7-14 Developing Security Providers for Oracle WebLogic Server
import java.util.Date;
// Fragment continues from the previous page: the class header and the application, component and date fields are restored here (the enclosing sample class is not shown).
class SampleDeployPolicyHandle {
    String application;
    String component;
    Date date;
    ComponentType componentType;
    SampleDeployPolicyHandle(String app, String comp, ComponentType type) {
        this.application = app;
        this.component = comp;
        this.componentType = type;
        this.date = new Date();
    }
    public String getApplication() { return application; }
    public String getComponent() { return component; }
    public ComponentType getComponentType() { return componentType; }
    public String toString() {
        String name = component;
        if (componentType == ComponentType.APPLICATION) name = application;
        return componentType + " " + name + " [" + date.toString() + "]";
    }
}
7.5.2 Policy Consumer SSPI
WebLogic Server implements a policy consumer for JMX MBean default policies and Web service annotations. This release of WebLogic Server includes an SSPI that
Authorization providers can use to obtain the policy collections.
The PolicyConsumer SSPI is optional; only those Authorization providers that implement the SSPI are called to consume a policy collection.
The SSPI supports both the delivery of initial policy collections and the delivery of updated policy collections.
All Authorization providers that support the PolicyConsumer SSPI are called to consume a policy collection. Each Authorization provider can choose to skip or obtain
the policy collection for a given policy set. In the case where a provider persists policy, the provider need only collect the policy once. However, providers keeping policy in
memory can obtain the policy collection again.
The out-of-the-box WebLogic Server Authorization providers persist the policy into LDAP.
7.5.2.1 Required SSPI Interfaces
If you want your custom Authorization provider to support the delivery of policy collections, you must implement three interfaces:
■ weblogic.security.spi.PolicyConsumerFactory
■ weblogic.security.spi.PolicyConsumer
■ weblogic.security.spi.PolicyCollectionHandler
These interfaces are described in the sections that follow.
Authorization Providers 7-15
7.5.2.2 Implement the PolicyConsumerFactory SSPI Interface
An Authorization provider implements the PolicyConsumerFactory interface so that an instance of a PolicyConsumer is available to the WebLogic Security
Framework. The WebLogic Security Framework calls your PolicyConsumerFactory implementation to obtain the provider's implementation
of the policy consumer.
The PolicyConsumerFactory SSPI has one method, which returns your implementation of the PolicyConsumer SSPI interface.
public interface PolicyConsumerFactory {
    /**
     * Obtain the implementation of the PolicyConsumer security service provider interface (SSPI).
     * @return a PolicyConsumer SSPI implementation.
     */
    public PolicyConsumer getPolicyConsumer();
}
7.5.2.3 Implement the PolicyConsumer SSPI Interface
The PolicyConsumer SSPI returns a policy collection handler for consumption of a policy collection. It has one method, getPolicyCollectionHandler, which
takes a PolicyCollectionInfo implementation as an argument and returns your implementation of the PolicyCollectionHandler interface.
public interface PolicyConsumer {
    /**
     * Obtain a policy handler for consumption of a policy set.
     * @param info the PolicyCollectionInfo for the policy set.
     * @return a PolicyCollectionHandler, or null to indicate that the policy set is not needed.
     * @exception ConsumptionException if an error occurs obtaining the handler
     *            and the policy set cannot be consumed.
     */
    public PolicyCollectionHandler getPolicyCollectionHandler(PolicyCollectionInfo info)
        throws ConsumptionException;
}
The WebLogic Security Framework calls the getPolicyCollectionHandler method and passes data about a policy collection to a security provider as an
implementation of the PolicyCollectionInfo interface. This interface implementation is provided for you; you do not have to implement it.
You use the PolicyCollectionInfo getName, getVersion, getTimestamp, and getResourceTypes methods to discover information
about this policy set. You then return a PolicyCollectionHandler, or NULL to indicate that the policy collection is not needed.
public interface PolicyCollectionInfo {
    /** Get the name of the collection. */
    public String getName();
    /** Get the runtime version of the policy. */
    public String getVersion();
    /** Get the timestamp of the policy. */
    public String getTimestamp();
    /** Get the resource types used in the policy collection. */
    public Resource[] getResourceTypes();
}
7.5.2.4 Implement the PolicyCollectionHandler SSPI Interface
The PolicyConsumer.getPolicyCollectionHandler method returns your implementation of the PolicyCollectionHandler interface.
PolicyCollectionHandler has three methods: setPolicy, setUncheckedPolicy, and done. The setPolicy method takes a resource
and role names and sets a policy based on the role. The setUncheckedPolicy method opens access to everyone.
The done method signals the completion of the policy collection. We recommend that the done method remove all old policies for the policy set.
public interface PolicyCollectionHandler {
    /** Set a policy for the specified resource. */
    public void setPolicy(Resource resource, String[] roleNames)
        throws ConsumptionException;
    /** Sets a policy which always grants access. */
    public void setUncheckedPolicy(Resource resource)
        throws ConsumptionException;
    /** Signals the completion of the policy collection. */
    public void done()
        throws ConsumptionException;
}
7.5.2.5 Supporting an Updated Policy Collection
To support the delivery of an updated policy collection, all Authorization providers that support the PolicyConsumer SSPI need to examine the contents of the
PolicyCollectionInfo passed in the PolicyConsumer.getPolicyCollectionHandler method to determine if a
policy set has changed. Each provider must decide (possibly by configuration) how to perform conflict resolution between the initial policy collection and any customized policy
received outside of the SSPI.
For the WebLogic Server supplied Authorization providers, customized policy will not be replaced by the updated policy collection: all policy from the initial policy collection
will be removed and only the customized policies, plus the updated policy collection, will be in effect. If the policy collection info has a different timestamp or version, it is
treated as an updated policy collection. The collection name is used as a persistence key.
7.5.2.6 The PolicyConsumerMBean
Authorization providers that implement the Policy Consumer SSPI must also implement the
weblogic.management.security.authorization.PolicyConsumerMBean to indicate that the provider supports policy consumption.
7.5.3 PolicyStoreMBean