Security Realms 4-9
Principal Validation providers are discussed in more detail in Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.
4.6.2.4 Authorization Providers
Authorization providers control access to WebLogic resources based on the security role a user or group is granted, and the security policy assigned to the requested
WebLogic resource. For more information about WebLogic resources, security roles, and security policies, see Securing Resources Using Roles and Policies for Oracle WebLogic
Server.
An Access Decision is the part of the Authorization provider that actually determines whether a subject has permission to perform a given operation on a WebLogic
resource. For more information, see Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.
You must have at least one Authorization provider in a security realm, and you can configure multiple Authorization providers in a security realm. Having multiple
Authorization providers allows you to follow a more modular design. For example, you may want to have one Authorization provider that handles Web application and
Enterprise JavaBean (EJB) permissions and another that handles permissions for other types of WebLogic resources. Another example might be to have one Authorization
provider that handles domestic employees, and another that handles permissions for overseas employees.
WebLogic Server includes bulk access versions of the following Authorization provider SSPI interfaces:
■ BulkAuthorizationProvider
■ BulkAccessDecision
The bulk access SSPI interfaces allow Authorization providers to receive multiple
decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take
advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the
same decision result.
Authorization providers and Access Decisions are discussed in more detail in Authorization Providers in Developing Security Providers for Oracle WebLogic Server.
4.6.2.5 Adjudication Providers
As part of an Authorization provider, an Access Decision determines whether a subject has permission to access a given WebLogic resource. Therefore, if multiple
Authorization providers are configured, each may return a different answer to the "is access allowed?" question. These answers may be PERMIT, DENY, or ABSTAIN.
Determining what to do if multiple Authorization providers' Access Decisions do not agree on an answer is the function of an Adjudication provider. The Adjudication
provider resolves authorization conflicts by weighing each Access Decision's answer and returning a final result. If you only have one Authorization provider and no
Adjudication provider, then an ABSTAIN returned from the single Authorization provider's Access Decision is treated like a DENY.
Note: You cannot use the WebLogic Server Administration Console
to configure Principal Validation providers directly. WebLogic Server configures the required Principal Validation providers for you when
you configure your Authentication providers.
4-10 Understanding Security for Oracle WebLogic Server
You must configure an Adjudication provider in a security realm only if you have multiple Authorization providers configured. You can have only one Adjudication
provider in a security realm.
WebLogic Server includes bulk access versions of the following Adjudication provider SSPI interfaces:
■ BulkAdjudicationProvider
■ BulkAdjudicator
The bulk access SSPI interfaces allow Adjudication providers to receive multiple
decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take
advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the
same decision result.
Adjudication providers are discussed in more detail in Adjudication Providers in Developing Security Providers for Oracle WebLogic Server.
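The conflict resolution described above, as an added example that is not taken from this guide or from WebLogic Server code: a standalone Java model of weighing PERMIT, DENY, and ABSTAIN answers, including the single-provider case and a bulk call. The class, the method names, the requireUnanimousPermit flag, and the resource ids are hypothetical, and the weighing rule is an assumption; it does not use the real SSPI interfaces.

```java
import java.util.*;

public class AdjudicationSketch {
    // The three answers an Access Decision can return, as named in the text.
    enum Result { PERMIT, DENY, ABSTAIN }

    // Hypothetical rule (an assumption, not WebLogic's adjudicator): any DENY
    // wins; if requireUnanimousPermit is set, an ABSTAIN also blocks access;
    // otherwise at least one PERMIT is needed.
    static boolean adjudicate(List<Result> answers, boolean requireUnanimousPermit) {
        if (answers.size() == 1) {
            // One Authorization provider, no adjudication: ABSTAIN acts like DENY.
            return answers.get(0) == Result.PERMIT;
        }
        boolean sawPermit = false;
        for (Result r : answers) {
            if (r == Result.DENY) return false;
            if (r == Result.ABSTAIN && requireUnanimousPermit) return false;
            if (r == Result.PERMIT) sawPermit = true;
        }
        return sawPermit; // empty or all-ABSTAIN input fails closed
    }

    // Bulk form: one call resolves many resources; a missing answer counts as ABSTAIN.
    static Set<String> adjudicateBulk(List<Map<String, Result>> perProvider,
                                      List<String> resources, boolean strict) {
        Set<String> permitted = new LinkedHashSet<>();
        for (String resource : resources) {
            List<Result> answers = new ArrayList<>();
            for (Map<String, Result> decisions : perProvider) {
                answers.add(decisions.getOrDefault(resource, Result.ABSTAIN));
            }
            if (adjudicate(answers, strict)) permitted.add(resource);
        }
        return permitted;
    }

    public static void main(String[] args) {
        // Constructed sample: two providers answering for three resource ids.
        Map<String, Result> webEjb = Map.of("ejb:Payroll", Result.PERMIT, "url:/admin", Result.DENY);
        Map<String, Result> other = Map.of("ejb:Payroll", Result.ABSTAIN,
                "url:/admin", Result.PERMIT, "jms:Orders", Result.PERMIT);
        List<String> resources = List.of("ejb:Payroll", "url:/admin", "jms:Orders");
        List<Map<String, Result>> all = List.of(webEjb, other);
        System.out.println("lenient: " + adjudicateBulk(all, resources, false));
        System.out.println("strict:  " + adjudicateBulk(all, resources, true));
        System.out.println("single ABSTAIN: " + adjudicate(List.of(Result.ABSTAIN), true));
    }
}
```

Both modes fail closed: a resource for which no provider returns PERMIT is never granted, so adding a provider that only abstains cannot widen access.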
4.6.2.6 Role Mapping Providers