Table of Contents

• Title and Copyright Information
• Preface
  • Audience
  • Documentation Accessibility
  • Diversity and Inclusion
  • Related Documentation
  • Conventions
• 1 Introduction to Developing Security Providers for WebLogic Server
  • Prerequisites for This Guide
  • Overview of the Development Process
    • Designing the Custom Security Provider
    • Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
    • Generating an MBean Type to Configure and Manage the Custom Security Provider
    • Writing Console Extensions
    • Configuring the Custom Security Provider
    • Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps
• 2 Design Considerations
  • General Architecture of a Security Provider
  • Security Services Provider Interfaces (SSPIs)
    • Understand Two Important Restrictions
    • Understand the Purpose of the Provider SSPIs
    • Understand the Purpose of the Bulk Access Providers
    • Determine Which Provider Interface You Will Implement
      • The DeployableAuthorizationProviderV2 SSPI
      • The DeployableRoleProviderV2 SSPI
      • The DeployableCredentialProvider SSPI
    • Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
    • SSPI Quick Reference
  • Security Service Provider Interface (SSPI) MBeans
    • Understand Why You Need an MBean Type
    • Determine Which SSPI MBeans to Extend and Implement
    • Understand the Basic Elements of an MBean Definition File (MDF)
      • Custom Providers and Classpaths
      • Throwing Exceptions from MBean Operations
      • Specifying Non-Clear Text Values for MBean Attributes
      • Using Dynamic MBean Attributes
    • Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
    • Understand What the WebLogic MBeanMaker Provides
      • About the MBean Information File
    • SSPI MBean Quick Reference
  • Security Data Migration
    • Migration Concepts
      • Formats
      • Constraints
      • Migration Files
    • Adding Migration Support to Your Custom Security Providers
    • Administration Console Support for Security Data Migration
  • Management Utilities Available to Developers of Security Providers
  • Security Providers and WebLogic Resources
    • The Architecture of WebLogic Resources
    • Types of WebLogic Resources
    • WebLogic Resource Identifiers
      • The toString() Method
      • Resource IDs and the getID() Method
    • Creating Default Groups for WebLogic Resources
    • Creating Default Security Roles for WebLogic Resources
    • Creating Default Security Policies for WebLogic Resources
    • Looking Up WebLogic Resources in a Security Provider's Runtime Class
    • Single-Parent Resource Hierarchies
      • Pattern Matching for URL Resources
        • Example 1
        • Example 2
    • ContextHandlers and WebLogic Resources
      • Providers and Interfaces that Support Context Handlers
  • Initialization of the Security Provider Database
    • Best Practice: Create a Simple Database If None Exists
    • Best Practice: Configure an Existing Database
    • Best Practice: Delegate Database Initialization
    • Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections
      • Implementing a JDBC Connection Security Service: Main Steps
  • Differences In Attribute Validators
    • Differences In Attribute Validators for Custom Validators
• 3 Authentication Providers
  • Authentication Concepts
    • Users and Groups, Principals and Subjects
      • Providing Initial Users and Groups
    • LoginModules
      • The LoginModule Interface
      • LoginModules and Multipart Authentication
    • Java Authentication and Authorization Service (JAAS)
      • How JAAS Works With the WebLogic Security Framework
      • Example: Standalone T3 Application
  • The Authentication Process
  • Do You Need to Develop a Custom Authentication Provider?
  • How to Develop a Custom Authentication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the AuthenticationProviderV2 SSPI
      • Implement the JAAS LoginModule Interface
      • Throwing Custom Exceptions from LoginModules
        • Method 1: Make Custom Exceptions Available via the System and Compiler Classpath
        • Method 2: Make Custom Exceptions Available via the Application Classpath
      • Example: Creating the Runtime Classes for the Sample Authentication Provider
    • Configure the Custom Authentication Provider Using the Administration Console
      • Managing User Lockouts
        • Rely on the Realm-Wide User Lockout Manager
        • Implement Your Own User Lockout Manager
      • Specifying the Order of Authentication Providers
• 4 Identity Assertion Providers
  • Identity Assertion Concepts
    • Identity Assertion Providers and LoginModules
    • Identity Assertion and Tokens
      • How to Create New Token Types
      • How to Make New Token Types Available for Identity Assertion Provider Configurations
    • Passing Tokens for Perimeter Authentication
    • Common Secure Interoperability Version 2 (CSIv2)
  • The Identity Assertion Process
  • Do You Need to Develop a Custom Identity Assertion Provider?
