Developing Security Providers for WebLogic Server
- Introduction and Roadmap
- Document Scope
- Documentation Audience
- Guide to this Document
- Related Information
- New and Changed Features in this Release
- Introduction to Developing Security Providers for WebLogic Server
- Prerequisites for This Guide
- Overview of the Development Process
- Designing the Custom Security Provider
- Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
- Generating an MBean Type to Configure and Manage the Custom Security Provider
- Writing Console Extensions
- Configuring the Custom Security Provider
- Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps
- Design Considerations
- General Architecture of a Security Provider
- Security Services Provider Interfaces (SSPIs)
- Understand Two Important Restrictions
- Understand the Purpose of the “Provider” SSPIs
- Understand the Purpose of the Bulk Access Providers
- Determine Which “Provider” Interface You Will Implement
- The DeployableAuthorizationProviderV2 SSPI
- The DeployableRoleProviderV2 SSPI
- The DeployableCredentialProvider SSPI
- Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
- SSPI Quick Reference
- Security Service Provider Interface (SSPI) MBeans
- Understand Why You Need an MBean Type
- Determine Which SSPI MBeans to Extend and Implement
- Understand the Basic Elements of an MBean Definition File (MDF)
- Custom Providers and Classpaths
- Throwing Exceptions from MBean Operations
- Specifying Non-Clear Text Values for MBean Attributes
- Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
- Understand What the WebLogic MBeanMaker Provides
- About the MBean Information File
- SSPI MBean Quick Reference
- Security Data Migration
- Migration Concepts
- Formats
- Constraints
- Migration Files
- Adding Migration Support to Your Custom Security Providers
- Administration Console Support for Security Data Migration
- Management Utilities Available to Developers of Security Providers
- Security Providers and WebLogic Resources
- The Architecture of WebLogic Resources
- Types of WebLogic Resources
- WebLogic Resource Identifiers
- The toString() Method
- Resource IDs and the getID() Method
- Creating Default Groups for WebLogic Resources
- Creating Default Security Roles for WebLogic Resources
- Creating Default Security Policies for WebLogic Resources
- Looking Up WebLogic Resources in a Security Provider's Runtime Class
- Single-Parent Resource Hierarchies
- Pattern Matching for URL Resources
- Example 1
- Example 2
- ContextHandlers and WebLogic Resources
- Providers and Interfaces that Support Context Handlers
- Initialization of the Security Provider Database
- Best Practice: Create a Simple Database If None Exists
- Best Practice: Configure an Existing Database
- Best Practice: Delegate Database Initialization
- Differences In Attribute Validators
- Differences In Attribute Validators for Custom Validators
- Authentication Providers
- Authentication Concepts
- Users and Groups, Principals and Subjects
- Providing Initial Users and Groups
- LoginModules
- The LoginModule Interface
- LoginModules and Multipart Authentication
- Java Authentication and Authorization Service (JAAS)
- How JAAS Works With the WebLogic Security Framework
- Example: Standalone T3 Application
- The Authentication Process
- Do You Need to Develop a Custom Authentication Provider?
- How to Develop a Custom Authentication Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the AuthenticationProviderV2 SSPI
- Implement the JAAS LoginModule Interface
- Throwing Custom Exceptions from LoginModules
- Method 1: Make Custom Exceptions Available via the System and Compiler Classpath
- Method 2: Make Custom Exceptions Available via the Application Classpath
- Example: Creating the Runtime Classes for the Sample Authentication Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Optional SSPI MBeans and No Custom Operations
- Optional SSPI MBeans or Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Authentication Provider Using the Administration Console
- Managing User Lockouts
- Rely on the Realm-Wide User Lockout Manager
- Implement Your Own User Lockout Manager
- Specifying the Order of Authentication Providers
- Identity Assertion Providers
- Identity Assertion Concepts
- Identity Assertion Providers and LoginModules
- Identity Assertion and Tokens
- How to Create New Token Types
- How to Make New Token Types Available for Identity Assertion Provider Configurations
- Passing Tokens for Perimeter Authentication
- Common Secure Interoperability Version 2 (CSIv2)
- The Identity Assertion Process
- Do You Need to Develop a Custom Identity Assertion Provider?
