> Administration Reference > Provider Extensions

Administration Reference

     Previous  Next    Open TOC in new window  Open Index in new window  View as PDF - New Window  Get Adobe Reader - New Window
Content starts here

Provider Extensions

The following topics are covered in this section:

 

What is a Provider Extension?

A provider extension is a plug-in function that you write to extend the capabilities of the existing providers. You can use these plug-ins to manipulate existing policy data in a way that is not already provided, or to retrieve data from external sources to add to an authorization or role mapping decision or a deployment audit. You can use these plug-ins with the ASI Authorization, ASI Role Mapping, Log4j Audit Channel, and Database Authentication providers.

While the security providers supplied with AquaLogic Enterprise Security are configurable, the plug-ins enable you to customize them to add additional functionality. For example, you may want some form of special business logic to retrieve additional data that you want to use before the authorization decision is made or for the custom processing of data, such as the audit context. Plug-ins are provided for a variety of functions:

Note: If you using the WebLogic Server 9.x SSM:

The following sections provide more information on the plug-ins and how to use them.

asi_classes JAR Required for Provider Extensions

The asi_classes.jar (located in SSM/lib) contains classes required for provider extensions. That is, in order to implement provider extensions you need classes in asi_classes.jar.

 

Authorization and Role Mapping Extensions

AquaLogic Enterprise Security supports using Java-based plug-ins and language extensions with security providers. You can use these plug-ins to performed custom functions for authorization and role mapping.

The following types of plug-ins are supported:

Using Java-Based Plug-ins

AquaLogic Enterprise Security providers support three types of Java-based plug-ins: resource converters, attribute retrievers, and attribute converters. Table 4-1 shows the types of Java-based plug-ins that each security provider supports.

Table 4-1 Java-based Plug-in Support for Security Providers
Security Provider
Supports Resource Converter Plug-in
Supports Attribute Retrievers Plug-in
Supports Attribute Converter Plug-in
ASI Authorization provider
Yes
Yes
Yes
ASI Role Mapping provider
Yes
Yes
Yes

To use these plug-ins, you must perform the following tasks:

  1. Write a Java class that implements the plug-in interface.
  2. Place the Java class in the appropriate directory of the Security Service Module with which you intend to use the plug-in. A single Java class may be used with more than one Security Service Module.
  3. Use the Administration Console to register the Java class on the desired Security Service Module(s). If you are using the WebLogic 9.x SSM, configuration of the ASI Authorization security provider and the ASI RoleMapper security provider needs to be done using both the ALES Administration Console and the WebLogic Server Administration Console.

For instructions for performing these tasks, refer to the following sections:

Using the Java-based Plug-in Interfaces

To implement a Java-based plug-in interface, you must perform the following steps:

  1. Refer to the description of the plug-in interface you want to use and write a Java class to implement the interface. The following sections provide descriptions of each type of plug-in interface:
  2. Use the Java class to create a JAR file and place the JAR file in the /lib/providers directory (or, if you are using the WebLogic 9.x SSM, in the /lib/providers/wls/v9 directory) in the installation directory for the Security Service Module on the machine on which the Security Service Module is installed. For example, the default location of this directory for the WebLogic Server Security Service Module is C:\bea\ales26-ssm\wls-ssm\lib\providers.
  3. You can use Log4j libraries to insert debug statements in your plug-ins. The example found in java-ssm\examples\AttributeRetriever illustrates use of Log4j debugging messages.
  4. Refer to the following topics in the Console Help and use the Administration Console to register the Java plug-ins in the desired security providers for the desired Security Service Modules:
    • Configuring an ASI Authorization Provider
    • Configuring an ASI Role Mapping Provider

Resource Converter

Resource converters are used by ASI Authorization and ASI Role Mapping providers to convert WebLogic Server resources into an internal resource format that is recognized by AquaLogic Enterprise Security. For a description of the policy data formats, see the BEA AquaLogic Enterprise Security Policy Managers Guide.

