It's all about Weblogic..!!

July 5, 2010

Introduction to Security – let's get the basics right :)

Filed under: * Security — streethawkz @ 2:35 pm

WebLogic Security Service supports the following types of security providers :

  • Authentication :

It validates a username and password against a user store (WebLogic's embedded LDAP, an external LDAP server or a database) and authenticates the user.

Its input is mainly a plain username and password, i.e. the credentials themselves are presented in clear text to the provider.

  • Identity Assertion :

Here the input is anything other than a username and password that is presented to authenticate a user, for example a certificate or a SAML assertion. (Think of face or fingerprint recognition, where authentication is done by pattern matching; this analogy is only there to understand the concept of IA.)

So basically Authentication and Identity Assertion do the same job, i.e. authenticating a user.

The only difference is in the input format they accept: the Identity Asserter validates the token and maps it to a username, and the Authentication provider then completes the login for that user without being given a password.

  • Credential Mapping :

Credential mapping lets you map an authenticated WebLogic Server user to the credentials a remote system expects.

In that sense it does the opposite job of an Identity Asserter: instead of turning an incoming token into a WebLogic user, it takes the authenticated user information and converts it into the format the remote system understands.

Eg : a username/password pair for a legacy system, or an X.509 certificate.

  • Certificate Lookup and Validation (CLV) :

It mainly builds and checks certificate chains.

It also validates the individual incoming certificates (e.g. client certificates) in such a chain.

  • Auditor :

Logs all the events generated by other providers.

…………………………………………….

What is a principal ?

A principal is an authenticated identity. In WebLogic both the user and each group the user belongs to are represented as principals.

What is a subject ?

A subject is a collection of principals.

Eg :

If a user is in 2 groups then the subject holds 1 (user) + 2 (groups) = 3 principals.

So the subject for the above example contains 3 principals.

We can conclude that a subject contains n + 1 principals, where n is the number of groups the user belongs to.

As soon as a user gets authenticated we get a subject.

…………………………………………..

Authorization and Role Mapping :

– Authorization takes the subject as input.

– Before authorization happens Role Mapping has to be done so that the roles the user belongs to are known.

– The signed subject, along with information as to what resource / page is being requested by the user, is sent to the Role Mapper.

– The Role Mapper now computes the user's roles and passes the following information to the Authorizer :

1. The roles of the user

2. The resource / page he is requesting

3. And the signed subject.

– Now the Authorizer uses this information to locate the policy for the resource and answers the "is access allowed?" question.

WebLogic ships with two Authorization providers :

– DefaultAuthorizer (the WebLogic Authorization provider)

– XACML Authorization provider ( this is the default in security realms created with WLS 9.1 and above; DefaultAuthorizer is what you find in realms upgraded from older releases )

Adjudication :

The WebLogic Adjudication provider has an attribute called Require Unanimous Permit that governs its behavior. By default, the Require Unanimous Permit attribute is set to TRUE, which causes the WebLogic Adjudication provider to act as follows:

  • If all the Authorization providers’ Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If some Authorization providers’ Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
  • If any of the Authorization providers’ Access Decisions return ABSTAIN or DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).

If you change the Require Unanimous Permit attribute to FALSE, the WebLogic Adjudication provider acts as follows:

  • If all the Authorization providers’ Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If some Authorization providers’ Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If any of the Authorization providers’ Access Decisions return DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
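To make the whole chain concrete (subject built from user + group principals, Role Mapper, several Authorizers returning PERMIT / DENY / ABSTAIN, and the Adjudicator combining them under both settings of Require Unanimous Permit), here is a small Python model. It is an added example, not WebLogic code: the role policy, the resource names (/console, /monitor) and the two authorizers are constructed for illustration, and the case where every provider ABSTAINs, which the table above does not cover, is treated as deny (fail closed) as an assumption of this model.

```python
# Added example (not WebLogic code): a model of the subject -> Role Mapper ->
# Authorizer(s) -> Adjudicator pipeline described in the post.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


@dataclass(frozen=True)
class Principal:
    kind: str  # "user" or "group" (WebLogic: WLSUserImpl / WLSGroupImpl)
    name: str


@dataclass(frozen=True)
class Subject:
    principals: frozenset


def build_subject(user, groups):
    """Authentication result: one user principal plus one principal per group (n + 1)."""
    return Subject(frozenset({Principal("user", user)} | {Principal("group", g) for g in groups}))


# Constructed role policy: a role is granted when the subject holds any listed principal;
# None means every subject gets the role (like WebLogic's Anonymous role).
ROLE_POLICY = {
    "Admin": {Principal("group", "Administrators")},
    "Monitor": {Principal("group", "Monitors"), Principal("group", "Administrators")},
    "Anonymous": None,
}


def map_roles(subject, role_policy=ROLE_POLICY):
    """Role Mapper: turn the subject's principals into the set of roles it holds."""
    return {role for role, members in role_policy.items()
            if members is None or subject.principals & members}


def make_authorizer(resource_policy):
    """Authorizer factory: PERMIT if the roles include a permitted one, DENY otherwise,
    and ABSTAIN when this provider has no policy covering the requested resource."""
    def authorize(roles, resource):
        if resource not in resource_policy:
            return Decision.ABSTAIN
        return Decision.PERMIT if roles & resource_policy[resource] else Decision.DENY
    return authorize


def adjudicate(decisions, require_unanimous_permit=True):
    """Adjudicator: combine the Access Decisions into the final verdict.

    Require Unanimous Permit = TRUE: every provider must return PERMIT.
    Require Unanimous Permit = FALSE: ABSTAINs are ignored, one PERMIT suffices,
    but any DENY still wins. All-ABSTAIN is treated as deny (assumption: fail closed).
    """
    decisions = list(decisions)
    if Decision.DENY in decisions:
        return False
    if require_unanimous_permit:
        return bool(decisions) and all(d is Decision.PERMIT for d in decisions)
    return Decision.PERMIT in decisions


# Two constructed authorizers: the second knows nothing about /monitor and ABSTAINs there.
AUTHORIZERS = [
    make_authorizer({"/console": {"Admin"}, "/monitor": {"Admin", "Monitor"}}),
    make_authorizer({"/console": {"Admin"}}),
]


def is_access_allowed(user, groups, resource, require_unanimous_permit=True,
                      authorizers=AUTHORIZERS):
    """Full pipeline for one request: subject -> roles -> per-provider decisions -> verdict."""
    subject = build_subject(user, groups)
    roles = map_roles(subject)
    decisions = [authz(roles, resource) for authz in authorizers]
    return adjudicate(decisions, require_unanimous_permit)


if __name__ == "__main__":
    for unanimous in (True, False):
        print("Require Unanimous Permit =", unanimous)
        for user, groups, res in [("alice", ["Administrators"], "/console"),
                                  ("bob", ["Monitors"], "/monitor"),
                                  ("bob", ["Monitors"], "/console")]:
            print(f"  {user} -> {res}: {is_access_allowed(user, groups, res, unanimous)}")
```

The interesting case is bob requesting /monitor: the first authorizer says PERMIT, the second ABSTAINs, so the request is denied with Require Unanimous Permit = TRUE and permitted with it set to FALSE. That is exactly the behaviour to think about before adding a second Authorization provider to a realm.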

……………………………………….

Custom Providers :
