3-4 Developing Security Providers for Oracle WebLogic Server ■ shutdown public void shutdown This method shuts down the custom security provider. Because they extend SecurityProvider, a runtime class that implements any SSPI ending in Provider must provide implementations for these inherited methods.

3.2.3 Understand the Purpose of the Bulk Access Providers

This release of WebLogic Server includes bulk access versions of the following Authorization, Adjudication, and Role Mapping provider SSPI interfaces: ■ BulkAuthorizationProvider ■ BulkAccessDecision ■ BulkAdjudicationProvider ■ BulkAdjudicator ■ BulkRoleProvider ■ BulkRoleMapper The bulk access SSPI interfaces allow Authorization, Adjudication, and Role Mapping providers to receive multiple decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result. See Section 7.5.4, Bulk Authorization Providers, Section 8.3.2, Bulk Adjudication Providers, and Section 9.5.4, Bulk Role Mapping Providers for additional information.

3.2.4 Determine Which Provider Interface You Will Implement

Implementations of SSPIs that begin with the prefix Deployable and end with the suffix Provider for example, DeployableRoleProviderV2 expose the services of a custom security provider into the WebLogic Security Framework as explained in Section 3.2.2, Understand the Purpose of the Provider SSPIs. However, implementations of these SSPIs also perform additional tasks. These SSPIs also provide support for security in deployment descriptors, including the servlet deployment descriptors web.xml, weblogic.xml, the EJB deployment descriptors ejb-jar.xml, weblogic-ejb.jar.xml and the EAR deployment descriptors application.xml, weblogic-application.xml. Authorization providers, Role Mapping providers, and Credential Mapping providers have deployable versions of their Provider SSPIs. Note: If your security provider database which stores security policies, security roles, and credentials is read-only, you can implement the non-deployable version of the SSPI for your Authorization, Role Mapping, and Credential Mapping security providers. However, you will still need to configure deployable versions of these security provider that do handle deployment. Design Considerations 3-5

3.2.4.1 The DeployableAuthorizationProviderV2 SSPI

An Authorization provider that supports deploying security policies on behalf of Web application or Enterprise JavaBean EJB deployments needs to implement the DeployableAuthorizationProviderV2 SSPI instead of the AuthorizationProvider SSPI. However, because the DeployableAuthorizationProviderV2 SSPI extends the AuthorizationProvider SSPI, you actually will need to implement the methods from both SSPIs. This is because Web application and EJB deployment activities require the Authorization provider to perform additional tasks, such as creating and removing security policies. In a security realm, at least one Authorization provider must support the DeployableAuthorizationProviderV2 SSPI, or else it will be impossible to deploy Web applications and EJBs.

3.2.4.2 The DeployableRoleProviderV2 SSPI

A Role Mapping provider that supports deploying security roles on behalf of Web application or Enterprise JavaBean EJB deployments needs to implement the DeployableRoleProviderV2 SSPI instead of the RoleProvider SSPI. However, because the DeployableRoleProviderV2 SSPI extends the RoleProvider SSPI, you will actually need to implement the methods from both SSPIs. This is because Web application and EJB deployment activities require the Role Mapping provider to perform additional tasks, such as creating and removing security roles. In a security realm, at least one Role Mapping provider must support this SSPI, or else it will be impossible to deploy Web applications and EJBs.

3.2.4.3 The DeployableCredentialProvider SSPI

A Credential Mapping provider that supports deploying security policies on behalf of Resource Adapter RA deployments needs to implement the DeployableCredentialProvider SSPI instead of the CredentialProvider SSPI. However, because the DeployableCredentialProvider SSPI extends the CredentialProvider SSPI, you will actually need to implement the methods from both SSPIs. This is because Resource Adapter deployment activities require the Credential Mapping provider to perform additional tasks, such as creating and removing credentials and mappings. In a security realm, at least one Credential Mapping provider must support this SSPI, or else it will be impossible to deploy Resource Adapters. Note: For more information about security policies, see Security Policies in Securing Resources Using Roles and Policies for Oracle WebLogic Server. Note: For more information about security roles, see Users, Groups, and Security Roles in Securing Resources Using Roles and Policies for Oracle WebLogic Server. Note: The DeployableCredentialProvider interface is deprecated in this release of WebLogic Server. 3-6 Developing Security Providers for Oracle WebLogic Server

3.2.5 Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes