7-28 Developing Security Providers for Oracle WebLogic Server
Example 7–6 Sample weblogic.xml File
<weblogic-web-app>
  <security-role-assignment>
    <role-name>developers</role-name>
    <principal-name>myGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>
7.5.6.2 Enabling Security Policy Deployment
If you implemented the DeployableAuthorizationProviderV2 SSPI as part of developing your custom Authorization provider and want to support deployable security policies, the person configuring the custom Authorization provider (that is, you or an administrator) must be sure that the Policy Deployment Enabled check box in the WebLogic Server Administration Console is checked. Otherwise, policy deployment for that Authorization provider is considered turned off. Consequently, if multiple Authorization providers are configured, the Policy Deployment Enabled check box can be used to control which Authorization provider is used for security policy deployment.
7.5.7 Provide a Mechanism for Security Policy Management
While configuring a custom Authorization provider via the WebLogic Server Administration Console makes it accessible to applications requiring authorization services, you also need to supply administrators with a way to manage this security provider's associated security policies. The WebLogic Authorization provider, for example, supplies administrators with a Policy Editor page that allows them to add, modify, or remove security policies for various WebLogic resources.
Neither the Policy Editor page nor access to it is available to administrators when you develop a custom Authorization provider. Therefore, you must provide your own mechanism for security policy management. This mechanism must read and write security policy data (that is, expressions) to and from the custom Authorization provider's database.
You can accomplish this task in one of two ways:
■ Section 7.5.7.1, Option 1: Develop a Stand-Alone Tool for Security Policy Management
■ Section 7.5.7.2, Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
7.5.7.1 Option 1: Develop a Stand-Alone Tool for Security Policy Management
You would typically select this option if you want to develop a tool that is entirely separate from the WebLogic Server Administration Console.
For this option, you do not need to write any console extensions for your custom Authorization provider, nor do you need to develop any management MBeans.
However, your tool needs to:
1. Determine the WebLogic resource's ID, since it is not automatically provided to you by a console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.
2. Determine how to represent the expressions that make up a security policy. This representation is entirely up to you and need not be a string.
3. Read and write the expressions from and to the custom Authorization provider's database.
7.5.7.2 Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console
You would typically select this option if you have a tool that is separate from the WebLogic Server Administration Console, but you want to launch that tool from the
Administration Console.
For this option, your tool needs to:
1. Determine the WebLogic resource's ID, since it is not automatically provided to you by the console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.
2. Determine how to represent the expressions that make up a security policy. This representation is entirely up to you and need not be a string.
3. Read and write the expressions from and to the custom Authorization provider's database.
4. Link into the Administration Console using basic console extension techniques, as described in Extending the Administration Console for Oracle WebLogic Server.
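Steps 1 through 3 are common to both options. The following is an added example, not WebLogic's own code or any Oracle tool, of a minimal stand-alone policy management tool that carries them out against a SQLite table standing in for the custom Authorization provider's database. The resource ID layout (a type=<...> element followed by the type's key=value pairs in a fixed order) is assumed to follow Section 3.6.3; the key names listed for URL and EJB resources, the JSON expression tree, and the table schema are this example's own choices, and the policy written in the demo is constructed for illustration.

```python
"""Stand-alone security policy management tool (added example, not WebLogic code).

Models the three duties Section 7.5.7 gives such a tool:
  1. build the WebLogic resource ID of the resource being protected,
  2. choose a representation for the policy expression, and
  3. read and write that expression to the custom Authorization provider's database.
"""
import json
import sqlite3

# Ordered key names per resource type. ASSUMPTION: taken to match Section 3.6.3;
# a real tool would obtain them from the Resource implementation's getKeys().
RESOURCE_KEYS = {
    "url": ("application", "contextPath", "uri", "httpMethod"),
    "ejb": ("application", "module", "ejb", "method", "methodInterface"),
}


def resource_id(resource_type, **keys):
    """Build the string ID for a resource: type=<type>, then key=value pairs.

    Keys are emitted in the type's fixed order and stop at the first key not
    supplied, so omitting trailing keys names a broader (parent) resource,
    e.g. a whole context path rather than one URI."""
    if resource_type not in RESOURCE_KEYS:
        raise ValueError("unknown resource type: %s" % resource_type)
    parts = ["type=<%s>" % resource_type]
    for name in RESOURCE_KEYS[resource_type]:
        if name not in keys:
            break
        parts.append("%s=%s" % (name, keys[name]))
    return ", ".join(parts)


def open_policy_db(path=":memory:"):
    """Open (or create) the provider's policy store; schema is this example's own."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS policy ("
        "resource_id TEXT PRIMARY KEY, expression TEXT NOT NULL)"
    )
    return conn


def write_policy(conn, rid, expression):
    """Store a policy expression for a resource ID.

    The expression is a small tree, serialized as JSON (step 2 leaves the
    representation up to the tool): {"role": name} is a leaf, and
    {"op": "and"|"or", "args": [...]} combines sub-expressions."""
    conn.execute(
        "INSERT OR REPLACE INTO policy (resource_id, expression) VALUES (?, ?)",
        (rid, json.dumps(expression)),
    )
    conn.commit()


def read_policy(conn, rid):
    """Return the stored expression tree for a resource ID, or None if unset."""
    row = conn.execute(
        "SELECT expression FROM policy WHERE resource_id = ?", (rid,)
    ).fetchone()
    return None if row is None else json.loads(row[0])


def remove_policy(conn, rid):
    """Delete the policy for a resource ID; True if one existed."""
    cur = conn.execute("DELETE FROM policy WHERE resource_id = ?", (rid,))
    conn.commit()
    return cur.rowcount == 1


def evaluate(expression, roles):
    """Evaluate a stored expression tree against the caller's role names."""
    if "role" in expression:
        return expression["role"] in roles
    results = [evaluate(arg, roles) for arg in expression["args"]]
    return all(results) if expression["op"] == "and" else any(results)


if __name__ == "__main__":
    conn = open_policy_db()
    rid = resource_id("url", application="myapp", contextPath="/myapp", uri="/admin/*")
    # Constructed policy: Admin alone, or developers who are also auditors.
    write_policy(conn, rid, {"op": "or", "args": [
        {"role": "Admin"},
        {"op": "and", "args": [{"role": "developers"}, {"role": "auditors"}]},
    ]})
    print(rid, "->", json.dumps(read_policy(conn, rid)))
    for roles in ({"Admin"}, {"developers"}, {"developers", "auditors"}):
        print(sorted(roles), "allowed:", evaluate(read_policy(conn, rid), roles))
```

Because the store is keyed by the full resource ID string, the tool and the custom Authorization provider must build that string identically; generating it from one shared key table, as above, is the simplest way to keep them in step.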
8 Adjudication Providers
Adjudication involves resolving any authorization conflicts that may occur when more than one Authorization provider is configured, by weighing the result of each Authorization provider's Access Decision. In WebLogic Server, an Adjudication provider is used to tally the results that multiple Access Decisions return, and determines the final PERMIT or DENY decision. An Adjudication provider may also specify what should be done when an answer of ABSTAIN is returned from a single Authorization provider's Access Decision.
The following sections describe Adjudication provider concepts and functionality, and provide step-by-step instructions for developing a custom Adjudication provider:
■ Section 8.1, The Adjudication Process
■ Section 8.2, Do You Need to Develop a Custom Adjudication Provider?
■ Section 8.3, How to Develop a Custom Adjudication Provider
8.1 The Adjudication Process
The use of Adjudication providers is part of the authorization process, and is described in Section 7.2, The Authorization Process.
8.2 Do You Need to Develop a Custom Adjudication Provider?
The default (that is, active) security realm for WebLogic Server includes a WebLogic Adjudication provider. The WebLogic Adjudication provider is responsible for adjudicating between potentially differing results rendered by multiple Authorization providers' Access Decisions, and rendering a final verdict on whether or not access will be granted to a WebLogic resource.
The WebLogic Adjudication provider has an attribute called Require Unanimous Permit that governs its behavior. By default, the Require Unanimous Permit attribute is set to TRUE, which causes the WebLogic Adjudication provider to act as follows:
■ If all the Authorization providers' Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
■ If some Authorization providers' Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
■ If any of the Authorization providers' Access Decisions return ABSTAIN or DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
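The decision table above, worked through as an added example. This is not WebLogic's own Adjudication provider and does not implement the weblogic.security.spi Adjudicator interfaces; it models the verdict for Require Unanimous Permit = TRUE in plain Python and feeds it constructed Access Decision outcomes from two stand-in Authorization providers (the provider names, roles and resource types are invented for illustration). It makes visible the consequence a practitioner should check before adding a custom Authorization provider: one that abstains on resource types it does not cover denies every request for those resources while Require Unanimous Permit is TRUE, even when the other provider permits.

```python
"""Offline model of the WebLogic Adjudication provider's tally (added example).

Not WebLogic code: reproduces the Section 8.2 decision table for
Require Unanimous Permit = TRUE and runs it over constructed Access Decision
results so the effect of an ABSTAIN can be seen before a real realm is touched.
"""
from enum import Enum


class Result(Enum):
    """The three answers an Access Decision can return."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def adjudicate_unanimous_permit(results):
    """Final verdict with Require Unanimous Permit set to TRUE (the default).

    True (permit) only if every configured Authorization provider's Access
    Decision returned PERMIT; any ABSTAIN or DENY yields False (deny).
    ASSUMPTION: an empty list (no provider answered) is treated as a deny;
    the documented table does not cover that case."""
    if not results:
        return False
    return all(r is Result.PERMIT for r in results)


def blocking_providers(results, names):
    """Names of the providers whose answer kept the verdict from being PERMIT."""
    return [n for n, r in zip(names, results) if r is not Result.PERMIT]


# Constructed stand-ins for two configured Authorization providers. Each plays
# the part of an Access Decision: it takes the caller's role names and the
# resource type and returns a Result.
def default_provider_decision(roles, resource_type):
    """Covers every resource type: Admin may do anything, all others are denied."""
    return Result.PERMIT if "Admin" in roles else Result.DENY


def custom_url_provider_decision(roles, resource_type):
    """Knows only URL resources and abstains on every other resource type."""
    if resource_type != "url":
        return Result.ABSTAIN
    return Result.PERMIT if set(roles) & {"Admin", "developers"} else Result.DENY


# Configuration order matters only for reporting; the tally is order-independent.
PROVIDERS = {
    "DefaultAuthorizer": default_provider_decision,
    "CustomURLAuthorizer": custom_url_provider_decision,
}


def is_access_allowed(roles, resource_type, providers=PROVIDERS):
    """Run every provider's Access Decision, then adjudicate.

    Returns (verdict, results, blocking): the final boolean, the per-provider
    Result list in configuration order, and the providers that prevented PERMIT."""
    names = list(providers)
    results = [providers[n](roles, resource_type) for n in names]
    verdict = adjudicate_unanimous_permit(results)
    return verdict, results, blocking_providers(results, names)


if __name__ == "__main__":
    cases = (({"Admin"}, "url"), ({"Admin"}, "ejb"), ({"developers"}, "url"))
    for roles, rtype in cases:
        verdict, results, blocking = is_access_allowed(roles, rtype)
        print(sorted(roles), rtype, "->", "PERMIT" if verdict else "DENY",
              [r.value for r in results], "blocked by", blocking)
```

In the second case the Admin is denied access to the EJB resource solely because the custom provider abstained; under the unanimous-permit rule the DefaultAuthorizer's PERMIT cannot outweigh it. A custom Authorization provider deployed alongside the WebLogic one must therefore either return a definite answer for every resource type in the realm or be paired with an Adjudication provider whose handling of ABSTAIN is what the deployment actually wants.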