
6 Principal Validation Providers

Authentication providers rely on Principal Validation providers to sign and verify the authenticity of principals (users and groups) contained within a subject. Such verification provides an additional level of trust and may reduce the likelihood of malicious principal tampering. Verification of the subject's principals takes place during the WebLogic Server's demarshalling of RMI client requests for each invocation. The authenticity of the subject's principals is also verified when making authorization decisions.

The following sections describe Principal Validation provider concepts and functionality, and provide step-by-step instructions for developing a custom Principal Validation provider:

■ Section 6.1, "Principal Validation Concepts"
■ Section 6.2, "The Principal Validation Process"
■ Section 6.3, "Do You Need to Develop a Custom Principal Validation Provider?"
■ Section 6.4, "How to Develop a Custom Principal Validation Provider"

6.1 Principal Validation Concepts

Before you develop a Principal Validation provider, you need to understand the following concepts:

■ Section 6.1.1, "Principal Validation and Principal Types"
■ Section 6.1.2, "How Principal Validation Providers Differ From Other Types of Security Providers"
■ Section 6.1.3, "Security Exceptions Resulting from Invalid Principals"

6.1.1 Principal Validation and Principal Types

Just as Identity Assertion providers support specific types of tokens, Principal Validation providers support specific types of principals. For example, the WebLogic Principal Validation provider (described in Section 6.3, "Do You Need to Develop a Custom Principal Validation Provider?") signs and verifies the authenticity of WebLogic Server principals.

The Principal Validation provider that is associated with the configured Authentication provider (as described in Section 6.1.2, "How Principal Validation Providers Differ From Other Types of Security Providers") will sign and verify all the principals stored in the subject that are of the type the Principal Validation provider is designed to support.

Developing Security Providers for Oracle WebLogic Server

6.1.2 How Principal Validation Providers Differ From Other Types of Security Providers

A Principal Validation provider is a special type of security provider that primarily acts as a "helper" to an Authentication provider. The main function of a Principal Validation provider is to prevent malicious individuals from tampering with the principals stored in a subject.

The AuthenticationProvider SSPI (as described in Section 4.4.1.1, "Implement the AuthenticationProviderV2 SSPI") includes a method called getPrincipalValidator. In this method, you specify the Principal Validation provider's runtime class to be used with the Authentication provider. The Principal Validation provider's runtime class can be the one Oracle provides (called the WebLogic Principal Validation provider) or one you develop (called a custom Principal Validation provider). An example of using the WebLogic Principal Validation provider in an Authentication provider's getPrincipalValidator method is shown in Example 4–1, "Relationships Among Users, Groups, Principals and Subjects".

Because you generate MBean types for Authentication providers and configure Authentication providers using the WebLogic Server Administration Console, you do not have to perform these steps for a Principal Validation provider.
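The sign-and-verify idea described above, as an added example that is not from the Oracle documentation and is not WebLogic's implementation: a validator signs each principal at authentication time and later rejects any principal whose name was changed or that was never signed. The classes DemoPrincipal and DemoPrincipalValidator, the HMAC-SHA256 scheme and the secret are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PrincipalValidationDemo {
    public static void main(String[] args) throws Exception {
        // Constructed secret; a server would hold this privately and never send it to clients.
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        DemoPrincipalValidator v = new DemoPrincipalValidator(secret);

        DemoPrincipal user = new DemoPrincipal("alice");
        v.sign(user); // performed once, when authentication succeeds
        System.out.println("signed user valid:    " + v.validate(user));

        // A principal renamed after signing keeps the old signature and must fail.
        DemoPrincipal altered = new DemoPrincipal("Administrators");
        altered.signature = user.signature.clone();
        System.out.println("altered name valid:   " + v.validate(altered));
        System.out.println("unsigned valid:       " + v.validate(new DemoPrincipal("bob")));
    }
}

// Hypothetical principal type that carries its signature (illustration only).
final class DemoPrincipal implements Principal {
    private final String name;
    byte[] signature; // set by DemoPrincipalValidator.sign()
    DemoPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
}

// Hypothetical validator; sign() and validate() are the two operations the text describes.
final class DemoPrincipalValidator {
    private final SecretKeySpec key;
    DemoPrincipalValidator(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(DemoPrincipal p) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(key);
        // Cover the principal type as well as the name, separated by a zero byte.
        m.update(p.getClass().getName().getBytes(StandardCharsets.UTF_8));
        m.update((byte) 0);
        return m.doFinal(p.getName().getBytes(StandardCharsets.UTF_8));
    }
    boolean sign(DemoPrincipal p) throws Exception { p.signature = mac(p); return true; }
    boolean validate(DemoPrincipal p) throws Exception {
        // Constant-time comparison; a principal with no signature is invalid.
        return p.signature != null && MessageDigest.isEqual(p.signature, mac(p));
    }
}
```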

6.1.3 Security Exceptions Resulting from Invalid Principals