12 Auditing Events From Custom Security Providers
As described in Chapter 10, "Auditing Providers," auditing is the process whereby information about operating requests and the outcome of those requests is collected, stored, and distributed for the purposes of non-repudiation. Auditing providers provide this electronic trail of computer activity.
Each type of security provider can call the configured Auditing providers with a request to write out information about security-related events, before or after these
events take place. For example, if a user attempts to access a withdraw method in a bank account application to which they should not have access, the Authorization
provider can request that this operation be recorded. Security-related events are only recorded when they meet or exceed the severity level specified in the configuration of
the Auditing providers.
The following sections provide the background information you need to understand before adding auditing capability to your custom security providers, and provide step-by-step instructions for adding auditing capability to a custom security provider:
■ Section 12.1, "Security Services and the Auditor Service"
■ Section 12.2, "How to Audit From a Custom Security Provider"
12.1 Security Services and the Auditor Service
The SecurityServices interface, located in the weblogic.security.spi package, is a repository for security services (currently just the Auditor Service). As such, the SecurityServices interface is responsible for supplying callers with a reference to the Auditor Service via the following method:
■ getAuditorService: public AuditorService getAuditorService()
The getAuditorService method returns the AuditorService if an Auditing provider is configured; otherwise it returns null, so callers must check the result before using it.
The AuditorService interface, also located in the weblogic.security.spi package, provides other types of security providers (for example, Authentication providers) with limited, write-only auditing capabilities. In other words, the Auditor Service fans out invocations of each configured Auditing provider's writeEvent method, which simply writes an audit record based on the information specified in the AuditEvent object that is passed in.
For more information about the writeEvent method, see Section 10.5.1.2, "Implement the AuditChannel SSPI." For more information about AuditEvent objects, see Section 12.2.1, "Create an Audit Event."
12-2 Developing Security Providers for Oracle WebLogic Server
The AuditorService interface includes the following method:
■ providerAuditWriteEvent: public void providerAuditWriteEvent(AuditEvent event)
The providerAuditWriteEvent method gives security providers write access to the object in the WebLogic Security Framework that calls the configured Auditing providers. The event parameter is an AuditEvent object that contains the audit criteria, including the type of event to audit and the audit severity level. For more information about audit events and audit severity levels, see Section 12.2.1, "Create an Audit Event" and Section 12.2.1.3, "Audit Severity," respectively. The Auditor Service can be called to write audit events before or after those events have taken place, but it does not maintain context between pre- and post-operation calls, so each call must carry all the information the audit record needs. Security providers designed with auditing capabilities will need to obtain the Auditor Service as described in Section 12.2.2, "Obtain and Use the Auditor Service to Write Audit Events."
For more information about these interfaces and their methods, see the WebLogic Server API Reference Javadoc for the SecurityServices interface and the AuditorService interface.
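The following is an added example, not code from this documentation or from WebLogic Server itself, of how a custom provider can obtain the Auditor Service from SecurityServices during initialization and write one record before and one after an access check; the class names, the "AccessCheck" event type string and the phase labels are assumptions made for the example.

```java
import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.AuditEvent;
import weblogic.security.spi.AuditSeverity;
import weblogic.security.spi.AuditorService;
import weblogic.security.spi.SecurityServices;

// Hypothetical helper that a custom security provider delegates its auditing to.
public class AccessCheckAuditor {

    // Constructed AuditEvent implementation. AuditEvent requires getEventType(),
    // getFailureException(), getSeverity() and toString(); the Auditing providers
    // that receive the event decide what to do with each of these values.
    static final class AccessCheckEvent implements AuditEvent {
        private final String phase;    // "pre" or "post": the service keeps no context between calls
        private final String subject;
        private final String resource;
        private final AuditSeverity severity;

        AccessCheckEvent(String phase, String subject, String resource, AuditSeverity severity) {
            this.phase = phase; this.subject = subject;
            this.resource = resource; this.severity = severity;
        }
        public String getEventType() { return "AccessCheck"; }      // assumed event type name
        public Exception getFailureException() { return null; }
        public AuditSeverity getSeverity() { return severity; }
        public String toString() {
            return "AccessCheck[" + phase + "] subject=" + subject
                 + " resource=" + resource + " severity=" + severity;
        }
    }

    private AuditorService auditor; // stays null when no Auditing provider is configured

    // Call this from the provider's initialize(ProviderMBean, SecurityServices).
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        auditor = services.getAuditorService();
    }

    // Record that a check is about to happen; severity INFORMATION because no outcome yet.
    public void auditBefore(String subject, String resource) {
        if (auditor == null) return; // auditing is optional: no provider, no record
        auditor.providerAuditWriteEvent(
            new AccessCheckEvent("pre", subject, resource, AuditSeverity.INFORMATION));
    }

    // Record the outcome; every detail is passed again since no pre-call state is kept.
    public void auditAfter(String subject, String resource, boolean granted) {
        if (auditor == null) return;
        AuditSeverity sev = granted ? AuditSeverity.SUCCESS : AuditSeverity.FAILURE;
        auditor.providerAuditWriteEvent(new AccessCheckEvent("post", subject, resource, sev));
    }
}
```

Whether a record is actually written depends on the severity threshold configured on each Auditing provider, so a FAILURE event may be stored while an INFORMATION event from the same check is dropped.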
12.2 How to Audit From a Custom Security Provider