
11 Credential Mapping Providers

Credential mapping is the process whereby a legacy system's database is used to obtain an appropriate set of credentials to authenticate users to a target resource. In WebLogic Server, a Credential Mapping provider is used to provide credential mapping services and bring new types of credentials into the WebLogic Server environment.

The following sections describe Credential Mapping provider concepts and functionality, and provide step-by-step instructions for developing a custom Credential Mapping provider:

■ Section 11.1, Credential Mapping Concepts
■ Section 11.2, The Credential Mapping Process
■ Section 11.3, Do You Need to Develop a Custom Credential Mapping Provider?
■ Section 11.4, How to Develop a Custom Credential Mapping Provider

11.1 Credential Mapping Concepts

A subject, or source of a WebLogic resource request, has security-related attributes called credentials. A credential may contain information used to authenticate the subject to new services. Such credentials include username/password combinations, Kerberos tickets, and public key certificates. Credentials might also contain data that allows a subject to perform certain activities. Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data.

A credential map is a mapping of credentials used by WebLogic Server to credentials used in a legacy (or any remote) system, which tells WebLogic Server how to connect to a given resource in that system. In other words, credential maps allow WebLogic Server to log in to a remote system on behalf of a subject that has already been authenticated. You can map credentials in this way by developing a Credential Mapping provider.

11.2 The Credential Mapping Process

Figure 11–1 illustrates how Credential Mapping providers interact with the WebLogic Security Framework during the credential mapping process, and an explanation follows.

Figure 11–1 Credential Mapping Providers and the Credential Mapping Process

Generally, credential mapping is performed in the following manner:

1. Application components, such as JavaServer Pages (JSPs), servlets, Enterprise JavaBeans (EJBs), or Resource Adapters, call into the WebLogic Security Framework through the appropriate resource container. As part of the call, the application component passes in the subject (that is, the "who" making the request), the WebLogic resource (that is, the "what" that is being requested), and information about the type of credentials needed to access the WebLogic resource.

2. The WebLogic Security Framework sends the application component's request for credentials to a configured Credential Mapping provider. It is up to the credential mapper to decide whether it supports the token or not. If it supports the token, it performs its processing.

3. The Credential Mapping provider consults the legacy system's database to obtain a set of credentials that match those requested by the application component.

4. The Credential Mapping provider returns the credentials to the WebLogic Security Framework.

5. The WebLogic Security Framework passes the credentials back to the requesting application component through the resource container. The application component uses the credentials to access the external system. The external system might be a database resource, such as an Oracle or SQL Server database.

11.3 Do You Need to Develop a Custom Credential Mapping Provider?
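Steps 2 through 4 of the process in Section 11.2, modeled as an added stand-alone example that is not code from this guide and does not use the WebLogic SSPI. The `Mapper` interface, the credential type string, the resource and subject names, and the list of several configured providers are all assumptions made for illustration.

```java
import java.util.*;

// Hypothetical model of the Section 11.2 flow; these types are NOT the WebLogic SSPI.
public class CredentialMappingFlow {
    record MapKey(String resource, String subject, String credType) {}
    record UserPassword(String user, char[] password) {}

    interface Mapper {
        boolean supports(String credType);   // step 2: the mapper decides
        Optional<Object> lookup(String subject, String resource, String credType);
    }

    // Step 3: a provider backed by a constructed in-memory "legacy system" store.
    static class LegacyDbMapper implements Mapper {
        private final Map<MapKey, Object> store = new HashMap<>();
        void map(String resource, String subject, String credType, Object cred) {
            store.put(new MapKey(resource, subject, credType), cred);
        }
        public boolean supports(String credType) {
            return "user-password".equals(credType);
        }
        public Optional<Object> lookup(String subject, String resource, String credType) {
            // Exact match on resource AND subject: no wildcard or default account.
            return Optional.ofNullable(store.get(new MapKey(resource, subject, credType)));
        }
    }

    // Steps 2 and 4: the framework side. Providers that do not support the
    // requested type are skipped; an empty result means "no mapping".
    static List<Object> getCredentials(List<Mapper> providers, String subject,
                                       String resource, String credType) {
        List<Object> found = new ArrayList<>();
        for (Mapper m : providers) {
            if (!m.supports(credType)) continue;
            m.lookup(subject, resource, credType).ifPresent(found::add);
        }
        return found;
    }

    public static void main(String[] args) {
        LegacyDbMapper db = new LegacyDbMapper();
        // Constructed sample mapping: subject "alice" -> legacy account ORDERS_RO.
        db.map("jdbc/LegacyOrders", "alice", "user-password",
               new UserPassword("ORDERS_RO", "constructed-secret".toCharArray()));
        List<Mapper> providers = List.of(db);
        for (String[] q : new String[][] {{"alice", "user-password"},
                {"bob", "user-password"}, {"alice", "kerberos-ticket"}}) {
            int n = getCredentials(providers, q[0], "jdbc/LegacyOrders", q[1]).size();
            System.out.println(q[0] + " / " + q[1] + " -> " + n + " credential(s)");
        }
    }
}
```

The lookup is keyed on the already-authenticated subject as well as the resource, so a subject with no mapping gets an empty result rather than another subject's legacy account, and the mapped secret is never written to output.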