Policy Consumer SSPI How to Develop a Custom Authorization Provider

7-14 Developing Security Providers for Oracle WebLogic Server

    // (continued from the previous page: the closing part of the
    //  SampleDeployPolicyHandle example; its other fields are declared above)
    ComponentType componentType;

    SampleDeployPolicyHandle(String app, String comp, ComponentType type) {
      this.application = app;
      this.component = comp;
      this.componentType = type;
      this.date = new Date();
    }

    public String getApplication() { return application; }
    public String getComponent() { return component; }
    public ComponentType getComponentType() { return componentType; }

    public String toString() {
      String name = component;
      if (componentType == ComponentType.APPLICATION) name = application;
      return componentType + " " + name + " [" + date.toString() + "]";
    }
  }
}

7.5.2 Policy Consumer SSPI

WebLogic Server implements a policy consumer for JMX MBean default policies and Web service annotations. This release of WebLogic Server includes an SSPI that Authorization providers can use to obtain these policy collections. The PolicyConsumer SSPI is optional: only those Authorization providers that implement it are called to consume a policy collection, and every provider that does implement it is called. The SSPI supports both the delivery of initial policy collections and the delivery of updated policy collections. For each policy set, an Authorization provider can choose to obtain the policy collection or to skip it. A provider that persists policy need only collect a given policy set once; a provider that keeps policy in memory can obtain the policy collection again. The out-of-the-box WebLogic Server Authorization providers persist the policy into LDAP.

7.5.2.1 Required SSPI Interfaces

If you want your custom Authorization provider to support the delivery of policy collections, you must implement three interfaces:
■ weblogic.security.spi.PolicyConsumerFactory
■ weblogic.security.spi.PolicyConsumer
■ weblogic.security.spi.PolicyCollectionHandler
These interfaces are described in the sections that follow.
Authorization Providers 7-15

7.5.2.2 Implement the PolicyConsumerFactory SSPI Interface

An Authorization provider implements the PolicyConsumerFactory interface so that an instance of a PolicyConsumer is available to the WebLogic Security Framework. The WebLogic Security Framework calls your PolicyConsumerFactory implementation to obtain the provider's implementation of the policy consumer. The PolicyConsumerFactory SSPI has one method, which returns your implementation of the PolicyConsumer SSPI interface.

    public interface PolicyConsumerFactory {
      /**
       * Obtain the implementation of the PolicyConsumer security service
       * provider interface (SSPI).
       *
       * @return a PolicyConsumer SSPI implementation.
       */
      public PolicyConsumer getPolicyConsumer();
    }

7.5.2.3 Implement the PolicyConsumer SSPI Interface

The PolicyConsumer SSPI returns a policy collection handler for consumption of a policy collection. It has one method, getPolicyCollectionHandler, which takes a PolicyCollectionInfo implementation as an argument and returns your implementation of the PolicyCollectionHandler interface.

    public interface PolicyConsumer {
      /**
       * Obtain a policy handler for consumption of a policy set.
       *
       * @param info the PolicyCollectionInfo for the policy set.
       * @return a PolicyCollectionHandler, or null to indicate that the
       *         policy set is not needed.
       * @exception ConsumptionException if an error occurs obtaining the
       *            handler and the policy set cannot be consumed.
       */
      public PolicyCollectionHandler getPolicyCollectionHandler(PolicyCollectionInfo info)
          throws ConsumptionException;
    }

The WebLogic Security Framework calls the getPolicyCollectionHandler method and passes data about a policy collection to a security provider as an implementation of the PolicyCollectionInfo interface. This interface implementation is provided for you; you do not have to implement it. Use the PolicyCollectionInfo getName, getVersion, getTimestamp, and getResourceTypes methods to discover information about this policy set, then return a PolicyCollectionHandler, or null to indicate that the policy collection is not needed.

    public interface PolicyCollectionInfo {
      /** Get the name of the collection. */
      public String getName();

      /** Get the runtime version of the policy. */
      public String getVersion();

      /** Get the timestamp of the policy. */
      public String getTimestamp();

      /** Get the resource types used in the policy collection. */
      public Resource[] getResourceTypes();
    }

7.5.2.4 Implement the PolicyCollectionHandler SSPI Interface

The PolicyConsumer.getPolicyCollectionHandler method returns your implementation of the PolicyCollectionHandler interface. PolicyCollectionHandler has three methods: setPolicy, setUncheckedPolicy, and done. The setPolicy method takes a resource and role names and sets a policy based on the roles. The setUncheckedPolicy method opens access to everyone. The done method signals the completion of the policy collection. We recommend that the done method remove all old policies for the policy set.

    public interface PolicyCollectionHandler {
      /** Set a policy for the specified resource. */
      public void setPolicy(Resource resource, String[] roleNames)
          throws ConsumptionException;

      /** Sets a policy which always grants access. */
      public void setUncheckedPolicy(Resource resource)
          throws ConsumptionException;

      /** Signals the completion of the policy collection. */
      public void done() throws ConsumptionException;
    }

7.5.2.5 Supporting an Updated Policy Collection

To support the delivery of an updated policy collection, all Authorization providers that support the PolicyConsumer SSPI need to examine the contents of the PolicyCollectionInfo passed to the PolicyConsumer.getPolicyCollectionHandler method to determine whether a policy set has changed. If the policy collection info has a different timestamp or version than the one previously consumed, it is treated as an updated policy collection; the collection name is used as the persistence key. Each provider must decide (possibly by configuration) how to perform conflict resolution between the updated policy collection, the initial policy collection, and any customized policy received outside of the SSPI. For the WebLogic Server supplied Authorization providers, customized policy is not replaced by the updated policy collection: all policy from the initial policy collection is removed, and only the customized policies plus the updated policy collection remain in effect.
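The following is an added example, not Oracle's code, that puts Sections 7.5.2.2 through 7.5.2.5 together in one hypothetical in-memory consumer. The class name SamplePolicyConsumer, the Policy and Stamp helpers, the lookup and setCustomizedPolicy methods, and the use of Resource.toString() as a map key are all assumptions made for illustration; only the weblogic.security.spi interfaces it implements come from the page. It declines a collection whose name, version and timestamp it has already consumed (the null return path), stages each delivery in the handler, and in done() replaces everything previously held under that collection name, so old policies from the earlier delivery are removed while out-of-band customizations are left untouched, mirroring the conflict-resolution behaviour the text describes for the WebLogic-supplied providers.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

import weblogic.security.spi.ConsumptionException;
import weblogic.security.spi.PolicyCollectionHandler;
import weblogic.security.spi.PolicyCollectionInfo;
import weblogic.security.spi.PolicyConsumer;
import weblogic.security.spi.PolicyConsumerFactory;
import weblogic.security.spi.Resource;

/**
 * Hypothetical in-memory policy consumer (example code, not WebLogic's own).
 * In a real provider the AuthorizationProvider class would implement
 * PolicyConsumerFactory and return an instance like this one.
 */
public class SamplePolicyConsumer implements PolicyConsumerFactory, PolicyConsumer {

  /** One consumed policy: either unchecked (always grant) or a list of role names. */
  public static final class Policy {
    public final boolean unchecked;
    public final List<String> roleNames;
    Policy(boolean unchecked, List<String> roleNames) {
      this.unchecked = unchecked;
      this.roleNames = Collections.unmodifiableList(roleNames);
    }
  }

  /** Version and timestamp of the collection last consumed under a given name. */
  private static final class Stamp {
    final String version, timestamp;
    Stamp(String v, String t) { version = v; timestamp = t; }
    boolean sameAs(Stamp o) {
      return o != null && Objects.equals(version, o.version) && Objects.equals(timestamp, o.timestamp);
    }
  }

  // Collection name is the persistence key: name -> (resource key -> policy).
  private final Map<String, Map<String, Policy>> consumed = new HashMap<>();
  private final Map<String, Stamp> stamps = new HashMap<>();
  // Policy customized outside the SSPI (e.g. by an administrator); done() never touches it.
  private final Map<String, Policy> customized = new HashMap<>();

  @Override
  public PolicyConsumer getPolicyConsumer() { return this; }

  @Override
  public PolicyCollectionHandler getPolicyCollectionHandler(PolicyCollectionInfo info)
      throws ConsumptionException {
    String name = info.getName();
    if (name == null || name.isEmpty()) {
      throw new ConsumptionException("policy collection has no name; cannot key it");
    }
    Stamp incoming = new Stamp(info.getVersion(), info.getTimestamp());
    synchronized (this) {
      // Same version and timestamp as last time: nothing changed, decline the set.
      // A different version or timestamp is an updated collection and is consumed.
      if (incoming.sameAs(stamps.get(name))) return null;
    }
    return new CollectionHandler(name, incoming);
  }

  /** Stages one delivery and swaps it in atomically when done() is called. */
  private final class CollectionHandler implements PolicyCollectionHandler {
    private final String name;
    private final Stamp stamp;
    private final Map<String, Policy> staged = new HashMap<>();
    CollectionHandler(String name, Stamp stamp) { this.name = name; this.stamp = stamp; }

    @Override
    public void setPolicy(Resource resource, String[] roleNames) throws ConsumptionException {
      if (roleNames == null || roleNames.length == 0) {
        throw new ConsumptionException("setPolicy with no roles for " + resource);
      }
      staged.put(key(resource), new Policy(false, Arrays.asList(roleNames.clone())));
    }

    @Override
    public void setUncheckedPolicy(Resource resource) {
      staged.put(key(resource), new Policy(true, Collections.<String>emptyList()));
    }

    @Override
    public void done() {
      synchronized (SamplePolicyConsumer.this) {
        // Replace rather than merge, so stale policies from the earlier delivery are removed.
        consumed.put(name, new HashMap<>(staged));
        stamps.put(name, stamp);
      }
    }
  }

  /** Out-of-band customization; it takes precedence over any consumed collection. */
  public synchronized void setCustomizedPolicy(Resource resource, String... roleNames) {
    customized.put(key(resource), new Policy(false, Arrays.asList(roleNames)));
  }

  /** Lookup for the provider's access decision; null means no policy covers the resource. */
  public synchronized Policy lookup(Resource resource) {
    String k = key(resource);
    Policy p = customized.get(k);
    if (p != null) return p;
    for (Map<String, Policy> coll : consumed.values()) {
      if ((p = coll.get(k)) != null) return p;
    }
    return null;
  }

  // Assumption: Resource.toString() is a stable identity for the resource. A real
  // provider would key on the resource type and its key/value pairs instead.
  private static String key(Resource resource) { return resource.toString(); }
}
```

The skip-when-unchanged check in getPolicyCollectionHandler is the behaviour the page describes for persisting providers; since this sample only keeps policy in memory, it could equally return a handler every time, and a production provider that persists to LDAP would also need to restore the stamps map on startup or it would re-consume every collection after a restart. Access decisions in the real provider would consult lookup() and then evaluate the returned role names against the subject's roles.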

7.5.2.6 The PolicyConsumerMBean

Authorization providers that implement the Policy Consumer SSPI must also implement the weblogic.management.security.authorization.PolicyConsumerMBean to indicate that the provider supports policy consumption.

7.5.3 PolicyStoreMBean