ResourceConverter is an interface in the com.bea.security.providers.authorization.asi package. This interface is used to implement plug-ins for converting from the Security Framework defined resource interface into an access query. There is no standard for resource definitions so plug-ins are needed to handle each of the resource types. The set of resource types is not fixed and you can define your own resource, in which case, you need to define a resource converter to allow the ASI Authorization provider to protect the resource. Numerous resource converters are supplied for your use, one for each defined WebLogic Server and AquaLogic Enterprise Resource type. Table 4-2 lists and describes the methods provided by the ResourceConverter interface.

Table 4-2 ResourceConverter Interface Methods
Method
Description
String[] getHandledTypes()
This method is called when the plug-in is instantiated and is used to determine what resource types the converter knows how to handle. The Security Framework represents resource types internally as strings.
AccessElement convertResource(Resource resource,ContextHandler contextHandler)
throws ResourceConversion
Exception
This method extracts enough information from a Resource and ContextHandler to form an access query. The minimum amount of required information to be extracted is the resource object and privilege. Additional information that can be included is the application name and input attributes extracted from the Resource or ContextHander:
If the application is not specified, then the provider uses the following rules for selecting one:
  • If no application is specified, then the object is queried under the shared resource node as specified in the provider configuration.
  • If an unqualified application is specified, the object is queried under the default deployment node, plus the application, plus the object.
  • If a fully qualified application is specified, then the object is queried under that node.
If the resource converter is unable to generate an access query from the information provided in the Resource, it throws a ResourceConversionException indicating to the provider and framework that this query cannot be answered by this provider.
Object getAttributeValue
(Resource resource, String name,ContextHandler
contextHandler)
This method finds the value of a missing attribute. It is left up to you as the developer of the ResourceConverter plug-in to determine how the ResourceConverter gets the required value. The plug-in may return null if the value is not found.

Configuring a Custom Resource Converter

To configure a custom resource converter, you must implement the resource converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure a resource converter, perform the following steps:

  1. Implement a custom resource converter and use the Java class to create a JAR file.

    2. The com.bea.security.providers.authorization.asi.ResourceConverter class is in the BEA_HOME\ales26-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (or, if you are using the WebLogic Server 9.x SSM, use BEA_HOME\ales26-ssm\wls9-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file, and the BEA_HOME\ales26-ssm\<ssm-type>\lib\asi_classes.jar, in the classpath when compiling the custom resource converter.

  2. Place the JAR file in the /lib/providers directory (or, if you are using the WebLogic Server 9.x SSM, use /lib/providers/wls/v9) in the installation directory for the Security Service Module (SSM) on the machine on which the SSM is installed (either the WebLogic Server SSM or the Java SSM). For example, the default directory for the WebLogic Server SSM is C:\bea\ales26-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom converter in the Resource Converters field, and click Apply. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3. to register the Resource Converter with the ASI Role Mapping provider. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

Attribute Retriever

Attribute retrievers are used by ASI Authorization and ASI Role Mapping providers to retrieve attributes for use by AquaLogic Enterprise Security authorization and role mapping. AttributeRetriever is an interface in the com.bea.security.providers.authorization package that you can use to implement plug-ins for retrieving attributes. You use an implementation of the AttributeRetriever interface to get embedded data from complex data objects. For example, if the ContextHandler includes an address element, you can use an attribute retriever to make the zip code portion of the address available separately. You can also use an attribute retriever to fetch data from external data sources, for example, JDBC data stores.

Version 2.5 of AquaLogic Enterprise Security includes a new version of the AttributeRetriever interface, AttributeRetrieverV2. The AttributeRetrieverV2 interface includes an additional RequestHandle parameter.

Note: It is generally not necessary to write attribute retrievers for objects that appear directly in the ContextHandler; attribute retrievers are used to extract embedded or otherwise inaccessible data.

You can register multiple attribute retrievers with the same attribute name. If you do so, the attribute retrievers are called in order until one of them returns a non-null result.

Table 4-3 lists and describes the methods provided by the AttributeRetriever interface.

Table 4-3 AttributeRetriever Interface Methods
Method
Description
String[] getHandledAttributeNames()
This method returns the names of attributes handled by this object. An attribute retriever must return at least one attribute name in the getHandledAttributeNames() method. If the method returns null or an empty value, this attribute retriever will not be invoked again.
Object getAttributeValue(
String name,
Subject subject,
Map roles,
Resource resource,
ContextHandler contextHandler)
This method retrieves the value of the named attribute. Additional authorization request data is made available to allow for more complex attribute retrieval. The parameters are as follows:
  • name—name of the needed attribute
  • subject—subject associated with the request
  • roles—role membership of the subject, or null if this is a role mapping call
  • resource—resource associated with the request
  • contextHandler—context associated with the request; may be null if non-existent
This method returns the attribute value, or null if the attribute is not found.

