Create Runtime Classes Using the Appropriate SSPIs

5-8 Developing Security Providers for Oracle WebLogic Server

1. Section 5.4.1, Create Runtime Classes Using the Appropriate SSPIs
2. Section 5.4.2, Generate an MBean Type Using the WebLogic MBeanMaker
3. Section 5.4.3, Configure the Custom Identity Assertion Provider Using the Administration Console
4. Consider whether you need to implement Challenge Identity Assertion, as described in Section 5.4.4, Challenge Identity Assertion.

5.4.1 Create Runtime Classes Using the Appropriate SSPIs

Before you start creating runtime classes, you should first:

■ Section 3.2.2, Understand the Purpose of the Provider SSPIs
■ Section 3.2.5, Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes

When you understand this information and have made your design decisions, create the runtime classes for your custom Identity Assertion provider by following these steps:

■ Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI
■ Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI

For an example of how to create a runtime class for a custom Identity Assertion provider, see Section 5.4.1.3, Example: Creating the Runtime Class for the Sample Identity Assertion Provider.

5.4.1.1 Implement the AuthenticationProviderV2 SSPI

To implement the AuthenticationProviderV2 SSPI, provide implementations for the methods described in Section 3.2.2, Understand the Purpose of the Provider SSPIs, and the following methods:

Note: If you want to create a separate LoginModule for your custom Identity Assertion provider (that is, not use the LoginModule from your Authentication provider), you also need to implement the JAAS LoginModule interface, as described in Section 4.4.1.2, Implement the JAAS LoginModule Interface.

Note: The AuthenticationProvider SSPI is deprecated in this release of WebLogic Server. Use the AuthenticationProviderV2 SSPI instead.

■ getLoginModuleConfiguration

  public AppConfigurationEntry getLoginModuleConfiguration()

  The getLoginModuleConfiguration method obtains information about the Authentication provider's associated LoginModule, which is returned as an AppConfigurationEntry. The AppConfigurationEntry is a Java Authentication and Authorization Service (JAAS) class that contains the classname of the LoginModule; the LoginModule's control flag (which was passed in via the Authentication provider's associated MBean); and a configuration options map for the LoginModule (which allows other configuration information to be passed into the LoginModule). For more information about the AppConfigurationEntry class (located in the javax.security.auth.login package) and the control flag options for LoginModules, see the J2SE 6.0 API Specification for the AppConfigurationEntry class (http://java.sun.com/javase/6/docs/api/javax/security/auth/login/AppConfigurationEntry.html) and the Configuration class (http://java.sun.com/javase/6/docs/api/javax/security/auth/login/Configuration.html). For more information about LoginModules, see Section 4.1.2, LoginModules. For more information about security providers and MBeans, see Section 3.3.1, Understand Why You Need an MBean Type.
■ getAssertionModuleConfiguration

  public AppConfigurationEntry getAssertionModuleConfiguration()

  The getAssertionModuleConfiguration method obtains information about an Identity Assertion provider's associated LoginModule, which is returned as an AppConfigurationEntry. The AppConfigurationEntry is a JAAS class that contains the classname of the LoginModule; the LoginModule's control flag (which was passed in via the Identity Assertion provider's associated MBean); and a configuration options map for the LoginModule (which allows other configuration information to be passed into the LoginModule). The LoginModules in this configuration must populate the Subject with required Principals, such as those of type WLSGroup, and must trust that the user has submitted sufficient proof to login and not require a password or some other proof material.

■ getPrincipalValidator

  public PrincipalValidator getPrincipalValidator()

  The getPrincipalValidator method obtains a reference to the Principal Validation provider's runtime class (that is, the PrincipalValidator SSPI implementation). For more information, see Chapter 6, Principal Validation Providers.

■ getIdentityAsserter

  public IdentityAsserterV2 getIdentityAsserter()

  The getIdentityAsserter method obtains a reference to the Identity Assertion provider's runtime class (that is, the IdentityAsserterV2 SSPI implementation).

Note: The assertIdentity method of an Identity Assertion provider is called every time identity assertion occurs, but the LoginModules may not be called if the Subject is cached. The -Dweblogic.security.identityAssertionTTL flag can be used to affect this behavior (for example, to modify the default TTL of 5 minutes or to disable the cache by setting the flag to -1). It is the responsibility of the Identity Assertion provider to ensure not just that the token is valid, but also that the user is still valid (for example, the user has not been deleted).
For more information, see Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI. For more information about the AuthenticationProvider SSPI and the methods described above, see the WebLogic Server API Reference Javadoc.
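The two methods above that return an AppConfigurationEntry are described in terms of what the entry carries (the LoginModule class name, the control flag taken from the MBean, and an options map), but the sample in Section 5.4.1.3 returns null for both because it reuses an Authentication provider's LoginModule. The following is an added example, not code from the WebLogic sample, of how a provider that ships its own LoginModule would build that entry with the standard JAAS constructor. The LoginModule class name, the option keys, and the string form in which the MBean exposes the control flag are assumptions.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

// Added example (not part of the WebLogic sample): builds the AppConfigurationEntry
// that an Identity Assertion provider's getAssertionModuleConfiguration() returns.
public final class AssertionModuleConfigBuilder {

    // Hypothetical LoginModule class; a real provider names its own implementation.
    static final String LOGIN_MODULE_CLASS =
        "examples.security.providers.identityassertion.simple.SimpleSampleLoginModule";

    // Maps the control-flag string assumed to come from the provider MBean onto the
    // JAAS constant. An unrecognised value is an error, not a silent fallback to
    // OPTIONAL, because the flag decides whether a failing module blocks the login.
    static LoginModuleControlFlag toControlFlag(String flag) {
        if (flag == null) {
            throw new IllegalArgumentException("control flag is null");
        }
        switch (flag.trim().toUpperCase(Locale.ROOT)) {
            case "REQUIRED":   return LoginModuleControlFlag.REQUIRED;
            case "REQUISITE":  return LoginModuleControlFlag.REQUISITE;
            case "SUFFICIENT": return LoginModuleControlFlag.SUFFICIENT;
            case "OPTIONAL":   return LoginModuleControlFlag.OPTIONAL;
            default:
                throw new IllegalArgumentException("unknown control flag: " + flag);
        }
    }

    // Returns the entry the SSPI method would hand back. The options map is whatever
    // the LoginModule's initialize() reads; the two keys here are hypothetical.
    static AppConfigurationEntry build(String controlFlag, String providerName) {
        Map<String, Object> options = new HashMap<String, Object>();
        options.put("IdentityAssertion", "true");
        options.put("ProviderName", providerName);
        return new AppConfigurationEntry(LOGIN_MODULE_CLASS,
                                         toControlFlag(controlFlag),
                                         Collections.unmodifiableMap(options));
    }

    public static void main(String[] args) {
        AppConfigurationEntry entry = build("REQUIRED", "SimpleSampleIdentityAsserter");
        System.out.println(entry.getLoginModuleName());
        System.out.println(entry.getControlFlag());
        System.out.println(entry.getOptions());
    }
}
```

Inside a provider, getAssertionModuleConfiguration() would call build() with the values read from the provider's MBean in initialize(). The entry returned for an Identity Assertion provider must name a LoginModule that populates the Subject without asking for a password, as the text above requires, so the same builder should not be reused unchanged for getLoginModuleConfiguration() unless that LoginModule is appropriate for both paths.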

5.4.1.2 Implement the IdentityAsserterV2 SSPI

To implement the IdentityAsserterV2 SSPI, provide an implementation for the following method:

■ assertIdentity

  public CallbackHandler assertIdentity(String type, Object token, ContextHandler handler) throws IdentityAssertionException;

  The assertIdentity method asserts an identity based on the token identity information that is supplied. In other words, the purpose of this method is to validate any tokens that are not currently trusted against trusted client principals. The type parameter represents the token type to be used for the identity assertion. Note that identity assertion types are case insensitive. The token parameter contains the actual identity information. The handler parameter is a ContextHandler object that can optionally be used to obtain additional information that may be used in asserting the identity. The CallbackHandler returned from the assertIdentity method is passed to all configured Authentication providers' LoginModules to perform principal mapping, and should contain the asserted username. If the CallbackHandler is null, this signifies that the anonymous user should be used. A CallbackHandler is a highly flexible JAAS standard that allows a variable number of arguments to be passed as complex objects to a method. For more information about CallbackHandlers, see the J2SE 6.0 API Specification for the CallbackHandler interface (http://java.sun.com/javase/6/docs/api/javax/security/auth/callback/CallbackHandler.html).

Note: When the LoginModule used for the Identity Assertion provider is the same as that used for an existing Authentication provider, implementations for the methods in the AuthenticationProviderV2 SSPI (excluding the getIdentityAsserter method for Identity Assertion providers) can just return null. An example of this is shown in Example 5–4.

Note: The IdentityAsserterV2 SSPI includes additional token types and a handler parameter to the assertIdentity method that can optionally be used to obtain additional information when asserting the identity. Although the IdentityAsserter SSPI is still supported, you should consider using the IdentityAsserterV2 SSPI instead.

For more information about the IdentityAsserterV2 SSPI and the method described above, see the WebLogic Server API Reference Javadoc.

5.4.1.3 Example: Creating the Runtime Class for the Sample Identity Assertion Provider

Example 5–4 shows the SampleIdentityAsserterProviderImpl.java class, which is the runtime class for the sample Identity Assertion provider. This runtime class includes implementations for:

■ The three methods inherited from the SecurityProvider interface: initialize, getDescription, and shutdown (as described in Section 3.2.2, Understand the Purpose of the Provider SSPIs).
■ The four methods in the AuthenticationProviderV2 SSPI: the getLoginModuleConfiguration, getAssertionModuleConfiguration, getPrincipalValidator, and getIdentityAsserter methods (as described in Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI).
■ The method in the IdentityAsserterV2 SSPI: the assertIdentity method (described in Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI).

Note: The bold face code in Example 5–4 highlights the class declaration and the method signatures.

Example 5–4 SampleIdentityAsserterProviderImpl.java

package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
  // The only token type this asserter accepts, and the prefix the token payload must carry.
  final static private String TOKEN_TYPE = "SamplePerimeterAtnToken";
  final static private String TOKEN_PREFIX = "username=";

  private String description;

  public void initialize(ProviderMBean mbean, SecurityServices services)
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
    // SimpleSampleIdentityAsserterMBean is the MBean type generated in Section 5.4.2 (same package).
    SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean)mbean;
    description = myMBean.getDescription() + "\n" + myMBean.getVersion();
  }

  public String getDescription()
  {
    return description;
  }

  public void shutdown()
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
  }

  public IdentityAsserterV2 getIdentityAsserter()
  {
    return this;
  }

  public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws IdentityAssertionException
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
    System.out.println("\tType\t\t= " + type);
    System.out.println("\tToken\t\t= " + token);

    // Reject any token type other than the one this asserter was written for.
    if (!(TOKEN_TYPE.equals(type))) {
      String error =
        "SimpleSampleIdentityAsserter received unknown token type \"" + type + "\"." +
        " Expected " + TOKEN_TYPE;
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // The sample token is a byte array; any other class is an error.
    if (!(token instanceof byte[])) {
      String error =
        "SimpleSampleIdentityAsserter received unknown token class \"" + token.getClass() + "\"." +
        " Expected a byte[].";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    byte[] tokenBytes = (byte[])token;
    if (tokenBytes == null || tokenBytes.length < 1) {
      String error = "SimpleSampleIdentityAsserter received empty token byte array";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    String tokenStr = new String(tokenBytes);

    // The payload must be of the form username=<name>.
    if (!(tokenStr.startsWith(TOKEN_PREFIX))) {
      // The message reports the token string that was rejected (the original printed the type here).
      String error =
        "SimpleSampleIdentityAsserter received unknown token string \"" + tokenStr + "\"." +
        " Expected " + TOKEN_PREFIX + "username";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // Everything after the prefix is the asserted user name, handed to the LoginModules
    // through the CallbackHandler in Example 5-5.
    String userName = tokenStr.substring(TOKEN_PREFIX.length());
    System.out.println("\tuserName\t= " + userName);
    return new SimpleSampleCallbackHandlerImpl(userName);
  }

  // This sample reuses an Authentication provider's LoginModule, so the
  // remaining AuthenticationProviderV2 methods return null (see the note in Section 5.4.1.2).
  public AppConfigurationEntry getLoginModuleConfiguration()
  {
    return null;
  }

  public AppConfigurationEntry getAssertionModuleConfiguration()
  {
    return null;
  }

  public PrincipalValidator getPrincipalValidator()
  {
    return null;
  }
}

Example 5–5 shows the sample CallbackHandler implementation that is used along with the SampleIdentityAsserterProviderImpl.java runtime class. This CallbackHandler implementation is used to send the username back to an Authentication provider's LoginModule.

Example 5–5 SampleCallbackHandlerImpl.java

package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

/*package*/ class SimpleSampleCallbackHandlerImpl implements CallbackHandler
{
  private String userName;

  /*package*/ SimpleSampleCallbackHandlerImpl(String user)
  {
    userName = user;
  }

  // Answers NameCallbacks with the asserted user name; any other callback is unsupported.
  public void handle(Callback[] callbacks) throws UnsupportedCallbackException
  {
    for (int i = 0; i < callbacks.length; i++) {
      Callback callback = callbacks[i];
      if (!(callback instanceof NameCallback)) {
        throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
      }
      NameCallback nameCallback = (NameCallback)callback;
      nameCallback.setName(userName);
    }
  }
}
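The checks that assertIdentity performs in Example 5–4 are the part of an Identity Assertion provider most worth exercising with malformed input, but the sample is tied to the weblogic.* SPI classes and so cannot be run outside the server. The following is an added example, not part of the Oracle sample, that carries the same token checks into a helper that depends only on the JDK and tightens them along the lines the text calls for: the type comparison is case insensitive (Section 5.4.1.2), a null or oversized token is rejected without a NullPointerException, the payload is decoded with an explicit charset, the rejected token is not echoed into the log message, and the asserted user is looked up in a user store before being returned, as the note in Section 5.4.1.1 requires. The size bound, the user-name syntax rule, the in-memory user set and the InvalidTokenException type are assumptions made for this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not part of the WebLogic sample: the token checks from
// SimpleSampleIdentityAsserterProviderImpl.assertIdentity, free of WebLogic classes.
public final class PerimeterTokenValidator {

    static final String TOKEN_TYPE = "SamplePerimeterAtnToken";
    static final String TOKEN_PREFIX = "username=";
    // Upper bound on token size; assumed value, the sample has no such limit.
    static final int MAX_TOKEN_BYTES = 256;

    // Raised for any rejected token. In the provider, catch it and rethrow as
    // weblogic.security.spi.IdentityAssertionException.
    public static final class InvalidTokenException extends Exception {
        InvalidTokenException(String msg) { super(msg); }
    }

    // Stand-in for the user-store lookup that Section 5.4.1.1 requires: the asserter
    // must confirm the user still exists, not only that the token parses.
    private final Set<String> knownUsers;

    public PerimeterTokenValidator(Set<String> knownUsers) {
        this.knownUsers = new HashSet<String>(knownUsers);
    }

    // Returns the asserted user name or throws. Nothing from the token is copied
    // into the exception message, because that message ends up in the server log.
    public String assertUserName(String type, Object token) throws InvalidTokenException {
        // Identity assertion types are case insensitive (Section 5.4.1.2).
        if (type == null || !TOKEN_TYPE.equalsIgnoreCase(type)) {
            throw new InvalidTokenException("unknown token type; expected " + TOKEN_TYPE);
        }
        // A null token fails instanceof, so it is rejected here without dereferencing it.
        if (!(token instanceof byte[])) {
            throw new InvalidTokenException("unknown token class; expected byte[]");
        }
        byte[] bytes = (byte[]) token;
        if (bytes.length == 0 || bytes.length > MAX_TOKEN_BYTES) {
            throw new InvalidTokenException("token length out of range");
        }
        // Explicit charset: new String(bytes) would use the platform default.
        String tokenStr = new String(bytes, StandardCharsets.UTF_8);
        if (!tokenStr.startsWith(TOKEN_PREFIX)) {
            throw new InvalidTokenException("malformed token; expected " + TOKEN_PREFIX + "<username>");
        }
        String userName = tokenStr.substring(TOKEN_PREFIX.length());
        // Assumed user-name syntax for this example: printable ASCII without whitespace.
        if (userName.isEmpty() || !userName.chars().allMatch(c -> c > 0x20 && c < 0x7f)) {
            throw new InvalidTokenException("malformed user name");
        }
        if (!knownUsers.contains(userName)) {
            throw new InvalidTokenException("user is not valid");
        }
        return userName;
    }

    // Constructed inputs: the accepted forms plus one input per rejection branch.
    public static void main(String[] args) {
        PerimeterTokenValidator v = new PerimeterTokenValidator(
            new HashSet<String>(Arrays.asList("alice", "bob")));
        Object[][] cases = {
            { "SamplePerimeterAtnToken", "username=alice".getBytes(StandardCharsets.UTF_8) },
            { "sampleperimeteratntoken", "username=bob".getBytes(StandardCharsets.UTF_8) },
            { "OtherToken",              "username=alice".getBytes(StandardCharsets.UTF_8) },
            { "SamplePerimeterAtnToken", "username=alice" },                 // wrong class
            { "SamplePerimeterAtnToken", null },                             // null token
            { "SamplePerimeterAtnToken", new byte[0] },                      // empty
            { "SamplePerimeterAtnToken", "user=alice".getBytes(StandardCharsets.UTF_8) },
            { "SamplePerimeterAtnToken", "username=".getBytes(StandardCharsets.UTF_8) },
            { "SamplePerimeterAtnToken", "username=carol".getBytes(StandardCharsets.UTF_8) },
        };
        for (Object[] c : cases) {
            try {
                System.out.println("accepted: " + v.assertUserName((String) c[0], c[1]));
            } catch (InvalidTokenException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Wired into the provider, assertIdentity would call assertUserName(type, token), wrap any InvalidTokenException in an IdentityAssertionException, and return new SimpleSampleCallbackHandlerImpl(userName) exactly as Example 5–4 does. Because assertIdentity runs on every assertion even when the Subject is cached and the LoginModules are skipped (the note on -Dweblogic.security.identityAssertionTTL above), the user-store check belongs here rather than in the LoginModule.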

5.4.2 Generate an MBean Type Using the WebLogic MBeanMaker