Oracle Fusion Middleware
Oracle WebLogic Server MBean Javadoc
12c Release 1 (12.1.1)

Part Number E24395-02

weblogic.security.providers.authentication
Interface DefaultIdentityAsserterMBean

All Superinterfaces:
AuthenticationProviderMBean, IdentityAsserterMBean, ProviderMBean

public interface DefaultIdentityAsserterMBean
extends IdentityAsserterMBean

The MBean that represents configuration attributes for the WebLogic Identity Assertion provider. The WebLogic Identity Assertion provider supports identity assertion using X.509 certificates and CORBA Common Secure Interoperability version 2 (CSI v2). The interface also carries the attributes for the default user name mapping class and the list of trusted client principals.

Deprecation of MBeanHome and Type-Safe Interfaces

This is a type-safe interface for a WebLogic Server MBean, which you can import into your client classes and access through weblogic.management.MBeanHome. As of 9.0, the MBeanHome interface and all type-safe interfaces for WebLogic Server MBeans are deprecated. Instead, client classes that interact with WebLogic Server MBeans should use standard JMX design patterns in which clients use the javax.management.MBeanServerConnection interface to discover MBeans, attributes, and attribute types at runtime.


Method Summary
 String getDefaultUserNameMapperAttributeDelimiter()
          The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
 String getDefaultUserNameMapperAttributeType()
          The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
 String getDescription()
          A short description of the Identity Assertion provider.
 String getDigestDataSourceName()
          The name of the data source used to store digest values.
 int getDigestExpirationTimePeriod()
          Determines how long digests are valid.
 String getName()
          The name of this configuration.
 String getProviderClassName()
          The name of the Java class used to load the Identity Assertion provider.
 String[] getSupportedTypes()
          The token types supported by the Identity Assertion provider.
 String[] getTrustedClientPrincipals()
          The list of trusted client principals to use in CSI v2 identity assertion.
 String getUserNameMapperClassName()
          The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.
 String getVersion()
          The version number of the Identity Assertion provider.
 boolean isDigestReplayDetectionEnabled()
          Enables the storage of the digest nonce values used to detect replay attacks.
 boolean isUseDefaultUserNameMapper()
          Uses the user name mapping class provided by WebLogic Server.
 void setDefaultUserNameMapperAttributeDelimiter(String newValue)
          The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
 void setDefaultUserNameMapperAttributeType(String newValue)
          The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.
 void setDigestDataSourceName(String newValue)
          The name of the data source used to store digest values.
 void setDigestExpirationTimePeriod(int newValue)
          Determines how long digests are valid.
 void setDigestReplayDetectionEnabled(boolean newValue)
          Enables the storage of the digest nonce values used to detect replay attacks.
 void setTrustedClientPrincipals(String[] newValue)
          The list of trusted client principals to use in CSI v2 identity assertion.
 void setUseDefaultUserNameMapper(boolean newValue)
          Uses the user name mapping class provided by WebLogic Server.
 void setUserNameMapperClassName(String newValue)
          The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.
 
Methods inherited from interface weblogic.management.security.authentication.IdentityAsserterMBean
getActiveTypes, getBase64DecodingRequired, setActiveTypes, setBase64DecodingRequired
 
Methods inherited from interface weblogic.management.security.ProviderMBean
getRealm
 

Method Detail

getProviderClassName

String getProviderClassName()

The name of the Java class used to load the Identity Assertion provider.

Default Value:
"weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl"

getDescription

String getDescription()

A short description of the Identity Assertion provider.

Specified by:
getDescription in interface ProviderMBean
Default Value:
"WebLogic Identity Assertion provider"

getVersion

String getVersion()

The version number of the Identity Assertion provider.

Specified by:
getVersion in interface ProviderMBean
Default Value:
"1.0"

getSupportedTypes

String[] getSupportedTypes()

The token types supported by the Identity Assertion provider.

Specified by:
getSupportedTypes in interface IdentityAsserterMBean
Default Value:
weblogic.security.spi.IdentityAsserter.AU_TYPE,weblogic.security.spi.IdentityAsserter.X509_TYPE,weblogic.security.spi.IdentityAsserter.CSI_PRINCIPAL_TYPE,weblogic.security.spi.IdentityAsserter.CSI_ANONYMOUS_TYPE,weblogic.security.spi.IdentityAsserter.CSI_X509_CERTCHAIN_TYPE,weblogic.security.spi.IdentityAsserter.CSI_DISTINGUISHED_NAME_TYPE,weblogic.security.spi.IdentityAsserter.WSSE_PASSWORD_DIGEST_TYPE

getUserNameMapperClassName

String getUserNameMapperClassName()

The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.


setUserNameMapperClassName

void setUserNameMapperClassName(String newValue)
                                throws InvalidAttributeValueException

The name of the Java class that maps X.509 digital certificates and X.501 distinguished names to WebLogic user names.

Parameters:
newValue - the new value for attribute UserNameMapperClassName
Throws:
InvalidAttributeValueException

getTrustedClientPrincipals

String[] getTrustedClientPrincipals()

The list of trusted client principals to use in CSI v2 identity assertion.

The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invocation is rejected.


setTrustedClientPrincipals

void setTrustedClientPrincipals(String[] newValue)
                                throws InvalidAttributeValueException

The list of trusted client principals to use in CSI v2 identity assertion.

The wildcard character (*) can be used to specify that all principals are trusted. If a client is not listed as a trusted client principal, the CSIv2 identity assertion fails and the invocation is rejected.

Parameters:
newValue - the new value for attribute TrustedClientPrincipals
Throws:
InvalidAttributeValueException

isUseDefaultUserNameMapper

boolean isUseDefaultUserNameMapper()

Uses the user name mapping class provided by WebLogic Server. The default user name mapping class only validates that a certificate has not expired.

If you require additional validation, you need to write your own user name mapping class. Writing your own user name mapping class also allows you to specify what attribute in the subject DN of the certificate is used to map to the user name.

Default Value:
false

setUseDefaultUserNameMapper

void setUseDefaultUserNameMapper(boolean newValue)
                                 throws InvalidAttributeValueException

Uses the user name mapping class provided by WebLogic Server. The default user name mapping class only validates that a certificate has not expired.

If you require additional validation, you need to write your own user name mapping class. Writing your own user name mapping class also allows you to specify what attribute in the subject DN of the certificate is used to map to the user name.

Parameters:
newValue - the new value for attribute UseDefaultUserNameMapper
Throws:
InvalidAttributeValueException
Default Value:
false

getDefaultUserNameMapperAttributeType

String getDefaultUserNameMapperAttributeType()

The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

Default Value:
"E"
Valid Values:
"C","CN","E","L","O","OU","S","STREET"

setDefaultUserNameMapperAttributeType

void setDefaultUserNameMapperAttributeType(String newValue)
                                           throws InvalidAttributeValueException

The name of the attribute from the subject DN to use when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

Parameters:
newValue - the new value for attribute DefaultUserNameMapperAttributeType
Throws:
InvalidAttributeValueException
Default Value:
"E"
Valid Values:
"C","CN","E","L","O","OU","S","STREET"

getDefaultUserNameMapperAttributeDelimiter

String getDefaultUserNameMapperAttributeDelimiter()

The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

Default Value:
"@"

setDefaultUserNameMapperAttributeDelimiter

void setDefaultUserNameMapperAttributeDelimiter(String newValue)
                                                throws InvalidAttributeValueException

The delimiter that ends the attribute value when mapping from the X.509 certificate or X.500 name token to the WebLogic user name.

Parameters:
newValue - the new value for attribute DefaultUserNameMapperAttributeDelimiter
Throws:
InvalidAttributeValueException
Default Value:
"@"
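The three attributes above (UseDefaultUserNameMapper, DefaultUserNameMapperAttributeType, DefaultUserNameMapperAttributeDelimiter) together define what the default mapper does: take one attribute out of the certificate's subject DN, cut its value at the delimiter, and use the result as the WebLogic user name, after checking only that the certificate has not expired. The following Python model is an added example, not Oracle's code, that reproduces those documented rules so the mapping can be tried on sample DNs. The DN string parser, the `Certificate` record, the attribute-type aliases (EMAILADDRESS, ST) and the treatment of a missing delimiter are this example's own assumptions.

```python
"""Model of the WebLogic default user-name mapper described on this page.

Added example (not Oracle's implementation). It applies the documented rule:
value of DefaultUserNameMapperAttributeType from the subject DN, truncated at
DefaultUserNameMapperAttributeDelimiter, after an expiry-only certificate check.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Valid values for DefaultUserNameMapperAttributeType, as listed on this page.
VALID_ATTRIBUTE_TYPES = {"C", "CN", "E", "L", "O", "OU", "S", "STREET"}

# Assumption: string DNs from other tools spell some types differently.
TYPE_ALIASES = {"EMAILADDRESS": "E", "EMAIL": "E", "ST": "S"}


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for the two fields the default mapper reads."""
    subject_dn: str        # RFC 2253 style string, e.g. "E=alice@example.com,CN=Alice,O=Example,C=US"
    not_after: int         # expiry as a Unix timestamp (assumption: int seconds)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 string DN into (TYPE, value) pairs.

    Handles backslash escapes ("O=Example\\, Inc") and double-quoted values
    ('CN="Doe, John"'); attribute types are upper-cased and aliased.
    Multi-valued RDNs ("+") are not split: they stay part of the value.
    """
    rdns: List[Tuple[str, str]] = []
    buf: List[str] = []
    key: Optional[str] = None
    quoted = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted                 # quotes delimit, they are not part of the value
        elif ch == "=" and key is None and not quoted:
            key = "".join(buf).strip().upper()
            key = TYPE_ALIASES.get(key, key)
            buf = []
        elif ch in ",;" and not quoted:         # end of this RDN
            if key is None:
                raise ValueError("RDN without '=' in %r" % dn)
            rdns.append((key, "".join(buf).strip()))
            key, buf = None, []
        else:
            buf.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in %r" % dn)
    if key is not None:
        rdns.append((key, "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("trailing text without '=' in %r" % dn)
    return rdns


def map_dn_to_username(dn: str, attribute_type: str = "E", delimiter: str = "@") -> Optional[str]:
    """Default-mapper rule: the first `attribute_type` value in the DN, cut at `delimiter`.

    With the page's defaults (E and @), "E=alice@example.com" maps to "alice".
    Returns None when the attribute is absent or the mapped name would be empty,
    so the caller can refuse the assertion. Assumption: with no delimiter in the
    value the whole value is used.
    """
    if attribute_type not in VALID_ATTRIBUTE_TYPES:
        raise ValueError("unsupported attribute type %r" % attribute_type)
    for typ, value in parse_dn(dn):
        if typ == attribute_type:
            head = value.partition(delimiter)[0] if delimiter else value
            return head or None
    return None


def map_certificate_to_username(cert: Certificate, now: int,
                                attribute_type: str = "E", delimiter: str = "@") -> Optional[str]:
    """What the page says the default mapper checks: expiry only, then the DN rule.

    No chain, revocation or notBefore check is made here; the page says that any
    further validation requires a custom user name mapping class.
    """
    if cert.not_after < now:
        return None
    return map_dn_to_username(cert.subject_dn, attribute_type, delimiter)


if __name__ == "__main__":
    # Constructed sample: two different certificates collapse onto the same user.
    for dn in ("E=alice@example.com,CN=Alice,OU=Eng,O=Example,C=US",
               "E=alice@evil.example,CN=Mallory,O=Other,C=US"):
        print(dn, "->", map_dn_to_username(dn))
```

The second sample DN shows the practical consequence of the delimiter rule: everything after the "@" is discarded, so any certificate whose E attribute has the same local part maps to the same WebLogic user. The mapping itself provides no binding to an issuer, which is why the page points to a custom mapping class when you need stronger validation.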

isDigestReplayDetectionEnabled

boolean isDigestReplayDetectionEnabled()

Enables the storage of the digest nonce values used to detect replay attacks.

If this setting is enabled, you must configure a data source to store the nonces for the specified expiration period. WebLogic Server then stores all the nonces from digest authentication attempts for all the machines in the domain. On each digest authentication attempt, the nonce is validated against the stored nonces. If the nonce is present, a replay attack has occurred and the digest authentication attempt fails.

Default Value:
false

setDigestReplayDetectionEnabled

void setDigestReplayDetectionEnabled(boolean newValue)
                                     throws InvalidAttributeValueException

Enables the storage of the digest nonce values used to detect replay attacks.

If this setting is enabled, you must configure a data source to store the nonces for the specified expiration period. WebLogic Server then stores all the nonces from digest authentication attempts for all the machines in the domain. On each digest authentication attempt, the nonce is validated against the stored nonces. If the nonce is present, a replay attack has occurred and the digest authentication attempt fails.

Parameters:
newValue - the new value for attribute DigestReplayDetectionEnabled
Throws:
InvalidAttributeValueException
Default Value:
false

getDigestExpirationTimePeriod

int getDigestExpirationTimePeriod()

Determines how long (in seconds) digests are valid.

A digest created more than the specified number of seconds ago is not valid. This setting also determines how long previous digest values must be retained in the database for use in detecting replay attacks.

Default Value:
300

setDigestExpirationTimePeriod

void setDigestExpirationTimePeriod(int newValue)
                                   throws InvalidAttributeValueException

Determines how long (in seconds) digests are valid.

A digest created more than the specified number of seconds ago is not valid. This setting also determines how long previous digest values must be retained in the database for use in detecting replay attacks.

Parameters:
newValue - the new value for attribute DigestExpirationTimePeriod
Throws:
InvalidAttributeValueException
Default Value:
300
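The replay detection described under DigestReplayDetectionEnabled and the expiration window defined by DigestExpirationTimePeriod work together: a nonce seen before means a replay, a digest older than the window is invalid regardless, and the window therefore bounds how long nonces must be kept. The Python model below is an added example, not WebLogic's implementation, showing those two rules and what changes when detection is left disabled. The in-memory dictionary stands in for the DigestDataSourceName database that a real domain needs so that every server sees the same nonces; the method and field names, and the clock-skew tolerance for future-dated digests (not something this page specifies), are assumptions.

```python
"""Model of digest nonce replay detection with an expiration window.

Added example (not WebLogic's code). Rules taken from this page:
  * a nonce that is already stored means a replay -> reject;
  * a digest created more than DigestExpirationTimePeriod seconds ago is
    invalid -> reject, and such nonces no longer need to be retained.
The WSSE password digest binds nonce and creation time together, so an
attacker cannot refresh the creation time of a captured digest without
invalidating it.
"""
from typing import Dict

DEFAULT_EXPIRATION_SECONDS = 300   # DigestExpirationTimePeriod default on this page


class DigestReplayDetector:
    def __init__(self, expiration_seconds: int = DEFAULT_EXPIRATION_SECONDS,
                 enabled: bool = True, max_clock_skew: int = 60) -> None:
        self.expiration_seconds = expiration_seconds
        self.enabled = enabled                 # DigestReplayDetectionEnabled
        self.max_clock_skew = max_clock_skew   # assumption: tolerance for client clocks ahead of ours
        self._seen: Dict[str, int] = {}        # nonce -> creation time (stands in for the data source)

    def _evict_expired(self, now: int) -> None:
        """Drop nonces whose digests are already rejected by the expiration rule."""
        cutoff = now - self.expiration_seconds
        for nonce in [n for n, created in self._seen.items() if created < cutoff]:
            del self._seen[nonce]

    def retained(self) -> int:
        """Number of nonces currently stored (what the data source would hold)."""
        return len(self._seen)

    def check(self, nonce: str, created: int, now: int) -> str:
        """Evaluate one digest authentication attempt.

        Returns "accepted", "expired" (outside the window), "future" (created
        time ahead of the server clock), or "replay" (nonce seen before).
        """
        if now - created > self.expiration_seconds:
            return "expired"
        if created - now > self.max_clock_skew:
            return "future"
        if not self.enabled:
            return "accepted"          # the weak setting: replays are indistinguishable
        self._evict_expired(now)
        if nonce in self._seen:
            return "replay"
        self._seen[nonce] = created
        return "accepted"


if __name__ == "__main__":
    # Constructed sequence: one legitimate request and a replay 10 s later.
    detector = DigestReplayDetector()
    print(detector.check("n1", created=1000, now=1010))   # accepted
    print(detector.check("n1", created=1000, now=1020))   # replay
    print(detector.check("n1", created=1000, now=1400))   # expired (outside 300 s window)
```

Two points the model makes visible: with detection disabled the second presentation of "n1" is accepted, since nothing records the nonce; and once the 300 s window has passed, the stored nonce can be discarded because the digest it belongs to is rejected as expired anyway, which is exactly why the expiration period governs the retention requirement on the data source.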

getDigestDataSourceName

String getDigestDataSourceName()

The name of the data source used to store digest values. These digest values are used to detect replay attacks.


setDigestDataSourceName

void setDigestDataSourceName(String newValue)
                             throws InvalidAttributeValueException

The name of the data source used to store digest values. These digest values are used to detect replay attacks.

Parameters:
newValue - the new value for attribute DigestDataSourceName
Throws:
InvalidAttributeValueException

getName

String getName()
Description copied from interface: ProviderMBean
The name of this configuration. WebLogic Server uses an MBean to implement and persist the configuration.

Specified by:
getName in interface ProviderMBean
Default Value:
"DefaultIdentityAsserter"

Copyright 1996, 2011, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.