
9-4 Developing Security Providers for Oracle WebLogic Server

Generally, role mapping is performed in the following manner:

1. A user or system process requests a WebLogic resource on which it will attempt to perform a given operation.

2. The resource container that handles the type of WebLogic resource being requested receives the request (for example, the EJB container receives the request for an EJB resource).

   Note: The resource container could be the container that handles any one of the WebLogic Resources described in Section 3.6, Security Providers and WebLogic Resources.

3. The resource container constructs a ContextHandler object that may be used by Role Mapping providers to obtain information associated with the context of the request. The resource container calls the WebLogic Security Framework, passing in the subject (which already contains user and group principals), an identifier for the WebLogic resource, and optionally, the ContextHandler object to provide additional input.

   Note: For more information about ContextHandlers, see Section 3.6.9, ContextHandlers and WebLogic Resources. For more information about subjects, see Section 4.1.1, Users and Groups, Principals and Subjects. For more information about resource identifiers, see Section 3.6.3, WebLogic Resource Identifiers.

4. The WebLogic Security Framework calls each configured Role Mapping provider to obtain a list of the security roles that apply. This works as follows:

   a. The Role Mapping providers use the ContextHandler to request various pieces of information about the request. They construct a set of Callback objects that represent the type of information being requested. This set of Callback objects is then passed as an array to the ContextHandler using the handle method. The Role Mapping providers may call the ContextHandler more than once in order to obtain the necessary context information. The number of times a Role Mapping provider calls the ContextHandler is dependent upon its implementation.

   b. Using the context information and their associated security provider databases containing security policies, the subject, and the WebLogic resource, the Role Mapping providers determine whether the requestor represented by the user and group principals in the subject is entitled to a certain security role. The security policies are represented as a set of expressions or rules that are evaluated to determine if a given security role is to be granted. These rules may require the Role Mapping provider to substitute the value of context information obtained as parameters into the expression. In addition, the rules may also require the identity of a user or group principal as the value of an expression parameter.

   c. If a security policy specifies that the requestor is entitled to a particular security role, the security role is added to the list of security roles that are applicable to the subject.

   d. This process continues until all security policies that apply to the WebLogic resource or the resource container have been evaluated.

5. The list of security roles is returned to the WebLogic Security Framework, where it can be used as part of other operations, such as access decisions.

9.3 Is Your Custom Role Mapping Provider Thread Safe?
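The role-mapping steps 1 to 5 above, as a runnable model added here for illustration; it is not WebLogic's SSPI code, and the Callback, ContextHandler, Policy and RoleMappingProvider classes, the context names HttpMethod and ClientIp, the resource identifier and the three sample policies are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set

@dataclass
class Callback:  # one piece of request context a provider asks for; the handler fills in value
    name: str
    value: object = None
class ContextHandler:  # built by the resource container (step 3)
    def __init__(self, context: Dict[str, object]):
        self._context = context
    def handle(self, callbacks: Iterable[Callback]) -> None:
        for cb in callbacks:  # answers the whole Callback array in one call (step 4a)
            cb.value = self._context.get(cb.name)  # None if the container has no such value

@dataclass(frozen=True)
class Subject:  # user and group principals already placed there by authentication
    user: str
    groups: frozenset
@dataclass(frozen=True)
class Policy:  # rule granting `role`; may read context parameters and principal identity (4b)
    role: str
    rule: Callable[[Subject, Dict[str, object]], bool]

class RoleMappingProvider:  # steps 4a to 4d for one configured provider
    def __init__(self, policies: Dict[str, List[Policy]], context_names: List[str]):
        self.policies, self.context_names = policies, context_names
    def get_roles(self, subject: Subject, resource: str, handler: ContextHandler) -> Set[str]:
        callbacks = [Callback(n) for n in self.context_names]
        handler.handle(callbacks)  # a real provider may call the handler more than once
        params = {cb.name: cb.value for cb in callbacks}  # substituted into the rules (4b)
        return {p.role for p in self.policies.get(resource, []) if p.rule(subject, params)}
def map_roles(providers, subject, resource, handler) -> List[str]:
    roles: Set[str] = set()  # framework side (steps 4 and 5): union over every provider
    for provider in providers:
        roles |= provider.get_roles(subject, resource, handler)
    return sorted(roles)

# Constructed sample data: a resource id (not WebLogic's format), its policies, context names.
RESOURCE = "url:/bank/accounts/*"
POLICIES = {RESOURCE: [
    Policy("Admin", lambda s, p: "Administrators" in s.groups),
    Policy("Auditor", lambda s, p: s.user == "alice" and p.get("HttpMethod") == "GET"),
    Policy("Teller", lambda s, p: "Tellers" in s.groups and str(p.get("ClientIp")).startswith("10.")),
]}
PROVIDER = RoleMappingProvider(POLICIES, ["HttpMethod", "ClientIp"])

def example() -> List[str]:  # alice, an administrator, issues a GET from outside 10/8
    subject = Subject("alice", frozenset({"Administrators"}))
    handler = ContextHandler({"HttpMethod": "GET", "ClientIp": "192.0.2.7"})
    return map_roles([PROVIDER], subject, RESOURCE, handler)
```

A policy whose context parameter the container never supplied simply evaluates to false here, which is why the Teller rule is written to tolerate a missing ClientIp.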