6-4 Developing Security Providers for Oracle WebLogic Server random seed and computes a digest based on that random seed. For more information about the PrincipalValidator SSPI, see Section 6.4.1, Implement the PrincipalValidator SSPI.

6.3.1 How to Use the WebLogic Principal Validation Provider

If you have simple user and group principals that is, they only have a name, and you want to use the WebLogic Principal Validation provider: ■ Use the weblogic.security.principal.WLSUserImpl and weblogic.security.principal.WLSGroupImpl classes. ■ Use the weblogic.security.provider.PrincipalValidatorImpl class. If you have user or group principals with extra data members that is, in addition to a name, and you want to use the WebLogic Principal Validation provider: ■ Write your own UserImpl and GroupImpl classes. ■ Extend the weblogic.security.principal.WLSAbstractPrincipal class. ■ Implement the weblogic.security.spi.WLSUser and weblogic.security.spi.WLSGroup interfaces. ■ Implement the equals method to include your extra data members. Your implementation should call the super.equals method when complete so the WLSAbstractPrincipal can validate the remaining data. ■ Use the weblogic.security.provider.PrincipalValidatorImpl class. If you have your own validation scheme and do not want to use the WebLogic Principal Validation provider, or if you want to provide validation for principals other than WebLogic Server principals, then you need to develop a custom Principal Validation provider.

6.4 How to Develop a Custom Principal Validation Provider

To develop a custom Principal Validation provider: ■ Write your own UserImpl and GroupImpl classes by: – Implementing the weblogic.security.spi.WLSUser and weblogic.security.spi.WLSGroup interfaces. – Implementing the java.io.Serializable interfaces. ■ Write your own PrincipalValidationImpl class by implementing the weblogic.security.spi.PrincipalValidator SSPI. See Section 6.4.1, Implement the PrincipalValidator SSPI.

6.4.1 Implement the PrincipalValidator SSPI

To implement the PrincipalValidator SSPI, provide implementations for the following methods: ■ validate Note: By default, only the user or group name will be validated. If you want to validate your extra data members as well, then implement the getSignedData method. Principal Validation Providers 6-5 public boolean validatePrincipal principal throws SecurityException; The validate method takes a principal as an argument and attempts to validate it. In other words, this method verifies that the principal was not altered since it was signed. ■ sign public boolean signPrincipal principal; The sign method takes a principal as an argument and signs it to assure trust. This allows the principal to later be verified using the validate method. Your implementation of the sign method should be a secret algorithm that malicious individuals cannot easily recreate. You can include that algorithm within the sign method itself, have the sign method call out to a server for a token it should use to sign the principal, or implement some other way of signing the principal. ■ getPrincipalBaseClass public Class getPrincipalBaseClass; The getPrincipalBaseClass method returns the base class of principals that this Principal Validation provider knows how to validate and sign. For more information about the PrincipalValidator SSPI and the methods described above, see the WebLogic Server API Reference Javadoc. 6-6 Developing Security Providers for Oracle WebLogic Server 7 Authorization Providers 7-1 7 Authorization Providers Authorization is the process whereby the interactions between users and WebLogic resources are controlled, based on user identity or other information. In other words, authorization answers the question, What can you access? In WebLogic Server, an Authorization provider is used to limit the interactions between users and WebLogic resources to ensure integrity, confidentiality, and availability. The following sections describe Authorization provider concepts and functionality, and provide step-by-step instructions for developing a custom Authorization provider: ■ Section 7.1, Authorization Concepts