Contents
Title and Copyright Information
Preface
Documentation Accessibility
Conventions
1 Introduction and Roadmap
Document Scope
Documentation Audience
Guide to this Document
Related Information
New and Changed Features in this Release
2 Introduction to Developing Security Providers for WebLogic Server
Prerequisites for This Guide
Overview of the Development Process
Designing the Custom Security Provider
Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
Generating an MBean Type to Configure and Manage the Custom Security Provider
Writing Console Extensions
Configuring the Custom Security Provider
Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps
3 Design Considerations
General Architecture of a Security Provider
Security Services Provider Interfaces (SSPIs)
Understand Two Important Restrictions
Understand the Purpose of the "Provider" SSPIs
Understand the Purpose of the Bulk Access Providers
Determine Which "Provider" Interface You Will Implement
The DeployableAuthorizationProviderV2 SSPI
The DeployableRoleProviderV2 SSPI
The DeployableCredentialProvider SSPI
Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
SSPI Quick Reference
Security Service Provider Interface (SSPI) MBeans
Understand Why You Need an MBean Type
Determine Which SSPI MBeans to Extend and Implement
Understand the Basic Elements of an MBean Definition File (MDF)
Custom Providers and Classpaths
Throwing Exceptions from MBean Operations
Specifying Non-Clear Text Values for MBean Attributes
Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
Understand What the WebLogic MBeanMaker Provides
About the MBean Information File
SSPI MBean Quick Reference
Security Data Migration
Migration Concepts
Formats
Constraints
Migration Files
Adding Migration Support to Your Custom Security Providers
Administration Console Support for Security Data Migration
Management Utilities Available to Developers of Security Providers
Security Providers and WebLogic Resources
The Architecture of WebLogic Resources
Types of WebLogic Resources
WebLogic Resource Identifiers
The toString() Method
Resource IDs and the getID() Method
Creating Default Groups for WebLogic Resources
Creating Default Security Roles for WebLogic Resources
Creating Default Security Policies for WebLogic Resources
Looking Up WebLogic Resources in a Security Provider's Runtime Class
Single-Parent Resource Hierarchies
Pattern Matching for URL Resources
ContextHandlers and WebLogic Resources
Providers and Interfaces that Support Context Handlers
Initialization of the Security Provider Database
Best Practice: Create a Simple Database If None Exists
Best Practice: Configure an Existing Database
Best Practice: Delegate Database Initialization
Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections
Implementing a JDBC Connection Security Service: Main Steps
Differences In Attribute Validators
Differences In Attribute Validators for Custom Validators
4 Authentication Providers
Authentication Concepts
Users and Groups, Principals and Subjects
Providing Initial Users and Groups
LoginModules
The LoginModule Interface
LoginModules and Multipart Authentication
Java Authentication and Authorization Service (JAAS)
How JAAS Works With the WebLogic Security Framework
Example: Standalone T3 Application
The Authentication Process
Do You Need to Develop a Custom Authentication Provider?
How to Develop a Custom Authentication Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the AuthenticationProviderV2 SSPI
Implement the JAAS LoginModule Interface
Throwing Custom Exceptions from LoginModules
Example: Creating the Runtime Classes for the Sample Authentication Provider
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Authentication Provider Using the Administration Console
Managing User Lockouts
Specifying the Order of Authentication Providers
5 Identity Assertion Providers
Identity Assertion Concepts
Identity Assertion Providers and LoginModules
Identity Assertion and Tokens
How to Create New Token Types
How to Make New Token Types Available for Identity Assertion Provider Configurations
Passing Tokens for Perimeter Authentication
Common Secure Interoperability Version 2 (CSIv2)
The Identity Assertion Process
Do You Need to Develop a Custom Identity Assertion Provider?
