oracle® fusion middleware weblogic server 12c · pdf fileoracle® fusion middleware...

Click here to load reader

Post on 11-Sep-2019

28 views

Category:

Documents

3 download

Embed Size (px)

TRANSCRIPT

  • Oracle® Fusion Middleware Developing Security Providers for Oracle WebLogic Server 12c

    12c (12.2.1.3.0) E80446-01 August 2017

  • Oracle Fusion Middleware Developing Security Providers for Oracle WebLogic Server 12c, 12c (12.2.1.3.0)

    E80446-01

    Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

    This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

    The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

    If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, then the following notice is applicable:

    U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency- specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

    This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

    Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

    Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

    This software or hardware and documentation may provide access to or information about content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services unless otherwise set forth in an applicable agreement between you and Oracle. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services, except as set forth in an applicable agreement between you and Oracle.

  • Contents

    Preface Documentation Accessibility xiii

    Conventions xiii

    1 Introduction and Roadmap 1.1 Document Scope 1-1

    1.2 Documentation Audience 1-1

    1.3 Guide to this Document 1-1

    1.4 Related Information 1-3

    1.5 New and Changed Features in this Release 1-3

    2 Introduction to Developing Security Providers for WebLogic Server 2.1 Prerequisites for This Guide 2-1

    2.2 Overview of the Development Process 2-1

    2.2.1 Designing the Custom Security Provider 2-1

    2.2.2 Creating Runtime Classes for the Custom Security Provider by Implementing SSPIs 2-2

    2.2.3 Generating an MBean Type to Configure and Manage the Custom Security Provider 2-3

    2.2.4 Writing Console Extensions 2-3

    2.2.5 Configuring the Custom Security Provider 2-4

    2.2.6 Providing Management Mechanisms for Security Policies, Security Roles, and Credential Maps 2-5

    3 Design Considerations 3.1 General Architecture of a Security Provider 3-1

    3.2 Security Services Provider Interfaces (SSPIs) 3-2

    3.2.1 Understand Two Important Restrictions 3-2

    3.2.2 Understand the Purpose of the Provider SSPIs 3-3

    3.2.3 Understand the Purpose of the Bulk Access Providers 3-4

    3.2.4 Determine Which Provider Interface You Will Implement 3-4

    iii

  • 3.2.4.1 The DeployableAuthorizationProviderV2 SSPI 3-5

    3.2.4.2 The DeployableRoleProviderV2 SSPI 3-5

    3.2.4.3 The DeployableCredentialProvider SSPI 3-5

    3.2.5 Understand the SSPI Hierarchy and Determine Whether You Will Create One or Two Runtime Classes 3-6

    3.2.6 SSPI Quick Reference 3-8

    3.3 Security Service Provider Interface (SSPI) MBeans 3-9

    3.3.1 Understand Why You Need an MBean Type 3-10

    3.3.2 Determine Which SSPI MBeans to Extend and Implement 3-10

    3.3.3 Understand the Basic Elements of an MBean Definition File (MDF) 3-11

    3.3.3.1 Custom Providers and Classpaths 3-12

    3.3.3.2 Throwing Exceptions from MBean Operations 3-13

    3.3.3.3 Specifying Non-Clear Text Values for MBean Attributes 3-13

    3.3.4 Understand the SSPI MBean Hierarchy and How It Affects the Administration Console 3-13

    3.3.5 Understand What the WebLogic MBeanMaker Provides 3-15

    3.3.5.1 About the MBean Information File 3-16

    3.3.6 SSPI MBean Quick Reference 3-17

    3.4 Security Data Migration 3-19

    3.4.1 Migration Concepts 3-20

    3.4.1.1 Formats 3-20

    3.4.1.2 Constraints 3-20

    3.4.1.3 Migration Files 3-20

    3.4.2 Adding Migration Support to Your Custom Security Providers 3-21

    3.4.3 Administration Console Support for Security Data Migration 3-22

    3.5 Management Utilities Available to Developers of Security Providers 3-24

    3.6 Security Providers and WebLogic Resources 3-25

    3.6.1 The Architecture of WebLogic Resources 3-26

    3.6.2 Types of WebLogic Resources 3-27

    3.6.3 WebLogic Resource Identifiers 3-27

    3.6.3.1 The toString() Method 3-27

    3.6.3.2 Resource IDs and the getID() Method 3-28

    3.6.4 Creating Default Groups for WebLogic Resources 3-29

    3.6.5 Creating Default Security Roles for WebLogic Resources 3-29

    3.6.6 Creating Default Security Policies for WebLogic Resources 3-30

    3.6.7 Looking Up WebLogic Resources in a Security Provider's Runtime Class 3-31

    3.6.8 Single-Parent Resource Hierarchies 3-32

    3.6.8.1 Pattern Matching for URL Resources 3-33

    3.6.9 ContextHandlers and WebLogic Resources 3-34

    3.6.9.1 Providers and Interfaces that Support Context Handlers 3-37

    3.7 Initialization of the Security Provider Database 3-39

    iv

  • 3.7.1 Best Practice: Create a Simple Database If None Exists 3-40

    3.7.2 Best Practice: Configure an Existing Database 3-40

    3.7.3 Best Practice: Delegate Database Initialization 3-42

    3.7.4 Best Practice: Use the JDBC Connection Security Service API to Obtain Database Connections 3-42

    3.7.4.1 Implementing a JDBC Connection Security Service: Main Steps 3-43

    3.8 Differences In Attribute Validators 3-44

    3.8.1 Differences In Attribute Validators for Custom Validators 3-44

    4 Authentication Providers 4.1 Authentication Concepts 4-1

    4.1.1 Users and Groups, Principals and Subjects 4-1

    4.1.1.1 Providing Initial Users and Groups 4-3

    4.1.2 LoginModules 4-3

    4.1.2.1 The LoginModule Interface 4-4

    4.1.2.2 LoginModules and Multipart Authentication 4-4

    4.1.3 Java Authentication and Authorization Service (JAAS) 4-5

    4.1.3.1 How JAAS Works With the WebLogic Security Framework 4-6

    4.1.3.2 Example: Standalone T3 Application 4-7

    4.2 The Authentication Process 4-9

    4.3 Do You Need to Develop a Custom Authentication Provider? 4-10

    4.4 How to Develop a Custom Authentication Provider 4-11

    4.4.1 Create Runtime Classes Using the Appropriate SSPIs 4-11

    4.4.1.1 Implement the AuthenticationProviderV2 SSPI 4-11

    4.4.1.2 Implement the JAAS LoginModule Interface 4-13

    4.4.1.3 Throwing Custom Exceptions from LoginModules 4-14

    4.4.1.4 Example: Creating the Runtime Classes for the Sample Authentication Provider 4-15

    4.4.2 Configure the Custom Authentication Provider Using the Administration Console 4-20

    4.4.2.1 Managing User Lockouts 4-21

    4.4.2.2 Specifying the Order of Authentication Providers 4-22

    5 Identity Assertion Providers 5.1 Identity Assertion Concepts 5-1

    5.1.1 Identity Assertion Providers and LoginModules 5-1

    5.1.2 Identity Assertion and Tokens 5-2

    5.1.2.1 How to Create New Token Types 5-2

    5.1.2.2 How to Make New Token Types Available for Identity Assertion Provider Configurations 5-3

    v

  • 5.1.3 Passing Tokens for Perimeter Authentication 5-4

    5.1.4 Common Secure Interoperability Version 2 (CSIv2) 5-5

    5.2 The Identity Assertion Process 5-5

    5.3 Do You Need to Develop a Custom I