ALES-style resource types. For a complete list of supported Resource types see WebLogic Resource Type in the Policy Managers Guide.

To add support for additional resource types, define a resource converter to allow the ASI Authorization provider to protect the new resource types. ResourceConverter is an interface in the com.bea.security.providers.authorization.asi package.

Table 4-4 lists and describes the methods provided by the ResourceConverter interface.

Table 4-4 ResourceConverter Interface Methods
Method
Description
String[] getHandledTypes()
This method is called when the plug-in is instantiated to register the resource types supported by this custom resource converter.
The ALES Security Framework represents resource types internally as strings such as <http> or <wlp>. The return parameter should be a list of strings that contains the names of the resource types that this custom resource converter is going to handle.
AccessElement convertResource( Resource resource, ContextHandler contextHandler) throws ResourceConversionException
This method is called when the ASI Authorizer or Role Mapper encounters resources types that match what was registered via getHandledTypes() function.
This method would have the knowledge to extract information from the Resource and ContextHandler objects to obtain the ALES representation of resource and privilege. Additional information that can be obtained is the application name and input attributes extracted from the Resource or ContextHandler:
Listed below are general guidelines to follow when dealing with application name and where to place the resource names present in the ALES resource hierarchy:
  • If no application name is specified, then the resource is assumed to be a child of the /shared resource node as specified in the provider configuration. Eg. App_name="" then ALES_res= //app/myapp/shared/res1/res2
  • If an unqualified application name is specified, the resource is assumed to be a child of the application name which in turn is a child of the default deployment parent node. Eg. App_name="trading" and App_deployment_parent="myapp" then ALES_res=//app/myapp/trading/res1/res2
  • If a fully qualified application name is present, then the resource is assumed to be a child of that application name. Eg. App_name="//app/app1/trading" then ALES_res="//app/app1/trading/res1/res2".
If the resource converter is unable to obtain enough information to create AccessElement from input parameters then it should throw a ResourceConversionException indicating to the provider that this resource cannot be converted into a equivalent ALES format.
Object getAttributeValue(Resource resource, String name,ContextHandler contextHandler)
This method needs to be able to obtain the value of a attribute that is passed in as an argument. It is the task of ResourceConverter developer to determine how the ResourceConverter gets the required value. The plug-in may return null if the value is not found.

Configuring a Custom Resource Converter

To configure a custom resource converter, you must implement the resource converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure a resource converter, perform the following steps:

  1. Implement a custom resource converter and create a JAR file.

    2. The com.bea.security.providers.authorization.asi.ResourceConverter class is present in <BEA_HOME>\ales30-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (for WLS SSM, use <BEA_HOME>\ales30-ssm\wls9-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file and the <BEA_HOME>\ales30-ssm\<ssm-type>\lib\asi_classes.jar in the classpath when compiling the custom resource converter.

  2. Place the JAR file in the /lib/providers directory (or, if you are using the WLS SSM, use /lib/providers/wls/v9) in the installation directory for the Security Service Module (SSM) on the machine on which the SSM is installed (either the WLS or Java SSM). For example, the default directory for the WLS SSM is C:\bea\ales30-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom converter in the Resource Converters field, and click Apply. If you are using the WWLS SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Resource Converter with the ASI Role Mapping provider. If you are using the WLS SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

Attribute Converters

Attribute converters are used by ASI Authorization and ASI Role Mapping providers to convert Java attribute types to ALES attribute types, and vice versa. ALES provides out-of-box attribute converters that convert between Java and ALES types. For a list of supported attribute types, see the Attribute Declarations in the Policy Managers guide.

To add new ALES attribute types to the system, implement a TypeConverter interface to handle the conversion. ALES attribute types are the also called ‘credential’ types. They are listed in the ALES Administration Console integer, date, string etc. These are Java equivalents, but are represented as ALES Attribute types.

TypeConverter is an interface in the com.wles.util package.

Table 4-5 lists and describes the TypeConverter interface.

Table 4-5 TypeConverter Interface Methods
Method
Description
Class getType()
This method returns the Java class type which this converter converts. Eg. For an IntegerConverter this call would return Class.forName("java.lang.Integer");
String getASITypeName()
This method returns the ALES type name. Eg. For an IntegerConverter this call would return "integer";"
String convertToASI(Object javaFormat) throws UnsupportedTypeException
This method converts a java object into a ALES string.
Object convertFromASI(String asiFormat) throws TypeConversionException
This method converts an ALES string to a Java Object.

Configuring a Custom Attribute Converter

To configure a custom attribute converter, you must implement the attribute converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure an attribute converter, perform the following steps:

  1. Implement a custom attribute converter and create a JAR file.

    2. The com.wles.util.TypeConverter class is present in <BEA_HOME>\ales30-ssm\<ssm-type>\lib\asi_classes.jar. Include this file in the classpath when compiling the custom attribute converters.

  2. Place the JAR file in the /lib/providers directory (for WLS SSM, use /lib/providers/wls/v9/ASIAuthorizer.jar) in the SSM’s installation directory (either the WLS or Java SSM). For example, the WLS SSM default directory is C:\bea\ales30-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom converter in the Attribute Converters field, and click Apply. If you are using the WLS SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Attribute Converter with the ASI Role Mapping provider. If you are using the WebLogic Server SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

 

Custom Audit Plug-ins

The Log4j Audit Channel provider uses Log4j renderer classes that convert the associated audit event object into a simple string representation. However, you can write custom renderers that convert the audit event object to something other than the default string representation and register them as plug-ins using the Administration Console.