How to Develop a Custom Identity Assertion Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the AuthenticationProviderV2 SSPI
Implement the IdentityAsserterV2 SSPI
Example: Creating the Runtime Class for the Sample Identity Assertion Provider
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Identity Assertion Provider Using the Administration Console
Challenge Identity Assertion
Challenge/Response Limitations in the Java Servlet API 2.3 Environment
Filters and The Role of the weblogic.security.services.Authentication Class
How to Develop a Challenge Identity Asserter
Implement the ChallengeIdentityAsserterV2 Interface
Implement the ProviderChallengeContext Interface
Invoke the weblogic.security.services Challenge Identity Methods
Invoke the weblogic.security.services AppChallengeContext Methods
Implementing Challenge Identity Assertion from a Filter
6 Principal Validation Providers
Principal Validation Concepts
Principal Validation and Principal Types
How Principal Validation Providers Differ From Other Types of Security Providers
Security Exceptions Resulting from Invalid Principals
The Principal Validation Process
Do You Need to Develop a Custom Principal Validation Provider?
How to Use the WebLogic Principal Validation Provider
How to Develop a Custom Principal Validation Provider
Implement the PrincipalValidator SSPI
7 Authorization Providers
Authorization Concepts
Access Decisions
Using the Java Authorization Contract for Containers
The Authorization Process
Do You Need to Develop a Custom Authorization Provider?
Does Your Custom Authorization Provider Need to Support Application Versioning?
Is Your Custom Authorization Provider Thread Safe?
How to Develop a Custom Authorization Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the AuthorizationProvider SSPI
Implement the DeployableAuthorizationProviderV2 SSPI
Implement the AccessDecision SSPI
Example: Creating the Runtime Class for the Sample Authorization Provider
Policy Consumer SSPI
Required SSPI Interfaces
Implement the PolicyConsumerFactory SSPI Interface
Implement the PolicyConsumer SSPI Interface
Implement the PolicyCollectionHandler SSPI Interface
Supporting an Updated Policy Collection
The PolicyConsumerMBean
PolicyStoreMBean
Examining the Format of a XACML Policy File
Using WLST to Add a Policy to the PolicyStoreMBean
Using WLST to Read a PolicySet as a String
Bulk Authorization Providers
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Authorization Provider Using the Administration Console
Managing Authorization Providers and Deployment Descriptors
Enabling Security Policy Deployment
Provide a Mechanism for Security Policy Management
Option 1: Develop a Stand-Alone Tool for Security Policy Management
Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
8 Adjudication Providers
The Adjudication Process
Do You Need to Develop a Custom Adjudication Provider?
How to Develop a Custom Adjudication Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the AdjudicationProviderV2 SSPI
Implement the AdjudicatorV2 SSPI
Bulk Adjudication Providers
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Adjudication Provider Using the Administration Console
9 Role Mapping Providers
Role Mapping Concepts
Security Roles
Dynamic Security Role Computation
The Role Mapping Process
Is Your Custom Role Mapping Provider Thread Safe?
Do You Need to Develop a Custom Role Mapping Provider?
Does Your Custom Role Mapping Provider Need to Support Application Versioning?
How to Develop a Custom Role Mapping Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the RoleProvider SSPI
Implement the DeployableRoleProviderV2 SSPI
Implement the RoleMapper SSPI
Implement the SecurityRole Interface
Example: Creating the Runtime Class for the Sample Role Mapping Provider
Role Consumer SSPI
Required SSPI Interfaces
Implement the RoleConsumerFactory SSPI Interface
Implement the RoleConsumer SSPI Interface
Implement the RoleCollectionHandler SSPI Interface
Supporting an Updated Role Collection
The RoleConsumerMBean
PolicyStoreMBean
Examining the Format of a XACML Policy File
Using WLST to Add a Policy to the PolicyStoreMBean
Using WLST to Read a PolicySet as a String
Bulk Role Mapping Providers
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Role Mapping Provider Using the Administration Console
Managing Role Mapping Providers and Deployment Descriptors
Enabling Security Role Deployment
Provide a Mechanism for Security Role Management
Option 1: Develop a Stand-Alone Tool for Security Role Management
Option 2: Integrate an Existing Security Role Management Tool into the Administration Console
10 Auditing Providers
Auditing Concepts
Audit Channels
Auditing Events From Custom Security Providers
The Auditing Process
Implementing the ContextHandler MBean
ContextHandlerMBean Methods
Example: Implementing the ContextHandlerMBean
Extend weblogic.management.security.audit.ContextHandlerImpl
Do You Need to Develop a Custom Auditing Provider?