Table 4-4lists and describes the methods provided by the AttributeRetrieverV2 interface.

Table 4-4 AttributeRetrieverV2 Interface Methods

Method
Description
String[] getHandledAttributeNames()
This method returns the names of attributes handled by this object. An attribute retriever must return at least one attribute name in the getHandledAttributeNames() method. If the method returns null or an empty value, this attribute retriever will not be invoked any more.
Object getAttributeValue(
String name,
RequestHandle requestHandle,
Subject subject,
Map roles,
Resource resource,
ContextHandler contextHandler)
This method retrieves the value of the named attribute. Additional authorization request data is made available to allow for more complex attribute retrieval. The parameters are as follows:
  • name—name of the needed attribute
  • subject—subject associated with the request
  • RequestHandle—the provider configuration parameters associated with the request, through which the function can get the required attribute value. The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle interface is described in RequestHandle getAttribute Method.
  • roles—role membership of the subject, or null if this is a role mapping call
  • resource—resource associated with the request
  • contextHandler—context associated with the request; may be null if non-existent
This method returns the attribute value, or null if the attribute is not found.

RequestHandle getAttribute Method

The com.bea.security.providers.authorization.asi.ARME.evaluator.RequestHandle interface, which is implemented for you and passed to your AttributeRetrieverV2 implementation, has two methods, getAttribute() and appendReturnData(), which are defined as follows: 

public AttributeElement getAttribute(String name, boolean typeCheck)
throws ArmeRuntimeException, BadParameterException, CredvarException,BoolEvalInternalException, NotReadyException;
public void appendReturnData(String name, Object data);
}

Of the two methods, the RequestHandle.getAttribute() is of most interest to AttributeRetrieverV2 implementations. The RequestHandle.getAttribute() method gets the named attribute and its value, and optionally type-checks the value. The getAttribute() method returns the attribute name and value as a com.wles.util.AttributeElement object.

The AttributeElement object represents an attribute name/value pair for a single element or a list. In the case of a list, your AttributeRetrieverV2 code might then transfer the AttributeElement list value to a list of String-type objects, such as in the following code fragment from the AttributeRetrieverV2 example: 

try {
            AttributeElement attrElement = requestHandle.getAttribute("asi_subjectgroups", true);
            
            Object value = null;
            //It must be a list attribute
            if(!attrElement.isList()) {
                return null;
            }
            
            //transfer AttributeElement value to a list of String type object.
            List subjectGroupList = (List)attrElement.getValueAs(String.class);
            value = String.valueOf(subjectGroupList.size());
            return value;
        } catch(Exception e) {
            //failed to retrieve attributes.
            return null;
        }

Your AttributeRetrieverV2 implementation can use the RequestHandle.getAttribute() method to get the value for user and resource attributes. However, it should not rely on the RequestHandle.getAttribute() method to get values of dynamic or extension attributes, as they may or may not be computed for a particular request.

The ASI providers always evaluate the minimum number of policies that are logically required, and attributes are retrieved only when a policy that references them is evaluated. Therefore, some attribute values will not be available. AttributeRetrieverV2 will not get the attribute value unless the policy has been explicitly evaluated.

Configuring a Custom Attribute Retriever

Note: This release of AquaLogic Enterprise Security includes attribute retriever examples, in BEA_HOME\ales26-ssm\java-ssm\examples\AttributeRetriever.

To configure a custom attribute retriever, you must implement the attribute retriever, and then register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure an attribute retriever, perform the following steps:

  1. Implement a custom attribute retriever and use the Java class to create a JAR file.

    2. The com.bea.security.providers.authorization.asi.AttributeRetriever and com.bea.security.providers.authorization.asi.AttributeRetrieverV2 classes are in the BEA_HOME\ales26-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar (or, if you are using the WebLogic Server 9.x SSM, use BEA_HOME\ales26-ssm\wls9-ssm\lib\providers\wls\v9\ASIAuthorizer.jar). Include this file, and the BEA_HOME\ales26-ssm\<ssm-type>\lib\asi_classes.jar, in the classpath when compiling the custom attribute retriever.