Refer to the following topics for information how to write and register custom audit plug-ins:

Using the Custom Audit Plug-in

To implement an audit plug-in interface, you must perform the following steps:

  1. Refer to Audit Plug-in Renderer Class for a description of the audit plug-in renderer class and write a Java class to implement a new renderer class.
  2. Use the Java class to create a JAR file and place it in the /lib/providers directory (for WLS SSM, use /lib/providers/wls/v9) in the SSM’s installation directory. For example, the WLS SSM default location is: C:\bea\ales30-wls-ssm\lib\providers.
  3. Use the Administration Console to register the audit plug-in for the desired Log4j Audit Channel provider. For instructions, see Configuring a Log4j Audit Channel Provider in the Console Help.

Audit Plug-in Renderer Class

To write a plug-in renderer class, you must implement the org.apache.log4j.or.ObjectRenderer interface and then register the renderer class to the type of Audit Event class for which you want to use that renderer. For example, weblogic.security.spi.MyAuditEvent=com.bea.security.providers.
audit.MyAuditEventRenderer

For instructions on how to write a renderer for a custom object, see the Log4j documentation located at http://logging.apache.org/log4j/docs/documentation.html.

Table 4-6 lists and describes a sample AuditEventRenderer class.

Table 4-6 AuditEventRenderer Class Method
Method
Description
public class MyAuditAtnEventRenderer implements org.apache.log4j.or.ObjectRenderer {
public String doRender(Object o) {
String eventStr = null;
if(o instanceof MyAuditEvent) {
MyAuditEvent event = (MyAuditEvent) o;
eventStr = event.getEventType()+" --
"+event.toString();
}
return eventStr;
}
}
In this sample, this method renders the AuditEvent object as a simple string. To render the Audit Event as something other than a simple string, modify this method to form your own string representation.

 

Database Authentication Plug-in

The Database Authentication extension is used by the Database Authentication provider to customize authentication features. The default database authentication extension (located in the com.bea.security.providers.authentication.dbms.DefaultDBMSPluginImpl package) is designed to authenticate the user against the policy database. This implementation uses a specific password hashing algorithm, namely SHA1 and SHA-1. It also uses a special format for the user name and the group name that is pertinent to the policy database. The hashing algorithm used is: 

{Algorithm} + 4 byte Salt+passwordhash

The policy database uses name scope (for example, directory name) and a qualified name format to store the user and group. See the Policy Managers Guide for details.

If you are authenticating users against another database that uses a different password hashing algorithm and a different user/group name format, you may want to implement a plug-in by following the guidelines provided with the plug-in.

A custom database authentication plug-in must also extend the DBMSPlugin abstract class (located in the com.bea.security.providers.authentication.dbms.DBMSPlugin package). The DBMSPlugin abstract class implementation must include the methods described in Table 4-7.

To use your plug-in implementation, deploy the plug-in class (or its JAR file) in the classpath of the Database Authentication provider (/lib/providers or /lib/providers/wls/v9 if you are using the WLS SSM). Then use the WebLogic Server Administration Console (for the WLS SSM) or the ALES Administration Console (for other SSMs) to configure the Database Authentication provider to use the plug-in.

Table 4-7 lists and describes the methods provided by the DBMSPlugin abstract class.

Table 4-7 DBMSPlugin Methods
Method
Description
public void initialize()
This method is executed when the authorization provider is initialized on startup.
public void shutdown()
This method is executed when the authorization provider is shut down.
public boolean authenticate(
String user,
char[] password, char[] databasePassword,
Map options)
When the Database Authentication provider attempts to authenticate a user, the authenticate method is called on the plug-in. This method may be called in one following two scenarios. If the provider is configured with the SQL Query to retrieve password, the password (databasePassword) is retrieved from the database using this query and is provided to this method. This authenticate method must determine if the user provides the correct password (password) and return true, if authenticated, or false.
The options map contains a TRUE value for key = "QueryPassword". If no SQL Query string is configured for retrieving the password, the Database Authentication provider assumes that the authentication plug-in retrieves the password and then authenticates the user. The options map contains values for these keys, "scope" and "connection", and a FALSE value for key = "QueryPassword". Also, databasePassword = null.
public String formatUser(String user, Map options)
This method is executed before any call to the database. The user string is the one passed into the login module. This method returns a formatted user name, which is later used as the input parameter in all the SQL queries to verify user, to retrieve password, and to retrieve groups. The options Map contains values for these keys, "scope" and "connection", and the configured string of the SQL query to verify user with key = "SQL_QUERY".
public Vector formatGroups(String user, Vector groups, Map options)
This method is executed after the call to retrieve groups from the database. A vector of strings containing the groups the user belongs to are passed in. Any formatting of group names that is required before inserting these into the Subject should be done and the resulting vector passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve groups with key = "SQL_QUERY".
public String unformatUser(String user, Map options)
This method is executed after any call to the database that returns users. The user string is the one received from the database. This method returns a unformatted user name. The options Map contains values for these keys, "scope" and "connection".
public String formatGroup(String group, Map options)
This method is executed after the call to retrieve groups from the database. Any formatting of group name that is required before inserting these into the Subject should be done and the resulting string passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve group with key = "SQL_QUERY".
public String unformatGroup(String group, Map options)
This method is executed after any call to the database that returns a group membership for a user. The group string is the one received from the database. This method returns an unformatted group name. The options Map contains values for these keys, "scope" and "connection".
public Vector unformatGroups(String user, Vector groups, Map options)
This method is executed after any call to the database that returns a list of groups. The user is the unformatted user name and the vector of groups is the one received from the database. This method returns a vector of unformatted group names. The options Map contains values for these keys, "scope" and "connection".

The options object is a map containing optional information that the plug-in may want to use. The most common options of use and their keys for retrieval are:


  Back to Top       Previous  Next