4-10 Understanding Security for Oracle WebLogic Server
Adjudication provider, then an ABSTAIN returned from the single Authorization provider's Access Decision is treated like a DENY.
You must configure an Adjudication provider in a security realm only if you have multiple Authorization providers configured. You can have only one Adjudication provider in a security realm.
WebLogic Server includes bulk access versions of the following Adjudication provider SSPI interfaces:
■ BulkAdjudicationProvider
■ BulkAdjudicator
The bulk access SSPI interfaces allow Adjudication providers to receive multiple decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result.
Adjudication providers are discussed in more detail in "Adjudication Providers" in Developing Security Providers for Oracle WebLogic Server.
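The adjudication behavior described above, modeled as an added Java example (it is not Oracle's code and does not use the WebLogic SSPI interfaces). The `Decision` enum, the `abstainIsPermit` flag, the rule that any DENY wins, and the resource paths are assumptions made for illustration.

```java
import java.util.*;

// Added illustration: a simplified model of adjudication, not the WebLogic SSPI.
public class AdjudicationSketch {
    enum Decision { PERMIT, DENY, ABSTAIN }

    // Resolve the decisions returned by several Authorization providers for one resource.
    // abstainIsPermit is a hypothetical flag modeling the "abstain as permit or deny" choice.
    static boolean adjudicate(List<Decision> decisions, boolean abstainIsPermit) {
        if (decisions.isEmpty()) return false;             // no decision at all: fail closed
        for (Decision d : decisions) {
            if (d == Decision.DENY) return false;          // assumed rule: any explicit DENY wins
            if (d == Decision.ABSTAIN && !abstainIsPermit) return false;
        }
        return true;                                       // only PERMITs or tolerated ABSTAINs
    }

    // Bulk form: one call for many resources. Identical decision vectors are resolved
    // once and reused, modeling the "same policy, same result" optimization.
    static Set<String> adjudicateBulk(Map<String, List<Decision>> byResource,
                                      boolean abstainIsPermit) {
        Map<List<Decision>, Boolean> cache = new HashMap<>();
        Set<String> permitted = new TreeSet<>();
        for (Map.Entry<String, List<Decision>> e : byResource.entrySet()) {
            boolean ok = cache.computeIfAbsent(e.getValue(),
                                               d -> adjudicate(d, abstainIsPermit));
            if (ok) permitted.add(e.getKey());
        }
        return permitted;
    }

    public static void main(String[] args) {
        // Constructed sample: decisions from two Authorization providers per resource.
        Map<String, List<Decision>> requests = new LinkedHashMap<>();
        requests.put("/app/orders",  List.of(Decision.PERMIT, Decision.PERMIT));
        requests.put("/app/reports", List.of(Decision.PERMIT, Decision.ABSTAIN));
        requests.put("/app/admin",   List.of(Decision.PERMIT, Decision.DENY));
        requests.put("/app/legacy",  List.of(Decision.ABSTAIN, Decision.ABSTAIN));

        System.out.println("abstain=deny:   " + adjudicateBulk(requests, false));
        System.out.println("abstain=permit: " + adjudicateBulk(requests, true));
        // Single Authorization provider: an ABSTAIN is treated like a DENY.
        System.out.println("single ABSTAIN: " + adjudicate(List.of(Decision.ABSTAIN), false));
    }
}
```

In this model, treating an abstain as a permit also grants access to a resource on which every provider abstains (`/app/legacy` in the sample), which is the case to review before relaxing the setting.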
4.6.2.6 Role Mapping Providers
A Role Mapping provider supports dynamic role associations by obtaining a computed set of security roles granted to a requestor for a given WebLogic resource.
The WebLogic Security Framework determines which security roles (if any) apply to a particular subject at the moment that access is required for a given WebLogic resource by:
■ Obtaining security roles from the J2EE and WebLogic deployment descriptor files.
■ Using business logic and the current operation parameters to determine security roles.
A Role Mapping provider supplies Authorization providers with this security role information so that the Authorization provider can answer the "is access allowed?" question for WebLogic resources that use role-based security (that is, Web application and Enterprise JavaBean container resources).
You set security roles in J2EE deployment descriptors, or create them using the WebLogic Server Administration Console. Security roles set in deployment descriptors
are applied at deployment time unless you specifically choose to ignore deployment descriptors.
Note: The WebLogic Adjudication provider supports the use of the WebLogic Server Administration Console to control whether an abstain is treated as a permit or a deny.
Note: Because the default security realm has only one Authorization provider, it does not require an Adjudication provider, even though an Adjudication provider is provided. However, the Compatibility realm has two Authorization providers, so that realm does require an Adjudication provider.
You must have at least one Role Mapping provider in a security realm, and you can configure multiple Role Mapping providers in a security realm. Having multiple Role Mapping providers allows you to work within existing infrastructure requirements (for example, configuring one Role Mapping provider for each LDAP server that contains user and security role information), or follow a more modular design (for example, configuring one Role Mapping provider that handles mappings for Web applications and Enterprise JavaBeans (EJBs) and another that handles mappings for other types of WebLogic resources).
WebLogic Server includes bulk access versions of the following Role Mapping provider SSPI interfaces:
■ BulkRoleProvider
■ BulkRoleMapper
The bulk access SSPI interfaces allow Role Mapping providers to receive multiple decision requests in one call rather than through multiple calls, typically in a for loop. The intent of the bulk SSPI variants is to allow provider implementations to take advantage of internal performance optimizations, such as detecting that many of the passed-in Resource objects are protected by the same policy and will generate the same decision result.
Role Mapping providers are discussed in more detail in "Role Mapping Providers" in Developing Security Providers for Oracle WebLogic Server.
4.6.2.7 Auditing Providers