  2. Place the JAR file in the /lib/providers directory (or, if you are using the WebLogic Server 9.x SSM, use /lib/providers/wls/v9) in the installation directory for the Security Service Module (SSM) on the machine on which the SSM is installed (either the WebLogic Server SSM or the Java SSM). For example, the default directory for the WebLogic Server SSM is C:\bea\ales26-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom retriever in the Attribute Retrievers field, and click Apply. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Attribute Retriever with the ASI Role Mapping provider. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

Attribute Converter

Attribute converters are used by ASI Authorization and ASI Role Mapping providers to convert context data to an internal attribute format. For a description of the policy data formats, see the BEA AquaLogic Enterprise Security Policy Managers Guide.

To create attribute converters, you implement the TypeConverter interface. This interface converts between native Java types and ASI formatted Strings. If you create a new ASI type, you may want to create a Java class to handle it and implement a TypeConverter interface to handle that class. ASI types are the credential types that are visible through the console such as integer, date, and string types, and so on, versus Java data types.

Table 4-5 lists and describes methods provided by the TypeConverter interface.

Table 4-5 TypeConverter Interface Methods
Method
Description
Class getType()
This method returns the type which this converter converts.
String getASITypeName()
This method returns the ASI type name.
String convertToASI(Object javaFormat) throws UnsupportedTypeException
This method converts a java object into a ASI string.
Object convertFromASI(String asiFormat) throws TypeConversionException
This method converts a ASI string to a Java Object.

Configuring a Custom Attribute Converter

To configure a custom attribute converter, you must implement the attribute converter and register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure an attribute converter, perform the following steps:

  1. Implement a custom attribute converter and use the Java class to create a JAR file
  2. Place the JAR file in the /lib/providers directory (or, if you are using the WebLogic Server 9.x SSM, use /lib/providers/wls/v9/ASIAuthorizer.jar) in the installation directory for the Security Service Module (SSM) on the machine on which the SSM is installed (either the WebLogic Server SSM or the Java SSM). For example, the default directory for the WebLogic Server SSM is C:\bea\ales26-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom converter in the Attribute Converters field, and click Apply. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Authorization provider must also be made using the WebLogic Server Administration Console.
  4. Repeat step 3 to register the Attribute Converter with the ASI Role Mapping provider. If you are using the WebLogic Server 9.x SSM, configuration changes to the ASI Role Mapping provider must also be made using the WebLogic Server Administration Console.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

Using Java Entensions Plug-Ins

Note: This section replaces the version 2.2 Policy Language Custom Extension Library API Reference.

You can use Java extensions plug-ins to add your own custom initialization, shutdown, and authorization and role mapping evaluation functions to the standard ones provided. After you develop a function, administrators can manipulate its input using the Administration Console. The plug-in appears to the administrator simply as new evaluation functions or newly available dynamic attributes.

This section describes the Application Programming Interface (API) for writing custom extension functions to enhance features available through the policy language.

Custom Initialization/Shutdown Interface

Note: This release of AquaLogic Enterprise Security includes an initialization/shutdown function example, in BEA_HOME\ales26-ssm\java-ssm\examples\MyEvaluationFunction.

You can implement the com.bea.security.providers.authorization.asi.InitializationShutdownFunction interface to add initialization and shutdown functions for your plug-in.

The init() method is invoked during the Authorization or Role Mapping provider initialization and initializes attributes for the provider. For example, it might open a database connection pool. The shutdown() method is invoked during the Authorization or Role Mapping provider shutdown and might then close the connections to the pool.

The InitializationShutdownFunction interface includes a key map of constants and attributes primarily supported by the AsiAuthorizer security provider. A portion of this key map is shown in Listing 4-1.

