Prior to Java EE 6 and the introduction of the SecurityContext interface in Java EE Connector Architecture (JCA) 1.6 specification (see the SecurityContext interface in JCA 1.6 specifications at http://jcp.org/en/jsr/detail?id=322), there were no standard ways to map the current SecurityContext security object to the ConnectionSpec interface of a resource adapter.
This could mean the following two things:
- No end-to-end Single Sign-On from the user to the EIS
- Code into application components that implement mapping of credentials
WebLogic Security Framework supports the mapping of credentials from the current authenticated user to a format that can be understood by the resource adapter/EIS.
The implementation is really straightforward. Before calling the execute()method on the interaction in the ConnectionSpec interface, the Mapper is asked to convert the current Credentials stored into the Subject into one or more Credentials valid for the remote system.
Currently, if BasicPassword is the current authentication mechanism type and PasswordCredential is the interface that has to be used for the communication, it's sufficient for the developer of the custom Credentials Mapping provider to write a function that maps the local security space to that of the called EIS.
Conceptually, this is not much different from what is done with Identity Assertion and Perimeter Authentication; but this time the trust is between WebLogic and an external system, with the former responsible for security. Of course, there may also be Mappings that are able to make full authentication, but in both cases the weak link is the Java Application Server that has the chance to authenticate users to a remote system.