I could not find a full example of a custom WebLogic asserter using Maven. I got some examples using Ant, but I don't like that... it never works for me for some reason, so I simply created a Maven project using the sources of [1], getting some ideas from this GitHub snippet with the "WebLogic MBean Maker" pom.xml [2] and, most importantly, the explanation of the creation of a custom authenticator in the book "Securing WebLogic Server 12c", chapter 4 (really recommended if you want to understand what you are doing).
There are lots of blogs with the same sources (SimpleSampleIdentityAsserterProviderImpl), so you are going to find the same example over and over again on the internet, based on a really old sample used with Bea-server. At one point the authenticator sources came with a sample web application to test them, but that application can no longer be found.
I don't want to go on too long about this, so I'll highlight only the most important points and give you the basic instructions to make it work.
- First, understand the difference between an authenticator and an asserter. The asserter is a way to "translate" a key or token (let's say a cookie, an HTTP header or a certificate) into a set of credentials that can be used to authenticate. The authenticator has the responsibility of checking whether, with those credentials, the user can continue to the protected resource. (A better explanation can be found in the A-team blog about asserters [5].)
Why is this important? Because many internet sources give you only the asserter and not the full authenticator (the asserter plus the LoginModule). If you only have the asserter you are halfway there. Check [6] to get the LoginModule, or [7] to extend your existing MBean asserter into an authenticator provider.
- The second thing was to test it. Funnily enough, it was harder to find the right configuration for the web application than the sources of the authenticator.
You also need to configure your web application with the protected resources, the roles and the principal mapping.
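In your web.xml add something like this (add the "login-config", the "security-role" and a "security-constraint"):

```xml
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>LoggedUsers</role-name>
</security-role>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Protected resources</web-resource-name>
        <!-- path patterns start with "/" -->
        <url-pattern>/protected/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>LoggedUsers</role-name>
    </auth-constraint>
</security-constraint>
```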
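In your weblogic.xml add the mapping between the role and the principals:

```xml
<security-role-assignment>
    <role-name>LoggedUsers</role-name>
    <principal-name>users</principal-name>
</security-role-assignment>
```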
**** For a beautiful example with the sources of the web application see [9]
CONFIGURE
The project is on github https://github.com/carlgira/soa-utils/tree/master/http-token-authenticator
- In the pom.xml, configure "mdw.home" with your Middleware path (in the 11g or 12c profile).
- Depending on your version, you will probably have to change some jar paths.
- Execute maven install (11.1.1.7 or 12.1.3):
  - mvn -Dsoa-version=12.1.3 clean install
  - mvn -Dsoa-version=11.1.1.7 clean install
- Copy the jar to the path Middleware\wlserver_10.3\server\lib\mbeantypes
- Reboot your server.
- Go to Security Realms->myrealm->Providers and create a SimpleSampleIdentityAsserter.
- Make sure to set all the authenticators' flags to "SUFFICIENT".
- Reorder your authenticators and put the new one last.
- Reboot your server.
TEST A PROTECTED APPLICATION
I use the Firebug add-on for Firefox to test it. Just create a custom cookie named "PerimeterAtnToken" with the value "username=weblogic".
You can also make an HTTP request with an HTTP header named "PerimeterAtnToken" and a value of "username=weblogic".
That should be enough. If not, make sure to check the "References", and read the book and all the examples.
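Added example (not code from the linked project or from WebLogic): the test token above carries only a user name, so whoever can set the PerimeterAtnToken cookie or header chooses the asserted user. This standalone Java class shows that parse next to a variant that also requires an HMAC-SHA256 tag; the `;mac=` suffix format, the key, and all class and method names are assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical class for illustration; not part of WebLogic or the linked project.
public class PerimeterTokenCheck {
    static final String PREFIX = "username=";
    static final String MAC_SEP = ";mac=";   // assumed suffix carrying the tag
    // Unsigned form used in the test: whatever follows "username=" is the asserted user.
    static String parseUnsigned(String token) {
        if (token == null || !token.startsWith(PREFIX) || token.length() == PREFIX.length()) {
            throw new IllegalArgumentException("expected username=<name>");
        }
        return token.substring(PREFIX.length());
    }
    // Assumed signed form: username=<name>;mac=<base64url HMAC-SHA256 of "username=<name>">.
    static String parseSigned(String token, byte[] key) throws GeneralSecurityException {
        int sep = (token == null) ? -1 : token.lastIndexOf(MAC_SEP);
        if (sep < 0) throw new SecurityException("token carries no mac");
        String body = token.substring(0, sep);
        byte[] given = Base64.getUrlDecoder().decode(token.substring(sep + MAC_SEP.length()));
        if (!MessageDigest.isEqual(hmac(body, key), given)) {   // constant-time comparison
            throw new SecurityException("mac does not match");
        }
        return parseUnsigned(body);
    }
    static byte[] hmac(String body, byte[] key) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(body.getBytes(StandardCharsets.UTF_8));
    }
    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed sample key
        String plain = "username=weblogic";                                   // value from the test above
        String signed = plain + MAC_SEP + Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(plain, key));
        System.out.println("unsigned parse -> " + parseUnsigned(plain));
        System.out.println("signed parse   -> " + parseSigned(signed, key));
        for (String bad : new String[] { plain, plain + MAC_SEP + "AAAA" }) {
            try {
                parseSigned(bad, key);
            } catch (SecurityException e) {
                System.out.println("rejected " + bad + ": " + e.getMessage());
            }
        }
    }
}
```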
Thanks!
REFERENCES
1. Simple Sample Custom Identity Asserter for Weblogic Server 12c http://weblogic-wonders.com/weblogic/2014/01/13/simple-sample-custom-identity-asserter-weblogic-server-12c/
2. WebLogic MBean Maker. https://gist.github.com/kares/356576
3. Creating a wlfullclient.jar. https://docs.oracle.com/cd/E12840_01/wls/docs103/client/jarbuilder.html
4. Securing WebLogic Server 12c,
5. Why do I need an Authenticator when I have an Identity Asserter?, Oracle A-team http://www.ateam-oracle.com/why-do-i-need-an-authenticator-when-i-have-an-identity-asserter/
6. Do You Need to Develop a Custom Authentication Provider? http://docs.oracle.com/cd/E21764_01/web.1111/e13718/atn.htm#DEVSP220
7. Weblogic Identity Asserter and Authorization Provider in one! http://darylwiest.blogspot.com.es/2015/02/weblogic-identity-asserter-and.html (Extends the mbean to an authenticator)
8. Passing Tokens for Perimeter Authentication http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#DEVSP254
9. SiteMinder WebLogic Security Provider Mock, https://gibaholms.wordpress.com/2015/01/21/siteminder-weblogic-security-provider-mock/
10. Mock Weblogic Login module - Identity Asserter and Authenticator, http://danielveselka.blogspot.com.es/2012/04/mock-weblogic-login-module-identity.html