Understand Two Important Restrictions

Figure 3–1 shows the relationship between a single runtime class (MyFooProviderImpl) and an MBean type (MyFooMBean) you create when developing a custom security provider. The process begins when a WebLogic Server instance starts, and the WebLogic Security Framework:

1. Locates the MBean type associated with the security provider in the security realm.
2. Obtains the name of the security provider's runtime class (the one that implements the Provider SSPI, if there are two runtime classes) from the MBean type.
3. Passes in the appropriate MBean instance, which the security provider uses to initialize (read configuration data).

Therefore, both the runtime class (or classes) and the MBean type form what is called the "security provider."

3.2 Security Services Provider Interfaces (SSPIs)

As described in Section 2.2, Overview of the Development Process, you develop a custom security provider by first implementing a number of security services provider interfaces (SSPIs) to create runtime classes. This section helps you:

■ Section 3.2.1, Understand Two Important Restrictions
■ Section 3.2.2, Understand the Purpose of the Provider SSPIs
■ Section 3.2.3, Understand the Purpose of the Bulk Access Providers
■ Section 3.2.4, Determine Which Provider Interface You Will Implement
■ Section 3.2.5, Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes

Additionally, this section provides Section 3.2.6, SSPI Quick Reference, which indicates which SSPIs can be implemented for each type of security provider.

3.2.1 Understand Two Important Restrictions

Security providers must adhere to the following restrictions:

■ A custom security provider's runtime class implementation must not contain any code that requires a security check to be performed by the WebLogic Security Framework. Doing so causes infinite recursion, because the security providers are the components of the WebLogic Security Framework that actually perform the security checks and grant access to WebLogic resources.
■ No local (where local refers to the same server, cluster, or domain) Java Platform, Enterprise Edition (Java EE) Version 5 services are available for use within a security provider's implementation. Any attempt to use them is unsupported. For example, this prohibits calling an EJB in the current domain from your security provider. Java EE services in other domains are accessible and can be used within a security provider.

Note: The SSPIs and the runtime classes (that is, implementations) you will create using the SSPIs are shown on the left side of Figure 3–1 and are .java files. Like the other files on the right side of Figure 3–1, MyFooMBean begins as a .xml file, in which you will extend (and optionally implement) SSPI MBeans. When this MBean Definition File (MDF) is run through the WebLogic MBeanMaker utility, the utility generates the .java files for the MBean type, as described in Section 2.2.3, Generating an MBean Type to Configure and Manage the Custom Security Provider.
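The recursion described in the first restriction, shown as an added illustration that is not Oracle's code: a toy model in which every name (Framework, AccessProvider, BrokenProvider, SafeProvider) is hypothetical and no WebLogic API is used. A depth guard stands in for the stack overflow that unbounded recursion would otherwise produce.

```java
import java.util.Set;

// Toy model constructed for illustration; none of these types are WebLogic classes.
public class RecursionDemo {
    static final int MAX_DEPTH = 50; // guard standing in for a real StackOverflowError
    /** Stand-in for a provider runtime class that makes access decisions. */
    interface AccessProvider { boolean isAllowed(String user, String resource); }

    /** Stand-in for the framework: every read of a protected resource asks the provider. */
    static class Framework {
        AccessProvider provider;
        private int depth;
        String readProtected(String user, String resource) {
            depth++;
            try {
                if (depth > MAX_DEPTH)
                    throw new IllegalStateException("security check nested deeper than " + MAX_DEPTH);
                if (!provider.isAllowed(user, resource))
                    throw new SecurityException("denied: " + resource);
                return "contents of " + resource;
            } finally { depth--; }
        }
    }

    /** Violates the restriction: the decision itself needs a framework-checked read. */
    static class BrokenProvider implements AccessProvider {
        private final Framework fw;
        BrokenProvider(Framework fw) { this.fw = fw; }
        public boolean isAllowed(String user, String resource) {
            return fw.readProtected(user, "policy-store").contains(user); // re-enters the check
        }
    }

    /** Follows the restriction: decides only from configuration handed over at initialization. */
    static class SafeProvider implements AccessProvider {
        private final Set<String> allowedUsers;
        SafeProvider(Set<String> allowedUsers) { this.allowedUsers = allowedUsers; }
        public boolean isAllowed(String user, String resource) { return allowedUsers.contains(user); }
    }

    public static void main(String[] args) {
        Framework fw = new Framework();
        fw.provider = new BrokenProvider(fw);
        try { fw.readProtected("alice", "orders"); }
        catch (IllegalStateException e) { System.out.println("broken provider: " + e.getMessage()); }
        fw.provider = new SafeProvider(Set.of("alice"));
        System.out.println("safe provider: " + fw.readProtected("alice", "orders"));
    }
}
```

SafeProvider mirrors the startup sequence in Figure 3–1: its configuration is passed in once at initialization, so an access decision never has to pass back through the framework.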

3.2.2 Understand the Purpose of the Provider SSPIs