- How to Develop a Custom Identity Assertion Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the AuthenticationProviderV2 SSPI
- Implement the IdentityAsserterV2 SSPI
- Example: Creating the Runtime Class for the Sample Identity Assertion Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Optional SSPI MBeans and No Custom Operations
- Optional SSPI MBeans or Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Identity Assertion Provider Using the Administration Console
- Challenge Identity Assertion
- Challenge/Response Limitations in the Java Servlet API 2.3 Environment
- Filters and The Role of the weblogic.security.services.Authentication Class
- How to Develop a Challenge Identity Asserter
- Implement the ChallengeIdentityAsserterV2 Interface
- Implement the ProviderChallengeContext Interface
- Invoke the weblogic.security.services Challenge Identity Methods
- Invoke the weblogic.security.services AppChallengeContext Methods
- Implementing Challenge Identity Assertion from a Filter
- Principal Validation Providers
- Principal Validation Concepts
- Principal Validation and Principal Types
- How Principal Validation Providers Differ From Other Types of Security Providers
- Security Exceptions Resulting from Invalid Principals
- The Principal Validation Process
- Do You Need to Develop a Custom Principal Validation Provider?
- How to Use the WebLogic Principal Validation Provider
- How to Develop a Custom Principal Validation Provider
- Implement the PrincipalValidator SSPI
- Authorization Providers
- Authorization Concepts
- Access Decisions
- Using the Java Authorization Contract for Containers
- The Authorization Process
- Do You Need to Develop a Custom Authorization Provider?
- Does Your Custom Authorization Provider Need to Support Application Versioning?
- How to Develop a Custom Authorization Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the AuthorizationProvider SSPI
- Implement the DeployableAuthorizationProviderV2 SSPI
- The ApplicationInfo Interface
- Implement the AccessDecision SSPI
- Developing Custom Authorization Providers That Are Compatible With the Realm Adapter Authentication Provider
- Example: Creating the Runtime Class for the Sample Authorization Provider
- Policy Consumer SSPI
- Required SSPI Interfaces
- Implement the PolicyConsumerFactory SSPI Interface
- Implement the PolicyConsumer SSPI Interface
- Implement the PolicyCollectionHandler SSPI Interface
- Supporting an Updated Policy Collection
- The PolicyConsumerMBean
- PolicyStoreMBean
- Examining the Format of a XACML Policy File
- Using WLST to Add a Policy to the PolicyStoreMBean
- Using WLST to Read a PolicySet as a String
- Bulk Authorization Providers
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Optional SSPI MBeans and No Custom Operations
- Optional SSPI MBeans or Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Authorization Provider Using the Administration Console
- Managing Authorization Providers and Deployment Descriptors
- Enabling Security Policy Deployment
- Provide a Mechanism for Security Policy Management
- Option 1: Develop a Stand-Alone Tool for Security Policy Management
- Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
- Adjudication Providers
- The Adjudication Process
- Do You Need to Develop a Custom Adjudication Provider?
- How to Develop a Custom Adjudication Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the AdjudicationProviderV2 SSPI
- Implement the AdjudicatorV2 SSPI
- Bulk Adjudication Providers
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Custom Operations
- Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Adjudication Provider Using the Administration Console
- Role Mapping Providers
- Role Mapping Concepts
- Security Roles
- Dynamic Security Role Computation
- The Role Mapping Process
- Do You Need to Develop a Custom Role Mapping Provider?
- Does Your Custom Role Mapping Provider Need to Support Application Versioning?
- How to Develop a Custom Role Mapping Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the RoleProvider SSPI
- Implement the DeployableRoleProviderV2 SSPI
- The ApplicationInfo Interface
- Implement the RoleMapper SSPI
- Developing Custom Role Mapping Providers That Are Compatible With the Realm Adapter Authentication Provider
- Implement the SecurityRole Interface
- Example: Creating the Runtime Class for the Sample Role Mapping Provider
- Role Consumer SSPI
- Required SSPI Interfaces
- Implement the RoleConsumerFactory SSPI Interface
- Implement the RoleConsumer SSPI Interface
- Implement the RoleCollectionHandler SSPI Interface
- Supporting an Updated Role Collection
- The RoleConsumerMBean
- PolicyStoreMBean
- Examining the Format of a XACML Policy File
- Using WLST to Add a Policy to the PolicyStoreMBean
- Using WLST to Read a PolicySet as a String
- Bulk Role Mapping Providers
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Custom Operations
- Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Role Mapping Provider Using the Administration Console
- Managing Role Mapping Providers and Deployment Descriptors
- Enabling Security Role Deployment
- Provide a Mechanism for Security Role Management
- Option 1: Develop a Stand-Alone Tool for Security Role Management
- Option 2: Integrate an Existing Security Role Management Tool into the Administration Console
- Auditing Providers
- Auditing Concepts
- Audit Channels
- Auditing Events From Custom Security Providers
- The Auditing Process
- Implementing the ContextHandler MBean
- ContextHandlerMBean Methods
- Example: Implementing the ContextHandlerMBean
- Extend weblogic.management.security.audit.ContextHandlerImpl
- Do You Need to Develop a Custom Auditing Provider?
