WebLogic Security Service Architecture 5-3
Validation provider. For more information on Principal Validation providers, see Section 5.5.8, "WebLogic Principal Validation Provider." After successfully proving a caller's identity, an authentication context is established, which allows an identified user or system to be authenticated to other entities. Authentication contexts may also be delegated to an application component, allowing that component to call another application component while impersonating the original caller.
5.1.2 The Identity Assertion Process
Identity Assertion providers are used as part of the perimeter authentication process. When perimeter authentication is used (see Figure 5–3), a token from outside of the WebLogic Server domain is passed to an Identity Assertion provider in a security realm that is responsible for validating tokens of that type and that is configured as active. If the token is successfully validated, the Identity Assertion provider maps the token to a WebLogic Server username and sends that username back to WebLogic Server, which then continues the authentication process. Specifically, the username is sent via a JAAS CallbackHandler and passed to each configured Authentication provider's LoginModule so that the LoginModule can populate the subject with the appropriate principals. Because the LoginModule receives only the asserted username and never a password, the security of perimeter authentication rests entirely on the Identity Assertion provider's validation of the token.
Figure 5–3 Perimeter Authentication
As Figure 5–3 also shows, perimeter authentication requires the same components as the authentication process, but also adds an Identity Assertion provider.
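The perimeter flow described above, as an added example that is not part of the Oracle documentation or of WebLogic Server's own code. It uses only the standard JAAS classes shipped with the JDK (javax.security.auth) and stands in for the WebLogic-specific pieces: PerimeterAuthDemo, assertIdentity(), VALID_TOKENS, AssertedNameCallbackHandler and AssertedNameLoginModule are hypothetical names chosen for this example, the token table is constructed sample data, and a real Identity Assertion provider would cryptographically validate the token (certificate chain, signature, expiry) rather than look it up.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class PerimeterAuthDemo {
    // Constructed sample data: one accepted perimeter token and the WebLogic username it maps to.
    // A real Identity Assertion provider validates the token itself before doing this mapping.
    private static final Map<String, String> VALID_TOKENS = new HashMap<>();
    static { VALID_TOKENS.put("tok-8f3a", "alice"); }

    /** Hypothetical stand-in for the Identity Assertion provider: validate the token, map it
     *  to a username, and hand the username back wrapped in a CallbackHandler. */
    static CallbackHandler assertIdentity(String tokenType, Object token) {
        if (!"DemoToken".equals(tokenType)) {
            throw new SecurityException("asserter is not configured for token type " + tokenType);
        }
        String user = VALID_TOKENS.get(String.valueOf(token));
        if (user == null) {
            throw new SecurityException("token failed validation");   // no LoginModule will run
        }
        return new AssertedNameCallbackHandler(user);
    }

    /** Answers NameCallback only. An asserted identity carries no password, so a PasswordCallback
     *  is refused rather than filled with a placeholder value. */
    static final class AssertedNameCallbackHandler implements CallbackHandler {
        private final String user;
        AssertedNameCallbackHandler(String user) { this.user = user; }
        @Override public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) {
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
                ((NameCallback) cb).setName(user);
            }
        }
    }

    /** JAAS LoginModule that trusts the asserted name (the job of an Authentication provider's
     *  assertion-mode LoginModule) and populates the Subject with a principal on commit(). */
    public static class AssertedNameLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String name;
        @Override public void initialize(Subject subject, CallbackHandler handler,
                                         Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("asserted user: ");
            try {
                handler.handle(new Callback[] { nc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("could not obtain asserted name: " + e);
            }
            name = nc.getName();
            if (name == null || name.isEmpty()) throw new LoginException("empty asserted name");
            return true;
        }
        @Override public boolean commit() {
            final String n = name;
            subject.getPrincipals().add(new Principal() { public String getName() { return n; } });
            return true;
        }
        @Override public boolean abort() { name = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** The whole perimeter flow: token -> asserter -> CallbackHandler -> LoginModule -> Subject. */
    static Subject perimeterLogin(String tokenType, Object token) throws LoginException {
        CallbackHandler handler = assertIdentity(tokenType, token);   // throws before any JAAS work
        Configuration config = new Configuration() {   // programmatic config: no login.config file
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        AssertedNameLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        LoginContext lc = new LoginContext("perimeter", new Subject(), handler, config);
        lc.login();   // runs login() then commit() on the configured module
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject s = perimeterLogin("DemoToken", "tok-8f3a");
        System.out.println("principals after perimeter login: " + s.getPrincipals().size());
        try {
            perimeterLogin("DemoToken", "tok-bogus");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with javac and java; no login.config file is needed because the JAAS Configuration is built in code. The second call is rejected inside assertIdentity(), before a LoginContext exists, which is the property the section describes: a token that does not validate never reaches a LoginModule. The CallbackHandler's refusal of anything but NameCallback is the corresponding check on the other side: a LoginModule written for username/password cannot be satisfied with an invented password, so an asserted identity can only be consumed by a module that was configured to accept asserted names.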
Note: To use the WebLogic Identity Assertion provider for X.501 and X.509 certificates, you have the option of using either the default user name mapper that is supplied with the WebLogic Server product (weblogic.security.providers.authentication.DefaultUserNameMapperImpl) or your own implementation of the weblogic.security.providers.authentication.UserNameMapper interface. See "Do You Need to Develop a Custom Identity Assertion Provider?" in Developing Security Providers for Oracle WebLogic Server.

5-4 Understanding Security for Oracle WebLogic Server

5.1.3 The Principal Validation Process
As shown in Figure 5–4, a user attempts to log into a system using a username/password combination. WebLogic Server establishes trust by calling the configured Authentication provider's LoginModule, which validates the user's username and password and returns a subject that is populated with principals per JAAS requirements.
Figure 5–4 The Principal Validation Process
WebLogic Server then passes the subject to the specified Principal Validation provider, which signs the principals and returns them to the client application via WebLogic
Server. Whenever the principals stored within the subject are required for other security operations, the same Principal Validation provider will verify that the
principals stored within the subject have not been modified since they were signed.
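Signing the principals in a subject and re-checking them before they are used, as an added example that is not Oracle's code and does not describe the mechanism WebLogic's own Principal Validation provider uses internally. PrincipalSigningDemo, SignableUserPrincipal and HmacPrincipalValidator are hypothetical names; the HMAC key is assumed to be held only by the server, and the sign()/validate() pair mirrors the shape of a Principal Validation provider as the text describes it: sign when the subject is built, validate every time the subject is presented for a security operation.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class PrincipalSigningDemo {

    /** A principal that can carry a signature computed by the server-side validator.
     *  The client receives this object inside the Subject and hands it back later. */
    public static final class SignableUserPrincipal implements Principal {
        private String name;
        private byte[] signature;                       // null until the validator signs it
        public SignableUserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        public void setName(String name) { this.name = name; }   // what a tampering client would do
        byte[] getSignature() { return signature == null ? null : signature.clone(); }
        void setSignature(byte[] sig) { this.signature = sig.clone(); }
    }

    /** Shape of a Principal Validation provider: sign() when the Subject is built,
     *  validate() every time the Subject is used for a security decision. */
    public static final class HmacPrincipalValidator {
        private final SecretKeySpec key;                // server-held secret; never leaves the server

        public HmacPrincipalValidator(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

        public static HmacPrincipalValidator withRandomKey() {
            byte[] k = new byte[32];
            new SecureRandom().nextBytes(k);
            return new HmacPrincipalValidator(k);
        }

        /** MAC over the principal's class name and name, so a signature cannot be moved
         *  between principal types or reused for a different name. */
        private byte[] mac(Principal p) {
            try {
                Mac m = Mac.getInstance("HmacSHA256");
                m.init(key);
                m.update(p.getClass().getName().getBytes(StandardCharsets.UTF_8));
                m.update((byte) 0);                    // separator between the two fields
                return m.doFinal(p.getName().getBytes(StandardCharsets.UTF_8));
            } catch (GeneralSecurityException e) {
                throw new IllegalStateException(e);
            }
        }

        /** Returns false for principal types this validator does not handle. */
        public boolean sign(Principal p) {
            if (!(p instanceof SignableUserPrincipal)) return false;
            ((SignableUserPrincipal) p).setSignature(mac(p));
            return true;
        }

        /** True only if the principal carries a signature that matches its current contents. */
        public boolean validate(Principal p) {
            if (!(p instanceof SignableUserPrincipal)) return false;
            byte[] sig = ((SignableUserPrincipal) p).getSignature();
            if (sig == null) return false;              // never signed by this server
            return MessageDigest.isEqual(sig, mac(p));  // constant-time comparison
        }
    }

    public static void main(String[] args) {
        HmacPrincipalValidator validator = HmacPrincipalValidator.withRandomKey();

        SignableUserPrincipal alice = new SignableUserPrincipal("alice");
        validator.sign(alice);
        System.out.println("signed principal validates:   " + validator.validate(alice));

        // Client-side tampering: change the name but keep the server's signature.
        alice.setName("admin");
        System.out.println("renamed principal validates:  " + validator.validate(alice));

        // Client-forged principal that was never signed at all.
        System.out.println("unsigned principal validates: "
                + validator.validate(new SignableUserPrincipal("admin")));
    }
}
```

The two failing cases in main() are the ones the section is about: a subject that comes back from the client with a principal whose name was edited, and a subject carrying a principal the server never issued. Both are refused because validate() recomputes the MAC from the principal's current contents under a key the client never sees; a subject whose principals have not been modified since they were signed validates exactly as it did when it left the server.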
5.1.4 The Authorization Process
Figure 5–5 illustrates how Authorization providers and the associated Adjudication
and Role Mapping providers interact with the WebLogic Security Framework during the authorization process.
Figure 5–5 Authorization Process
The authorization process is initiated when a user or system process requests a WebLogic resource on which it will attempt to perform a given operation. The resource container that handles the type of WebLogic resource being requested receives the request (for example, the EJB container receives the request for an EJB resource). The resource container calls the WebLogic Security Framework and passes in the request parameters, including information such as the subject of the request and the WebLogic resource being requested. The WebLogic Security Framework calls the configured Role Mapping providers and passes in the request parameters in a format that the Role Mapping providers can use. The Role Mapping providers use the request parameters to compute a list of roles to which the subject making the request is entitled and pass the list of applicable roles back to the WebLogic Security Framework. The Authorization provider then determines whether the subject is entitled to perform the requested action on the WebLogic resource; that is, the Authorization provider makes the Access Decision. If multiple Authorization providers are configured, the WebLogic Security Framework delegates the job of reconciling any conflicts in the Access Decisions rendered by the Authorization providers to the Adjudication provider, and the Adjudication provider determines the ultimate outcome of the authorization decision.
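The role-mapping, access-decision and adjudication steps above, modelled in plain Java as an added example. It is not WebLogic's own code, and the adjudication policy it applies is this example's, not a description of any shipped Adjudication provider. AuthorizationPipelineDemo, Resource, Caller, RoleMapper, AccessDecision, Adjudicator and the sample providers are hypothetical, and the users, groups and frozen-account list are constructed sample data.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class AuthorizationPipelineDemo {

    /** Vote returned by one Authorization provider's Access Decision. */
    enum Result { PERMIT, DENY, ABSTAIN }

    /** The WebLogic resource being requested; here the fields describe an EJB method. */
    static final class Resource {
        final String type, bean, method;
        Resource(String type, String bean, String method) { this.type = type; this.bean = bean; this.method = method; }
    }

    /** The authenticated subject as the container sees it: the user plus group memberships. */
    static final class Caller {
        final String user; final Set<String> groups;
        Caller(String user, Set<String> groups) { this.user = user; this.groups = groups; }
    }

    interface RoleMapper     { Set<String> getRoles(Caller subject, Resource resource); }
    interface AccessDecision { Result isAccessAllowed(Caller subject, Set<String> roles, Resource resource); }
    interface Adjudicator    { boolean adjudicate(List<Result> votes); }

    /** What the Security Framework does for one request: collect roles from every Role Mapping
     *  provider, ask every Authorization provider for its Access Decision, then either take the
     *  single vote or hand all votes to the Adjudication provider. */
    static boolean isAccessAllowed(Caller subject, Resource resource, List<RoleMapper> mappers,
                                   List<AccessDecision> decisions, Adjudicator adjudicator) {
        Set<String> roles = new HashSet<>();
        for (RoleMapper m : mappers) roles.addAll(m.getRoles(subject, resource));
        List<Result> votes = new ArrayList<>();
        for (AccessDecision d : decisions) votes.add(d.isAccessAllowed(subject, roles, resource));
        if (votes.size() == 1) return votes.get(0) == Result.PERMIT;   // one provider: ABSTAIN is not PERMIT
        return adjudicator.adjudicate(votes);
    }

    /** This example's adjudication policy: any DENY wins. With requireUnanimousPermit every vote
     *  must be PERMIT; without it ABSTAINs are ignored but at least one PERMIT is still required. */
    static Adjudicator denyWins(boolean requireUnanimousPermit) {
        return votes -> {
            if (votes.isEmpty() || votes.contains(Result.DENY)) return false;
            if (requireUnanimousPermit) return !votes.contains(Result.ABSTAIN);
            return votes.contains(Result.PERMIT);
        };
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two Role Mapping providers and two Authorization providers.
        RoleMapper groupRoles = (c, r) -> c.groups.contains("tellers") ? Set.of("Teller") : Set.<String>of();
        RoleMapper auditRoles = (c, r) -> c.user.equals("alice") ? Set.of("Auditor") : Set.<String>of();
        AccessDecision roleBased = (c, roles, r) ->
                "transfer".equals(r.method) && roles.contains("Teller") ? Result.PERMIT : Result.DENY;
        Set<String> frozenUsers = Set.of("bob");   // a second provider that only ever vetoes
        AccessDecision freezeList = (c, roles, r) -> frozenUsers.contains(c.user) ? Result.DENY : Result.ABSTAIN;

        Resource transfer = new Resource("<ejb>", "AccountBean", "transfer");
        List<RoleMapper> mappers = List.of(groupRoles, auditRoles);
        List<AccessDecision> decisions = List.of(roleBased, freezeList);
        List<Caller> callers = List.of(new Caller("alice", Set.of("tellers")),
                                       new Caller("bob", Set.of("tellers")),
                                       new Caller("carol", Set.of("customers")));

        for (boolean unanimous : new boolean[] { false, true }) {
            System.out.println("requireUnanimousPermit=" + unanimous);
            for (Caller c : callers) {
                boolean allowed = isAccessAllowed(c, transfer, mappers, decisions, denyWins(unanimous));
                System.out.println("  " + c.user + " " + c.groups + " -> " + (allowed ? "PERMIT" : "DENY"));
            }
        }
    }
}
```

Running main() shows the three situations the section distinguishes. alice is mapped to Teller by one Role Mapping provider and Auditor by the other, the role-based Access Decision votes PERMIT and the freeze-list provider ABSTAINs, so the outcome depends entirely on the Adjudication provider's policy (allowed when ABSTAINs are ignored, denied when unanimous PERMIT is required). bob is also a Teller, but the second provider's DENY is reconciled against the first provider's PERMIT and wins under either policy. carol receives no role that the resource requires and is denied. The practitioner point is that adding a second Authorization provider never widens access under a deny-wins policy, but an ABSTAIN-heavy provider combined with a unanimous-permit policy can silently deny everything, so the adjudication setting has to be chosen together with the providers.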
5.1.5 The Adjudication Process