
5-22 Understanding Security for Oracle WebLogic Server

5.5.8 WebLogic Principal Validation Provider

The default active security realm for WebLogic Server includes a WebLogic Principal Validation provider. This provider signs and verifies WebLogic Server principals. In other words, it signs and verifies principals that represent WebLogic Server users or WebLogic Server groups.

The WebLogic Principal Validation provider includes implementations of the WLSUser and WLSGroup interfaces, named WLSUserImpl and WLSGroupImpl. These are located in the weblogic.security.principal package. It also includes an implementation of the PrincipalValidator SSPI called PrincipalValidatorImpl. For more information about the PrincipalValidator SSPI, see Implement the PrincipalValidator SSPI in Developing Security Providers for Oracle WebLogic Server.

Much as an Identity Assertion provider supports a specific type of token, a Principal Validation provider signs and verifies the authenticity of a specific type of principal. Therefore, you can use the WebLogic Principal Validation provider to sign and verify principals that represent WebLogic Server users or WebLogic Server groups.
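The sign-then-verify idea described above, as an added conceptual example that is not Oracle's code and does not use the WebLogic classes. The class names SignedPrincipal and Validator are hypothetical, and HMAC-SHA256 over the principal's kind and name is an assumption; the page does not state which signing mechanism PrincipalValidatorImpl uses.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;

public class PrincipalSigningDemo {
    // Hypothetical principal type that carries its own signature.
    static final class SignedPrincipal implements Principal {
        final String name; final boolean group; byte[] signature;
        SignedPrincipal(String name, boolean group) { this.name = name; this.group = group; }
        @Override public String getName() { return name; }
    }

    // Hypothetical validator: sign() runs after authentication,
    // validate() runs before a principal is trusted for an access decision.
    static final class Validator {
        private final SecretKeySpec key;
        Validator(byte[] secret) { key = new SecretKeySpec(secret, "HmacSHA256"); }

        private byte[] mac(SignedPrincipal p) throws Exception {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(key);
            // Bind both the principal kind and its name into the signed data.
            String data = (p.group ? "group:" : "user:") + p.name;
            return m.doFinal(data.getBytes(StandardCharsets.UTF_8));
        }
        void sign(SignedPrincipal p) throws Exception { p.signature = mac(p); }
        boolean validate(SignedPrincipal p) throws Exception {
            // MessageDigest.isEqual compares in constant time.
            return p.signature != null && MessageDigest.isEqual(p.signature, mac(p));
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret); // secret constructed for the demo
        Validator v = new Validator(secret);

        SignedPrincipal alice = new SignedPrincipal("alice", false);
        v.sign(alice);
        System.out.println("signed user validates: " + v.validate(alice));

        // Constructed tampering case: a group principal the validator never signed,
        // carrying a copy of the signature issued for the user "alice".
        SignedPrincipal forged = new SignedPrincipal("Administrators", true);
        forged.signature = alice.signature.clone();
        System.out.println("forged group validates: " + v.validate(forged));
    }
}
```

The signed user principal validates, while the group principal carrying a copied signature does not, because the signature is bound to the kind and name it was issued for.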

5.5.9 WebLogic Authorization Provider

As of version 9.1, WebLogic Server includes an Authorization provider that supports the eXtensible Access Control Markup Language (XACML) 2.0 standard from OASIS. This provider can import, export, persist and execute policy expressed using all standard XACML 2.0 functions, attributes, and schema elements.

New domains created using WebLogic Server 9.1 and later will default to using the XACML Authorization provider. Existing domains, upgraded to WebLogic Server 9.1 and later, will continue to use the Authorization provider currently specified, such as third-party partner providers or the original WebLogic Server proprietary providers. If you use the WebLogic Server Administration Console to add a new Authorization provider, you can add the new provider as a DefaultAuthorizer or as a XACML provider. Custom XACML providers are not supported in this release.

Version 9.1 of WebLogic Server also included the default WebLogic Authorization provider. This provider supplied the default enforcement of authorization for versions of WebLogic Server prior to 9.1. Using a policy-based authorization engine, the WebLogic Authorization provider returns an access decision to determine if a particular user is allowed access to a protected WebLogic resource. The WebLogic Authorization provider also supports the deployment and undeployment of security policies within the system.

Note: You can use the WLSPrincipals class located in the weblogic.security package to determine whether a principal (user or group) has special meaning to WebLogic Server, that is, whether it is a predefined WebLogic Server user or WebLogic Server group. Furthermore, any principal that is going to represent a WebLogic Server user or group needs to implement the WLSUser and WLSGroup interfaces available in the weblogic.security.spi package.

WebLogic Security Service Architecture 5-23

5.5.10 WebLogic Adjudication Provider