Developing security providers for WebLogic Server
Introduction and Roadmap
The following sections describe the content and organization of this document:
- Document Scope
- Documentation Audience
- Guide to this Document
- Related Information
- New and Changed Features in this Release
Document Scope
This document provides security vendors and application developers with the information needed to develop new security providers for use with WebLogic Server.
Documentation Audience
This document is written for independent software vendors (ISVs) who want to write their own security providers for use with WebLogic Server. It is assumed that most ISVs reading this documentation are sophisticated application developers who have a solid understanding of security concepts, and that no basic security concepts require explanation. It is also assumed that security vendors and application developers are familiar with WebLogic Server and with Java (including Java Management eXtensions (JMX)).
Guide to this Document
This document provides security vendors and application developers with the information needed to develop new security providers for use with the WebLogic Server.
The document is organized as follows:
- Introduction to Developing security providers for WebLogic Server,which prepares you to learn more about developing security providers for use with WebLogic Server. It specifies the audience and prerequisites for this guide, and provides an overview of the development process.
- Design Considerations,which explains the general architecture of a security provider and provides background information you should understand about implementing SSPIs and generating MBean types. This section also includes information about using optional management utilities and discusses how security providers interact with WebLogic resources. Lastly, this section suggests ways in which your custom security providers might work with databases that contain information security providers require.
- Authentication Providers,which explains the authentication process (for simple logins) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authentication providers. This topic also includes a discussion about JAAS LoginModules.
- Identity Assertion Providers,which explains the authentication process (for perimeter authentication using tokens) and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom identity assertion providers.
- Principal Validation Providers,which explains how Principal Validation providers assist Authentication providers by signing and verifying the authenticity of principals stored in a subject, and provides instructions about how to develop custom Principal Validation providers.
- Authorization Providers,which explains the authorization process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Authorization providers.
- Adjudication Providers,which explains the adjudication process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Adjudication providers.
- Role Mapping Providers,which explains the role mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Role Mapping providers.
- Auditing Providers,which explains the auditing process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Auditing providers. This topic also includes information about how to audit from other types of security providers.
- credential mapping Providers,which explains the credential mapping process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom credential mapping providers.
- Auditing Events From Custom security providers,which explains how to add auditing capabilities to the custom security providers you develop.
- Servlet Authentication Filters,which explains the Servlet authentication filter process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with Servlet authentication filters.
- Versionable Application Providers,which explains the concept of versionable applications and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom Versionable Application providers.
- CertPath Providers,which explains the certificate lookup and validation process and provides instructions about how to implement each type of security service provider interface (SSPI) associated with custom CertPath provider.
- MBean Definition File (MDF) Element Syntax,which describes all the elements and attributes that are available for use in a valid MDF. An MDF is an XML file used to generate the MBean types, which enable the management of your custom security providers.
Related Information
The Oracle corporate Web site provides all documentation for WebLogic Server. Other WebLogic Server documents that may be of interest to security vendors and application developers working with security providers are:
- Understanding WebLogic Security
- Securing WebLogic Server
- Programming WebLogic Security
- Securing WebLogic Resources Using Roles and Policies
- Securing a Production Environment
Additional resources include:
New and Changed Features in this Release
For a comprehensive listing of the new WebLogic Server features introduced in this release, see “What's New in WebLogic Server” in Release Notes.