
5-6 Understanding Security for Oracle WebLogic Server

The result of the dynamic role association performed by the Role Mapping providers is a set of roles that apply to the principals stored in a subject at a given moment. These roles can then be used to make authorization decisions for protected WebLogic resources, as well as for resource container and application code. For example, an Enterprise JavaBean (EJB) could use the Java EE isCallerInRole method to retrieve fields from a record in a database, without having knowledge of the business policies that determine whether access is allowed.
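The following is an added example, not code from the Oracle documentation, showing how an EJB consumes the roles produced by role mapping through the standard Java EE `EJBContext.isCallerInRole` method. The bean name, the role name "Auditor", and the record type are assumptions; the bean never sees the policy that decided who holds that role.

```java
// Added example (not from the Oracle documentation). Assumes a standard
// Java EE container; AccountBean, the "Auditor" role and AccountRecord are
// invented for illustration.
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class AccountBean {

    // The container injects a context whose isCallerInRole reflects the
    // roles the Role Mapping providers attached to the caller's subject.
    @Resource
    private SessionContext ctx;

    public static final class AccountRecord {
        public final String accountId;
        public final String ownerName;
        public final String taxId; // sensitive field, restricted below

        AccountRecord(String accountId, String ownerName, String taxId) {
            this.accountId = accountId;
            this.ownerName = ownerName;
            this.taxId = taxId;
        }
    }

    /**
     * Returns the record; the sensitive taxId field is only released when the
     * caller holds the "Auditor" role. The bean does not know or care how that
     * role was assigned (group membership, time of day, etc.): that business
     * policy lives in the Role Mapping provider, not here.
     */
    public AccountRecord read(String accountId) {
        // Constructed sample data standing in for a database lookup.
        AccountRecord fromDb = new AccountRecord(accountId, "A. Example", "000-00-0000");

        if (ctx.isCallerInRole("Auditor")) {
            return fromDb;
        }
        // Non-auditors get a redacted view rather than a silent failure.
        return new AccountRecord(fromDb.accountId, fromDb.ownerName, "<redacted>");
    }

    /** Destructive operation: deny outright rather than redact. */
    public void close(String accountId) {
        if (!ctx.isCallerInRole("Administrator")) {
            throw new EJBAccessException("caller is not an Administrator");
        }
        // ... close the account ...
    }
}
```

Because the decision is delegated to the container, changing who counts as an "Auditor" is a configuration change in the security realm and requires no redeployment of the bean.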

5.1.7 The Auditing Process

Figure 5–7 shows how Auditing providers interact with the WebLogic Security Framework and other types of security providers, using an Authentication provider as an example.

Figure 5–7 Auditing Process

The auditing process is initiated when a resource container passes a user's authentication information (for example, a username/password combination) to the WebLogic Security Framework as part of a login request. The WebLogic Security Framework passes the information associated with the login request to the configured Authentication provider. If, in addition to providing authentication services, the Authentication provider is designed to post audit events, the Authentication provider instantiates an AuditEvent object. The AuditEvent object includes information such as the event type to be audited and an audit severity level. The Authentication provider then calls the Auditor Service in the WebLogic Security Framework, passing in the AuditEvent object.

The Auditor Service passes the AuditEvent object to the configured Auditing providers' runtime classes, enabling audit event recording. The Auditing providers' runtime classes use the information obtained from the AuditEvent object to control audit record content. When the criteria for auditing specified by the Authentication provider in the AuditEvent object are met, the appropriate Auditing provider's runtime class writes out audit records. Depending on the Auditing provider implementation, audit records may be written to a file, a database, or some other persistent storage medium.
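The two halves of the exchange just described, as an added example that is not part of the Oracle documentation: the AuditEvent an Authentication provider would instantiate for a failed login, and the runtime class (an AuditChannel) of an Auditing provider that decides from the event's severity whether to write a record. It assumes the WebLogic SSPI types `weblogic.security.spi.AuditEvent`, `AuditSeverity`, `AuditChannel` and `AuditorService`; the class names `LoginFailureEvent` and `SeverityFilteringChannel`, the log file path, and the severity threshold are our own choices.

```java
// Added example (not from the Oracle documentation). Assumes the WebLogic
// SSPI interfaces named in the imports; everything else is invented here.
import java.io.FileWriter;
import java.io.IOException;
import java.io.PrintWriter;
import java.time.Instant;
import java.util.Set;

import weblogic.security.spi.AuditChannel;
import weblogic.security.spi.AuditEvent;
import weblogic.security.spi.AuditSeverity;
import weblogic.security.spi.AuditorService;

/**
 * Event an Authentication provider instantiates when a login fails.
 * Note what is NOT carried: the password. The audit record must identify
 * the attempt, never reproduce the credential that was tried.
 */
public class LoginFailureEvent implements AuditEvent {
    private final String username;
    private final Exception cause;

    public LoginFailureEvent(String username, Exception cause) {
        this.username = username;
        this.cause = cause;
    }

    @Override public String getEventType() { return "Authentication"; }
    @Override public AuditSeverity getSeverity() { return AuditSeverity.FAILURE; }
    @Override public Exception getFailureException() { return cause; }
    @Override public String toString() {
        return "login failure for user '" + username + "'";
    }

    /**
     * What the Authentication provider does after a failed login: hand the
     * event to the Auditor Service it was given at initialize() time via
     * SecurityServices.getAuditorService(). The framework fans it out to
     * every configured Auditing provider.
     */
    public static void post(AuditorService auditor, String username, Exception cause) {
        auditor.recordEvent(new LoginFailureEvent(username, cause));
    }
}

/**
 * Runtime class of a file-based Auditing provider. The AuditorService calls
 * writeEvent for every event; this channel records only events at or above
 * its configured severity, which is how the provider "controls audit record
 * content" from the information in the AuditEvent.
 */
class SeverityFilteringChannel implements AuditChannel {
    // Severities this channel persists; assumption: FAILURE and ERROR only.
    private final Set<AuditSeverity> recorded = Set.of(AuditSeverity.FAILURE, AuditSeverity.ERROR);
    private final PrintWriter out;

    SeverityFilteringChannel(String path) throws IOException {
        this.out = new PrintWriter(new FileWriter(path, true), true); // append, autoflush
    }

    @Override
    public void writeEvent(AuditEvent event) {
        if (!recorded.contains(event.getSeverity())) {
            return; // criteria not met: no record written
        }
        String reason = event.getFailureException() == null
                ? "" : " cause=" + event.getFailureException().getClass().getSimpleName();
        out.println(Instant.now() + " <" + event.getSeverity() + "> <"
                + event.getEventType() + "> " + event + reason);
    }
}
```

Two points a reviewer of such a provider would check: the event string never contains the submitted credential, and the channel's filter is driven by the event's own severity rather than by anything the caller can influence, so a misconfigured application cannot suppress its own failure records.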

5.1.8 The Credential Mapping Process

Figure 5–8 illustrates how Credential Mapping providers interact with the WebLogic Security Framework during the credential mapping process.

WebLogic Security Service Architecture 5-7

Figure 5–8 Credential Mapping Process

The credential mapping process is initiated when application components, such as JavaServer Pages (JSPs), servlets, Enterprise JavaBeans (EJBs), or Resource Adapters, call into the WebLogic Security Framework through the appropriate resource container to access an Enterprise Information System (EIS), for example, a relational database such as Oracle or SQL Server. As part of the call, the application component passes in the subject (that is, the "who" making the request), the WebLogic resource (that is, the "what" that is being requested), and information about the type of credentials needed to access the WebLogic resource. The WebLogic Security Framework sends the application component's request for credentials to a configured Credential Mapping provider that handles the type of credentials needed by the application component. The Credential Mapping provider consults its database to obtain a set of credentials that match those requested by the application component and returns the credentials to the WebLogic Security Framework. The WebLogic Security Framework passes the credentials back to the requesting application component through the resource container. The application component uses the credentials to access the external system.

5.1.9 The Certificate Lookup and Validation Process