Determine Which SSPI MBeans to Extend and Implement; Understand the Basic Elements of an MBean Definition File (MDF)

Design Considerations 3-9

they are created, you can configure and manage the custom security provider using the MBean instance, through the Administration Console.

3.3.2 Determine Which SSPI MBeans to Extend and Implement

You use MBean interfaces called SSPI MBeans to create MBean types. There are two types of SSPI MBeans you can use to create an MBean type for a custom security provider:

■ Required SSPI MBeans, which you must extend because they define the basic methods that allow a security provider to be configured and managed within the WebLogic Server environment.
■ Optional SSPI MBeans, which you can implement because they define additional methods for managing security providers. Different types of security providers are able to use different optional SSPI MBeans.

For more information, see Section 3.3.6, SSPI MBean Quick Reference.

3.3.3 Understand the Basic Elements of an MBean Definition File (MDF)

An MBean Definition File (MDF) is an XML file used by the WebLogic MBeanMaker utility to generate the Java files that comprise an MBean type. All MDFs must extend a required SSPI MBean that is specific to the type of the security provider you have created, and can implement optional SSPI MBeans.

Note: All MBean instances are aware of their parent type, so if you modify the configuration of an MBean type, all instances that you or an administrator may have created using the Administration Console will also update their configurations. For more information, see Section 3.3.4, Understand the SSPI MBean Hierarchy and How It Affects the Administration Console.

Note: A complete reference of MDF element syntax is available in Appendix A, MBean Definition File (MDF) Element Syntax.

3-10 Developing Security Providers for Oracle WebLogic Server

Example 3–1 shows a sample MBean Definition File (MDF), and an explanation of its content follows. Specifically, it is the MDF used to generate an MBean type for the WebLogic Credential Mapping provider. Note that the DeployableCredentialProvider interface is deprecated in this release of WebLogic Server.

Example 3–1 DefaultCredentialMapper.xml

    <MBeanType
      Name = "DefaultCredentialMapper"
      DisplayName = "DefaultCredentialMapper"
      Package = "weblogic.security.providers.credentials"
      Extends = "weblogic.management.security.credentials.DeployableCredentialMapper"
      Implements = "weblogic.management.security.credentials.UserPasswordCredentialMapEditor,
        weblogic.management.security.credentials.UserPasswordCredentialMapExtendedReader,
        weblogic.management.security.ApplicationVersioner,
        weblogic.management.security.Import,
        weblogic.management.security.Export"
      PersistPolicy = "OnUpdate"
      Description = "This MBean represents configuration attributes for the
        WebLogic Credential Mapping provider.&lt;p&gt;"
    >

    <MBeanAttribute
      Name = "ProviderClassName"
      Type = "java.lang.String"
      Writeable = "false"
      Default = "&quot;weblogic.security.providers.credentials.DefaultCredentialMapperProviderImpl&quot;"
      Description = "The name of the Java class that loads the WebLogic Credential
        Mapping provider."
    />

    <MBeanAttribute
      Name = "Description"
      Type = "java.lang.String"
      Writeable = "false"
      Default = "&quot;Provider that performs Default Credential Mapping&quot;"
      Description = "A short description of the WebLogic Credential Mapping provider."
    />

    <MBeanAttribute
      Name = "Version"
      Type = "java.lang.String"
      Writeable = "false"
      Default = "&quot;1.0&quot;"
      Description = "The version of the WebLogic Credential Mapping provider."
    />
    :
    :
    </MBeanType>

The bold attributes in the MBeanType tag show that this MDF is named DefaultCredentialMapper and that it extends the required SSPI MBean called DeployableCredentialMapper. It also includes additional management capabilities by implementing the UserPasswordCredentialMapEditor optional SSPI MBean.

The ProviderClassName, Description, and Version attributes defined in the MBeanAttribute tags are required in any MDF used to generate MBean types for security providers because they define the security provider's basic configuration methods, and are inherited from the base required SSPI MBean called Provider (see Figure 3–5). The ProviderClassName attribute is especially important. The value for the ProviderClassName attribute is the Java filename of the security provider's runtime class (that is, the implementation of the appropriate SSPI ending in Provider). The example runtime class shown in Example 3–1 is DefaultCredentialMapperProviderImpl.java.

While not shown in Example 3–1, you can include additional attributes and operations in an MDF using the MBeanAttribute and MBeanOperation tags. Most custom attributes will automatically appear in the Provider Specific tab for your custom security provider in the WebLogic Server Administration Console. To display custom operations, however, you need to write a console extension. See Section 2.2.4, Writing Console Extensions.

Note: The Sample Auditing provider available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site provides an example of adding a custom attribute.

3.3.3.1 Custom Providers and Classpaths

Classes loaded from WL_HOME\server\lib\mbeantypes are not visible to other JAR and EAR files deployed on WebLogic Server. If you have common utility classes that you want to share, you must place them in the system classpath.

3.3.3.2 Throwing Exceptions from MBean Operations

Your custom provider MBeans must throw only JDK exception types or weblogic.management.utils exception types. Otherwise, JMX clients may not include the code necessary to receive your exceptions.

■ For typed exceptions, you must throw only the exact types from the throw clause of your MBean's method, as opposed to deriving and throwing your own exception type from that type.
■ For nested exceptions, you must throw only JDK exception types or weblogic.management.utils exceptions.
■ For runtime exceptions, you must throw or pass through only JDK exceptions.

3.3.3.3 Specifying Non-Clear Text Values for MBean Attributes

As described in Table A.2, you can use the Encrypted attribute to specify that the value of an MBean attribute should not be displayed as clear text. For example, you encrypt the value of the MBean attribute when getting input for a password. The following code fragment shows an example of using the Encrypted attribute:

    <MBeanAttribute
      Name = "PrivatePassPhrase"
      Type = "java.lang.String"
      Encrypted = "true"
      Default = "&quot;&quot;"
      Description = "The Keystore password."
    />
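The following pre-build check is an added example, not Oracle's code or part of the MBeanMaker utility. It audits an MDF for the three attributes Section 3.3.3 says every provider MDF must define and for secret-like attributes that lack the Encrypted setting described above. The function name audit_mdf, the name pattern, the empty-Default rule and the sample MDF (SampleCredentialMapper, com.example.security) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the page says every security-provider MDF must define.
REQUIRED_ATTRS = ("ProviderClassName", "Description", "Version")
# Assumption: attribute names matching this pattern hold secrets.
SECRET_NAME = re.compile(r"pass(word|phrase)|secret", re.I)


def audit_mdf(mdf_xml):
    """Return a list of findings for one MDF document (empty list = clean)."""
    root = ET.fromstring(mdf_xml)
    if root.tag != "MBeanType":
        return ["root element is <%s>, expected <MBeanType>" % root.tag]
    findings = []
    if not root.get("Extends", "").strip():
        findings.append("MBeanType has no Extends (required SSPI MBean)")
    attrs = {a.get("Name"): a for a in root.iter("MBeanAttribute")}
    for name in REQUIRED_ATTRS:
        if name not in attrs:
            findings.append("missing required MBeanAttribute " + name)
    for name, attr in attrs.items():
        if not name or not SECRET_NAME.search(name):
            continue
        if attr.get("Encrypted", "false").lower() != "true":
            findings.append(name + ': secret-like attribute without Encrypted = "true"')
        # &quot;&quot; is the empty default; anything else ships a secret in the MDF.
        if attr.get("Default", "").strip('"') != "":
            findings.append(name + ": non-empty Default embeds a secret in the MDF")
    return findings


# Constructed sample MDF (not from the page): Version is missing and the
# pass phrase attribute is left in clear text with a baked-in default.
SAMPLE_MDF = """
<MBeanType Name = "SampleCredentialMapper"
  Package = "com.example.security"
  Extends = "weblogic.management.security.credentials.DeployableCredentialMapper">
 <MBeanAttribute Name = "ProviderClassName" Type = "java.lang.String"
   Default = "&quot;com.example.security.SampleCredentialMapperProviderImpl&quot;"/>
 <MBeanAttribute Name = "Description" Type = "java.lang.String"
   Writeable = "false" Default = "&quot;Sample provider&quot;"/>
 <MBeanAttribute Name = "PrivatePassPhrase" Type = "java.lang.String"
   Default = "&quot;changeit&quot;"/>
</MBeanType>
"""

if __name__ == "__main__":
    for finding in audit_mdf(SAMPLE_MDF):
        print("FINDING:", finding)
```

Run it over each MDF before invoking MBeanMaker and fail the build on any finding.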

3.3.4 Understand the SSPI MBean Hierarchy and How It Affects the Administration Console