Contents

Title and Copyright Information

Preface

• Documentation Accessibility
• Conventions

1 Introduction and Roadmap

• Document Scope
• Documentation Audience
• Guide to this Document
• Related Information
• New and Changed Features in this Release

2 Introduction to Developing Security Providers for WebLogic Server

• Prerequisites for This Guide
• Overview of the Development Process
  • Designing the Custom Security Provider
  • Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs
  • Generating an MBean Type to Configure and Manage the Custom Security Provider
  • Writing Console Extensions
  • Configuring the Custom Security Provider
  • Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps

3 Design Considerations

• General Architecture of a Security Provider
• Security Services Provider Interfaces (SSPIs)
  • Understand Two Important Restrictions
  • Understand the Purpose of the "Provider" SSPIs
  • Understand the Purpose of the Bulk Access Providers
  • Determine Which "Provider" Interface You Will Implement
    • The DeployableAuthorizationProviderV2 SSPI
    • The DeployableRoleProviderV2 SSPI
    • The DeployableCredentialProvider SSPI
  • Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
  • SSPI Quick Reference
• Security Service Provider Interface (SSPI) MBeans
  • Understand Why You Need an MBean Type
  • Determine Which SSPI MBeans to Extend and Implement
  • Understand the Basic Elements of an MBean Definition File (MDF)
    • Custom Providers and Classpaths
    • Throwing Exceptions from MBean Operations
    • Specifying Non-Clear Text Values for MBean Attributes
  • Understand the SSPI MBean Hierarchy and How It Affects the Administration Console
  • Understand What the WebLogic MBeanMaker Provides
    • About the MBean Information File
  • SSPI MBean Quick Reference
• Security Data Migration
  • Migration Concepts
    • Formats
    • Constraints
    • Migration Files
  • Adding Migration Support to Your Custom Security Providers
  • Administration Console Support for Security Data Migration
• Management Utilities Available to Developers of Security Providers
• Security Providers and WebLogic Resources
  • The Architecture of WebLogic Resources
  • Types of WebLogic Resources
  • WebLogic Resource Identifiers
    • The toString() Method
    • Resource IDs and the getID() Method
  • Creating Default Groups for WebLogic Resources
  • Creating Default Security Roles for WebLogic Resources
  • Creating Default Security Policies for WebLogic Resources
  • Looking Up WebLogic Resources in a Security Provider's Runtime Class
  • Single-Parent Resource Hierarchies
    • Pattern Matching for URL Resources
  • ContextHandlers and WebLogic Resources
    • Providers and Interfaces that Support Context Handlers
• Initialization of the Security Provider Database
  • Best Practice: Create a Simple Database If None Exists
  • Best Practice: Configure an Existing Database
  • Best Practice: Delegate Database Initialization
  • Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections
    • Implementing a JDBC Connection Security Service: Main Steps
• Differences In Attribute Validators
  • Differences In Attribute Validators for Custom Validators

4 Authentication Providers

• Authentication Concepts
  • Users and Groups, Principals and Subjects
    • Providing Initial Users and Groups
  • LoginModules
    • The LoginModule Interface
    • LoginModules and Multipart Authentication
  • Java Authentication and Authorization Service (JAAS)
    • How JAAS Works With the WebLogic Security Framework
    • Example: Standalone T3 Application
• The Authentication Process
• Do You Need to Develop a Custom Authentication Provider?
• How to Develop a Custom Authentication Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the AuthenticationProviderV2 SSPI
    • Implement the JAAS LoginModule Interface
    • Throwing Custom Exceptions from LoginModules
    • Example: Creating the Runtime Classes for the Sample Authentication Provider
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Authentication Provider Using the Administration Console
    • Managing User Lockouts
    • Specifying the Order of Authentication Providers

5 Identity Assertion Providers

• Identity Assertion Concepts
  • Identity Assertion Providers and LoginModules
  • Identity Assertion and Tokens
    • How to Create New Token Types
    • How to Make New Token Types Available for Identity Assertion Provider Configurations
  • Passing Tokens for Perimeter Authentication
  • Common Secure Interoperability Version 2 (CSIv2)
• The Identity Assertion Process
• Do You Need to Develop a Custom Identity Assertion Provider?
• How to Develop a Custom Identity Assertion Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the AuthenticationProviderV2 SSPI
    • Implement the IdentityAsserterV2 SSPI
    • Example: Creating the Runtime Class for the Sample Identity Assertion Provider
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Identity Assertion Provider Using the Administration Console
  • Challenge Identity Assertion
    • Challenge/Response Limitations in the Java Servlet API 2.3 Environment
    • Filters and The Role of the weblogic.security.services.Authentication Class
    • How to Develop a Challenge Identity Asserter
    • Implement the ChallengeIdentityAsserterV2 Interface
    • Implement the ProviderChallengeContext Interface
    • Invoke the weblogic.security.services Challenge Identity Methods
    • Invoke the weblogic.security.services AppChallengeContext Methods
    • Implementing Challenge Identity Assertion from a Filter