Listing 4-1 InitializationShutdownFunction Key Map 
/**
     * map key for get ATZ provider or RM provider's version info.
     */
    public static final String VERSION = "Version";
    /**
     * map key for get ATZ provider or RM provider's description info.
     */
    public static final String DESCRIPTION = "Description";
    /**
     * map key for get ATZ provider or RM provider's class name.
     */
    public static final String PROVIDER_CLASSNAME = "ProviderClassName";
    /**
     * map key for get advanced configuration properties for ATZ provider or RM provider. The corresoponding value in map is <code>Properties<code>.
     */
    public static final String ADVANCED_CONFIGURATION_PROPERTIES = "AdvancedConfigurationProperties";
    /**
     * map key for get ATZ provider or RM provider's directory.
     */
    public static final String DIRECTORY = "Directory";
    /**
     * map key for get configuration for preload attributes.
     */
    public static final String PRELOAD_ATTRIBUTES = "PreLoadAttributes";
    /**
     * map key for get configuration for session eviction capacity.
     */
    public static final String SESSION_EVICTION_CAPACITY = "SessionEvictionCapacity";
:
:

The attributes are described in the BLM Configuration API Security Providers Reference. You use this key map to get initialization parameters for the plug-in.

Listing 4-2 shows the init() function from the BEA_HOME\ales26-ssm\java-ssm\examples\MyEvaluationFunction example.

Listing 4-2 Sample MyEvaluationFunction init() Method 
/**
public void init(Map config) {
        // Initialization function executed.
        
        // Samples to get value from Map.
        
        //get advanced configuration properties
        Properties advanced = (Properties)config.get(ADVANCED_CONFIGURATION_PROPERTIES);
        
        //get all configured evaluation function class names.
        String[] evalFunctions = (String[])config.get(EVALUATION_FUNCTIONS);
        
        String ifActivateOnStartUp = config.get(ACTIVATE_ON_STARTUP).toString();
        return;
    }

Custom Evaluation Method Plug-in

You can use a named evaluation method to make additional authorization request data available, and therefore allow a more complex attribute evaluation to be performed. This method is invoked while the policy contains a custom evaluation function with a matching name. For example:

grant(any, //app/policy/ASI, //user/asi/test/) if myFunc(name);

where myFunc() is the custom evaluation function name. You must register one evaluation class that includes the myFunc() method.

You can use whatever name you want, but the name must exactly match the name you supply in the policy, and the method must have exactly these arguments: 

public boolean some_method_name(RequestHandle requestHandle,
            Object[] args,
            Subject subject,
            Map roles,
            Resource resource,
            ContextHandler contextHandler)

Table 4-6 contains a description of the evaluation method arguments.

Table 4-6 Evaluation Method Arguments
requestHandle
The attributes container associated with the request, through which the method can get required attribute value. See RequestHandle getAttribute Method for a description of this method. See RequestHandle appendReturnData Method for a description of this method.
args
An array of method arguments. Each element is either <code>null</code>, or a String
subject
The subject associated with the request
roles

key

value

The role membership of the subject. Null if the method is called during role mapping.

The role name

The role object.

resource
The resource associated with the request
contextHandler
The context associated with the request, may be <code>null</code> if non-existent
return
True or false as the result of the method

RequestHandle appendReturnData Method

The RequestHandle.appendReturnData() method appends the evaluation result to an object so that it can be retrieved after atzSvc.isAccessAllowed() is invoked.

You pass in an Object containing the evaluation result. The appendReturnData()method converts the Object to a suitable ASI type, and then appends it to a com.bea.security.providers.authorization.asi.ARME.engine.EvalResultI object. You can access this result after the atzSvc.isAccessAllowed() method is invoked. The QueryResources example (BEA_HOME\ales22-ssm\java-ssm\examples\QueryResources) shows how to access the returned data.

If the same attribute value is redefined by another plug-in within the same policy, the result value is overwritten.

The evaluation result (the appended data) is returned only if the complete rule condition result is true. That is, the evaluation result is returned only if the policy successfully executes.

For example, if the rule condition includes two evaluation functions, both func1(arg1) and func2(arg2) can invoke appendReturnData, but the data is not available unless both functions evaluate to true. As a programming practice, do not call appendReturnData unless your evaluation result is true.

