Design Considerations 3-9
they are created, you can configure and manage the custom security provider using the MBean instance, through the Administration Console.
3.3.2 Determine Which SSPI MBeans to Extend and Implement
You use MBean interfaces called SSPI MBeans to create MBean types. There are two types of SSPI MBeans you can use to create an MBean type for a custom security
provider:
■ Required SSPI MBeans, which you must extend because they define the basic methods that allow a security provider to be configured and managed within the WebLogic Server environment.
■ Optional SSPI MBeans, which you can implement because they define additional methods for managing security providers. Different types of security providers are able to use different optional SSPI MBeans.
For more information, see Section 3.3.6, SSPI MBean Quick Reference.
3.3.3 Understand the Basic Elements of an MBean Definition File (MDF)
An MBean Definition File (MDF) is an XML file used by the WebLogic MBeanMaker utility to generate the Java files that comprise an MBean type. All MDFs must extend a required SSPI MBean that is specific to the type of the security provider you have created, and can implement optional SSPI MBeans.
Example 3–1 shows a sample MBean Definition File (MDF), and an explanation of its content follows. Specifically, it is the MDF used to generate an MBean type for the WebLogic Credential Mapping provider. Note that the DeployableCredentialProvider interface is deprecated in this release of WebLogic Server.
Example 3–1 DefaultCredentialMapper.xml
<MBeanType
 Name = "DefaultCredentialMapper"
 DisplayName = "DefaultCredentialMapper"
 Package = "weblogic.security.providers.credentials"
 Extends = "weblogic.management.security.credentials.DeployableCredentialMapper"
 Implements = "weblogic.management.security.credentials.UserPasswordCredentialMapEditor,
   weblogic.management.security.credentials.UserPasswordCredentialMapExtendedReader,
   weblogic.management.security.ApplicationVersioner,
   weblogic.management.security.Import,
   weblogic.management.security.Export"
 PersistPolicy = "OnUpdate"
 Description = "This MBean represents configuration attributes for the WebLogic Credential Mapping provider.&lt;p&gt;"
>
<MBeanAttribute
 Name = "ProviderClassName"
 Type = "java.lang.String"
 Writeable = "false"
 Default = "&quot;weblogic.security.providers.credentials.DefaultCredentialMapperProviderImpl&quot;"
 Description = "The name of the Java class that loads the WebLogic Credential Mapping provider."
/>
<MBeanAttribute
 Name = "Description"
 Type = "java.lang.String"
 Writeable = "false"
 Default = "&quot;Provider that performs Default Credential Mapping&quot;"
 Description = "A short description of the WebLogic Credential Mapping provider."
/>
<MBeanAttribute
 Name = "Version"
 Type = "java.lang.String"
 Writeable = "false"
 Default = "&quot;1.0&quot;"
 Description = "The version of the WebLogic Credential Mapping provider."
/>
:
:
</MBeanType>
Note: All MBean instances are aware of their parent type, so if you modify the configuration of an MBean type, all instances that you or an administrator may have created using the Administration Console will also update their configurations. For more information, see Section 3.3.4, Understand the SSPI MBean Hierarchy and How It Affects the Administration Console.
Note: A complete reference of MDF element syntax is available in Appendix A, MBean Definition File (MDF) Element Syntax.
3-10 Developing Security Providers for Oracle WebLogic Server
The bold attributes in the MBeanType tag show that this MDF is named DefaultCredentialMapper and that it extends the required SSPI MBean called DeployableCredentialMapper. It also includes additional management capabilities by implementing the UserPasswordCredentialMapEditor optional SSPI MBean.
The ProviderClassName, Description, and Version attributes defined in the MBeanAttribute tags are required in any MDF used to generate MBean types for security providers because they define the security provider's basic configuration methods, and are inherited from the base required SSPI MBean called Provider (see Figure 3–5). The ProviderClassName attribute is especially important. The value for the ProviderClassName attribute is the Java filename of the security provider's runtime class (that is, the implementation of the appropriate SSPI ending in "Provider"). The example runtime class shown in Example 3–1 is DefaultCredentialMapperProviderImpl.java.
While not shown in Example 3–1, you can include additional attributes and operations in an MDF using the MBeanAttribute and MBeanOperation tags. Most custom attributes will automatically appear in the Provider Specific tab for your custom security provider in the WebLogic Server Administration Console. To display custom operations, however, you need to write a console extension. See Section 2.2.4, Writing Console Extensions.
Note: The Sample Auditing provider available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site provides an example of adding a custom attribute.
3.3.3.1 Custom Providers and Classpaths
Classes loaded from WL_HOME\server\lib\mbeantypes are not visible to other JAR and EAR files deployed on WebLogic Server. If you have common utility classes
that you want to share, you must place them in the system classpath.
3.3.3.2 Throwing Exceptions from MBean Operations
Your custom provider MBeans must throw only JDK exception types or weblogic.management.utils exception types. Otherwise, JMX clients may not
include the code necessary to receive your exceptions.
■ For typed exceptions, you must throw only the exact types from the throws clause of your MBean's method, as opposed to deriving and throwing your own exception type from that type.
■ For nested exceptions, you must throw only JDK exception types or weblogic.management.utils exceptions.
■ For runtime exceptions, you must throw or pass through only JDK exceptions.
3.3.3.3 Specifying Non-Clear Text Values for MBean Attributes
As described in Table A.2, you can use the Encrypted attribute to specify that the value of an MBean attribute should not be displayed as clear text. For example, you encrypt the value of the MBean attribute when getting input for a password. The following code fragment shows an example of using the Encrypted attribute:
<MBeanAttribute
 Name = "PrivatePassPhrase"
 Type = "java.lang.String"
 Encrypted = "true"
 Default = "&quot;&quot;"
 Description = "The Keystore password."
/>
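A pre-build check for the two MDF rules described above (the three required attributes, and Encrypted on password-like attributes), as an added example that is not part of the Oracle documentation or the MBeanMaker utility. The sample MDF, the com.example.security package, the secret-name pattern and the literal-default check are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Attributes the page says every security-provider MDF must define.
REQUIRED = ("ProviderClassName", "Description", "Version")
# Assumption: attribute names matching this pattern hold secrets.
SECRET_NAME = re.compile(r"pass(word|phrase)|secret", re.I)

# Constructed sample MDF (not from the page): Version is missing and
# KeystorePassPhrase lacks Encrypted = "true".
SAMPLE_MDF = """\
<MBeanType Name="SampleCredentialMapper"
           Package="com.example.security"
           Extends="weblogic.management.security.credentials.DeployableCredentialMapper">
  <MBeanAttribute Name="ProviderClassName" Type="java.lang.String"
      Writeable="false"
      Default="&quot;com.example.security.SampleCredentialMapperProviderImpl&quot;"/>
  <MBeanAttribute Name="Description" Type="java.lang.String"
      Writeable="false" Default="&quot;Sample provider&quot;"/>
  <MBeanAttribute Name="KeystorePassPhrase" Type="java.lang.String"
      Default="&quot;&quot;"/>
  <MBeanAttribute Name="PrivatePassPhrase" Type="java.lang.String"
      Encrypted="true" Default="&quot;&quot;"/>
</MBeanType>
"""


def lint_mdf(xml_text):
    """Return a sorted list of findings for one MDF document."""
    root = ET.fromstring(xml_text)
    if root.tag != "MBeanType":
        return ["root element is not MBeanType"]
    attrs = {a.get("Name", ""): a for a in root.iter("MBeanAttribute")}
    findings = [f"missing required attribute: {name}"
                for name in REQUIRED if name not in attrs]
    for name, elem in attrs.items():
        encrypted = (elem.get("Encrypted") or "").strip().lower() == "true"
        if SECRET_NAME.search(name) and not encrypted:
            findings.append(f"secret-like attribute not Encrypted: {name}")
        # Added check (assumption): a non-empty default on an encrypted
        # attribute means a secret is hard-coded in the MDF itself.
        default = (elem.get("Default") or "").strip('"')
        if encrypted and default:
            findings.append(f"encrypted attribute has a literal default: {name}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_mdf(SAMPLE_MDF):
        print(finding)
```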
3.3.4 Understand the SSPI MBean Hierarchy and How It Affects the Administration Console