5-8 Developing Security Providers for Oracle WebLogic Server
1. Section 5.4.1, Create Runtime Classes Using the Appropriate SSPIs
2. Section 5.4.2, Generate an MBean Type Using the WebLogic MBeanMaker
3. Section 5.4.3, Configure the Custom Identity Assertion Provider Using the Administration Console
4. Consider whether you need to implement Challenge Identity Assertion, as described in Section 5.4.4, Challenge Identity Assertion.
5.4.1 Create Runtime Classes Using the Appropriate SSPIs
Before you start creating runtime classes, you should first:
■ Section 3.2.2, Understand the Purpose of the Provider SSPIs
■ Section 3.2.5, Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes
When you understand this information and have made your design decisions, create the runtime classes for your custom Identity Assertion provider by following these steps:
■ Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI
■ Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI
For an example of how to create a runtime class for a custom Identity Assertion provider, see Section 5.4.1.3, Example: Creating the Runtime Class for the Sample Identity Assertion Provider.
5.4.1.1 Implement the AuthenticationProviderV2 SSPI
To implement the AuthenticationProviderV2 SSPI, provide implementations for the methods described in Section 3.2.2, Understand the Purpose of the Provider SSPIs, and the following methods:
Note: If you want to create a separate LoginModule for your custom Identity Assertion provider (that is, not use the LoginModule from your Authentication provider), you also need to implement the JAAS LoginModule interface, as described in Section 4.4.1.2, Implement the JAAS LoginModule Interface.
Note: The AuthenticationProvider SSPI is deprecated in this release of WebLogic Server. Use the AuthenticationProviderV2 SSPI instead.
■ getLoginModuleConfiguration
public AppConfigurationEntry getLoginModuleConfiguration()
The getLoginModuleConfiguration method obtains information about the Authentication provider's associated LoginModule, which is returned as an AppConfigurationEntry. The AppConfigurationEntry is a Java Authentication and Authorization Service (JAAS) class that contains the classname of the LoginModule; the LoginModule's control flag, which was passed in via the Authentication provider's associated MBean; and a configuration options map for the LoginModule, which allows other configuration information to be passed into the LoginModule.
For more information about the AppConfigurationEntry class (located in the javax.security.auth.login package) and the control flag options for LoginModules, see the J2SE 6.0 API Specification for the AppConfigurationEntry class (http://java.sun.com/javase/6/docs/api/javax/security/auth/login/AppConfigurationEntry.html) and the Configuration class (http://java.sun.com/javase/6/docs/api/javax/security/auth/login/Configuration.html). For more information about LoginModules, see Section 4.1.2, LoginModules. For more information about security providers and MBeans, see Section 3.3.1, Understand Why You Need an MBean Type.
■ getAssertionModuleConfiguration
public AppConfigurationEntry getAssertionModuleConfiguration()
The getAssertionModuleConfiguration method obtains information about an Identity Assertion provider's associated LoginModule, which is returned as an AppConfigurationEntry. The AppConfigurationEntry is a JAAS class that contains the classname of the LoginModule; the LoginModule's control flag, which was passed in via the Identity Assertion provider's associated MBean; and a configuration options map for the LoginModule, which allows other configuration information to be passed into the LoginModule.
The LoginModules in this configuration must populate the Subject with the required Principals, such as those of type WLSGroup, and must trust that the user has already submitted sufficient proof to log in; they must not require a password or any other proof material.
■ getPrincipalValidator
public PrincipalValidator getPrincipalValidator()
The getPrincipalValidator method obtains a reference to the Principal Validation provider's runtime class (that is, the PrincipalValidator SSPI implementation). For more information, see Chapter 6, Principal Validation Providers.
■ getIdentityAsserter
public IdentityAsserterV2 getIdentityAsserter()
The getIdentityAsserter method obtains a reference to the Identity Assertion provider's runtime class (that is, the IdentityAsserterV2 SSPI implementation). For more information, see Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI.
Note: The assertIdentity method of an Identity Assertion provider is called every time identity assertion occurs, but the LoginModules may not be called if the Subject is cached. The -Dweblogic.security.identityAssertionTTL flag can be used to affect this behavior (for example, to modify the default TTL of 5 minutes, or to disable the cache by setting the flag to -1). It is the responsibility of the Identity Assertion provider to ensure not just that the token is valid, but also that the user is still valid (for example, that the user has not been deleted).
For more information about the AuthenticationProvider SSPI and the methods described above, see the WebLogic Server API Reference Javadoc.
5.4.1.2 Implement the IdentityAsserterV2 SSPI
To implement the IdentityAsserterV2 SSPI, provide an implementation for the following method:
■ assertIdentity
public CallbackHandler assertIdentity(String type, Object token, ContextHandler handler) throws IdentityAssertionException;
The assertIdentity method asserts an identity based on the token identity information that is supplied. In other words, the purpose of this method is to validate any tokens that are not currently trusted against trusted client principals. The type parameter represents the token type to be used for the identity assertion. Note that identity assertion types are case insensitive. The token parameter contains the actual identity information. The handler parameter is a ContextHandler object that can optionally be used to obtain additional information that may be used in asserting the identity. The CallbackHandler returned from the assertIdentity method is passed to all configured Authentication providers' LoginModules to perform principal mapping, and should contain the asserted username. If the CallbackHandler is null, this signifies that the anonymous user should be used.
A CallbackHandler is a highly flexible JAAS standard that allows a variable number of arguments to be passed as complex objects to a method. For more information about CallbackHandlers, see the J2SE 6.0 API Specification for the CallbackHandler interface (http://java.sun.com/javase/6/docs/api/javax/security/auth/callback/CallbackHandler.html).
Note: When the LoginModule used for the Identity Assertion provider is the same as that used for an existing Authentication provider, implementations for the methods in the AuthenticationProviderV2 SSPI (excluding the getIdentityAsserter method for Identity Assertion providers) can just return null. An example of this is shown in Example 5–4.
Note: The IdentityAsserterV2 SSPI includes additional token types and a handler parameter to the assertIdentity method that can optionally be used to obtain additional information when asserting the identity. Although the IdentityAsserter SSPI is still supported, you should consider using the IdentityAsserterV2 SSPI instead.
For more information about the IdentityAsserterV2 SSPI and the method described above, see the WebLogic Server API Reference Javadoc.
5.4.1.3 Example: Creating the Runtime Class for the Sample Identity Assertion Provider
Example 5–4 shows the SampleIdentityAsserterProviderImpl.java class, which is the runtime class for the sample Identity Assertion provider. This runtime class includes implementations for:
■ The three methods inherited from the SecurityProvider interface: initialize, getDescription, and shutdown, as described in Section 3.2.2, Understand the Purpose of the Provider SSPIs.
■ The four methods in the AuthenticationProviderV2 SSPI: the getLoginModuleConfiguration, getAssertionModuleConfiguration, getPrincipalValidator, and getIdentityAsserter methods, as described in Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI.
■ The method in the IdentityAsserterV2 SSPI: the assertIdentity method, described in Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI.
Note: The bold face code in Example 5–4 highlights the class declaration and the method signatures.
Example 5–4 SampleIdentityAsserterProviderImpl.java
package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
  // Token type and token format this sample asserts: a byte[] holding "username=<name>".
  final static private String TOKEN_TYPE   = "SamplePerimeterAtnToken";
  final static private String TOKEN_PREFIX = "username=";

  private String description;

  public void initialize(ProviderMBean mbean, SecurityServices services)
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
    SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean)mbean;
    description = myMBean.getDescription() + "\n" + myMBean.getVersion();
  }

  public String getDescription()
  {
    return description;
  }

  public void shutdown()
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
  }

  public IdentityAsserterV2 getIdentityAsserter()
  {
    return this;
  }

  public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
    throws IdentityAssertionException
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
    System.out.println("\tType\t\t= " + type);
    System.out.println("\tToken\t\t= " + token);

    // Reject any token type other than the one this provider handles.
    if (!(TOKEN_TYPE.equals(type))) {
      String error = "SimpleSampleIdentityAsserter received unknown token type \"" + type + "\"." +
        " Expected " + TOKEN_TYPE;
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // The token must be a byte[]; guard against a null token before calling getClass().
    if (!(token instanceof byte[])) {
      String error = "SimpleSampleIdentityAsserter received unknown token class \"" +
        (token == null ? "null" : token.getClass()) + "\"." + " Expected a byte[].";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    byte[] tokenBytes = (byte[])token;
    if (tokenBytes == null || tokenBytes.length < 1) {
      String error = "SimpleSampleIdentityAsserter received empty token byte array";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    String tokenStr = new String(tokenBytes);

    // The token string must carry the expected "username=" prefix (the message reports the token string).
    if (!(tokenStr.startsWith(TOKEN_PREFIX))) {
      String error = "SimpleSampleIdentityAsserter received unknown token string \"" + tokenStr + "\"." +
        " Expected " + TOKEN_PREFIX + "username";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // Everything after the prefix is the asserted user name; hand it to the LoginModules.
    String userName = tokenStr.substring(TOKEN_PREFIX.length());
    System.out.println("\tuserName\t= " + userName);

    return new SimpleSampleCallbackHandlerImpl(userName);
  }

  // This sample shares its LoginModule with an existing Authentication provider,
  // so the remaining AuthenticationProviderV2 methods can simply return null.
  public AppConfigurationEntry getLoginModuleConfiguration() { return null; }

  public AppConfigurationEntry getAssertionModuleConfiguration() { return null; }

  public PrincipalValidator getPrincipalValidator() { return null; }
}
Example 5–5 shows the sample CallbackHandler implementation that is used along with the SampleIdentityAsserterProviderImpl.java runtime class. This CallbackHandler implementation is used to send the username back to an Authentication provider's LoginModule.
Example 5–5 SampleCallbackHandlerImpl.java
package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

/*package*/ class SimpleSampleCallbackHandlerImpl implements CallbackHandler
{
  private String userName;

  /*package*/ SimpleSampleCallbackHandlerImpl(String user)
  {
    userName = user;
  }
  // Answers only NameCallbacks, supplying the asserted user name to the LoginModule.
  public void handle(Callback[] callbacks) throws UnsupportedCallbackException
  {
    for (int i = 0; i < callbacks.length; i++) {
      Callback callback = callbacks[i];
      if (!(callback instanceof NameCallback)) {
        throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
      }
      NameCallback nameCallback = (NameCallback)callback;
      nameCallback.setName(userName);
    }
  }
}
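As an added example (not part of Oracle's sample code), the following standalone Java class factors out the token checks that assertIdentity has to make for the sample's "username=" token and adds the checks a practitioner would want: a case-insensitive type comparison (Section 5.4.1.2 states that types are case insensitive), a null-safe class check, an explicit charset, and a lookup confirming that the user still exists, as the Note in Section 5.4.1.1 requires. The UserDirectory interface and the sample directory are assumptions for this example, not WebLogic APIs.

```java
import java.nio.charset.StandardCharsets;
import java.util.Set;

// Hypothetical user lookup (an assumption for this example, not a WebLogic API),
// used to confirm that the asserted user still exists.
interface UserDirectory {
    boolean isActive(String userName);
}
// Validates the sample's "username=<name>" perimeter token as assertIdentity must,
// and returns the user name that would be handed to the CallbackHandler.
public final class SampleTokenValidator {
    static final String TOKEN_TYPE = "SamplePerimeterAtnToken";
    static final String TOKEN_PREFIX = "username=";
    private final UserDirectory directory;

    public SampleTokenValidator(UserDirectory directory) { this.directory = directory; }

    public String assertUser(String type, Object token) {
        // Identity assertion types are case insensitive (Section 5.4.1.2).
        if (!TOKEN_TYPE.equalsIgnoreCase(type)) {
            throw new IllegalArgumentException("unknown token type: " + type);
        }
        // Check the class before touching the token, so a null token cannot cause an NPE.
        if (!(token instanceof byte[])) {
            throw new IllegalArgumentException("token must be a byte[], got "
                + (token == null ? "null" : token.getClass().getName()));
        }
        byte[] bytes = (byte[]) token;
        if (bytes.length == 0) throw new IllegalArgumentException("empty token");
        // Decode with an explicit charset; the sample relies on the platform default.
        String tokenStr = new String(bytes, StandardCharsets.UTF_8);
        if (!tokenStr.startsWith(TOKEN_PREFIX)) {
            throw new IllegalArgumentException("token does not start with " + TOKEN_PREFIX);
        }
        String userName = tokenStr.substring(TOKEN_PREFIX.length()).trim();
        if (userName.isEmpty()) throw new IllegalArgumentException("token carries no user name");
        // The Subject may be served from the identity-assertion cache (identityAssertionTTL),
        // so the LoginModules may not run: confirm here that the user is still valid.
        if (!directory.isActive(userName)) {
            throw new IllegalArgumentException("user is no longer valid: " + userName);
        }
        return userName;
    }

    public static void main(String[] args) {
        SampleTokenValidator v = new SampleTokenValidator(Set.of("alice")::contains); // constructed directory
        System.out.println(v.assertUser("sampleperimeteratntoken", "username=alice".getBytes(StandardCharsets.UTF_8)));
        try { v.assertUser(TOKEN_TYPE, "username=bob".getBytes(StandardCharsets.UTF_8)); } // bob was deleted
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

In a real provider each IllegalArgumentException would become an IdentityAssertionException, and the returned name would be wrapped in the CallbackHandler of Example 5–5.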
5.4.2 Generate an MBean Type Using the WebLogic MBeanMaker