
Servlet Authentication Filters 13-5

13.4.1 Create Runtime Classes Using the Appropriate SSPIs

Before you start creating runtime classes, you should first read:

■ Section 3.2.2, Understand the Purpose of the Provider SSPIs
■ Section 3.2.5, Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes

When you understand this information and have made your design decisions, create the runtime classes for your Servlet Authentication Filter by following these steps:

■ Section 5.4.1.1, Implement the AuthenticationProviderV2 SSPI or Section 5.4.1.2, Implement the IdentityAsserterV2 SSPI
■ Section 13.4.2, Implement the Servlet Authentication Filter SSPI
■ Section 13.4.3, Implement the Filter Interface Methods

For an example of how to create a runtime class for a custom Servlet Authentication Filter provider, see Section 13.4.5, Generate an MBean Type Using the WebLogic MBeanMaker.

13.4.2 Implement the Servlet Authentication Filter SSPI

You implement the ServletAuthenticationFilter interface as part of an Authentication provider to signal that the Authentication provider has authentication filters that it wants the servlet container to invoke during the authentication process. To implement the Servlet Authentication Filter SSPI, provide an implementation for the following method:

■ getServletAuthenticationFilters

public Filter[] getServletAuthenticationFilters()

The getServletAuthenticationFilters method returns an ordered list of the javax.servlet.Filters that are executed during the authentication process of the Servlet container. The container may call this method multiple times to get multiple instances of the Servlet Authentication Filter. On each call, this method should return a list of new instances of the filters.

13.4.3 Implement the Filter Interface Methods

To implement the Filter interface methods, provide implementations for the following methods. In typical use, you would call init once, doFilter possibly many times, and destroy once.

■ destroy

public void destroy()

The destroy method is called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within the filter's doFilter method have exited, or after a timeout period has passed. After the web container calls this method, it does not call the doFilter method again on this instance of the filter. This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make sure that any persistent state is synchronized with the filter's current state in memory.

13-6 Developing Security Providers for Oracle WebLogic Server

■ doFilter

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)

The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and response to the next entity in the chain. A typical implementation of this method would follow the following pattern:

1. Examine the request.
2. Optionally, wrap the request object with a custom implementation to filter content or headers for input filtering.
3. Optionally, wrap the response object with a custom implementation to filter content or headers for output filtering.
4. Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()), or do not pass on the request/response pair to the next entity in the filter chain to block the request processing.
5. Directly set headers on the response after invocation of the next entity in the filter chain.
■ init

public void init(FilterConfig filterConfig)

The init method is called by the web container to indicate to a filter that it is being placed into service. The servlet container calls the init method exactly once after instantiating the filter. The init method must complete successfully before the filter is asked to do any filtering work.
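
Added example (not from the Oracle documentation): one way the getServletAuthenticationFilters method of Section 13.4.2 and the five-step doFilter pattern of Section 13.4.3 fit together. The class names, the X-Example-User header, the TLS-only policy and the Cache-Control header are assumptions chosen for illustration.

```java
// Added example; needs the servlet API and WebLogic security SPI on the classpath.
import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import weblogic.security.spi.ServletAuthenticationFilter;

// Hypothetical: a real runtime class also implements AuthenticationProviderV2
// or IdentityAsserterV2 alongside this method.
abstract class ExampleFilterSource implements ServletAuthenticationFilter {
    @Override public Filter[] getServletAuthenticationFilters() {
        return new Filter[] { new ExampleAuthFilter() }; // new instances on every call
    }
}

class ExampleAuthFilter implements Filter {
    static final String HIDDEN = "X-Example-User"; // constructed header name

    @Override public void init(FilterConfig filterConfig) { } // holds no resources

    @Override public void doFilter(ServletRequest request, ServletResponse response,
            FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;   // step 1: examine
        HttpServletResponse res = (HttpServletResponse) response;
        if (!req.isSecure()) {                                   // step 4: block by
            res.sendError(HttpServletResponse.SC_FORBIDDEN);     // not calling the chain
            return;
        }
        chain.doFilter(new HeaderHidingRequest(req), res);       // steps 2 and 4
        if (!res.isCommitted()) {                                // step 5: a committed
            res.setHeader("Cache-Control", "no-store");          // response drops headers
        }
    }

    @Override public void destroy() { } // nothing to release or synchronize
}

// Step 2: input filtering. getIntHeader/getDateHeader are left as inherited.
class HeaderHidingRequest extends HttpServletRequestWrapper {
    HeaderHidingRequest(HttpServletRequest req) { super(req); }
    private static boolean hidden(String n) { return ExampleAuthFilter.HIDDEN.equalsIgnoreCase(n); }
    @Override public String getHeader(String n) { return hidden(n) ? null : super.getHeader(n); }
    @Override public Enumeration<String> getHeaders(String n) {
        return hidden(n) ? Collections.<String>emptyEnumeration() : super.getHeaders(n);
    }
    @Override public Enumeration<String> getHeaderNames() {
        List<String> names = Collections.list(super.getHeaderNames());
        names.removeIf(HeaderHidingRequest::hidden);
        return Collections.enumeration(names);
    }
}
```

Because headers written after chain.doFilter are ignored once the response is committed, a header that must always be present is safer set before the chain is invoked or through a response wrapper (step 3).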

13.4.4 Implementing Challenge Identity Assertion from a Filter