
Servlet Authentication Filters

Therefore, if you plan to implement multiple challenge/response identity assertion from a filter, you need to implement the ChallengeIdentityAsserterV2 and ProviderChallengeContext interfaces, and then use the weblogic.security.services.Authentication methods and AppChallengeContext interface to invoke them from a Servlet Authentication Filter. The steps to accomplish this process are described in Chapter 5, Identity Assertion Providers, and are summarized here:

■ Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI, or Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI
■ Section 5.4.4.4, Implement the ChallengeIdentityAsserterV2 Interface
■ Section 5.4.4.5, Implement the ProviderChallengeContext Interface
■ Section 5.4.4.6, Invoke the weblogic.security.services Challenge Identity Methods
■ Section 5.4.4.7, Invoke the weblogic.security.services AppChallengeContext Methods

13.4.5 Generate an MBean Type Using the WebLogic MBeanMaker

When you generate the MBean type for your custom Authentication provider as described in Chapter 4, Authentication Providers, you must also implement the MBean for your Servlet Authentication Filter. The ServletAuthenticationFilter MBean extends the AuthenticationProvider MBean. The ServletAuthenticationFilter MBean is a marker interface and has no methods.

    <?xml version="1.0" ?>
    <!DOCTYPE MBeanType SYSTEM "commo.dtd">
    <MBeanType
     Name = "ServletAuthenticationFilter"
     Package = "weblogic.management.security.authentication"
     Extends = "weblogic.management.security.authentication.AuthenticationProvider"
     PersistPolicy = "OnUpdate"
     Abstract = "true"
     Description = "The SSPI MBean that all Servlet Authentication Filter providers must extend. This MBean is just a marker interface. It has no methods on it."
    >
    </MBeanType>

13.4.5.1 Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF)

Once you have run your MDF through the WebLogic MBeanMaker to generate your intermediate files, and you have edited the MBean implementation file to supply implementations for the appropriate methods within it, you need to package the MBean files and the runtime classes for the custom Authentication provider, including the Servlet Authentication Filter, into an MBean JAR File (MJF). These steps are described for the custom Authentication provider in Section 4.4.2.3, Use the WebLogic MBeanMaker to Create the MBean JAR File (MJF).

Developing Security Providers for Oracle WebLogic Server

13.4.6 Configure the Authentication Provider Using Administration Console

Configuring a custom Authentication provider that implements a Servlet Authentication Filter means that you are adding the custom Authorization provider to your security realm, where it can be accessed by applications requiring authorization services.

Configuring custom security providers is an administrative task, but it is a task that may also be performed by developers of custom security providers. The steps for configuring a custom Authorization provider using the WebLogic Server Administration Console are described under Configuring WebLogic Security Providers in Securing Oracle WebLogic Server.

14 Versionable Application Providers

A versionable application is an application that has an application archive version specified in the manifest of the application archive (EAR file). Versionable applications can be deployed side-by-side and active simultaneously. Versionable applications allow multiple versions of an application, where security constraints can vary between the application versions.

The Versionable Application provider SSPI enables all security providers that support application versioning to be notified when versions are created and deleted. It also enables all security providers that support application versioning to be notified when non-versioned applications are removed.

The following sections provide the background information you need to understand before adding application versioning capability to your custom security providers, and provide step-by-step instructions for adding application versioning capability to a custom security provider:

■ Section 14.1, Versionable Application Concepts