5-2 Understanding Security for Oracle WebLogic Server
The primary function of the WebLogic Security Framework is to provide a simplified application programming interface (API) that security and application developers can use to define security services. Within that context, the WebLogic Security Framework also acts as an intermediary between the WebLogic containers (Web and EJB), the Resource containers, and the security providers.
The following sections describe the interactions between the WebLogic containers and Resource containers and each of the security providers via the WebLogic Security Framework:
■ Section 5.1.1, The Authentication Process
■ Section 5.1.2, The Identity Assertion Process
■ Section 5.1.3, The Principal Validation Process
■ Section 5.1.4, The Authorization Process
■ Section 5.1.5, The Adjudication Process
■ Section 5.1.6, The Role Mapping Process
■ Section 5.1.7, The Auditing Process
■ Section 5.1.8, The Credential Mapping Process
■ Section 5.1.9, The Certificate Lookup and Validation Process
5.1.1 The Authentication Process
Figure 5–2 shows the authentication process for a fat-client login. JAAS runs on the server to perform the login. Even in the case of a thin-client login (that is, a Web browser client), JAAS still runs on the server.
Figure 5–2 The Authentication Process
When a user attempts to log into a system using a username/password combination, WebLogic Server establishes trust by validating that user's username and password, and returns a subject that is populated with principals per JAAS requirements. As Figure 5–2 also shows, this process requires the use of a LoginModule and a Principal Validation provider. For more information on Principal Validation providers, see Section 5.5.8, WebLogic Principal Validation Provider.
Note: Only developers of custom Authentication providers will be involved with this JAAS process directly. The client application could use either a JNDI InitialContext or JAAS to initiate the passing of the username and password.
After successfully proving a caller's identity, an authentication context is established, which allows an identified user or system to be authenticated to other entities. Authentication contexts may also be delegated to an application component, allowing that component to call another application component while impersonating the original caller.
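The Note in this section says a client can start the login either through a JNDI InitialContext or through JAAS. The following added example (it is not code from the Oracle documentation) shows both paths in one fat-client class. The server URL t3://localhost:7001, the user alice with password s3cret, and the JAAS configuration entry name WLSClient are assumptions; the class needs a WebLogic client library (for example wlfullclient.jar) on the classpath and a running server, because the LoginModule contacts the server rather than checking the password locally.

```java
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import weblogic.security.Security;
import weblogic.security.URLCallback;

/** Two ways for a fat client to hand its username/password to WebLogic Server. */
public class ClientLoginDemo {
    // Assumed server address for the example.
    static final String SERVER_URL = "t3://localhost:7001";

    /**
     * Option 1: JNDI. The credentials travel in the InitialContext environment and
     * the server runs its Authentication providers when the context is created.
     */
    static Context loginViaJndi(String user, char[] password) throws NamingException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        env.put(Context.PROVIDER_URL, SERVER_URL);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        return new InitialContext(env); // throws NamingException if authentication fails
    }

    /**
     * Option 2: JAAS. The CallbackHandler answers the callbacks issued by
     * weblogic.security.auth.login.UsernamePasswordLoginModule: name, password and server URL.
     */
    static Subject loginViaJaas(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else if (cb instanceof URLCallback) {
                    ((URLCallback) cb).setURL(SERVER_URL);
                } else {
                    throw new UnsupportedCallbackException(cb, "unrecognized callback");
                }
            }
        };
        // "WLSClient" is an assumed entry in the file named by -Djava.security.auth.login.config:
        //   WLSClient { weblogic.security.auth.login.UsernamePasswordLoginModule required; };
        LoginContext lc = new LoginContext("WLSClient", handler);
        lc.login();             // the LoginModule authenticates against the server
        return lc.getSubject(); // populated with the principals the server returned
    }

    public static void main(String[] args) throws Exception {
        char[] password = "s3cret".toCharArray(); // assumed credential
        Context ctx = loginViaJndi("alice", password);
        System.out.println("JNDI login succeeded");
        ctx.close();

        Subject subject = loginViaJaas("alice", password);
        System.out.println("JAAS principals: " + subject.getPrincipals());
        // Server calls made inside runAs carry the authenticated subject.
        Security.runAs(subject, (PrivilegedAction<Void>) () -> {
            System.out.println("running as " + subject.getPrincipals());
            return null;
        });
        Arrays.fill(password, '\0'); // do not leave the secret in memory
    }
}
```

Both paths end in the same place: the server-side LoginModules run and the Subject is populated on the server. With the JNDI path the Subject is not visible to the client code, which is why the JAAS path with Security.runAs is preferred when the client needs to make several calls as the same identity or to switch identities.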
5.1.2 The Identity Assertion Process
Identity Assertion providers are used as part of the perimeter authentication process. When perimeter authentication is used (see Figure 5–3), a token from outside of the WebLogic Server domain is passed to an Identity Assertion provider in a security realm that is responsible for validating tokens of that type and that is configured as active. If the token is successfully validated, the Identity Assertion provider maps the token to a WebLogic Server username and sends that username back to WebLogic Server, which then continues the authentication process. Specifically, the username is sent via a JAAS CallbackHandler and passed to each configured Authentication provider's LoginModule so that the LoginModule can populate the subject with the appropriate principals.
Figure 5–3 Perimeter Authentication
As Figure 5–3 also shows, perimeter authentication requires the same components as the authentication process, but also adds an Identity Assertion provider.
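To show the two paths described in Sections 5.1.1 and 5.1.2 side by side, here is an added example written against the plain JDK JAAS API (javax.security.auth); it is not Oracle's code and does not use the WebLogic SPI. One LoginModule checks a password when the CallbackHandler supplies one and accepts an already-asserted username when the handler can answer only a NameCallback, which is how the Identity Assertion provider described above passes the mapped username on. The user table, the token table, the token type name DemoToken and the DemoPrincipal record (a stand-in for the WebLogic principal classes a real provider would use) are all constructed for the example; the code needs Java 16 or later for the record.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Stand-in principal; a WebLogic provider would add WLSUserImpl/WLSGroupImpl instead. */
record DemoPrincipal(String name) implements Principal { public String getName() { return name; } }

/** One LoginModule serving both direct (username/password) and perimeter (asserted) logins. */
public class DemoLoginModule implements LoginModule {
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");   // constructed user store
    private static final Map<String, String> TOKENS = Map.of("tok-9f1", "alice"); // constructed token table
    private Subject subject;
    private CallbackHandler handler;
    private String user;
    private boolean succeeded;

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    @Override public boolean login() throws LoginException {
        NameCallback nameCb = new NameCallback("username: ");
        PasswordCallback pwCb = new PasswordCallback("password: ", false);
        boolean asserted = false;
        try {
            handler.handle(new Callback[] { nameCb, pwCb });
        } catch (UnsupportedCallbackException e) {
            // An Identity Assertion CallbackHandler serves only the NameCallback: the token
            // was already validated by the asserter, so there is no password to check here.
            asserted = true;
            try { handler.handle(new Callback[] { nameCb }); }
            catch (Exception inner) { throw new LoginException("no username: " + inner); }
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e);
        }
        user = nameCb.getName();
        if (user == null || user.isEmpty()) throw new LoginException("no username supplied");
        if (!asserted) {
            char[] pw = pwCb.getPassword();
            pwCb.clearPassword();
            String expected = USERS.get(user);
            // Constant-time compare; unknown user and wrong password fail identically.
            if (pw == null || expected == null || !MessageDigest.isEqual(
                    new String(pw).getBytes(StandardCharsets.UTF_8),
                    expected.getBytes(StandardCharsets.UTF_8))) {
                throw new LoginException("authentication failed");
            }
        }
        succeeded = true;
        return true;
    }

    @Override public boolean commit() {
        if (succeeded) subject.getPrincipals().add(new DemoPrincipal(user)); // populate the subject
        return succeeded;
    }
    @Override public boolean abort() { user = null; succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof DemoPrincipal); return true; }

    /** Perimeter side: validate the token and, like an Identity Assertion provider, hand back
     *  a CallbackHandler that can answer only a NameCallback for the mapped username. */
    static CallbackHandler assertIdentity(String tokenType, Object token) throws LoginException {
        if (!"DemoToken".equals(tokenType) || !(token instanceof String))
            throw new LoginException("unsupported token type: " + tokenType);
        String mapped = TOKENS.get(token);
        if (mapped == null) throw new LoginException("token rejected");
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(mapped);
                else throw new UnsupportedCallbackException(cb, "identity asserted; no password");
            }
        };
    }

    /** Drive the module the way a LoginContext would: initialize, login, commit (or abort). */
    static Subject run(CallbackHandler h) throws LoginException {
        Subject s = new Subject();
        DemoLoginModule m = new DemoLoginModule();
        m.initialize(s, h, Map.of(), Map.of());
        try { m.login(); m.commit(); } catch (LoginException e) { m.abort(); throw e; }
        return s;
    }

    public static void main(String[] args) throws Exception {
        CallbackHandler direct = callbacks -> { // direct login: name and password supplied
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName("alice");
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword("s3cret".toCharArray());
            }
        };
        System.out.println("direct:   " + run(direct).getPrincipals());
        // Perimeter login: token -> username first, then the same LoginModule runs.
        System.out.println("asserted: " + run(assertIdentity("DemoToken", "tok-9f1")).getPrincipals());
        try { assertIdentity("DemoToken", "bogus"); } // a bad token never reaches the LoginModule
        catch (LoginException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The design point to take from this is where trust is decided. In the direct path the LoginModule itself verifies the secret; in the perimeter path the asserter has already verified the token, and the only thing it gives the LoginModule is a username through a CallbackHandler that refuses every other callback. A LoginModule that silently accepted a missing password without that UnsupportedCallbackException signal would let any caller log in by name alone, so the distinction between "no password offered" and "identity already asserted" must be explicit, as it is here.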
5.1.3 The Principal Validation Process