Identity Assertion Providers 5-17
a. Locate and open the MBean implementation file. The MBean implementation file generated by the WebLogic MBeanMaker is named MBeanNameImpl.java. For example, for the MDF named SampleIdentityAsserter, the MBean implementation file to be edited is named SampleIdentityAsserterImpl.java.
b. Open your existing MBean implementation file, which you saved to a temporary directory in step 1.
c. Synchronize the existing MBean implementation file with the MBean implementation file generated by the WebLogic MBeanMaker. Accomplishing this task may include, but is not limited to: copying the method implementations from your existing MBean implementation file into the newly-generated MBean implementation file or, alternatively, adding the new methods from the newly-generated MBean implementation file to your existing MBean implementation file, and verifying that any changes to method signatures are reflected in the version of the MBean implementation file that you are going to use for methods that exist in both MBean implementation files.
d. If you modified the MDF to implement optional SSPI MBeans that were not in the original MDF, implement each method. Be sure to also provide implementations for any methods that the optional SSPI MBean inherits.
5. If you modified the MDF to include any custom operations that were not in the original MDF, implement the methods using the method stubs.
6. Save the version of the MBean implementation file that is complete (that is, has all methods implemented).
7. Copy this MBean implementation file into the directory where the WebLogic MBeanMaker placed the intermediate files for the MBean type. You specified this as filesdir in step 3. You will be overriding the MBean implementation file generated by the WebLogic MBeanMaker as a result of step 3.
8. Proceed to Section 5.4.2.3, Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).
5.4.2.2.3 About the Generated MBean Interface File
The MBean interface file is the client-side API to the MBean that your runtime class or your MBean implementation will use to obtain configuration data. It is typically used in the initialize method as described in Section 3.2.2, Understand the Purpose of the Provider SSPIs.
Because the WebLogic MBeanMaker generates MBean types from the MDF you created, the generated MBean interface file will have the name of the MDF, plus the
text MBean appended to it. For example, the result of running the SampleIdentityAsserter MDF through the WebLogic MBeanMaker will yield an
MBean interface file called SampleIdentityAsserterMBean.java.
5.4.2.3 Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)
Once you have run your MDF through the WebLogic MBeanMaker to generate your intermediate files, and you have edited the MBean implementation file to supply implementations for the appropriate methods within it, you need to package the MBean files and the runtime classes for the custom Identity Assertion provider into an MBean JAR File (MJF). The WebLogic MBeanMaker also automates this process.
To create an MJF for your custom Identity Assertion provider, follow these steps:
1. Create a new DOS shell.
5-18 Developing Security Providers for Oracle WebLogic Server
2. Type the following command:
    java -DMJF=jarfile -Dfiles=filesdir weblogic.management.commo.WebLogicMBeanMaker
where the -DMJF flag indicates that the WebLogic MBeanMaker should build a JAR file containing the new MBean types, jarfile is the name for the MJF, and filesdir is the location where the WebLogic MBeanMaker looks for the files to JAR into the MJF.
Compilation occurs at this point, so errors are possible. If jarfile is provided, and no errors occur, an MJF is created with the specified name.
The resulting MJF can be installed into your WebLogic Server environment, or distributed to your customers for installation into their WebLogic Server
environments.
5.4.2.4 Install the MBean Type Into the WebLogic Server Environment
To install an MBean type into the WebLogic Server environment, copy the MJF into the WL_HOME\server\lib\mbeantypes directory, where WL_HOME is the top-level
installation directory for WebLogic Server. This deploys your custom Identity Assertion provider—that is, it makes the custom Identity Assertion provider
manageable from the WebLogic Server Administration Console.
Note: When you create a JAR file for a custom security provider, a
set of XML binding classes and a schema are also generated. You can choose a namespace to associate with that schema. Doing so avoids
the possibility that your custom classes will conflict with those provided by Oracle. The default for the namespace is vendor. You can
change this default by passing the -targetNameSpace argument to the WebLogicMBeanMaker or the associated WLMBeanMaker ant task.
If you want to update an existing MJF, simply delete the MJF and regenerate it. The WebLogic MBeanMaker also has a -DIncludeSource
option, which controls whether source files are included into the resulting MJF. Source files include both the generated source and the
MDF itself. The default is false. This option is ignored when -DMJF is not used.
You can create instances of the MBean type by configuring your custom Identity Assertion provider (see Section 5.4.3, Configure the Custom Identity Assertion Provider Using the Administration Console), and then use those MBean instances from a GUI, from other Java code, or from APIs. For example, you can use the WebLogic Server Administration Console to get and set attributes and invoke operations, or you can develop other Java objects that instantiate MBeans and automatically respond to information that the MBeans supply. We recommend that you back up these MBean instances.
5.4.3 Configure the Custom Identity Assertion Provider Using the Administration Console
Configuring a custom Identity Assertion provider means that you are adding the custom Identity Assertion provider to your security realm, where it can be accessed by
applications requiring identity assertion services.
Configuring custom security providers is an administrative task, but it is a task that may also be performed by developers of custom security providers.
5.4.4 Challenge Identity Assertion
The Challenge Identity Asserter interface supports challenge-response schemes in which multiple challenges, response messages, and state are required. The Challenge Identity Asserter interface allows Identity Assertion providers to support authentication protocols such as Microsoft's Windows NT Challenge/Response
Note: WL_HOME\server\lib\mbeantypes is the default directory for installing MBean types. Beginning with 9.0, security providers can be loaded from ...\domaindir\lib\mbeantypes as well. However, if you want WebLogic Server to look for MBean types in additional directories, use the -Dweblogic.alternateTypesDirectory=dir command-line flag when starting your server, where dir is a comma-separated list of directory names. When you use this flag, WebLogic Server will always load MBean types from WL_HOME\server\lib\mbeantypes first, then will look in the additional directories and load all valid archives present in those directories regardless of their extension. For example, if -Dweblogic.alternateTypesDirectory=dirX,dirY, WebLogic Server will first load MBean types from WL_HOME\server\lib\mbeantypes, then any valid archives present in dirX and dirY. If you instruct WebLogic Server to look in additional directories for MBean types and are using the Java Security Manager, you must also update the weblogic.policy file to grant appropriate permissions for the MBean type and thus, the custom security provider. For more information, see Using Java Security to Protect WebLogic Resources in Programming Security for Oracle WebLogic Server.
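Added example (not part of the Oracle documentation): because every valid archive in the mbeantypes directories is loaded regardless of extension, and because an MJF built with -DIncludeSource carries its source, an administrator can inventory those directories by file content instead of by file name. The Python code below assumes a POSIX host; the function names, the approved-hash list and the sample files are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
import zipfile

LOOSE = stat.S_IWGRP | stat.S_IWOTH  # writable by someone other than the owner

def audit_mbeantypes(dirs, approved):
    """dirs: directories the server scans; approved: {file name: SHA-256 hex}."""
    findings = []
    for d in dirs:
        if os.stat(d).st_mode & LOOSE:
            findings.append((d, "directory writable by group/other"))
        for name in os.listdir(d):
            path = os.path.join(d, name)
            # Archives are loaded regardless of extension, so test the file
            # content (ZIP structure) and never trust the file name.
            if not os.path.isfile(path) or not zipfile.is_zipfile(path):
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            if name not in approved:
                findings.append((path, "archive not in approved list"))
            elif approved[name] != digest:
                findings.append((path, "hash differs from approved build"))
            if os.stat(path).st_mode & LOOSE:
                findings.append((path, "archive writable by group/other"))
            with zipfile.ZipFile(path) as zf:
                if any(n.endswith(".java") for n in zf.namelist()):
                    findings.append((path, "contains .java source entries"))
    return sorted(findings)

def build_demo_dir():
    """Constructed sample: one MJF-like .jar and one archive named .txt."""
    d = tempfile.mkdtemp()
    for name, entry, mode in (("SampleIdentityAsserter.jar", "Sample.class", 0o644),
                              ("notes.txt", "Extra.java", 0o666)):
        path = os.path.join(d, name)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr(entry, "constructed placeholder content")
        os.chmod(path, mode)
    with open(os.path.join(d, "README"), "w") as fh:
        fh.write("plain text, not an archive")
    os.chmod(d, 0o755)
    return d

if __name__ == "__main__":
    print(audit_mbeantypes([build_demo_dir()], {}))
```

Pass the default directory, the domain lib\mbeantypes directory and every entry of -Dweblogic.alternateTypesDirectory as dirs, with hashes recorded when each MJF was built.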
Note: The steps for configuring a custom Identity Assertion provider
using the WebLogic Server Administration Console are described under Configuring WebLogic Security Providers in Securing Oracle
WebLogic Server.