Provide a Mechanism for Security Policy Management

7-28 Developing Security Providers for Oracle WebLogic Server

Example 7–6 Sample weblogic.xml File

<weblogic-web-app>
  <security-role-assignment>
    <role-name>developers</role-name>
    <principal-name>myGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>

7.5.6.2 Enabling Security Policy Deployment

If you implemented the DeployableAuthorizationProviderV2 SSPI as part of developing your custom Authorization provider and want to support deployable security policies, the person configuring the custom Authorization provider (that is, you or an administrator) must be sure that the Policy Deployment Enabled check box in the WebLogic Server Administration Console is checked. Otherwise, deployment for the Authorization provider is considered turned off. Therefore, if multiple Authorization providers are configured, the Policy Deployment Enabled check box can be used to control which Authorization provider is used for security policy deployment.

7.5.7 Provide a Mechanism for Security Policy Management

While configuring a custom Authorization provider via the WebLogic Server Administration Console makes it accessible by applications requiring authorization services, you also need to supply administrators with a way to manage this security provider's associated security policies. The WebLogic Authorization provider, for example, supplies administrators with a Policy Editor page that allows them to add, modify, or remove security policies for various WebLogic resources. Neither the Policy Editor page nor access to it is available to administrators when you develop a custom Authorization provider. Therefore, you must provide your own mechanism for security policy management. This mechanism must read and write security policy data (that is, expressions) to and from the custom Authorization provider's database. You can accomplish this task in one of three ways:

■ Section 7.5.7.1, Option 1: Develop a Stand-Alone Tool for Security Policy Management
■ Section 7.5.7.2, Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console

7.5.7.1 Option 1: Develop a Stand-Alone Tool for Security Policy Management

You would typically select this option if you want to develop a tool that is entirely separate from the WebLogic Server Administration Console. For this option, you do not need to write any console extensions for your custom Authorization provider, nor do you need to develop any management MBeans. However, your tool needs to:

1. Determine the WebLogic resource's ID, since it is not automatically provided to you by the console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.
2. Determine how to represent the expressions that make up a security policy. This representation is entirely up to you and need not be a string.
3. Read and write the expressions from and to the custom Authorization provider's database.

7.5.7.2 Option 2: Integrate an Existing Security Policy Management Tool into the Administration Console

You would typically select this option if you have a tool that is separate from the WebLogic Server Administration Console, but you want to launch that tool from the Administration Console. For this option, your tool needs to:

1. Determine the WebLogic resource's ID, since it is not automatically provided to you by the console extension. For more information, see Section 3.6.3, WebLogic Resource Identifiers.
2. Determine how to represent the expressions that make up a security policy. This representation is entirely up to you and need not be a string.
3. Read and write the expressions from and to the custom Authorization provider's database.
4. Link into the Administration Console using basic console extension techniques, as described in Extending the Administration Console for Oracle WebLogic Server.
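The three steps shared by Option 1 and Option 2 (obtain the resource ID, choose a representation for the policy expressions, read and write them to the provider's database) are illustrated below. This is an added example, not code from the Oracle documentation and not the WebLogic SSPI: the "type=<kind>, key=value" layout of the resource ID, the "Usr:"/"Grp:" principal prefixes, the JSON expression schema and the SQLite table are all assumptions chosen for the illustration. A real tool must use the identifier the WebLogic resource actually reports (Section 3.6.3) and whatever database the custom Authorization provider stores its policies in.

```python
import json
import sqlite3
from dataclasses import dataclass, field

# Assumed principal kinds for this example; anything else is rejected on input.
VALID_KINDS = ("Usr", "Grp")


def resource_id(res_type: str, **attrs: str) -> str:
    """Step 1: build a resource identifier string (assumed layout).

    Attributes are sorted so the same resource always yields the same key,
    which matters because the ID is the primary key of the policy table.
    """
    parts = [f"type=<{res_type}>"] + [f"{k}={v}" for k, v in sorted(attrs.items())]
    return ", ".join(parts)


@dataclass
class Policy:
    """Step 2: a policy expression as structured data rather than a free string.

    `terms` is a list of alternatives; each alternative lists principals
    ("Usr:name" or "Grp:name") that must all be present. The policy grants
    access if any alternative is fully satisfied; an empty policy grants nothing.
    """
    terms: list = field(default_factory=list)

    def __post_init__(self):
        # Validate on construction so malformed expressions never reach the store.
        for term in self.terms:
            for principal in term:
                kind, _, name = principal.partition(":")
                if kind not in VALID_KINDS or not name:
                    raise ValueError(f"malformed principal: {principal!r}")

    def to_json(self) -> str:
        return json.dumps({"terms": self.terms})

    @classmethod
    def from_json(cls, text: str) -> "Policy":
        # Round-trips through __post_init__, so stored data is re-validated on read.
        return cls(terms=json.loads(text)["terms"])

    def grants(self, principals: set) -> bool:
        """Evaluate the expression against the principals a caller carries."""
        return any(set(term) <= principals for term in self.terms)


class PolicyStore:
    """Step 3: read and write expressions to the provider's database.

    SQLite stands in for the custom provider's real database (assumption).
    """

    def __init__(self, path: str = ":memory:"):
        self.conn = sqlite3.connect(path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS policies ("
            "resource_id TEXT PRIMARY KEY, expression TEXT NOT NULL)"
        )

    def put(self, rid: str, policy: Policy) -> None:
        with self.conn:  # commit on success, roll back on error
            self.conn.execute(
                "INSERT OR REPLACE INTO policies (resource_id, expression) VALUES (?, ?)",
                (rid, policy.to_json()),
            )

    def get(self, rid: str):
        row = self.conn.execute(
            "SELECT expression FROM policies WHERE resource_id = ?", (rid,)
        ).fetchone()
        return Policy.from_json(row[0]) if row else None

    def delete(self, rid: str) -> None:
        with self.conn:
            self.conn.execute("DELETE FROM policies WHERE resource_id = ?", (rid,))

    def list_resources(self) -> list:
        rows = self.conn.execute("SELECT resource_id FROM policies ORDER BY resource_id")
        return [r[0] for r in rows]


if __name__ == "__main__":
    store = PolicyStore()
    rid = resource_id("url", application="myApp", contextPath="/mywebapp", uri="/admin/*")
    store.put(rid, Policy(terms=[["Grp:developers"], ["Usr:alice", "Grp:auditors"]]))
    print(rid, "->", store.get(rid).to_json())
```

Keeping the expression structured (and validated on both write and read) is what lets a separate management tool and the provider's Access Decision agree on the policy's meaning; a free-form string would have to be re-parsed, and re-validated, by every consumer.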
8 Adjudication Providers

Adjudication involves resolving any authorization conflicts that may occur when more than one Authorization provider is configured, by weighing the result of each Authorization provider's Access Decision. In WebLogic Server, an Adjudication provider is used to tally the results that multiple Access Decisions return, and determines the final PERMIT or DENY decision. An Adjudication provider may also specify what should be done when an answer of ABSTAIN is returned from a single Authorization provider's Access Decision. The following sections describe Adjudication provider concepts and functionality, and provide step-by-step instructions for developing a custom Adjudication provider:

■ Section 8.1, The Adjudication Process
■ Section 8.2, Do You Need to Develop a Custom Adjudication Provider?
■ Section 8.3, How to Develop a Custom Adjudication Provider

8.1 The Adjudication Process

The use of Adjudication providers is part of the authorization process, and is described in Section 7.2, The Authorization Process.

8.2 Do You Need to Develop a Custom Adjudication Provider?

The default (that is, active) security realm for WebLogic Server includes a WebLogic Adjudication provider. The WebLogic Adjudication provider is responsible for adjudicating between potentially differing results rendered by multiple Authorization providers' Access Decisions, and rendering a final verdict on whether or not access will be granted to a WebLogic resource. The WebLogic Adjudication provider has an attribute called Require Unanimous Permit that governs its behavior. By default, the Require Unanimous Permit attribute is set to TRUE, which causes the WebLogic Adjudication provider to act as follows:

■ If all the Authorization providers' Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
■ If some Authorization providers' Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
■ If any of the Authorization providers' Access Decisions return ABSTAIN or DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
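The three rules above reduce to one test: the final verdict is TRUE only when every Access Decision returned PERMIT. The function below models that tally outside WebLogic so the rules can be checked against sample inputs. It is an added example, not the WebLogic Adjudication provider's code and not the SSPI: the provider names, the `Result` enum and the `(verdict, reason)` return shape are assumptions for the illustration, and only the Require Unanimous Permit = TRUE behaviour described on this page is modelled (the attribute's FALSE behaviour is not described here and is deliberately left out). The reason string is included because an auditor wants to know which provider caused a denial, not just that access was denied.

```python
from enum import Enum


class Result(Enum):
    """Possible outcomes of one Authorization provider's Access Decision."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def adjudicate(decisions: dict) -> tuple:
    """Tally Access Decision results under Require Unanimous Permit = TRUE.

    `decisions` maps an Authorization provider name (assumed label) to its
    result, given either as a Result or as its string value. Returns
    (verdict, reason): verdict is True only if every result is PERMIT.
    No decisions at all is treated as a denial (deny by default).
    """
    # Coerce strings to Result; an unknown value raises ValueError rather
    # than being silently treated as a non-PERMIT.
    normalized = {
        name: r if isinstance(r, Result) else Result(r)
        for name, r in decisions.items()
    }
    if not normalized:
        return False, "no Access Decisions were returned"

    # Rules 2 and 3: any ABSTAIN or DENY anywhere means the verdict is FALSE.
    non_permit = [f"{name}={r.value}" for name, r in normalized.items()
                  if r is not Result.PERMIT]
    if non_permit:
        return False, "non-PERMIT results: " + ", ".join(non_permit)

    # Rule 1: every Access Decision returned PERMIT.
    return True, "all Access Decisions returned PERMIT"


if __name__ == "__main__":
    # Constructed sample: two configured Authorization providers.
    for sample in (
        {"WebLogic": Result.PERMIT, "Custom": Result.PERMIT},
        {"WebLogic": Result.PERMIT, "Custom": Result.ABSTAIN},
        {"WebLogic": Result.DENY, "Custom": Result.PERMIT},
    ):
        print(sample, "->", adjudicate(sample))
```

Because a single ABSTAIN is enough to deny, a custom Authorization provider that abstains for resources it does not recognise will, under the default setting, block access that another provider would have permitted; that interaction is the usual reason to revisit the Require Unanimous Permit setting or the provider's abstain behaviour.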