- How to Develop a Custom Auditing Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the AuditProvider SSPI
- Implement the AuditChannel SSPI
- Example: Creating the Runtime Class for the Sample Auditing Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Custom Operations
- Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom Auditing Provider Using the Administration Console
- Configuring Audit Severity
- Security Framework Audit Events
- Passing Additional Audit Information
- Audit Event Interfaces and Audit Events
- AuditApplicationVersionEvent
- AuditAtnEventV2
- AuditAtzEvent
- AuditCertPathBuilderEvent, AuditCertPathValidatorEvent
- AuditConfigurationEvent
- AuditCredentialMappingEvent
- AuditLifecycleEvent
- AuditMgmtEvent
- AuditPolicyEvent
- AuditRoleDeploymentEvent
- AuditRoleEvent
- Credential Mapping Providers
- Credential Mapping Concepts
- The Credential Mapping Process
- Do You Need to Develop a Custom Credential Mapping Provider?
- Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
- How to Develop a Custom Credential Mapping Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the CredentialProviderV2 SSPI
- Implement the DeployableCredentialProvider SSPI
- Implement the CredentialMapperV2 SSPI
- Developing Custom Credential Mapping Providers That Are Compatible With the Realm Adapter Authentication Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Optional SSPI MBeans and No Custom Operations
- Optional SSPI MBeans or Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Provide a Mechanism for Credential Map Management
- Option 1: Develop a Stand-Alone Tool for Credential Map Management
- Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console
- Auditing Events From Custom Security Providers
- Security Services and the Auditor Service
- How to Audit From a Custom Security Provider
- Create an Audit Event
- Implement the AuditEvent SSPI
- Implement an Audit Event Convenience Interface
- The AuditAtnEventV2 Interface
- The AuditAtzEvent and AuditPolicyEvent Interfaces
- The AuditMgmtEvent Interface
- The AuditRoleEvent and AuditRoleDeploymentEvent Interfaces
- Audit Severity
- Audit Context
- Example: Implementation of the AuditRoleEvent Interface
- Obtain and Use the Auditor Service to Write Audit Events
- Example: Obtaining and Using the Auditor Service to Write Role Audit Events
- Auditing Management Operations from a Provider's MBean
- Example: Auditing Management Operations from a Provider's MBean
- Best Practice: Posting Audit Events from a Provider's MBean
- Servlet Authentication Filters
- Authentication Filter Concepts
- Why Filters are Needed
- Servlet Authentication Filter Design Considerations
- How Filters Are Invoked
- Do Not Call Servlet Authentication Filters From Authentication Providers
- Example of a Provider that Implements a Filter
- How to Develop a Custom Servlet Authentication Filter
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the Servlet Authentication Filter SSPI
- Implement the Filter Interface Methods
- Implementing Challenge Identity Assertion from a Filter
- Generate an MBean Type Using the WebLogic MBeanMaker
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Configure the Authentication Provider Using the Administration Console
- Versionable Application Providers
- Versionable Application Concepts
- The Versionable Application Process
- Do You Need to Develop a Custom Versionable Application Provider?
- How to Develop a Custom VersionableApplication Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the VersionableApplication SSPI
- Example: Creating the Runtime Class for the Sample VersionableApplication Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Configure the Custom Versionable Application Provider Using the Administration Console
- CertPath Providers
- Certificate Lookup and Validation Concepts
- The Certificate Lookup and Validation Process
- Do You Need to Implement Separate CertPath Validators and Builders?
- CertPath Provider SPI MBeans
- WebLogic CertPath Validator SSPI
- WebLogic CertPath Builder SSPI
- Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
- Do You Need to Develop a Custom CertPath Provider?
- How to Develop a Custom CertPath Provider
- Create Runtime Classes Using the Appropriate SSPIs
- Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces
- Implement the CertPath Provider SSPI
- Implement the JDK Security Provider SPI
- Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation
- Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation
- Returning the Builder or Validator Results
- Example: Creating the Sample Cert Path Provider
- Generate an MBean Type Using the WebLogic MBeanMaker
- Create an MBean Definition File (MDF)
- Use the WebLogic MBeanMaker to Generate the MBean Type
- No Optional SSPI MBeans and No Custom Operations
- Optional SSPI MBeans or Custom Operations
- About the Generated MBean Interface File
- Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
- Install the MBean Type Into the WebLogic Server Environment
- Configure the Custom CertPath Provider Using the Administration Console
- MBean Definition File (MDF) Element Syntax
- The MBeanType (Root) Element
- The MBeanAttribute Subelement
- The MBeanConstructor Subelement
- The MBeanOperation Subelement
- MBean Operation Exceptions
- Examples: Well-Formed and Valid MBean Definition Files (MDFs)