Security Realms 4-9 Principal Validation providers are discussed in more detail in Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server.

4.6.2.4 Authorization Providers

Authorization providers control access to WebLogic resources based on the security role a user or group is granted, and the security policy assigned to the requested WebLogic resource. For more information about WebLogic resources, security roles, and security policies, see Securing Resources Using Roles and Policies for Oracle WebLogic Server. An Access Decision is the part of the Authorization provider that actually determines whether a subject has permission to perform a given operation on a WebLogic resource. For more information about, see Principal Validation Providers in Developing Security Providers for Oracle WebLogic Server. You must have at least one Authorization provider in a security realm, and you can configure multiple Authorization providers in a security realm. Having multiple Authorization providers allows you to follow a more modular design. For example, you may want to have one Authorization provider that handles Web application and Enterprise JavaBean EJB permissions and another that handles permissions for other types of WebLogic resources. Another example might be to have one Authorization provider that handles domestic employees, and another that handles permissions for overseas employees. WebLogic Server includes bulk access versions of the following Authorization provider SSPI interfaces: ■ BulkAuthorizationProvider ■ BulkAccessDecision The bulk access SSPI interfaces allow Authorization providers to receive multiple decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result. Authorization providers and Access Decisions are discussed in more detail in Authorization Providers in Developing Security Providers for Oracle WebLogic Server.

4.6.2.5 Adjudication Providers