4 Authentication Providers
Authentication is the mechanism by which callers prove that they are acting on behalf of specific users or systems. Authentication answers the question, "Who are you?" using credentials such as username/password combinations.
In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make that identity information available to various components of a system (via subjects) when needed. During the authentication process, a Principal Validation provider provides additional security protections for the principals (users and groups) contained within the subject by signing and verifying the authenticity of those principals. For more information, see Chapter 6, "Principal Validation Providers."
The following sections describe Authentication provider concepts and functionality, and provide step-by-step instructions for developing a custom Authentication provider:
■ Section 4.1, "Authentication Concepts"
■ Section 4.2, "The Authentication Process"
■ Section 4.3, "Do You Need to Develop a Custom Authentication Provider?"
■ Section 4.4, "How to Develop a Custom Authentication Provider"
4.1 Authentication Concepts
Before delving into the specifics of developing custom Authentication providers, it is important to understand the following concepts:
■ Section 4.1.1, "Users and Groups, Principals and Subjects"
■ Section 4.1.2, "LoginModules"
■ Section 4.1.3, "Java Authentication and Authorization Service (JAAS)"
4.1.1 Users and Groups, Principals and Subjects
A user is similar to an operating system user in that it represents a person. A group is a category of users, classified by common traits such as job title. Categorizing users into groups makes it easier to control the access permissions for large numbers of users. For more information about users and groups, see "Users, Groups, and Security Roles" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.
Note: An Identity Assertion provider is a specific form of Authentication provider that allows users or system processes to assert their identity using tokens. For more information, see Chapter 5, "Identity Assertion Providers."
Both users and groups can be used as principals by application servers like WebLogic Server. A principal is an identity assigned to a user or group as a result of authentication. The Java Authentication and Authorization Service (JAAS) requires that subjects be used as containers for authentication information, including principals. Each principal stored in the same subject represents a separate aspect of the same user's identity, much like cards in a person's wallet. For example, an ATM card identifies someone to their bank, while a membership card identifies them to a professional organization to which they belong. For more information about JAAS, see Section 4.1.3, "Java Authentication and Authorization Service (JAAS)."
Figure 4–1 illustrates the relationships among users, groups, principals, and subjects.
Figure 4–1 Relationships Among Users, Groups, Principals and Subjects
As part of a successful authentication, principals are signed and stored in a subject for future use. A Principal Validation provider signs principals, and an Authentication provider's LoginModule actually stores the principals in the subject. Later, when a caller attempts to access a principal stored within a subject, a Principal Validation provider verifies that the principal has not been altered since it was signed, and the principal is returned to the caller (assuming all other security conditions are met).
Any principal that is going to represent a WebLogic Server user or group needs to implement the WLSUser and WLSGroup interfaces, which are available in the weblogic.security.spi package.
Note: Subjects replace WebLogic Server 6.x users.
Note: For more information about Principal Validation providers and LoginModules, see Chapter 6, "Principal Validation Providers" and Section 4.1.2, "LoginModules," respectively.
4.1.1.1 Providing Initial Users and Groups
Authentication providers need a list of users and groups before they can be used to perform authentication in a running WebLogic Server. Some Authentication providers let the administrator configure an external database (for example, add the users and groups to an LDAP server or a DBMS) and then configure the provider to use that database. These providers don't have to worry about how the users and groups are populated because the administrator does that first, using the external database's tools.
However, some Authentication providers create and manage their own list of users and groups. This is the case for the ManageableSampleAuthenticator provider available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site. These providers need to worry about how their initial set of users and groups is populated. One way to handle this is for the provider's initialize method to notice that the users and groups don't exist yet, and then populate the list with an initial set of users and groups.
Note that some providers have a separate list of users and groups for each security realm, and therefore need to create an initial set of users and groups the first time the list is used in a new realm. For example, the ManageableSampleAuthenticator provider creates a separate properties file of users and groups for each realm. Its initialize method gets the realm name, determines whether the properties file for that realm exists and, if not, creates one, populating it with its initial set of users and groups.
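The per-realm seeding just described, as an added example (not the ManageableSampleAuthenticator's own code): an initialize method in the shape of AuthenticationProviderV2.initialize that derives the store file from the realm name and creates it with an initial set only when it is absent. The class name, the file location under user.dir and the property-key layout are assumptions; the remaining AuthenticationProviderV2 methods are outside this example.

```java
import java.io.*;
import java.nio.file.*;
import java.util.Properties;
import weblogic.management.security.ProviderMBean;
import weblogic.security.spi.SecurityServices;

public class SeededAuthenticationProviderImpl {
    private Properties usersAndGroups;

    // AuthenticationProviderV2.initialize(): runs once when the realm is booted.
    public void initialize(ProviderMBean mbean, SecurityServices services) {
        // Each realm keeps its own list, so the realm name is part of the file name.
        String realmName = mbean.getRealm().getName();
        Path store = Paths.get(System.getProperty("user.dir"),       // assumed location
                "SeededAuthenticator_" + realmName + ".properties");
        try {
            usersAndGroups = loadOrSeed(store);
        } catch (IOException e) {
            throw new IllegalStateException("cannot initialize user store " + store, e);
        }
    }

    // Loads the realm's store if it exists, otherwise creates it with the initial set.
    static Properties loadOrSeed(Path store) throws IOException {
        if (!Files.exists(store)) {
            // CREATE_NEW fails if another server instance created the file between
            // the exists() check and this write, so neither overwrites the other.
            try (OutputStream out = Files.newOutputStream(store,
                    StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
                initialUsersAndGroups().store(out, "initial users and groups");
            } catch (FileAlreadyExistsException race) {
                // Another instance won the race; fall through and read its copy.
            }
        }
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(store)) {
            props.load(in);
        }
        return props;
    }

    // Initial set: one administrative user and its group. The key layout is an
    // assumption; no password material is seeded into the file.
    static Properties initialUsersAndGroups() {
        Properties p = new Properties();
        p.setProperty("group.Administrators", "admin");
        p.setProperty("user.admin", "Administrators");
        return p;
    }
}
```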
4.1.2 LoginModules