Users and Groups, Principals and Subjects

4 Authentication Providers

Authentication is the mechanism by which callers prove that they are acting on behalf of specific users or systems. Authentication answers the question "Who are you?" using credentials such as username/password combinations. In WebLogic Server, Authentication providers are used to prove the identity of users or system processes. Authentication providers also remember, transport, and make that identity information available to various components of a system via subjects when needed. During the authentication process, a Principal Validation provider provides additional security protections for the principals (users and groups) contained within the subject by signing and verifying the authenticity of those principals. For more information, see Chapter 6, "Principal Validation Providers."

The following sections describe Authentication provider concepts and functionality, and provide step-by-step instructions for developing a custom Authentication provider:

■ Section 4.1, "Authentication Concepts"
■ Section 4.2, "The Authentication Process"
■ Section 4.3, "Do You Need to Develop a Custom Authentication Provider?"
■ Section 4.4, "How to Develop a Custom Authentication Provider"

4.1 Authentication Concepts

Before delving into the specifics of developing custom Authentication providers, it is important to understand the following concepts:

■ Section 4.1.1, "Users and Groups, Principals and Subjects"
■ Section 4.1.2, "LoginModules"
■ Section 4.1.3, "Java Authentication and Authorization Service (JAAS)"

4.1.1 Users and Groups, Principals and Subjects

A user is similar to an operating system user in that it represents a person. A group is a category of users, classified by common traits such as job title. Categorizing users into groups makes it easier to control the access permissions for large numbers of users. For more information about users and groups, see "Users, Groups, and Security Roles" in Securing Resources Using Roles and Policies for Oracle WebLogic Server.

Note: An Identity Assertion provider is a specific form of Authentication provider that allows users or system processes to assert their identity using tokens. For more information, see Chapter 5, "Identity Assertion Providers."

Developing Security Providers for Oracle WebLogic Server

Both users and groups can be used as principals by application servers like WebLogic Server. A principal is an identity assigned to a user or group as a result of authentication. The Java Authentication and Authorization Service (JAAS) requires that subjects be used as containers for authentication information, including principals. Each principal stored in the same subject represents a separate aspect of the same user's identity, much like cards in a person's wallet. For example, an ATM card identifies someone to their bank, while a membership card identifies them to a professional organization to which they belong. For more information about JAAS, see Section 4.1.3, "Java Authentication and Authorization Service (JAAS)."

Figure 4–1 illustrates the relationships among users, groups, principals, and subjects.

Figure 4–1 Relationships Among Users, Groups, Principals and Subjects

As part of a successful authentication, principals are signed and stored in a subject for future use. A Principal Validation provider signs principals, and an Authentication provider's LoginModule actually stores the principals in the subject. Later, when a caller attempts to access a principal stored within a subject, a Principal Validation provider verifies that the principal has not been altered since it was signed, and the principal is returned to the caller (assuming all other security conditions are met). Any principal that is going to represent a WebLogic Server user or group needs to implement the WLSUser and WLSGroup interfaces, which are available in the weblogic.security.spi package.
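The following is an added example, not code from this guide or from WebLogic Server, that shows the relationships just described in plain JAAS: a Subject holding one user principal and one group principal ("cards in a wallet"), each signed before it is stored, and a verifier that refuses any principal whose signature does not match. The `UserPrincipal` and `GroupPrincipal` interfaces are local stand-ins for `WLSUser` and `WLSGroup`, and `PrincipalSigner` (an HMAC over the principal's type and name) is an illustration of the Principal Validation provider's role, not Oracle's implementation of it.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Set;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.Subject;

// Local stand-ins for weblogic.security.spi.WLSUser and WLSGroup: marker interfaces
// that let callers pick user principals and group principals out of a Subject by type.
interface UserPrincipal extends Principal {}
interface GroupPrincipal extends Principal {}

// A principal that carries the signature a validation provider attached to it.
abstract class SignedPrincipal implements Principal {
    private final String name;
    byte[] signature;                              // null until signed
    SignedPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public String toString() { return getClass().getSimpleName() + ":" + name; }
}
final class SimpleUser extends SignedPrincipal implements UserPrincipal {
    SimpleUser(String name) { super(name); }
}
final class SimpleGroup extends SignedPrincipal implements GroupPrincipal {
    SimpleGroup(String name) { super(name); }
}

// Illustrative signer/verifier standing in for the Principal Validation provider role.
// The tag binds both the principal's class and its name, so a signature cannot be
// moved from one principal to another or from a user to a group of the same name.
final class PrincipalSigner {
    private final SecretKeySpec key;
    PrincipalSigner(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] tag(SignedPrincipal p) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        String material = p.getClass().getName() + "\n" + p.getName();
        return mac.doFinal(material.getBytes(StandardCharsets.UTF_8));
    }
    void sign(SignedPrincipal p) throws Exception { p.signature = tag(p); }
    // Constant-time comparison; an unsigned principal never validates.
    boolean validate(SignedPrincipal p) throws Exception {
        return p.signature != null && MessageDigest.isEqual(p.signature, tag(p));
    }
}

public class SubjectDemo {
    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real validator's key never lives in source code.
        PrincipalSigner signer = new PrincipalSigner(
                "demo-secret-not-for-production".getBytes(StandardCharsets.UTF_8));

        // What a LoginModule does on commit: sign the principals, then store them in the Subject.
        Subject subject = new Subject();
        SimpleUser user = new SimpleUser("alice");
        SimpleGroup group = new SimpleGroup("Administrators");
        signer.sign(user);
        signer.sign(group);
        subject.getPrincipals().add(user);
        subject.getPrincipals().add(group);

        // "Cards in a wallet": each consumer reads only the kind of principal it cares about.
        Set<UserPrincipal> users = subject.getPrincipals(UserPrincipal.class);
        Set<GroupPrincipal> groups = subject.getPrincipals(GroupPrincipal.class);
        System.out.println("users=" + users + " groups=" + groups);

        // Before a stored principal is handed back to a caller, it must still validate.
        for (Principal p : subject.getPrincipals()) {
            System.out.println(p + " valid=" + signer.validate((SignedPrincipal) p));
        }

        // A group principal forged after authentication, reusing a genuine signature,
        // is rejected because the tag was computed over a different type/name pair.
        SimpleGroup forged = new SimpleGroup("Operators");
        forged.signature = group.signature;
        System.out.println(forged + " valid=" + signer.validate(forged));
    }
}
```

Save the file as SubjectDemo.java and run it with a JDK; the two genuine principals validate and the forged one does not. The point for a provider author is the division of labour the text describes: the LoginModule only adds principals to the Subject, while signing and later verification belong to the Principal Validation provider, and a consumer trusts a principal only after that verification passes.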

Note: Subjects replace WebLogic Server 6.x users.

Note: For more information about Principal Validation providers and LoginModules, see Chapter 6, "Principal Validation Providers" and Section 4.1.2, "LoginModules," respectively.

4.1.1.1 Providing Initial Users and Groups

Authentication providers need a list of users and groups before they can be used to perform authentication in a running WebLogic Server. Some Authentication providers let the administrator configure an external database (for example, add the users and groups to an LDAP server or a DBMS) and then configure the provider to use that database. These providers don't have to worry about how the users and groups are populated because the administrator does that first, using the external database's tools.

However, some Authentication providers create and manage their own list of users and groups. This is the case for the ManageableSampleAuthenticator provider available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site. These providers need to worry about how their initial set of users and groups is populated. One way to handle this is for the provider's initialize method to notice that the users and groups don't exist yet, and then populate the list with an initial set of users and groups. Note that some providers have a separate list of users and groups for each security realm, and therefore need to create an initial set of users and groups the first time the list is used in a new realm. For example, the ManageableSampleAuthenticator provider creates a separate properties file of users and groups for each realm. Its initialize method gets the realm name, determines whether the properties file for that realm exists and, if not, creates one, populating it with its initial set of users and groups.
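The per-realm seeding pattern described above, as an added example that is not the ManageableSampleAuthenticator's code or any part of this guide: a store that keeps one properties file per realm, seeds it with a constructed initial set of users and groups only on first use, and leaves an existing realm's file untouched. The file naming, the property key layout (`user.<name>` and `group.<name>`) and the realm-name check are this example's own choices; a real provider would take the realm name from its MBean in `initialize` and would keep credentials in a properly protected form rather than in this file.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.util.Properties;
import java.util.regex.Pattern;

/** Illustrative per-realm user/group store: one properties file per realm, seeded once. */
final class RealmUserStore {
    // The realm name becomes part of a file name, so only a conservative character set is
    // accepted; this keeps every realm inside baseDir and prevents two realms sharing a file.
    private static final Pattern SAFE_REALM = Pattern.compile("[A-Za-z0-9_.-]{1,64}");
    private final Path baseDir;

    RealmUserStore(Path baseDir) { this.baseDir = baseDir; }

    /** What a provider's initialize method would call with the realm's name. */
    Properties initialize(String realmName) throws IOException {
        if (!SAFE_REALM.matcher(realmName).matches()) {
            throw new IllegalArgumentException("unsafe realm name: " + realmName);
        }
        Path file = baseDir.resolve(realmName + "-users.properties");
        if (Files.exists(file)) {
            return load(file);                   // realm already populated: never reseed it
        }
        Files.createDirectories(baseDir);
        Properties seed = initialUsersAndGroups();
        try (OutputStream out = Files.newOutputStream(file,
                StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE)) {
            seed.store(out, "initial users and groups for realm " + realmName);
        } catch (FileAlreadyExistsException race) {
            // Another server instance seeded this realm between our exists() check and our
            // write. Its copy is authoritative, so read it back instead of overwriting it.
            return load(file);
        }
        return seed;
    }

    private static Properties load(Path file) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) { props.load(in); }
        return props;
    }

    // Constructed seed data. "user.<name>" holds comma-separated group memberships and
    // "group.<name>" holds a description. No credentials are kept in this file.
    private static Properties initialUsersAndGroups() {
        Properties p = new Properties();
        p.setProperty("group.Administrators", "full administrative access");
        p.setProperty("group.Operators", "start and stop servers");
        p.setProperty("user.admin", "Administrators");
        p.setProperty("user.operator1", "Operators");
        return p;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("realm-store-demo");
        RealmUserStore store = new RealmUserStore(dir);

        Properties first = store.initialize("myrealm");        // first use: file is seeded

        // Simulate an administrator later adding a user to the realm's file.
        Properties edited = new Properties();
        edited.putAll(first);
        edited.setProperty("user.bob", "Operators");
        try (OutputStream out = Files.newOutputStream(dir.resolve("myrealm-users.properties"))) {
            edited.store(out, "administrator added bob");
        }

        Properties second = store.initialize("myrealm");       // existing file wins; bob survives
        System.out.println("myrealm entries: " + second.stringPropertyNames());

        Properties other = store.initialize("otherrealm");     // a different realm gets its own seed
        System.out.println("otherrealm entries: " + other.stringPropertyNames());
    }
}
```

Running it prints the seeded entries plus `user.bob` for `myrealm` and only the seed for `otherrealm`. The two defensive details worth carrying into a real provider are the realm-name check before it is used in a path and the `CREATE_NEW` write, which turns the check-then-create race between concurrently starting server instances into a recoverable exception instead of a silent overwrite of the realm's user list.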

4.1.2 LoginModules