6 Principal Validation Providers

• Principal Validation Concepts
  • Principal Validation and Principal Types
  • How Principal Validation Providers Differ From Other Types of Security Providers
  • Security Exceptions Resulting from Invalid Principals
• The Principal Validation Process
• Do You Need to Develop a Custom Principal Validation Provider?
  • How to Use the WebLogic Principal Validation Provider
• How to Develop a Custom Principal Validation Provider
  • Implement the PrincipalValidator SSPI

7 Authorization Providers

• Authorization Concepts
  • Access Decisions
  • Using the Java Authorization Contract for Containers
• The Authorization Process
• Do You Need to Develop a Custom Authorization Provider?
  • Does Your Custom Authorization Provider Need to Support Application Versioning?
• Is Your Custom Authorization Provider Thread Safe?
• How to Develop a Custom Authorization Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the AuthorizationProvider SSPI
    • Implement the DeployableAuthorizationProviderV2 SSPI
    • Implement the AccessDecision SSPI
    • Example: Creating the Runtime Class for the Sample Authorization Provider
  • Policy Consumer SSPI
    • Required SSPI Interfaces
    • Implement the PolicyConsumerFactory SSPI Interface
    • Implement the PolicyConsumer SSPI Interface
    • Implement the PolicyCollectionHandler SSPI Interface
    • Supporting an Updated Policy Collection
    • The PolicyConsumerMBean
  • PolicyStoreMBean
    • Examining the Format of a XACML Policy File
    • Using WLST to Add a Policy to the PolicyStoreMBean
    • Using WLST to Read a PolicySet as a String
  • Bulk Authorization Providers
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Authorization Provider Using the Administration Console
    • Managing Authorization Providers and Deployment Descriptors
    • Enabling Security Policy Deployment
  • Provide a Mechanism for Security Policy Management
    • Option 1: Develop a Stand-Alone Tool for Security Policy Management
    • Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console

8 Adjudication Providers

• The Adjudication Process
• Do You Need to Develop a Custom Adjudication Provider?
• How to Develop a Custom Adjudication Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the AdjudicationProviderV2 SSPI
    • Implement the AdjudicatorV2 SSPI
  • Bulk Adjudication Providers
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Adjudication Provider Using the Administration Console

9 Role Mapping Providers

• Role Mapping Concepts
  • Security Roles
  • Dynamic Security Role Computation
• The Role Mapping Process
• Is Your Custom Role Mapping Provider Thread Safe?
• Do You Need to Develop a Custom Role Mapping Provider?
  • Does Your Custom Role Mapping Provider Need to Support Application Versioning?
• How to Develop a Custom Role Mapping Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the RoleProvider SSPI
    • Implement the DeployableRoleProviderV2 SSPI
    • Implement the RoleMapper SSPI
    • Implement the SecurityRole Interface
    • Example: Creating the Runtime Class for the Sample Role Mapping Provider
  • Role Consumer SSPI
    • Required SSPI Interfaces
    • Implement the RoleConsumerFactory SSPI Interface
    • Implement the RoleConsumer SSPI Interface
    • Implement the RoleCollectionHandler SSPI Interface
    • Supporting an Updated Role Collection
    • The RoleConsumerMBean
  • PolicyStoreMBean
    • Examining the Format of a XACML Policy File
    • Using WLST to Add a Policy to the PolicyStoreMBean
    • Using WLST to Read a PolicySet as a String
  • Bulk Role Mapping Providers
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Role Mapping Provider Using the Administration Console
    • Managing Role Mapping Providers and Deployment Descriptors
    • Enabling Security Role Deployment
  • Provide a Mechanism for Security Role Management
    • Option 1: Develop a Stand-Alone Tool for Security Role Management
    • Option 2: Integrate an Existing Security Role Management Tool into the Administration Console

