Introduction and Roadmap
Scope
Prerequisites for This Document
Documentation Audience
Guide to This Document
Related Information
Introduction to Developing Security Providers
Overview of the Development Process
Types of Providers
Security Provider Concepts
Security Provider Management Concepts
How Is Your Custom Provider Going to Be Called?
Extended WebLogic Security Service Provider Interface (SSPI)
Authentication Concepts
Users and Groups, Principals and Subjects
Java Authentication and Authorization Service (JAAS)
Identity Assertion Concepts
Identity Assertion Providers and LoginModules
Identity Assertion and Tokens
How to Make New Token Types Available
Passing Tokens for Perimeter Authentication
Principal Validation Concepts
Principal Validation and Principal Types
How Principal Validation Providers Differ From Other Types of Security Providers
Security Exceptions Resulting from Invalid Principals
Authorization Concepts
Role Mapping Concepts
Security Roles
Dynamic Security Role Computation
Auditing Concepts
Audit Channels
Auditing Events from Custom Security Providers
Credential Mapping Concepts
Design Considerations
General Architecture of a Security Provider
Security Services Provider Interface
Developing Security Providers using the SSPI
com.bea.security.spi.ProviderResource
com.bea.security.spi.ProviderAction
Using the ProviderAuditRecord Interface
Security Services Provider Interface MBeans
Understanding Why You Need an MBean Type
Determining Which SSPI MBeans to Extend
Understanding the Basic Elements of an MBean Definition File
Understanding the SSPI MBean Hierarchy
Understanding What the WebLogic MBeanMaker Provides
Initialization of the Security Provider Database
Creating a Simple Database
Configuring an Existing Database
Delegating Database Initialization
Developing Custom Security Providers
Types of Custom Security Providers Supported
Writing an MBean Definition File
Using the WebLogic MBeanMaker to Generate the MBean Type
About the Generated MBean Interface File
Creating Security Provider Runtime Classes
Creating Authentication Provider Runtime Classes
Implementing the AuthenticationProvider SSPI
Implementing the JAAS LoginModule Interface
Implementing Custom Exceptions for LoginModules
Method 1: Make Custom Exceptions Available through the System Classpath
Creating Identity Assertion Runtime Classes
Implementing the AuthenticationProvider SSPI
Implementing the IdentityAsserter SSPI
Creating Principal Validation Provider Runtime Classes
Implementing the PrincipalValidator SSPI
Creating Role Mapping Provider Runtime Classes
Implement the RoleProvider SSPI
Implement the SecurityRole Interface
Creating AuthorizationProvider Runtime Classes
Implement the AuthorizationProvider SSPI
Implement the AccessDecision SSPI
Creating AdjudicationProvider Runtime Classes
Implement the AdjudicationProvider SSPI
Implement the Adjudicator SSPI
Creating Auditing Provider Runtime Classes
Implement the AuditProvider SSPI
Implement the AuditChannel SSPI
Creating Credential Mapping Provider Runtime Classes
Implement the CredentialProvider SSPI
Implement the Credential Mapper SSPI
Creating an MBean JAR File
Deploying a Security Provider MJF File
Auditing Events from Custom Security Providers
How Events are Audited
Security Services and the Auditor Service
Adding Auditing to a Custom Security Provider
Creating an Audit Event
Implementing the AuditEvent SSPI
Implementing an AuditEvent Interface
AuditAtzEvent and AuditPolicyEvent Interfaces
Audit Severity and the AuditSeverity Class
Obtain and Use the Auditor Service to Write Audit Events
ContextHandler Object
Best Practice: Posting Audit Events from a Provider's MBean
Code Examples for Developing Security Providers
Example: Creating the Runtime Classes for the Sample Authentication Provider
Example: Creating the Runtime Class for the Sample Identity Assertion Provider
Example: Creating the Runtime Class for the Sample Authorization Provider
Example: Creating the Runtime Class for the Sample Role Mapping Provider
Example: Creating the Runtime Class for the Sample Auditing Provider
Example: Implementation of the AuditRoleEvent Interface
Example: Obtaining and Using the Auditor Service to Write Role Audit Events
MBean Definition File Element Syntax
The MBeanType (Root) Element
The MBeanAttribute Subelement
The MBeanConstructor Subelement
The MBeanOperation Subelement
MBean Operation Exceptions
Examples: Well-Formed and Valid MBean Definition Files (MDFs)