Weblogic web application container security part 1

by Edwin Biemond on January 29, 2010 · 9 comments

With the Weblogic server we have two ways to implement security on a J2EE web application. The first is the normal container security and the second is ADF Security. In part 1 I will explain the container security and in part 2 the ADF Security.
To test this, I first added a test user called edwin and a test group called users to the DefaultAuthenticator Authentication Provider. The user edwin is a member of the group users.
The first step is to add a security constraint on a URL pattern and require the role User_role to access it:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>sec</web-resource-name>
            <url-pattern>/</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>User_role</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>User_role</role-name>
    </security-role>

Because the role User_role does not exist in Weblogic, we need to add a mapping between the User_role role (defined in the web.xml) and the Weblogic group users. For this we add a weblogic.xml deployment descriptor (located in WEB-INF):

<?xml version = '1.0' encoding = 'windows-1252'?>
<weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-web-app.xsd"
                  xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>User_role</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>
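As an added check that is not part of the original post, here is a small Python script that cross-checks a web.xml against a weblogic.xml the way the two descriptors above fit together: every role-name used in an auth-constraint should be declared in a security-role and backed by a security-role-assignment. The sample descriptors are constructed for this example and add an Admin_role constraint that nobody mapped, so the script covers the general case of several constraints rather than only the single one in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not the post's full files): the post's
# User_role constraint plus an Admin_role constraint that nobody mapped.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/</url-pattern></web-resource-collection>
    <auth-constraint><role-name>User_role</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>Admin_role</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>User_role</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>User_role</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def find_all(root, name):
    # Match on the local tag name so the weblogic.xml default namespace
    # ('{uri}security-role-assignment' in ElementTree) does not hide elements.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return [c.text.strip() for c in find_all(elem, name) if c.text]

def audit(web_xml, weblogic_xml):
    """Cross-check web.xml roles against weblogic.xml role assignments."""
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    used = {r for ac in find_all(web, "auth-constraint") for r in texts(ac, "role-name")}
    declared = {r for sr in find_all(web, "security-role") for r in texts(sr, "role-name")}
    mapping = {}
    for sra in find_all(wls, "security-role-assignment"):
        mapping[texts(sra, "role-name")[0]] = texts(sra, "principal-name")
    return {
        "mapping": mapping,                          # role -> WebLogic principals
        "undeclared": sorted(used - declared),       # in auth-constraint, no <security-role>
        "unmapped": sorted(used - set(mapping)),     # no weblogic.xml principal behind it
    }

if __name__ == "__main__":
    for finding, value in audit(WEB_XML, WEBLOGIC_XML).items():
        print(finding, value)
```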

We solved the authentication part; the next step is authorization. For this we add a managed bean where we retrieve and evaluate the roles of the authenticated user. The hard part is that the principal does not give back the user's roles. Of course we can check whether the user has a role (with isUserInRole), but then you need to know the role name (in most cases this is enough). To get all the user's roles, we need to retrieve the Weblogic Subject, get all its principals and look at the class of each principal (it can be an instance of WLSGroupImpl or WLSUserImpl). Be aware that this gives you the Weblogic group names and not the mapped role names from web.xml or weblogic.xml, so a check against a group name has to be kept in sync with the weblogic.xml mapping.
Here is the managed bean (request scope):

package nl.whitehorses.sec.bean;

import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.faces.context.FacesContext;
import javax.security.auth.Subject;

import weblogic.security.Security;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;

// Request-scoped managed bean: reads the authenticated Weblogic Subject once
// per request and exposes the user name and group names to the page.
public class SecurityBean {

    // Weblogic group names (not the web.xml role names) of the current user.
    private final List<String> roles = new ArrayList<String>();
    private String user = null;

    public SecurityBean() {
        // Subject of the user authenticated on the current thread.
        Subject subject = Security.getCurrentSubject();
        Set<Principal> allPrincipals = subject.getPrincipals();
        for (Principal principal : allPrincipals) {
            // Groups and the user itself are both principals; tell them apart by class.
            if (principal instanceof WLSGroupImpl) {
                System.out.println("found role: " + principal.getName());
                roles.add(principal.getName());
            } else if (principal instanceof WLSUserImpl) {
                System.out.println("found user: " + principal.getName());
                user = principal.getName();
            }
        }
    }

    // Comma-separated list of the Weblogic groups, e.g. "users".
    public String getCurrentUserRoles() {
        StringBuilder curRoles = new StringBuilder();
        for (String role : roles) {
            if (curRoles.length() > 0) {
                curRoles.append(", ");
            }
            curRoles.append(role);
        }
        return curRoles.toString();
    }

    // Checks the raw Weblogic group name; this bypasses the weblogic.xml mapping.
    public boolean isWlsUserRole() {
        for (String role : roles) {
            if ("users".equalsIgnoreCase(role)) {
                return true;
            }
        }
        return false;
    }

    // Checks the web.xml role name through the container, which applies the
    // security-role-assignment from weblogic.xml.
    public boolean isContainerUserRole() {
        return FacesContext.getCurrentInstance().getExternalContext().isUserInRole("User_role");
    }

    public String getCurrentUser() {
        return user;
    }
}

And last the JSF page where I use this managed bean:

<?xml version='1.0' encoding='windows-1252'?>
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="2.1"
          xmlns:f="http://java.sun.com/jsf/core"
          xmlns:af="http://xmlns.oracle.com/adf/faces/rich">
  <jsp:directive.page contentType="text/html;charset=windows-1252"/>
  <f:view>
    <af:document id="d1">
      <af:form id="f1">
        <af:panelHeader text="Start" id="ph1">
          <af:panelFormLayout id="pfl1">
            <af:inputText label="User" id="it1"
                          value="#{SecurityBean.currentUser}"/>
            <af:inputText label="Roles" id="it2"
                          value="#{SecurityBean.currentUserRoles}"/>
            <af:inputText label="WLS Role" id="it3"
                          value="got the users role from weblogic"
                          rendered="#{SecurityBean.wlsUserRole}" columns="80"/>
            <af:inputText label="JAAS Role" id="it4"
                          value="got the User_role mapped by weblogic.xml"
                          rendered="#{SecurityBean.containerUserRole}"
                          columns="80"/>
          </af:panelFormLayout>
        </af:panelHeader>
      </af:form>
    </af:document>
  </f:view>
</jsp:root>

With this as the result.

In part 2 I will explain ADF Security, and then you can see how easy security is in ADF and that ADF has a lot more security options than the standard container security.

Amr Gawish January 29, 2010 at 11:07 pm

A great introduction and start, but I think I’ll wait till you finish, and ask you some questions :)

waiting for Part2

Olufowobi Lawal September 25, 2010 at 10:52 pm

Simple and clean.

eric givler December 3, 2010 at 11:31 pm

I don’t know why I’m struggling with JDev 11g and the embedded weblogic container so much, but alas, I still can’t get it to allow me to login and view a protected resource. I was starting with the workspace (JaznMigration) from here (http://andrejusb.blogspot.com/2010/05/migrating-security-policies-from.html)

I then found your article and tried tweaking a few things. So far, all I’ve done is to change the url-pattern to “/”, and then modified the jazn-data.xml to provide a new password to the scott user so I’d know what it is. NO LUCK.

What do you mean by: “To test this, I first added a testuser called edwin and a test group called users to the DefaultAuthenticator Authentication Provider.”?

I just need a way to run my application via Jdev 11g and authenticate “as before”, whatever that means. I’d appreciate any help you can provide.

Edwin Biemond December 4, 2010 at 12:43 am

Hi,

For embedded you don't need any migration, it works out of the box.
Are you doing container security or doing ADF? For ADF follow part 2 and log in with weblogic first. This user is the default user in the default authenticator in the myrealm security realm in the wls console.

When you add an extra authenticator, make sure the control flag of every authentication provider is set to sufficient.

thanks

eric givler December 6, 2010 at 11:48 pm

This was user error. My jazn-data.xml file was NOT in the correct location. Once I put it in workspace\src\META-INF\jazn-data.xml instead of workspace\viewcontroller\src\META-NF\jazn-data.xml, the users and roles were created without an issue. Sorry for the posts.

carlos February 18, 2011 at 6:32 pm

Can't compile your sample because you didn't reference the correct classpath. Where can I find the weblogic security classes?

Luis September 13, 2011 at 5:03 pm

Simply great!

Thanks,

Luis