10 Auditing Providers

• Auditing Concepts
  • Audit Channels
  • Auditing Events From Custom Security Providers
• The Auditing Process
• Implementing the ContextHandler MBean
  • ContextHandlerMBean Methods
  • Example: Implementing the ContextHandlerMBean
  • Extend weblogic.management.security.audit.ContextHandlerImpl
• Do You Need to Develop a Custom Auditing Provider?
• How to Develop a Custom Auditing Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the AuditProvider SSPI
    • Implement the AuditChannel SSPI
    • Example: Creating the Runtime Class for the Sample Auditing Provider
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom Auditing Provider Using the Administration Console
    • Configuring Audit Severity
• Security Framework Audit Events
  • Passing Additional Audit Information
  • Audit Event Interfaces and Audit Events
    • AuditApplicationVersionEvent
    • AuditAtnEventV2
    • AuditAtzEvent
    • AuditCerPathBuilderEvent, AuditCertPathValidatorEvent
    • AuditConfigurationEvent
    • AuditCredentialMappingEvent
    • AuditLifecycleEvent
    • AuditMgmtEvent
    • AuditPolicyEvent
    • AuditRoleDeploymentEvent
    • AuditRoleEvent

11 Credential Mapping Providers

• Credential Mapping Concepts
• The Credential Mapping Process
• Do You Need to Develop a Custom Credential Mapping Provider?
  • Does Your Custom Credential Mapping Provider Need to Support Application Versioning?
• How to Develop a Custom Credential Mapping Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the CredentialProviderV2 SSPI
    • Implement the DeployableCredentialProvider SSPI
    • Implement the CredentialMapperV2 SSPI
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Provide a Mechanism for Credential Map Management
    • Option 1: Develop a Stand-Alone Tool for Credential Map Management
    • Option 2: Integrate an Existing Credential Map Management Tool into the Administration Console

12 Auditing Events From Custom Security Providers

• Security Services and the Auditor Service
• How to Audit From a Custom Security Provider
  • Create an Audit Event
    • Implement the AuditEvent SSPI
    • Implement an Audit Event Convenience Interface
    • Audit Severity
    • Audit Context
    • Example: Implementation of the AuditRoleEvent Interface
  • Obtain and Use the Auditor Service to Write Audit Events
    • Example: Obtaining and Using the Auditor Service to Write Role Audit Events
    • Auditing Management Operations from a Provider's MBean
    • Example: Auditing Management Operations from a Provider's MBean
  • Best Practice: Posting Audit Events from a Provider's MBean

13 Servlet Authentication Filters

• Authentication Filter Concepts
  • Why Filters are Needed
  • Servlet Authentication Filter Design Considerations
• How Filters Are Invoked
  • Do Not Call Servlet Authentication Filters From Authentication Providers
• Example of a Provider that Implements a Filter
• How to Develop a Custom Servlet Authentication Filter
  • Create Runtime Classes Using the Appropriate SSPIs
  • Implement the Servlet Authentication Filter SSPI
  • Implement the Filter Interface Methods
  • Implementing Challenge Identity Assertion from a Filter
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
  • Configure the Authentication Provider Using Administration Console

14 Versionable Application Providers

• Versionable Application Concepts
• The Versionable Application Process
• Do You Need to Develop a Custom Versionable Application Provider?
• How to Develop a Custom VersionableApplication Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the VersionableApplication SSPI
    • Example: Creating the Runtime Class for the Sample VersionableApplication Provider
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
  • Configure the Custom Versionable Application Provider Using the Administration Console

15 CertPath Providers

• Certificate Lookup and Validation Concepts
  • The Certificate Lookup and Validation Process
  • Do You Need to Implement Separate CertPath Validators and Builders?
  • CertPath Provider SPI MBeans
  • WebLogic CertPath Validator SSPI
  • WebLogic CertPath Builder SSPI
  • Relationship Between the WebLogic Server CertPath SSPI and the JDK SPI
• Do You Need to Develop a Custom CertPath Provider?
• How to Develop a Custom CertPath Provider
  • Create Runtime Classes Using the Appropriate SSPIs
    • Implement the JDK CertPathBuilderSpi and/or CertPathValidatorSpi Interfaces
    • Implement the CertPath Provider SSPI
    • Implement the JDK Security Provider SPI
    • Use the CertPathBuilderParametersSpi SSPI in Your CertPathBuilderSpi Implementation
    • Use the CertPathValidatorParametersSpi SSPI in Your CertPathValidatorSpi Implementation
    • Returning the Builder or Validator Results
    • Example: Creating the Sample Cert Path Provider
  • Generate an MBean Type Using the WebLogic MBeanMaker
    • Create an MBean Definition File (MDF)
    • Use the WebLogic MBeanMaker to Generate the MBean Type
    • Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
    • Install the MBean Type Into the WebLogic Server Environment
  • Configure the Custom CertPath Provider Using the Administration Console

A MBean Definition File (MDF) Element Syntax

• The MBeanType (Root) Element
• The MBeanAttribute Subelement
• The MBeanConstructor Subelement
• The MBeanOperation Subelement
• MBean Operation Exceptions
• Examples: Well-Formed and Valid MBean Definition Files (MDFs)