Monday, May 23, 2016

Full Weblogic Custom Authenticator (11g, 12c)

I could not find a full example of a custom WebLogic asserter built with Maven. I found some examples using Ant, but I don't like that... it never works for me for some reason, so I simply created a Maven project using the sources of [1], taking some ideas from this GitHub snippet with the "WebLogic MBean Maker" pom.xml [2], and, most important, the explanation of how to create a custom authenticator in the book "Securing WebLogic Server 12c", chapter 4 (really recommended if you want to understand what you are doing).

There are lots of blogs with the same sources (SimpleSampleIdentityAsserterProviderImpl), so you are going to find the same example over and over again on the internet, based on a really old sample used with the BEA server. At some point in time the authenticator sources came with a sample web application to test it, but you cannot find that application anymore.

I don't want to extend this too much, so I'll try to point out only the most important things and give you the basic instructions to make it work.
  • First, understand the difference between an authenticator and an asserter. The asserter is a way to "translate" a key or token to a set of credentials that can be used to authenticate (let's say a cookie, an HTTP header or a certificate). The authenticator has the responsibility of checking whether, with those credentials, the user can continue to the protected resource. (A better explanation can be found in the A-team blog about asserters [5].)
          Why is this important? Because on many internet sources you are only going to get the asserter and not the full authenticator (the asserter plus the LoginModule). If you only get the asserter you are halfway there. Check [6] to get the LoginModule, or [7] to extend your existing MBean asserter into an authenticator provider.

  • The second thing was to test it. Funnily enough, it was harder to find the right configuration for the web application than the sources of the authenticator.
          With the authenticator we create a custom token: the key that the user must send so the asserter gets activated. A token can be a cookie, an HTTP header or a certificate [8], so to test your application you must send the token the correct way (I use the cookie and the HTTP header and both work fine).

        You also need to configure your web application with the protected resources, the roles and the principal mapping.

        In your web.xml add something like this (add the "login-config", the "security-role" and a "security-constraint"; the element names below are reconstructed around the values that survived, and the url-pattern gets the leading "/" the servlet spec requires):

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>LoggedUsers</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected resources</web-resource-name>
      <url-pattern>/protected/*</url-pattern>
      <!-- Listing http-method elements constrains only those methods (HEAD, PUT, ...
           stay open); leave them out to protect every method. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>LoggedUsers</role-name>
    </auth-constraint>
  </security-constraint>

       In your weblogic.xml add the mapping between the role and the principals (here the role is mapped to the built-in "users" group):

  <security-role-assignment>
    <role-name>LoggedUsers</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>

**** For a beautiful example with the sources of the web application, see [9].

CONFIGURE


The project is on GitHub: https://github.com/carlgira/soa-utils/tree/master/http-token-authenticator
  • In the pom.xml configure "mdw.home" with your Middleware path (in the 11g or 12c profile).
  • Depending on your version you'll probably have to change some jar paths.
  • Execute maven install (11.1.1.7 or 12.1.3):
    • mvn -Dsoa-version=12.1.3 clean install
    • mvn -Dsoa-version=11.1.1.7 clean install
  • Copy the jar to the path Middleware\wlserver_10.3\server\lib\mbeantypes
  • Reboot your server.
  • Go to Security Realms -> myrealm -> Providers and create a SimpleSampleIdentityAsserter.
  • Make sure to set the control flag of all the authenticators to "SUFFICIENT".
  • Reorder your authenticators and put the new one last.
  • Reboot your server.

TEST A PROTECTED APPLICATION

I use the Firebug add-on for Firefox to test it. Just create a custom cookie named "PerimeterAtnToken" with the value "username=weblogic".

You can also make an HTTP request with an HTTP header named "PerimeterAtnToken" and the value "username=weblogic".
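As an added example (my own code, not the sources of the GitHub project nor the SimpleSample it derives from), this is the core of an IdentityAsserterV2 for the "PerimeterAtnToken" cookie/header used above: it checks the token type, parses "username=<name>" strictly and hands the name to the LoginModule through a CallbackHandler. The class names are hypothetical, the MBean and provider plumbing around it is left out, and it assumes WebLogic's weblogic.security.spi and weblogic.security.service packages on the classpath.

```java
import java.nio.charset.StandardCharsets;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.IdentityAsserterV2;

public class PerimeterTokenAsserter implements IdentityAsserterV2 {
    // Token type selected on the provider in the console; also the cookie/header name.
    static final String TOKEN_TYPE = "PerimeterAtnToken";
    private static final String PREFIX = "username=";
    @Override
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("Unknown token type: " + type);
        }
        // For cookies and HTTP headers WebLogic hands the raw value to the asserter as a byte[].
        if (!(token instanceof byte[])) {
            throw new IdentityAssertionException("Token must be a byte[]");
        }
        String user = parseUserName(new String((byte[]) token, StandardCharsets.UTF_8));
        if (user == null) {
            throw new IdentityAssertionException("Malformed " + TOKEN_TYPE + " token");
        }
        // The mock trusts the name as sent: whoever can set this cookie/header becomes that user.
        // A real perimeter token has to be verified (e.g. a signature) before reaching this line.
        return new NameOnlyCallbackHandler(user);
    }
    /** Returns the user from "username=<name>", or null if the value is not exactly that. */
    static String parseUserName(String value) {
        String v = value.trim();
        if (!v.startsWith(PREFIX)) return null;
        String user = v.substring(PREFIX.length());
        // Accept a plain identifier only: no empty name, no whitespace, no separators.
        return user.matches("[A-Za-z0-9_.@-]{1,64}") ? user : null;
    }
    /** Answers NameCallback only; the authenticator's LoginModule resolves the name to a user. */
    static final class NameOnlyCallbackHandler implements CallbackHandler {
        private final String userName;
        NameOnlyCallbackHandler(String userName) { this.userName = userName; }
        @Override public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(userName);
            }
        }
    }
}
```

Because the value is nothing but the user name, this mock is only good for testing: anyone who can send that cookie or header to the server logs in as that user, so in front of a real application the token must be verified, or the header must be set by a trusted perimeter that strips any client-supplied copy.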


That should be enough; if not, make sure to check the "References", read the book and go through all the examples.

Thanks!

REFERENCES


1. Simple Sample Custom Identity Asserter for Weblogic Server 12c, http://weblogic-wonders.com/weblogic/2014/01/13/simple-sample-custom-identity-asserter-weblogic-server-12c/
2. WebLogic MBean Maker, https://gist.github.com/kares/356576
3. Creating a wlfullclient.jar, https://docs.oracle.com/cd/E12840_01/wls/docs103/client/jarbuilder.html
4. Securing WebLogic Server 12c (book)
5. Why do I need an Authenticator when I have an Identity Asserter?, Oracle A-team, http://www.ateam-oracle.com/why-do-i-need-an-authenticator-when-i-have-an-identity-asserter/
6. Do You Need to Develop a Custom Authentication Provider?, http://docs.oracle.com/cd/E21764_01/web.1111/e13718/atn.htm#DEVSP220
7. Weblogic Identity Asserter and Authorization Provider in one!, http://darylwiest.blogspot.com.es/2015/02/weblogic-identity-asserter-and.html (extends the MBean to an authenticator)
8. Passing Tokens for Perimeter Authentication, http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#DEVSP254
9. SiteMinder WebLogic Security Provider Mock, https://gibaholms.wordpress.com/2015/01/21/siteminder-weblogic-security-provider-mock/
10. Mock Weblogic Login module - Identity Asserter and Authenticator, http://danielveselka.blogspot.com.es/2012/04/mock-weblogic-login-module-identity.html