  • How to Develop a Custom Identity Assertion Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the AuthenticationProviderV2 SSPI
      • Implement the IdentityAsserterV2 SSPI
      • Example: Creating the Runtime Class for the Sample Identity Assertion Provider
    • Configure the Custom Identity Assertion Provider Using the Administration Console
    • Challenge Identity Assertion
      • Challenge/Response Limitations in the Java Servlet API 2.3 Environment
      • Filters and The Role of the weblogic.security.services.Authentication Class
      • How to Develop a Challenge Identity Asserter
      • Implement the ChallengeIdentityAsserterV2 Interface
      • Implement the ProviderChallengeContext Interface
      • Invoke the weblogic.security.services Challenge Identity Methods
      • Invoke the weblogic.security.services AppChallengeContext Methods
      • Implementing Challenge Identity Assertion from a Filter
• 5 Principal Validation Providers
  • Principal Validation Concepts
    • Principal Validation and Principal Types
    • How Principal Validation Providers Differ From Other Types of Security Providers
    • Security Exceptions Resulting from Invalid Principals
  • The Principal Validation Process
  • Do You Need to Develop a Custom Principal Validation Provider?
    • How to Use the WebLogic Principal Validation Provider
  • How to Develop a Custom Principal Validation Provider
    • Implement the PrincipalValidator SSPI
• 6 Authorization Providers
  • Authorization Concepts
    • Access Decisions
    • Using the Java Authorization Contract for Containers
  • The Authorization Process
  • Do You Need to Develop a Custom Authorization Provider?
    • Does Your Custom Authorization Provider Need to Support Application Versioning?
  • Is Your Custom Authorization Provider Thread Safe?
  • How to Develop a Custom Authorization Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the AuthorizationProvider SSPI
      • Implement the DeployableAuthorizationProviderV2 SSPI
        • The ApplicationInfo Interface
      • Implement the AccessDecision SSPI
      • Example: Creating the Runtime Class for the Sample Authorization Provider
    • Policy Consumer SSPI
      • Required SSPI Interfaces
      • Implement the PolicyConsumerFactory SSPI Interface
      • Implement the PolicyConsumer SSPI Interface
      • Implement the PolicyCollectionHandler SSPI Interface
      • Supporting an Updated Policy Collection
      • The PolicyConsumerMBean
    • PolicyStoreMBean
      • Examining the Format of a XACML Policy File
      • Using WLST to Add a Policy to the PolicyStoreMBean
      • Using WLST to Read a PolicySet as a String
    • Bulk Authorization Providers
    • Configure the Custom Authorization Provider Using the Administration Console
      • Managing Authorization Providers and Deployment Descriptors
      • Enabling Security Policy Deployment
    • Provide a Mechanism for Security Policy Management
      • Option 1: Develop a Stand-Alone Tool for Security Policy Management
      • Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
• 7 Adjudication Providers
  • The Adjudication Process
  • Do You Need to Develop a Custom Adjudication Provider?
  • How to Develop a Custom Adjudication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the AdjudicationProviderV2 SSPI
      • Implement the AdjudicatorV2 SSPI
    • Bulk Adjudication Providers
    • Configure the Custom Adjudication Provider Using the Administration Console
• 8 Role Mapping Providers
  • Role Mapping Concepts
    • Security Roles
    • Dynamic Security Role Computation
  • The Role Mapping Process
  • Is Your Custom Role Mapping Provider Thread Safe?
  • Do You Need to Develop a Custom Role Mapping Provider?
    • Does Your Custom Role Mapping Provider Need to Support Application Versioning?
  • How to Develop a Custom Role Mapping Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the RoleProvider SSPI
      • Implement the DeployableRoleProviderV2 SSPI
        • The ApplicationInfo Interface
      • Implement the RoleMapper SSPI
      • Implement the SecurityRole Interface
      • Example: Creating the Runtime Class for the Sample Role Mapping Provider
    • Role Consumer SSPI
      • Required SSPI Interfaces
      • Implement the RoleConsumerFactory SSPI Interface
      • Implement the RoleConsumer SSPI Interface
      • Implement the RoleCollectionHandler SSPI Interface
      • Supporting an Updated Role Collection
      • The RoleConsumerMBean
    • PolicyStoreMBean
      • Examining the Format of a XACML Policy File
      • Using WLST to Add a Policy to the PolicyStoreMBean
      • Using WLST to Read a PolicySet as a String
    • Bulk Role Mapping Providers
    • Configure the Custom Role Mapping Provider Using the Administration Console
      • Managing Role Mapping Providers and Deployment Descriptors
      • Enabling Security Role Deployment
    • Provide a Mechanism for Security Role Management
      • Option 1: Develop a Stand-Alone Tool for Security Role Management
      • Option 2: Integrate an Existing Security Role Management Tool into the Administration Console
• 9 Auditing Providers
  • Auditing Concepts
    • Audit Channels
    • Auditing Events From Custom Security Providers
  • The Auditing Process
  • Implementing the ContextHandler MBean
    • ContextHandlerMBean Methods
    • Example: Implementing the ContextHandlerMBean
    • Extend weblogic.management.security.audit.ContextHandlerImpl
  • Do You Need to Develop a Custom Auditing Provider?
