Role Consumer SSPI How to Develop a Custom Role Mapping Provider

9-16 Developing Security Providers for Oracle WebLogic Server

         return false;
      }
      // if we're the same java object, we're the same
      if (this == genericRole) {
         return true;
      }
      // if the other role is not a simple sample role mapper role, we're not the same
      if (!(genericRole instanceof SimpleSampleSecurityRoleImpl)) {
         return false;
      }
      // Cast the other role to a simple sample role mapper role.
      SimpleSampleSecurityRoleImpl sampleRole = (SimpleSampleSecurityRoleImpl)genericRole;
      // if our names don't match, we're not the same
      if (!roleName.equals(sampleRole.getName())) {
         return false;
      }
      // we're the same
      return true;
   }

   public String toString() {
      return roleName;
   }

   public int hashCode() {
      return hashCode;
   }

   public String getName() {
      return roleName;
   }

   public String getDescription() {
      return "";
   }
}

9.5.2 Role Consumer SSPI

WebLogic Server implements a role consumer for Web service annotations. This release of WebLogic Server includes an SSPI that Role Mapping providers can use to obtain the role collections. The RoleConsumer SSPI is optional; only those Role Mapping providers that implement the SSPI are called to consume a role collection. The SSPI supports both the delivery of initial role collections and the delivery of updated role collections. All Role Mapping providers that support the RoleConsumer SSPI are called to consume a role collection. Each Role Mapping provider can choose to skip or obtain the role collection for a given role set. In the case where a provider persists roles, the provider need only collect the role once. However, providers that keep roles in memory can obtain the role collection again. The out-of-the-box WebLogic Server Role Mapping providers persist the roles into LDAP.

9.5.2.1 Required SSPI Interfaces

If you want your custom Role Mapping provider to support the delivery of role collections, you must implement three interfaces:

■ weblogic.security.spi.RoleConsumerFactory
■ weblogic.security.spi.RoleConsumer
■ weblogic.security.spi.RoleCollectionHandler

These interfaces are described in the sections that follow.

9.5.2.2 Implement the RoleConsumerFactory SSPI Interface

A Role Mapping provider implements the RoleConsumerFactory interface so that an instance of a RoleConsumer is available to the WebLogic Security Framework. The WebLogic Security Framework calls your RoleConsumerFactory implementation to obtain the provider's implementation of the role consumer. The RoleConsumerFactory SSPI has one method, which returns your implementation of the RoleConsumer SSPI interface.

public interface RoleConsumerFactory {
   /**
    * Obtain the implementation of the RoleConsumer security service
    * provider interface (SSPI).
    *
    * @return a RoleConsumer SSPI implementation.
    */
   public RoleConsumer getRoleConsumer();
}

9.5.2.3 Implement the RoleConsumer SSPI Interface

The RoleConsumer SSPI returns a role collection handler for consumption of a role collection. It has one method, getRoleCollectionHandler, which takes a RoleCollectionInfo implementation as an argument and returns your implementation of the RoleCollectionHandler interface.

public interface RoleConsumer {
   /**
    * Obtain a role handler for consumption of a role collection.
    *
    * @param info the RoleCollectionInfo for the role collection.
    * @return a RoleCollectionHandler, or NULL, which indicates that
    *         the role collection is not needed.
    * @exception ConsumptionException if an error occurs obtaining the
    *            handler and the role collection cannot be consumed.
    */
   public RoleCollectionHandler getRoleCollectionHandler(RoleCollectionInfo info)
      throws ConsumptionException;
}

The WebLogic Security Framework calls the getRoleCollectionHandler method and passes data about a role collection to a security provider as an implementation of the RoleCollectionInfo interface. This interface implementation is provided for you; you do not have to implement it. You use the RoleCollectionInfo getName, getVersion, getTimestamp, and getResourceTypes methods to discover information about this role collection. You then return a RoleCollectionHandler, or NULL to indicate that the role collection is not needed.

public interface RoleCollectionInfo {
   /** Get the name of the collection. */
   public String getName();

   /** Get the runtime version of the role. */
   public String getVersion();

   /** Get the timestamp of the role. */
   public String getTimestamp();

   /** Get the resource types used in the role collection. */
   public Resource[] getResourceTypes();
}

9.5.2.4 Implement the RoleCollectionHandler SSPI Interface

The RoleConsumer.getRoleCollectionHandler method returns your implementation of the RoleCollectionHandler interface. RoleCollectionHandler has two methods: setRole and done. The setRole method takes a resource, a role name, and an array of user and group names that defines which user names and group names are to be assigned to that role for the given resource. The done method signals the completion of the role collection.

public interface RoleCollectionHandler {
   /** Set a role for the specified resource. */
   public void setRole(Resource resource, String roleName, String[] userAndGroupNames)
      throws ConsumptionException;

   /** Signals the completion of the role collection. */
   public void done() throws ConsumptionException;
}

9.5.2.5 Supporting an Updated Role Collection

To support the delivery of an updated role collection, all Role Mapping providers that support the RoleConsumer SSPI need to examine the contents of the RoleCollectionInfo passed in the RoleConsumer.getRoleCollectionHandler method to determine whether a role collection has changed. If the role collection info has a different timestamp or version, it is treated as an updated role collection. The collection name is used as a persistence key. Each provider must decide (possibly by configuration) how to perform conflict resolution between the initial role collection and any customized role received outside of the SSPI. For the WebLogic Server supplied Role Mapping providers, customized roles are not replaced by the updated role collection: all roles from the initial role collection are removed, and only the customized roles plus the updated role collection are in effect.
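The sections above describe the three interfaces one at a time. The following Java class is an added example, not Oracle's sample provider code and not part of this document; it puts the three interfaces together and applies the update rule from this section (version or timestamp changed means an updated collection, collection name as the persistence key, customized roles never replaced). It assumes an in-memory store, a stand-alone factory class (in a real provider the provider's main implementation class would implement RoleConsumerFactory itself), that Resource.toString() can serve as a stable resource key, and a hypothetical customizedRoles map standing in for roles customized outside the SSPI.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import weblogic.security.spi.ConsumptionException;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleCollectionHandler;
import weblogic.security.spi.RoleCollectionInfo;
import weblogic.security.spi.RoleConsumer;
import weblogic.security.spi.RoleConsumerFactory;

/**
 * Hypothetical role consumer for a custom Role Mapping provider (added example).
 * Roles are kept in memory here (assumption); a production provider persists them,
 * using the collection name as the persistence key.
 */
public class SampleRoleConsumerFactory implements RoleConsumerFactory {

   // version + timestamp of the last collection consumed, keyed by collection name
   private final Map<String, String> consumedStamp = new ConcurrentHashMap<String, String>();
   // roles delivered through the SSPI: collection name -> resource id -> role -> members
   private final Map<String, Map<String, Map<String, List<String>>>> sspiRoles =
      new ConcurrentHashMap<String, Map<String, Map<String, List<String>>>>();
   // roles customized outside the SSPI (hypothetical store): resource id -> role -> members
   private final Map<String, Map<String, List<String>>> customizedRoles =
      new ConcurrentHashMap<String, Map<String, List<String>>>();

   public RoleConsumer getRoleConsumer() {
      return new SampleRoleConsumer();
   }

   // RoleConsumer: decide whether the collection is new, updated, or already consumed
   private class SampleRoleConsumer implements RoleConsumer {
      public RoleCollectionHandler getRoleCollectionHandler(RoleCollectionInfo info)
         throws ConsumptionException {
         if (info == null || info.getName() == null) {
            throw new ConsumptionException("role collection has no name");
         }
         // a different version or timestamp means an updated collection (Section 9.5.2.5)
         String stamp = info.getVersion() + "|" + info.getTimestamp();
         if (stamp.equals(consumedStamp.get(info.getName()))) {
            return null; // unchanged: NULL tells the framework this provider does not need it
         }
         return new SampleRoleCollectionHandler(info.getName(), stamp);
      }
   }

   // RoleCollectionHandler: stage each setRole call, then swap the collection in on done()
   private class SampleRoleCollectionHandler implements RoleCollectionHandler {
      private final String collectionName;
      private final String stamp;
      private final Map<String, Map<String, List<String>>> staged =
         new HashMap<String, Map<String, List<String>>>();

      SampleRoleCollectionHandler(String collectionName, String stamp) {
         this.collectionName = collectionName;
         this.stamp = stamp;
      }

      public void setRole(Resource resource, String roleName, String[] userAndGroupNames)
         throws ConsumptionException {
         if (resource == null || roleName == null || roleName.isEmpty()) {
            throw new ConsumptionException("setRole needs a resource and a role name");
         }
         String resourceId = resource.toString(); // assumption: toString() is a stable resource id
         // conflict resolution: a role customized outside the SSPI is never replaced
         Map<String, List<String>> custom = customizedRoles.get(resourceId);
         if (custom != null && custom.containsKey(roleName)) {
            return;
         }
         List<String> members = (userAndGroupNames == null)
            ? Collections.<String>emptyList()
            : Collections.unmodifiableList(new ArrayList<String>(Arrays.asList(userAndGroupNames)));
         Map<String, List<String>> forResource = staged.get(resourceId);
         if (forResource == null) {
            forResource = new HashMap<String, List<String>>();
            staged.put(resourceId, forResource);
         }
         forResource.put(roleName, members);
      }

      public void done() throws ConsumptionException {
         // replace the previous collection wholesale: roles from the initial collection are
         // dropped and only the updated collection (plus customized roles) stays in effect
         sspiRoles.put(collectionName, staged);
         consumedStamp.put(collectionName, stamp);
      }
   }
}
```

Staging the roles and committing them only in done() means a collection whose delivery fails partway through (a ConsumptionException from setRole) leaves the previously consumed collection untouched, and the recorded stamp is only advanced once the whole collection has been accepted, so the framework's next delivery of the same version is consumed again rather than silently skipped.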

9.5.2.6 The RoleConsumerMBean

Role Mapping providers that implement the Role Consumer SSPI must also implement the weblogic.management.security.authorization.RoleConsumerMBean to indicate that the provider supports policy consumption.

9.5.3 PolicyStoreMBean