How to Develop a Custom Auditing Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the AuditProvider SSPI
Implement the AuditChannel SSPI
Example: Creating the Runtime Class for the Sample Auditing Provider
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom Auditing Provider Using the Administration Console
Configuring Audit Severity
Security Framework Audit Events
Passing Additional Audit Information
Audit Event Interfaces and Audit Events
AuditApplicationVersionEvent
AuditAtnEventV2
AuditAtzEvent
AuditCertPathBuilderEvent, AuditCertPathValidatorEvent
AuditConfigurationEvent
AuditCredentialMappingEvent
AuditLifecycleEvent
AuditMgmtEvent
AuditPolicyEvent
AuditRoleDeploymentEvent
AuditRoleEvent
11 Credential Mapping Providers
Credential Mapping Concepts
The Credential Mapping Process
Do You Need to Develop a Custom Credential Mapping Provider?
Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
How to Develop a Custom Credential Mapping Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the CredentialProviderV2 SSPI
Implement the DeployableCredentialProvider SSPI
Implement the CredentialMapperV2 SSPI
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Provide a Mechanism for Credential Map Management
Option 1: Develop a Stand-Alone Tool for Credential Map Management
Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console
12 Auditing Events From Custom Security Providers
Security Services and the Auditor Service
How to Audit From a Custom Security Provider
Create an Audit Event
Implement the AuditEvent SSPI
Implement an Audit Event Convenience Interface
Audit Severity
Audit Context
Example: Implementation of the AuditRoleEvent Interface
Obtain and Use the Auditor Service to Write Audit Events
Example: Obtaining and Using the Auditor Service to Write Role Audit Events
Auditing Management Operations from a Provider's MBean
Example: Auditing Management Operations from a Provider's MBean
Best Practice: Posting Audit Events from a Provider's MBean
13 Servlet Authentication Filters
Authentication Filter Concepts
Why Filters are Needed
Servlet Authentication Filter Design Considerations
How Filters Are Invoked
Do Not Call Servlet Authentication Filters From Authentication Providers
Example of a Provider that Implements a Filter
How to Develop a Custom Servlet Authentication Filter
Create Runtime Classes Using the Appropriate SSPIs
Implement the Servlet Authentication Filter SSPI
Implement the Filter Interface Methods
Implementing Challenge Identity Assertion from a Filter
Generate an MBean Type Using the WebLogic MBeanMaker
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Configure the Authentication Provider Using Administration Console
14 Versionable Application Providers
Versionable Application Concepts
The Versionable Application Process
Do You Need to Develop a Custom Versionable Application Provider?
How to Develop a Custom VersionableApplication Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the VersionableApplication SSPI
Example: Creating the Runtime Class for the Sample VersionableApplication Provider
Generate an MBean Type Using the WebLogic MBeanMaker
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Configure the Custom Versionable Application Provider Using the Administration Console
15 CertPath Providers
Certificate Lookup and Validation Concepts
The Certificate Lookup and Validation Process
Do You Need to Implement Separate CertPath Validators and Builders?
CertPath Provider SPI MBeans
WebLogic CertPath Validator SSPI
WebLogic CertPath Builder SSPI
Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
Do You Need to Develop a Custom CertPath Provider?
How to Develop a Custom CertPath Provider
Create Runtime Classes Using the Appropriate SSPIs
Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces
Implement the CertPath Provider SSPI
Implement the JDK Security Provider SPI
Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation
Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation
Returning the Builder or Validator Results
Example: Creating the Sample Cert Path Provider
Generate an MBean Type Using the WebLogic MBeanMaker
Create an MBean Definition File (MDF)
Use the WebLogic MBeanMaker to Generate the MBean Type
Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Install the MBean Type Into the WebLogic Server Environment
Configure the Custom CertPath Provider Using the Administration Console
A MBean Definition File (MDF) Element Syntax
The MBeanType (Root) Element
The MBeanAttribute Subelement
The MBeanConstructor Subelement
The MBeanOperation Subelement
MBean Operation Exceptions
Examples: Well-Formed and Valid MBean Definition Files (MDFs)