WebLogic Security Service Architecture 5-23
5.5.10 WebLogic Adjudication Provider
The default active security realm for WebLogic Server includes a WebLogic Adjudication provider. This provider would normally be responsible for tallying the potentially differing results rendered by multiple Authorization providers' Access Decisions and rendering a final verdict on whether or not access will be granted to a WebLogic resource. However, because the default security realm has only one Authorization provider, only one Access Decision is produced, so the WebLogic Adjudication provider is not used.
The WebLogic Adjudication provider has an attribute called Require Unanimous Permit that governs its behavior. By default, the Require Unanimous Permit attribute is set to TRUE, which causes the WebLogic Adjudication provider to act as follows:
■ If all the Authorization providers' Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
■ If some Authorization providers' Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
■ If any of the Authorization providers' Access Decisions return ABSTAIN or DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
If you change the Require Unanimous Permit attribute to FALSE, the WebLogic Adjudication provider acts as follows:
■ If all the Authorization providers' Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
■ If some Authorization providers' Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
■ If any of the Authorization providers' Access Decisions return DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
Note: The WebLogic Adjudication provider is used in the Compatibility realm, which has two Authorization providers.
Note: You set the Require Unanimous Permit attribute when you configure the WebLogic Adjudication provider. For more information about configuring an Adjudication provider, see Configuring the WebLogic Adjudication Provider in Securing Oracle WebLogic Server.
5.5.11 WebLogic Role Mapping Provider
As of version 9.1, WebLogic Server includes a Role Mapping provider that supports the eXtensible Access Control Markup Language (XACML) 2.0 standard from OASIS. This provider can import, export, persist, and execute policy expressed using all standard XACML 2.0 functions, attributes, and schema elements.
New domains created using WebLogic Server 9.1 and later will default to using the XACML Role Mapping provider. Existing domains, upgraded to WebLogic Server 9.1 and later, will continue to use the Role Mapping provider currently specified, such as third-party partner providers or the original WebLogic Server proprietary providers.
5-24 Understanding Security for Oracle WebLogic Server
If you use the WebLogic Server Administration Console to add a new Role Mapping provider, you can add the new provider as a DefaultRoleMapper or as a XACML provider.
Custom XACML providers are not supported in this release.
Version 9.1 of WebLogic Server also included the default WebLogic Role Mapping provider. This provider supplied the default enforcement of role mapping for versions of WebLogic Server prior to WebLogic Server 9.1. This provider determines dynamic roles for a specific user (subject) with respect to a specific protected WebLogic resource for each of the default users and WebLogic resources. The WebLogic Role Mapping provider supports the deployment and undeployment of roles within the system. The WebLogic Role Mapping provider uses the same security policy engine as the WebLogic Authorization provider.
5.5.12 WebLogic Auditing Provider