Security Fundamentals 3-17
Currently, three types of WebLogic resource containers pass ContextHandlers to the WebLogic Security Framework: the Servlet, EJB, and Web service containers. Thus, URL (Web), EJB, and Web service resource types have different context elements whose values Adjudication, Identity Assertion, Authorization, Credential Mapping, and Role Mapping providers (and the LoginModules used by an Authentication provider) can inspect. An implementation of the AuditContext interface, used when a security provider is implemented to post audit events, may also examine the values of context elements.
For more information about the values of particular context elements, see "ContextHandlers and WebLogic Resources" in Developing Security Providers for Oracle WebLogic Server.
3.5.4 Access Decisions
Like LoginModules for Authentication providers, an Access Decision is the component of an Authorization provider that actually answers the "is access allowed?" question. Specifically, an Access Decision is asked whether a subject has permission to perform a given operation on a WebLogic resource, with specific parameters, in an application. Given this information, the Access Decision responds with a result of PERMIT, DENY, or ABSTAIN. ABSTAIN means that the Access Decision has no opinion about the request (for example, because the resource is outside the scope of that provider) and leaves the verdict to the other configured Authorization providers.
3.5.5 Adjudication
Adjudication involves resolving any authorization conflicts that may occur when more than one Authorization provider is configured in a security realm, by weighing the result of each Authorization provider's Access Decision. In WebLogic Server, an Adjudication provider is used to tally the results that multiple Access Decisions return and to determine the final PERMIT or DENY decision; the final verdict is always binary, since ABSTAIN is never a valid end result. An Adjudication provider may also specify what should be done when an answer of ABSTAIN is returned from a single Authorization provider's Access Decision.
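The flow described in 3.5.3 to 3.5.5, as an added example that is not part of the Oracle documentation and not WebLogic's own SPI (the real interfaces live in weblogic.security.spi and are written in Java). Two constructed Access Decisions vote on a resource together with its context elements, and an adjudicator tallies the votes. The resource kinds, the policy table and the context element key `http.method` are assumptions made for the illustration; the tally rule (any DENY wins, ABSTAIN is either ignored or treated as a failed vote depending on a "require unanimous permit" switch) models how the editor understands WebLogic's default Adjudication provider and should be read as an assumption, not as a statement of the product's behaviour.

```python
"""Model of the Access Decision / Adjudication flow (editor's example, not WebLogic code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Iterable, Mapping, Sequence, Tuple


class Result(Enum):
    """The three answers an Access Decision may give."""
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


@dataclass(frozen=True)
class Resource:
    kind: str                   # which container asked: "url", "ejb" or "webservice" (constructed)
    name: str                   # a servlet path or an EJB method (constructed)
    context: Mapping[str, str]  # context elements handed over by the container (keys are hypothetical)


# An Access Decision sees the subject's roles, the resource and its context elements.
AccessDecision = Callable[[FrozenSet[str], Resource], Result]

# Constructed policy for the role-based decision: resource name -> roles allowed.
ROLE_POLICY = {
    "/admin/console": {"Admin"},
    "/orders": {"Admin", "Clerk"},
    "OrderBean.cancel": {"Admin"},
}


def role_access_decision(roles: FrozenSet[str], resource: Resource) -> Result:
    """Answers for every resource; unknown resources are DENIED (fail closed),
    so this decision never abstains."""
    allowed = ROLE_POLICY.get(resource.name, set())
    return Result.PERMIT if roles & allowed else Result.DENY


def url_method_access_decision(roles: FrozenSet[str], resource: Resource) -> Result:
    """Only competent for URL resources: blocks state-changing HTTP methods below
    /orders unless the caller is Admin. EJB and Web service calls get ABSTAIN
    because this decision has no opinion about them."""
    if resource.kind != "url":
        return Result.ABSTAIN
    method = resource.context.get("http.method", "GET")  # hypothetical context element key
    if resource.name.startswith("/orders") and method not in ("GET", "HEAD") and "Admin" not in roles:
        return Result.DENY
    return Result.PERMIT


def adjudicate(results: Sequence[Result], require_unanimous_permit: bool) -> bool:
    """Tally the votes. Any DENY wins. With require_unanimous_permit every decision
    must say PERMIT (an ABSTAIN blocks access); otherwise ABSTAIN votes are ignored
    and one PERMIT suffices. No votes, or only ABSTAIN votes, means no access.
    (Assumed rule modelled on the 'Require Unanimous Permit' switch.)"""
    if not results or Result.DENY in results:
        return False
    if require_unanimous_permit:
        return all(r is Result.PERMIT for r in results)
    return any(r is Result.PERMIT for r in results)


def is_access_allowed(roles: Iterable[str], resource: Resource,
                      decisions: Sequence[AccessDecision],
                      require_unanimous_permit: bool = False) -> Tuple[bool, Tuple[Result, ...]]:
    """Ask every configured Access Decision, then adjudicate. Returns the verdict
    together with the individual votes so an audit hook can record why."""
    votes = tuple(decision(frozenset(roles), resource) for decision in decisions)
    return adjudicate(votes, require_unanimous_permit), votes


DECISIONS: Tuple[AccessDecision, ...] = (role_access_decision, url_method_access_decision)

if __name__ == "__main__":
    clerk_post = Resource("url", "/orders", {"http.method": "POST"})
    print("clerk POST /orders:", is_access_allowed({"Clerk"}, clerk_post, DECISIONS))
    ejb_cancel = Resource("ejb", "OrderBean.cancel", {"ejb.method": "cancel"})
    print("admin cancel (unanimous):",
          is_access_allowed({"Admin"}, ejb_cancel, DECISIONS, require_unanimous_permit=True))
```

The EJB case is the one worth noticing: the URL decision abstains, so the same pair of votes (PERMIT, ABSTAIN) is a grant under the lenient rule and a denial under the unanimous rule. When adding a narrowly scoped Authorization provider to a realm, check which rule the Adjudication provider applies, or its ABSTAIN votes will silently lock out every resource it does not understand.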
3.6 Identity and Trust
Private keys, digital certificates, and trusted certificate authority certificates establish and verify identity and trust in the WebLogic Server environment.
The public key is embedded into a digital certificate. A private key and digital certificate provide identity. The trusted certificate authority (CA) certificate establishes trust for a certificate. Certificates and certificate chains need to be validated before a trust relationship is established.
This topic details the concepts associated with identity and trust. For more information, see:
■ Section 3.6.1, "Private Keys"
■ Section 3.6.2, "Digital Certificates"
■ Section 3.6.3, "Certificate Authorities"
■ Section 3.6.4, "Certificate Lookup and Validation"
3.6.1 Private Keys
WebLogic Server uses public key encryption technology for authentication. With public key encryption, a public key and a private key are generated for a server. The keys are related such that data encrypted with the public key can only be decrypted using the corresponding private key, and vice versa. The private key is carefully protected so that only the owner can decrypt messages that were encrypted using the public key, and so that only the owner can produce digital signatures that verify under the public key. Anyone who obtains a server's private key can therefore impersonate that server, so the key must never leave its keystore unprotected.
3.6.2 Digital Certificates
Digital certificates are electronic documents used to verify the unique identities of principals and entities over networks such as the Internet. A digital certificate securely binds the identity of a user or entity, as verified by a trusted third party known as a certificate authority (CA), to a particular public key. The combination of the public key and the private key provides a unique identity to the owner of the digital certificate.
Digital certificates enable verification of the claim that a specific public key does in fact belong to a specific user or entity. A recipient of a digital certificate can use the public key in the certificate to verify that a digital signature was created with the corresponding private key. If that verification succeeds, and the certificate itself has been validated as issued by a CA the recipient trusts, this chain of reasoning provides assurance that the corresponding private key is held by the subject named in the digital certificate and that the digital signature was created by that subject. Without the second condition the signature only proves possession of some private key, not the identity of its holder: anyone can generate a key pair and a self-signed certificate naming an arbitrary subject.
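The two properties stated in 3.6.1 and the signature check of 3.6.2, as an added example that is not from the Oracle documentation and does not use WebLogic's keystores or JSSE. It is textbook RSA with no padding and a fixed demonstration key built from two small known primes (a constructed input, far too small for real use), so it shows the reasoning, nothing more: a signature verifies under the certificate's public key exactly when it was made with the matching private key, fails for a tampered message, and fails under anyone else's public key. The message text and the second key pair are also constructed.

```python
"""Toy RSA model of the private/public key relationship (editor's example, not WebLogic code)."""
import hashlib

# Fixed demonstration key from two known Mersenne primes (constructed; ~150-bit modulus).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: E * D == 1 (mod phi(N))


def digest(message: bytes) -> int:
    """Hash the message and reduce it into the RSA group. Reducing mod N is a toy
    shortcut; real signatures use a padding scheme such as PKCS#1 v1.5 or PSS."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Only the holder of the private exponent d can compute this value."""
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Anyone holding the public key (e, n) taken from the certificate can check it."""
    return pow(signature, e, n) == digest(message) % n


def encrypt_to_public(plaintext: int, e: int = E, n: int = N) -> int:
    """The other direction from 3.6.1: encrypt with the public key ..."""
    return pow(plaintext, e, n)


def decrypt_with_private(ciphertext: int, d: int = D, n: int = N) -> int:
    """... and only the private key recovers the plaintext."""
    return pow(ciphertext, d, n)


def check_claims() -> dict:
    """Exercise the properties the text asserts and return the outcomes."""
    msg = b"ServerHello from weblogic.example.test"  # constructed message
    sig = sign(msg)
    # A second, unrelated key pair: its public key must NOT verify the signature.
    other_n = (2**31 - 1) * (2**107 - 1)              # constructed second modulus
    secret = 123456789                                # constructed plaintext, < N
    return {
        "genuine_signature_verifies": verify(msg, sig),
        "tampered_message_fails": verify(msg + b"!", sig),
        "other_public_key_fails": verify(msg, sig, E, other_n),
        "encrypt_decrypt_round_trip": decrypt_with_private(encrypt_to_public(secret)) == secret,
    }


if __name__ == "__main__":
    for claim, holds in check_claims().items():
        print(f"{claim}: {holds}")
```

Note what the example cannot show: nothing in `verify` tells you who owns `(E, N)`. That binding comes only from the certificate, and trusting the certificate is what 3.6.3 and 3.6.4 are about.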
A digital certificate typically includes a variety of information, such as the following:
■ The name of the subject (holder, owner) and other information required to confirm the unique identity of the subject, such as the URL of the Web server using the digital certificate, or an individual's e-mail address
■ The subject's public key
■ The name of the certificate authority that issued the digital certificate
■ A serial number
■ The validity period (or lifetime) of the digital certificate, defined by a start date and an end date
The most widely accepted format for digital certificates is defined by the ITU-T X.509 international standard. Digital certificates can be read or written by any application complying with the X.509 standard. The public key infrastructure (PKI) in WebLogic Server recognizes digital certificates that comply with X.509 version 3, or X.509v3.
Oracle recommends obtaining digital certificates from a certificate authority such as Verisign or Entrust.
For more information, see "Configuring SSL" in Securing Oracle WebLogic Server.
3.6.3 Certificate Authorities