The policy might not execute if another policy makes evaluating it superfluous. For example, once a user is explicitly denied access with a deny policy, a thousand grant policies cannot undo the one deny. Knowing this, as soon as a single grant policy for an access attempt is found, BEA AquaLogic Enterprise Security looks only for deny policies. When a single deny policy is found, it stops looking.

Configuring a Custom Entensions Plug-In

Note: This release of AquaLogic Enterprise Security includes an evaluation function example, in BEA_HOME\ales26-ssm\java-ssm\examples\MyEvaluationFunction.

To configure a custom extensions plug-in, you must implement the extensions plug-in, and then register it with the configured ASI Authorization and ASI Role Mapping providers.

To configure a custom extensions plug-in, perform the following steps:

  1. Implement a custom extensions plug-in and use the Java class to create a JAR file.

    2. The com.bea.security.providers.authorization.asi.InitializationShutdownFunction class is in the BEA_HOME\ales26-ssm\<ssm-type>\lib\providers\ASIAuthorizer.jar. Include this file, and the BEA_HOME\ales26-ssm\<ssm-type>\lib\asi_classes.jar, in the classpath when compiling the custom attribute retriever.

  2. Place the JAR file in the /lib/providers (/lib/providers/wls/v9 for the WLS 9.x SSM) directory in the installation directory for the Security Service Module (SSM) on the machine on which the SSM is installed (either the WebLogic Server SSM or the Java SSM). For example, the default directory for the WebLogic Server SSM is BEA_HOME\ales26-ssm\wls-ssm.
  3. In the left pane of the Administration Console, click the ASI Authorization provider configured for the SSM instance, select the Advanced tab in the right pane, type in the fully qualified name of your custom extensions plug-in in the Evaluation Functions field, and click Apply.

    4. For the WLS 9.x SSM, configure the Authorization and Role Mapping providers, and the custom extension, in the WebLogic Administration Console.

  4. Repeat step 3 to register the extensions plug-in with the ASI Role Mapping provider.
  5. In the left pane, click Deployment, select the Configuration tab, and deploy the configuration change to the SSM.
  6. Restart the SSM process.

 

Custom Audit Plug-ins

The Log4j Audit Channel provider uses Log4j renderer classes that convert the associated audit event object into a simple string representation. However, you can write custom renderers that convert the audit event object to something other than the default string representation and register them as plug-ins using the Administration Console.

Refer to the following topics for information how to write and register custom audit plug-ins:

Using the Custom Audit Plug-in

To implement an audit plug-in interface, you must perform the following steps:

  1. Refer to Audit Plug-in Renderer Class for a description of the audit plug-in renderer class and write a Java class to implement a new renderer class.
  2. Use the Java class to create a JAR file and place the JAR file in the /lib/providers directory (or, if you are using the WebLogic Server 9.x SSM, use /lib/providers/wls/v9) in the installation directory for the Security Service Module on the machine on which the Security Service Module is installed. For example, the default location of this directory for the WebLogic Server Security Service Module is: C:\bea\ales26-wls-ssm\lib\providers.
  3. For instructions on using the Administration Console to register the audit plug-in for the desired Log4j Audit Channel provider, refer to Configuring a Log4j Audit Channel Provider in the Console Help.

Audit Plug-in Renderer Class

To write a plug-in renderer class, you must implement the org.apache.log4j.or.ObjectRenderer interface and then register the renderer class to the type of Audit Event class for which you want to use that renderer. For example, weblogic.security.spi.MyAuditEvent=com.bea.security.providers.
audit.MyAuditEventRenderer

For instructions on how to write a renderer for a custom object, see the Log4j documentation located at http://logging.apache.org/log4j/docs/documentation.html.

Table 4-7 lists and describes a sample AuditEventRenderer class.

Table 4-7 AuditEventRenderer Class Method
Method
Description
public class MyAuditAtnEventRenderer implements org.apache.log4j.or.ObjectRenderer {
public String doRender(Object o) {
String eventStr = null;
if(o instanceof MyAuditEvent) {
MyAuditEvent event = (MyAuditEvent) o;
eventStr = event.getEventType()+" --
"+event.toString();
}
return eventStr;
}
}
In this sample, this method renders the AuditEvent object as a simple string. To render the Audit Event as something other than a simple string, modify this method to form your own string representation.

