
3-34 Developing Security Providers for Oracle WebLogic Server

Table 3–12 (Cont.) Methods and Classes that Support Context Handlers

Method: RoleMapper.getRoles
Description: The getRoles method accepts a ContextHandler object that can optionally be used by the Role Mapping provider to obtain additional information that may be used in making the authorization decision. If the caller is unable to provide additional information, a null value should be specified.

Method: URLCallbackHandler and SimpleCallbackHandler classes
Description: As of WebLogic Server version 9.0, the weblogic.security.URLCallbackHandler and weblogic.security.SimpleCallbackHandler classes were updated to handle the ContextHandler. URLCallbackHandler is a CallbackHandler used by application developers for returning a username, password, URL, and ContextHandler as part of the Authenticate API. SimpleCallbackHandler is a simple CallbackHandler used by application developers for returning a username, password, and ContextHandler as part of the Authenticate API.

3.7 Initialization of the Security Provider Database

Note: Prior to reviewing this section, be sure you have read Security Provider Databases in Understanding Security for Oracle WebLogic Server.

At minimum, you must initialize security provider databases with the default users, groups, security policies, security roles, or credentials that your Authentication, Authorization, Role Mapping, and Credential Mapping providers expect. You will need to initialize a given security provider database before the security provider can be used, and should think about how this will work as you are writing the runtime classes for your custom security providers. The method you use to initialize a security provider database depends upon many factors, including whether or not an externally administered database will be used to store the user, group, security policy, security role, or credential information, and whether or not the database already exists or needs to be created.

The following sections explain some best practices for initializing a security provider database:

■ Section 3.7.1, Best Practice: Create a Simple Database If None Exists
■ Section 3.7.2, Best Practice: Configure an Existing Database
■ Section 3.7.3, Best Practice: Delegate Database Initialization
■ Section 3.7.4, Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections

3.7.1 Best Practice: Create a Simple Database If None Exists

The first time an Authentication, Authorization, Role Mapping, or Credential Mapping provider is used, it attempts to locate a database with the information it needs to provide its security service. If the security provider fails to locate the database, you can have it create one and automatically populate it with the default users, groups, security policies, security roles, and credentials. This option may be useful for development and testing purposes. Both the WebLogic security providers and the sample security providers follow this practice. The WebLogic Authentication, Authorization, Role Mapping, and Credential Mapping providers store the user, group, security policy, security role, and credential information in the embedded LDAP server. If you want to use any of these WebLogic security providers, you will need to follow the Configuring the Embedded LDAP Server instructions in Securing Oracle WebLogic Server.
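The locate-or-seed behaviour described above, as an added example that is not part of the Oracle documentation or of the WebLogic SSPI: a hypothetical SimpleProviderDatabase class in plain Java, with no WebLogic dependencies, that a custom provider could call from its initialization code. The file layout, file names and the default user, group, role and policy entries are assumptions; the class refuses to overwrite a database it finds, and stores only a salted PBKDF2 hash of the seeded administrator password.

```java
import java.io.IOException;
import java.io.Writer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical file-backed store that a custom provider seeds on first use (development/test only). */
public final class SimpleProviderDatabase {
    private final Path root;
    public SimpleProviderDatabase(Path root) { this.root = root; }

    /** Locates the store; if it is missing, creates and seeds it. Returns true only when it was created. */
    public boolean initializeIfMissing(String adminUser, char[] adminPassword) throws Exception {
        if (Files.exists(root.resolve("users.properties"))) {
            return false;                       // existing database found: never overwrite it
        }
        Files.createDirectories(root);
        Properties users = new Properties();    // user -> salted PBKDF2 hash, never the clear-text password
        users.setProperty(adminUser, pbkdf2(adminPassword));
        Properties groups = new Properties();   // group -> comma-separated members (assumed layout)
        groups.setProperty("Administrators", adminUser);
        Properties roles = new Properties();    // security role -> group granted that role
        roles.setProperty("Admin", "Administrators");
        Properties policies = new Properties(); // protected resource -> roles allowed to access it
        policies.setProperty("admin-console", "Admin");
        store(users, "users.properties");
        store(groups, "groups.properties");
        store(roles, "roles.properties");
        store(policies, "policies.properties");
        return true;
    }

    private void store(Properties p, String name) throws IOException {
        try (Writer w = Files.newBufferedWriter(root.resolve(name))) {
            p.store(w, "seeded defaults; switch to a managed database before production use");
        }
    }

    /** Salted PBKDF2-HMAC-SHA256 (JDK built-in), stored as base64(salt):base64(hash). */
    private static String pbkdf2(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        PBEKeySpec spec = new PBEKeySpec(password, salt, 310_000, 256);
        byte[] hash = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return Base64.getEncoder().encodeToString(salt) + ":" + Base64.getEncoder().encodeToString(hash);
    }
}
```

A second start with the same root directory returns false and leaves the seeded files untouched, which is the property that keeps an automatically created development database from silently replacing one an administrator has already changed.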

3.7.2 Best Practice: Configure an Existing Database