  • How to Develop a Custom Auditing Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the AuditProvider SSPI
      • Implement the AuditChannel SSPI
      • Example: Creating the Runtime Class for the Sample Auditing Provider
    • Configure the Custom Auditing Provider Using the Administration Console
      • Configuring Audit Severity
  • Security Framework Audit Events
    • Passing Additional Audit Information
    • Audit Event Interfaces and Audit Events
      • AuditApplicationVersionEvent
      • AuditAtnEventV2
      • AuditAtzEvent
      • AuditCerPathBuilderEvent, AuditCertPathValidatorEvent
      • AuditConfigurationEvent
      • AuditCredentialMappingEvent
      • AuditLifecycleEvent
      • AuditMgmtEvent
      • AuditPolicyEvent
      • AuditRoleDeploymentEvent
      • AuditRoleEvent
• 10 Credential Mapping Providers
  • Credential Mapping Concepts
  • The Credential Mapping Process
  • Do You Need to Develop a Custom Credential Mapping Provider?
    • Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
  • How to Develop a Custom Credential Mapping Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the CredentialProviderV2 SSPI
      • Implement the DeployableCredentialProvider SSPI
      • Implement the CredentialMapperV2 SSPI
    • Provide a Mechanism for Credential Map Management
      • Option 1: Develop a Stand-Alone Tool for Credential Map Management
      • Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console
• 11 Auditing Events From Custom Security Providers
  • Security Services and the Auditor Service
  • How to Audit From a Custom Security Provider
    • Create an Audit Event
      • Implement the AuditEvent SSPI
      • Implement an Audit Event Convenience Interface
        • The AuditAtnEventV2 Interface
        • The AuditAtzEvent and AuditPolicyEvent Interfaces
        • The AuditMgmtEvent Interface
        • The AuditRoleEvent and AuditRoleDeploymentEvent Interfaces
      • Audit Severity
      • Audit Context
      • Example: Implementation of the AuditRoleEvent Interface
    • Obtain and Use the Auditor Service to Write Audit Events
      • Example: Obtaining and Using the Auditor Service to Write Role Audit Events
      • Auditing Management Operations from a Provider's MBean
      • Example: Auditing Management Operations from a Provider's MBean
    • Best Practice: Posting Audit Events from a Provider's MBean
• 12 Servlet Authentication Filters
  • Authentication Filter Concepts
    • Why Filters are Needed
    • Servlet Authentication Filter Design Considerations
  • How Filters Are Invoked
    • Do Not Call Servlet Authentication Filters From Authentication Providers
  • Example of a Provider that Implements a Filter
  • How to Develop a Custom Servlet Authentication Filter
    • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the Servlet Authentication Filter SSPI
    • Implement the Filter Interface Methods
    • Implementing Challenge Identity Assertion from a Filter
    • Generate an MBean Type Using the WebLogic MBeanMaker
      • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Configure the Authentication Provider Using Administration Console
• 13 Versionable Application Providers
  • Versionable Application Concepts
  • The Versionable Application Process
  • Do You Need to Develop a Custom Versionable Application Provider?
  • How to Develop a Custom VersionableApplication Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the VersionableApplication SSPI
      • Example: Creating the Runtime Class for the Sample VersionableApplication Provider
    • Generate an MBean Type Using the WebLogic MBeanMaker
      • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Configure the Custom Versionable Application Provider Using the Administration Console
• 14 CertPath Providers
  • Certificate Lookup and Validation Concepts
    • The Certificate Lookup and Validation Process
    • Do You Need to Implement Separate CertPath Validators and Builders?
    • CertPath Provider SPI MBeans
    • WebLogic CertPath Validator SSPI
    • WebLogic CertPath Builder SSPI
    • Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
  • Do You Need to Develop a Custom CertPath Provider?
  • How to Develop a Custom CertPath Provider
    • Create Runtime Classes Using the Appropriate SSPIs
      • Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces
      • Implement the CertPath Provider SSPI
      • Implement the JDK Security Provider SPI
      • Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation
      • Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation
      • Returning the Builder or Validator Results
      • Example: Creating the Sample Cert Path Provider
    • Configure the Custom CertPath Provider Using the Administration Console
• A MBean Definition File (MDF) Element Syntax
  • The MBeanType (Root) Element
  • The MBeanAttribute Subelement
  • The MBeanConstructor Subelement
  • The MBeanOperation Subelement
  • MBean Operation Exceptions
  • Examples: Well-Formed and Valid MBean Definition Files (MDFs)
• B Generate an MBean Type Using the WebLogic MBeanMaker
  • Overview of Steps
  • Create an MBean Definition File (MDF)
  • Use the WebLogic MBeanMaker to Generate the MBean Type
    • No Custom Operations
    • No Optional SSPI MBeans and No Custom Operations
    • Optional SSPI MBeans or Custom Operations
    • About the Generated MBean Interface File
  • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
  • Install the MBean Type Into the WebLogic Server Environment