 

Database Authentication Plug-in

The Database Authentication extension is used by the Database Authentication provider to customize authentication features. The default database authentication extension (located in the com.bea.security.providers.authentication.dbms.DefaultDBMSPluginImpl package) is designed to authenticate the user against the policy database. This implementation uses a specific password hashing algorithm, namely, SHA1 and SHA-1. It also uses a special format for the user name and the group name that is pertinent to the policy database. The hashing algorithm used is: 

{Algorithm} + 4 byte Salt+passwordhash

The policy database uses name scope (for example, directory name) and a qualified name format to store the user and group. See the BEA AquaLogic Enterprise Security Policy Managers Guide for details.

If you are authenticating users against another database that uses a different password hashing algorithm and a different user/group name format, you may decide to implement your own plug-in by following the guidelines provided with the plug-in.

A custom database authentication plug-in must also extend the DBMSPlugin abstract class (located in the com.bea.security.providers.authentication.dbms.DBMSPlugin package). The DBMSPlugin abstract class implementation must include the methods described in Table 4-8.

To use your plug-in implementation, you need to deploy the plug-in class (or its JAR file) in the classpath of the Database Authentication provider (/lib/providers or, if you are using the WebLogic Server 9.x SSM, /lib/providers/wls/v9) and use the WebLogic Server Administration Console (if you are using the WebLogic Server 9.x SSM) or the ALES Administration Console (for other SSMs) to configure the Database Authentication provider to use the plug-in.

Table 4-8 lists and describes the methods provided by the DBMSPlugin abstract class.

Table 4-8 DBMSPlugin Methods
Method
Description
public void initialize()
This method is executed when the authorization provider is initialized on startup.
public void shutdown()
This method is executed when the authorization provider is shut down.
public boolean authenticate(
String user,
char[] password, char[] databasePassword,
Map options)
When the Database Authentication provider attempts to authenticate a user, the authenticate method is called on the plug-in. This method may be called in one following two scenarios. If the provider is configured with the SQL Query to retrieve password, the password (databasePassword) is retrieved from the database using this query and is provided to this method. This authenticate method must determine if the user provides the correct password (password) and return true, if authenticated, or false.
The options map contains a TRUE value for key = "QueryPassword". If no SQL Query string is configured for retrieving the password, the Database Authentication provider assumes that the authentication plug-in retrieves the password and then authenticates the user. The options map contains values for these keys, "scope" and "connection", and a FALSE value for key = "QueryPassword". Also, databasePassword = null.
public String formatUser(String user, Map options)
This method is executed before any call to the database. The user string is the one passed into the login module. This method returns a formatted user name, which is later used as the input parameter in all the SQL queries to verify user, to retrieve password, and to retrieve groups. The options Map contains values for these keys, "scope" and "connection", and the configured string of the SQL query to verify user with key = "SQL_QUERY".
public Vector formatGroups(String user, Vector groups, Map options)
This method is executed after the call to retrieve groups from the database. A vector of strings containing the groups the user belongs to are passed in. Any formatting of group names that is required before inserting these into the Subject should be done and the resulting vector passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve groups with key = "SQL_QUERY".
public String unformatUser(String user, Map options)
This method is executed after any call to the database that returns users. The user string is the one received from the database. This method returns a unformatted user name. The options Map contains values for these keys, "scope" and "connection".
public String formatGroup(String group, Map options)
This method is executed after the call to retrieve groups from the database. Any formatting of group name that is required before inserting these into the Subject should be done and the resulting string passed back. The options Map contains values for these keys, scope and connection, and the configured string of the SQL query to retrieve group with key = "SQL_QUERY".
public String unformatGroup(String group, Map options)
This method is executed after any call to the database that returns a group membership for a user. The group string is the one received from the database. This method returns an unformatted group name. The options Map contains values for these keys, "scope" and "connection".
public Vector unformatGroups(String user, Vector groups, Map options)
This method is executed after any call to the database that returns a list of groups. The user is the unformatted user name and the vector of groups is the one received from the database. This method returns a vector of unformatted group names. The options Map contains values for these keys, "scope" and "connection".

The options object is a map containing optional information that the plug-in may want to use. The most common options of use and their keys for retrieval are:


  Back to Top       Previous  Next