Example: Auditing Management Operations from a Providers MBean

12-10 Developing Security Providers for Oracle WebLogic Server

To work around this, the provider's runtime implementation can cache the SecurityServices object and use a provider-specific mechanism to pass it to the provider's MBean implementation. This allows the provider to audit its MBean operations. The Manageable Sample Authentication Provider available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site shows one way to accomplish this task.

The sample provider contains three major implementation classes:

■ ManageableSampleAuthenticationProviderImpl contains its security runtime implementation.
■ ManageableSampleAuthenticatorImpl contains its MBean implementation.
■ UserGroupDatabase is a helper class used by ManageableSampleAuthenticationProviderImpl and ManageableSampleAuthenticatorImpl.

The code flow to cache and obtain the SecurityServices object is as follows:

1. The ManageableSampleAuthenticationProviderImpl's initialize method is passed a SecurityServices object.
2. The initialize method creates a UserGroupDatabase object and passes it the SecurityServices object.
3. The UserGroupDatabase object caches the SecurityServices object. The initialize method also puts the UserGroupDatabase object into a hash table using the realm's name as the lookup key.
4. The ManageableSampleAuthenticatorImpl's init method finds its realm name from its MBean.
5. The init method uses the realm name to find the corresponding UserGroupDatabase object from the hash table.
6. The init method then retrieves the SecurityServices object from the UserGroupDatabase object, and uses its auditor to audit management operations such as createUser.

12.2.2.3 Example: Auditing Management Operations from a Providers MBean

Example 12–3 illustrates how the ManageableSampleAuthenticatorImpl's init method finds its realm name from its MBean, how it uses the realm name to find the corresponding UserGroupDatabase object from the hash table via the UserGroupDatabase helper class, and how it then retrieves the SecurityServices object from the UserGroupDatabase object. Example 12–3 also shows how ManageableSampleAuthenticatorImpl uses its auditor to audit management operations such as createUser.

Note: A provider's runtime implementation is initialized only if the provider is part of the default realm when the server is booted. Therefore, if the provider is not in the default realm when the server is booted, its runtime implementation is never initialized, and the provider's MBean implementation cannot gain access to the SecurityServices object. That is, if the provider is not in the default realm when the server is booted, the provider cannot audit its MBean operations.

Auditing Events From Custom Security Providers 12-11

Example 12–3 ManageableSampleAuthenticatorImpl.java

package examples.security.providers.authentication.manageable;

import java.util.Enumeration;
import javax.management.MBeanException;
import javax.management.modelmbean.ModelMBean;
import weblogic.management.security.authentication.AuthenticatorImpl;
import weblogic.management.utils.AlreadyExistsException;
import weblogic.management.utils.InvalidCursorException;
import weblogic.management.utils.NotFoundException;
import weblogic.security.spi.AuditorService;
import weblogic.security.spi.SecurityServices;

public class ManageableSampleAuthenticatorImpl extends AuthenticatorImpl
{
  // Manages the user and group definitions for this provider:
  private UserGroupDatabase database;

  // Manages active queries (see listUsers, listGroups, listMemberGroups):
  private ListManager listManager = new ListManager();

  // The name of the realm containing this provider:
  private String realm;

  // The name of this provider:
  private String provider;

  // The auditor for auditing user/group management operations.
  // This is only available if this provider was configured in the
  // default realm when the server was booted.
  private AuditorService auditor;

  public ManageableSampleAuthenticatorImpl(ModelMBean base) throws MBeanException
  {
    super(base);
  }

  private synchronized void init() throws MBeanException
  {
    if (database == null) {
      try {
        // Step 4: obtain this MBean's proxy and read the realm and provider names from it.
        ManageableSampleAuthenticatorMBean myMBean =
          (ManageableSampleAuthenticatorMBean) getProxy();
        // Step 5: look up the UserGroupDatabase cached by the runtime implementation.
        database = UserGroupDatabase.getDatabase(myMBean);
        realm = myMBean.getRealm().getName();
        provider = myMBean.getName();
        // Step 6: retrieve the cached SecurityServices; it is null if the runtime
        // implementation was never initialized (provider not in the default realm at boot).
        SecurityServices services = database.getSecurityServices();
        auditor = (services != null) ? services.getAuditorService() : null;
      } catch (Exception e) {
        throw new MBeanException(e, "SampleAuthenticatorImpl.init failed");
      }
    }
  }

  ...

  public void createUser(String user, String password, String description)
    throws MBeanException, AlreadyExistsException
  {
    init();
    // Build the audit details up front so the success and failure paths record the
    // same description of the operation. Note that this sample writes the cleartext
    // password into the audit record; the Auditing provider's log must be protected
    // accordingly.
    String details = (auditor != null) ?
      "createUser(user = " + user + ", password = " + password +
      ", description = " + description + ")" : null;
    try {
      // we don't support descriptions so just ignore it
      database.checkDoesntExist(user);
      database.getUser(user).create(password);
      database.updatePersistentState();
      auditOperationSucceeded(details);
    } catch (AlreadyExistsException e) {
      auditOperationFailed(details, e);
      throw e;
    } catch (IllegalArgumentException e) {
      auditOperationFailed(details, e);
      throw e;
    }
  }

  ...

  private void auditOperationSucceeded(String details)
  {
    // Auditing is skipped silently when no auditor is available.
    if (auditor != null) {
      auditor.providerAuditWriteEvent(
        new ManageableSampleAuthenticatorManagementEvent(realm, provider, details, null)
      );
    }
  }

  ...

  private void auditOperationFailed(String details, Exception failureException)
  {
    if (auditor != null) {
      auditor.providerAuditWriteEvent(
        new ManageableSampleAuthenticatorManagementEvent(realm, provider, details, failureException)
      );
    }
  }
}
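The six-step flow described above and Example 12–3 show the MBean side of the hand-off but not the cache itself. The following is an added example, not code from the WebLogic sample, that sketches both sides: the realm-keyed registry that the runtime initialize method populates (steps 1–3) and the lookup the MBean init method performs (steps 4–6), including the case the Note describes, where the runtime implementation never ran and no auditor is available. The SecurityServices, AuditorService and AuditEvent interfaces here are minimal stand-ins for the weblogic.security.spi types so the example compiles offline, the helper is keyed directly by realm name rather than by the MBean as in the sample, and the recording auditor in main is constructed test data.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class RealmKeyedCacheDemo {

    // Stand-ins for weblogic.security.spi.* (assumption: the real SPI types have more methods).
    interface AuditEvent { String getEventType(); }
    interface AuditorService { void providerAuditWriteEvent(AuditEvent event); }
    interface SecurityServices { AuditorService getAuditorService(); }

    /** Plays the role of the UserGroupDatabase helper: one instance per realm, keyed by realm name. */
    static final class UserGroupDatabase {
        // The "hash table" of step 3; a concurrent map because the runtime and MBean
        // sides may touch it from different threads.
        private static final Map<String, UserGroupDatabase> DATABASES = new ConcurrentHashMap<>();
        private final SecurityServices services;

        private UserGroupDatabase(SecurityServices services) { this.services = services; }

        // Steps 2 and 3: called from the runtime initialize method with the SecurityServices it was passed.
        static UserGroupDatabase register(String realmName, SecurityServices services) {
            return DATABASES.computeIfAbsent(realmName, r -> new UserGroupDatabase(services));
        }

        // Step 5: called from the MBean init method; null when the runtime never initialized.
        static UserGroupDatabase getDatabase(String realmName) { return DATABASES.get(realmName); }

        // Step 6: hand the cached SecurityServices to the MBean implementation.
        SecurityServices getSecurityServices() { return services; }
    }

    /** Runtime side (role of ManageableSampleAuthenticationProviderImpl.initialize). */
    static void runtimeInitialize(String realmName, SecurityServices services) {
        UserGroupDatabase.register(realmName, services);
    }

    /** MBean side (role of ManageableSampleAuthenticatorImpl.init): returns the auditor, or null. */
    static AuditorService mbeanInit(String realmName) {
        UserGroupDatabase db = UserGroupDatabase.getDatabase(realmName);
        if (db == null) {
            return null; // provider was not in the default realm at boot: no audit possible
        }
        SecurityServices s = db.getSecurityServices();
        return (s != null) ? s.getAuditorService() : null;
    }

    public static void main(String[] args) {
        // Constructed sample: an auditor that records event types instead of writing a log.
        List<String> written = new ArrayList<>();
        SecurityServices services = () -> event -> written.add(event.getEventType());

        runtimeInitialize("myrealm", services);      // runtime initialized (default realm at boot)
        AuditorService inDefaultRealm = mbeanInit("myrealm");
        AuditorService notBooted = mbeanInit("otherrealm"); // runtime never ran for this realm

        if (inDefaultRealm != null) {
            inDefaultRealm.providerAuditWriteEvent(() -> "ManagementEvent:createUser");
        }
        System.out.println("myrealm auditor present: " + (inDefaultRealm != null)
            + ", events recorded: " + written);
        System.out.println("otherrealm auditor present: " + (notBooted != null));
    }
}
```

Running main prints that the auditor is present for myrealm with one recorded event, and absent for otherrealm. The second case is the one to watch for operationally: management operations on a provider outside the default realm still succeed, they just leave no audit trail, so a silent null auditor is a gap in the record rather than an error.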

12.2.3 Best Practice: Posting Audit Events from a Providers MBean