11 Credential Mapping Providers
Credential mapping is the process whereby a legacy system's database is used to obtain an appropriate set of credentials to authenticate users to a target resource. In WebLogic Server, a Credential Mapping provider is used to provide credential mapping services and bring new types of credentials into the WebLogic Server environment.
The following sections describe Credential Mapping provider concepts and functionality, and provide step-by-step instructions for developing a custom Credential Mapping provider:
■ Section 11.1, Credential Mapping Concepts
■ Section 11.2, The Credential Mapping Process
■ Section 11.3, Do You Need to Develop a Custom Credential Mapping Provider?
■ Section 11.4, How to Develop a Custom Credential Mapping Provider
11.1 Credential Mapping Concepts
A subject, or source of a WebLogic resource request, has security-related attributes called credentials. A credential may contain information used to authenticate the subject to new services. Such credentials include username/password combinations, Kerberos tickets, and public key certificates. Credentials might also contain data that allows a subject to perform certain activities. Cryptographic keys, for example, represent credentials that enable the subject to sign or encrypt data.
A credential map is a mapping of credentials used by WebLogic Server to credentials used in a legacy or any remote system, which tells WebLogic Server how to connect to a given resource in that system. In other words, credential maps allow WebLogic Server to log in to a remote system on behalf of a subject that has already been authenticated. You can map credentials in this way by developing a Credential Mapping provider.
11.2 The Credential Mapping Process
Figure 11–1 illustrates how Credential Mapping providers interact with the WebLogic
Security Framework during the credential mapping process, and an explanation follows.
11-2 Developing Security Providers for Oracle WebLogic Server
Figure 11–1 Credential Mapping Providers and the Credential Mapping Process
Generally, credential mapping is performed in the following manner:
1. Application components, such as JavaServer Pages (JSPs), servlets, Enterprise JavaBeans (EJBs), or Resource Adapters call into the WebLogic Security Framework through the appropriate resource container. As part of the call, the application component passes in the subject (that is, the "who" making the request), the WebLogic resource (that is, the "what" that is being requested), and information about the type of credentials needed to access the WebLogic resource.
2. The WebLogic Security Framework sends the application component's request for credentials to a configured Credential Mapping provider. It is up to the credential mapper to decide whether it supports the token or not. If it supports the token, it performs its processing.
3. The Credential Mapping provider consults the legacy system's database to obtain a set of credentials that match those requested by the application component.
4. The Credential Mapping provider returns the credentials to the WebLogic Security Framework.
5. The WebLogic Security Framework passes the credentials back to the requesting application component through the resource container. The application component uses the credentials to access the external system. The external system might be a database resource, such as an Oracle or SQL Server.
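The five steps above can be modeled in a few lines of Java. This is an added illustration, not code from the original guide and not the WebLogic SSPI: every type, method, and sample value in it (CredentialMapper, LegacyDbMapper, frameworkLookup, the credential type strings, the "alice" mapping) is a hypothetical stand-in, and the legacy system's database is assumed to be an in-memory map.

```java
import java.util.*;

// Added illustration; these types are hypothetical and are NOT the WebLogic SSPI.
public class CredentialMappingFlow {
    static final String PASSWORD_TYPE = "username.password"; // constructed type label

    // Key into the legacy store: the "who" (subject) and the "what" (resource).
    record MapKey(String subject, String resource) {}
    record PasswordCredential(String remoteUser, char[] remotePassword) {}

    interface CredentialMapper {
        // Returns an empty list when the type is unsupported or no mapping exists.
        List<Object> getCredentials(String subject, String resource, String credType);
    }

    // Steps 2-4: decide whether the requested type is supported, then consult the store.
    static class LegacyDbMapper implements CredentialMapper {
        private final Map<MapKey, PasswordCredential> legacyDb = new HashMap<>();

        void addMapping(String subject, String resource, String user, String password) {
            legacyDb.put(new MapKey(subject, resource),
                         new PasswordCredential(user, password.toCharArray()));
        }

        @Override
        public List<Object> getCredentials(String subject, String resource, String credType) {
            if (!PASSWORD_TYPE.equals(credType)) return List.of();   // step 2: type not supported
            PasswordCredential c = legacyDb.get(new MapKey(subject, resource)); // step 3: lookup
            return c == null ? List.of() : List.of(c);               // step 4: return to framework
        }
    }

    // Steps 1 and 5: the framework forwards the request and passes the result back.
    static List<Object> frameworkLookup(CredentialMapper provider,
                                        String subject, String resource, String credType) {
        return provider.getCredentials(subject, resource, credType);
    }

    public static void main(String[] args) {
        LegacyDbMapper mapper = new LegacyDbMapper();
        // Constructed sample mapping: authenticated user "alice" -> remote account for one resource.
        mapper.addMapping("alice", "jdbc/PayrollDS", "payroll_app", "example-only");
        String[][] requests = { {"alice", "jdbc/PayrollDS", PASSWORD_TYPE},
                                {"alice", "jdbc/PayrollDS", "kerberos.ticket"},
                                {"bob", "jdbc/PayrollDS", PASSWORD_TYPE} };
        for (String[] r : requests)
            System.out.println(String.join(" / ", r) + " -> "
                    + frameworkLookup(mapper, r[0], r[1], r[2]).size() + " credential(s)");
    }
}
```

The second and third requests show the two cases where nothing is returned: a credential type the mapper does not support, and a subject with no mapping for the resource.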
11.3 Do You Need to Develop a Custom Credential Mapping Provider?