
Developing Security Providers for Oracle WebLogic Server

■ Section 9.5.7.1, Option 1: Develop a Stand-Alone Tool for Security Role Management
■ Section 9.5.7.2, Option 2: Integrate an Existing Security Role Management Tool into the Administration Console

9.5.7.1 Option 1: Develop a Stand-Alone Tool for Security Role Management

You would typically select this option if you want to develop a tool that is entirely separate from the WebLogic Server Administration Console. For this option, you do not need to write any console extensions for your custom Role Mapping provider, nor do you need to develop any management MBeans. However, your tool needs to:

1. Determine the WebLogic resource's ID, since it is not automatically provided to you by the console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.

2. Determine how to represent the expressions that make up a security role. This representation is entirely up to you and need not be a string.

3. Read and write the expressions from and to the custom Role Mapping provider's database.

9.5.7.2 Option 2: Integrate an Existing Security Role Management Tool into the Administration Console

You would typically select this option if you have a tool that is separate from the WebLogic Server Administration Console, but you want to launch that tool from the Administration Console. For this option, your tool needs to:

1. Determine the WebLogic resource's ID, since it is not automatically provided to you by the console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.

2. Determine how to represent the expressions that make up a security role. This representation is entirely up to you and need not be a string.

3. Read and write the expressions from and to the custom Role Mapping provider's database.

4. Link into the Administration Console using basic console extension techniques, as described in Extending the Administration Console for Oracle WebLogic Server.

10 Auditing Providers

Auditing is the process whereby information about operating requests and the outcome of those requests is collected, stored, and distributed for the purposes of non-repudiation. In WebLogic Server, an Auditing provider provides this electronic trail of computer activity.

The following sections describe Auditing provider concepts and functionality, and provide step-by-step instructions for developing a custom Auditing provider:

■ Section 10.1, Auditing Concepts
■ Section 10.2, The Auditing Process
■ Section 10.3.3, Extend weblogic.management.security.audit.ContextHandlerImpl
■ Section 10.5, How to Develop a Custom Auditing Provider
■ Section 10.6, Security Framework Audit Events

10.1 Auditing Concepts

Before you develop an Auditing provider, you need to understand the following concepts:

■ Section 10.1.1, Audit Channels
■ Section 10.1.2, Auditing Events From Custom Security Providers

10.1.1 Audit Channels

An Audit Channel is the component of an Auditing provider that determines whether a security event should be audited, and performs the actual recording of audit information based on Quality of Service (QoS) policies.

10.1.2 Auditing Events From Custom Security Providers

Each type of security provider can call the configured Auditing providers with a request to write out information about security-related events, before or after these events take place. For example, if a user attempts to access a withdraw method in a bank account application to which they should not have access, the Authorization provider can request that this operation be recorded. Security-related events are only recorded when they meet or exceed the severity level specified in the configuration of the Auditing providers.

Note: For more information about Audit Channels, see Section 10.5.1.2, Implement the AuditChannel SSPI.
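
A minimal model of the severity gate described in Sections 10.1.1 and 10.1.2, added here as an illustration and not taken from Oracle's documentation or sample code. The types (`Severity`, `SecurityEvent`, `ThresholdAuditChannel`) are hypothetical stand-ins rather than the WebLogic SSPI classes, and the severity ordering is an assumption of the example. It needs Java 16 or later for `record`.

```java
import java.util.ArrayList;
import java.util.List;

// Stand-in types for illustration; these are NOT the WebLogic SSPI classes.
public class ThresholdAuditDemo {

    // Assumed severity scale, lowest to highest (declaration order defines rank).
    enum Severity { INFORMATION, WARNING, ERROR, SUCCESS, FAILURE }

    // Hypothetical event shape: which provider reported what, about whom.
    record SecurityEvent(Severity severity, String provider, String subject, String detail) {}

    // Channel that decides whether an event is audited, then records it.
    static final class ThresholdAuditChannel {
        private final Severity threshold;
        private final List<String> trail = new ArrayList<>(); // stands in for the audit store

        ThresholdAuditChannel(Severity threshold) { this.threshold = threshold; }

        // Returns true if the event met or exceeded the configured severity and was recorded.
        boolean writeEvent(SecurityEvent e) {
            if (e.severity().compareTo(threshold) < 0) {
                return false; // below threshold: not audited
            }
            trail.add(String.join("|", e.severity().name(), clean(e.provider()),
                    clean(e.subject()), clean(e.detail())));
            return true;
        }

        // Keep one event per record: caller-supplied text must not introduce
        // line breaks or the field separator into the trail.
        private static String clean(String s) {
            return s == null ? "-" : s.replaceAll("[\\r\\n|]", "_");
        }

        List<String> trail() { return List.copyOf(trail); }
    }

    public static void main(String[] args) {
        ThresholdAuditChannel channel = new ThresholdAuditChannel(Severity.ERROR);
        // Constructed sample events, modelled on the bank-account case above.
        List<SecurityEvent> events = List.of(
            new SecurityEvent(Severity.INFORMATION, "Authentication", "alice", "login succeeded"),
            new SecurityEvent(Severity.FAILURE, "Authorization", "bob", "withdraw denied\nsecond line"),
            new SecurityEvent(Severity.WARNING, "RoleMapping", "carol", "role lookup slow"));
        for (SecurityEvent e : events) {
            System.out.println(e.severity() + " recorded=" + channel.writeEvent(e));
        }
        channel.trail().forEach(System.out::println);
    }
}
```

With the threshold set to `ERROR`, only the Authorization event is written to the trail, and its embedded line break is replaced so the entry stays a single record.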