Programmatic login (authentication) in WebLogic (JAAS) - authentication

We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user was logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned back the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls).
We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).
Is this a JAAS thing? Is there a WebLogic call?

You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your user accessed a protected resource.
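As an added illustration (not code from the original answer), here is a servlet that performs the programmatic login described above with HttpServletRequest#login (Servlet 3.0+), so the container runs the domain's configured authentication providers and the wrapped LoginModule; the servlet path, parameter names and the JAX-WS client setting mentioned in the comments are assumptions.

```java
// Added example: programmatic login via HttpServletRequest#login on WebLogic.
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

@WebServlet("/api/login")   // assumed path; the client POSTs username/password here
public class ProgrammaticLoginServlet extends HttpServlet {

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        String user = req.getParameter("username");   // assumed parameter names
        String pass = req.getParameter("password");
        if (user == null || pass == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        if (req.getUserPrincipal() != null) {
            // Already authenticated; a second login() would throw ServletException.
            resp.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        // Drop any pre-existing session before authenticating so a session id
        // chosen by the client cannot be "upgraded" (session fixation).
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        req.getSession(true);
        try {
            // Runs the same chain as j_security_check: the WebLogic authentication
            // providers call the configured LoginModule. Throws on failure, so no
            // password comparison happens in application code.
            req.login(user, pass);
        } catch (ServletException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // The container has now issued the session cookie (JSESSIONID). A JAX-WS
        // client that sets BindingProvider.SESSION_MAINTAIN_PROPERTY to true will
        // send it back on subsequent calls without re-authenticating.
        resp.setStatus(HttpServletResponse.SC_OK);
        resp.getWriter().print(req.getUserPrincipal().getName());
    }
}
```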

WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.
Writing and configuring security providers is extensively documented.
If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.

Related

How to configure a SAML 2.0 service provider for an ADF application

I have successfully configured a SAML 2.0 Identity provider in a separate Weblogic domain
We have an ADF application deployed in Weblogic in another domain with non-SAML form-based authentication (ReadOnlySQLAuthenticator is used to verify credentials)
I want to configure the second domain as a Service Provider (to enable the existing application to login with the Identity provider).
I did the following:
Configure a SAML 2.0 Identity Asserter
Enable the Service Provider in the federated services for the server
Add and enable the "service provider partners" and exchange metadata on both IDP and SP side
Configure the "redirect URI" on the SP side
Add the SAML 2.0 Authenticator (the documentation doesn't mention this, but some blogs do)
This should be enough to make the SSO work, but it doesn't.
opening the application doesn't trigger a redirect to the IDP (even when the URL is configured in the provider partner config)
after logging into the application, other applications still have to log in with the IDP (SSO doesn't work)
The "other application" is the Spring SAML sample application and I verified that SSO works with 2 different instances of that app (which means the IDP side should be configured correctly).
We've had some Oracle experts come over to our company to solve various issues.
In the end even they couldn't help with this and suggested that SAML support may not really work that well.
They suggested that we try to use Oracle Access Manager, that's supposed to support both OAUTH and SAML. We didn't get to that yet and maybe never will.
Still if you need SSO in Weblogic, you could give it a go.

sso saml with weblogic and openam

I'm trying to setup saml sso with openam and weblogic.
The reason why I want to use saml is that I have multiple application where I can't change the web.xml to use the j2ee agent.
My question is if there is a good document explaining the setup with weblogic and openam.
I have read several guides, but I'm still confused...
Just looking for a good howto!
My current setup is
openam on tomcat installed on host1
weblogic installed on host2.
Webapp deployed on host2
So openam will be the IdP and weblogic will be the SP? right?
I have configured the openam hosted IdP.
I have added the saml identity asserter on weblogic and configured a web sso identity provider partner.
You can configure WebLogic to enable SAML SSO implementation. This requires the following steps to be completed.
WebLogic and IDP (OpenAM) should be coupled - you can register OpenAM as an authentication service provider inside WebLogic container using the administration console.
This requires a SSL communication, hence ideally, it's better to install a SSL certificate inside the container.
WebLogic can be configured to implement SAML SP (Identity asserter and Assertion consumer) by configuring the required through the administration console.
In fact it can be configured to work as a Credential mapper and Assertion receiver on the same way.
All these steps can be done inside a single WebLogic instance or between instances using a WebLogic federation.
Please refer to the link below for more details.
I don't think WebLogic itself can act as SAML SP. Every application has to implement an SAML SP. Doing this via Spring Security SAML extension is quite neat. If you want more effort, look at the OpenAM Fedlet (it's also a lightweight SP). However the sample app generated when creating the Fedlet is not too helpful. The 'Fedlet' is not the sample app at all, but more or less the jars and metadata included in the sample app.

Shibboleth with custom web application's own SignOn mechanism

We are developing a web application that has its own SignOn mechanism (login mechanism using username and password). The SignOn mechanism is implemented using a Web Application Filter.
The web application container is Apache Tomcat 6.0
The User may also choose to login through Shibboleth authentication. That is, to access our Web Application, the user may choose either be authenticated using Shibboleth, or using our own SignOn mechanism which is web application filter-based.
Is it technically feasible to support both Shibboleth Authentication, and a Web Application Filter based SignOn mechanism?
If it's feasible, from the Web Application Filter side, how do we check if a user was authenticated already by Shibboleth? Is there some Shibboleth Authentication token, or Shibboleth User session?
Thanks.
I assume that you refer to Shibboleth SP (the Service Provider component) and also that you will need Shibboleth IdP (an Identity Provider) to provide the actual authentication.
...And yes, it is feasible and the two methods can easily coexist.
When the user is successfully authenticated by Shibboleth SP (using the Identity Provider) it places the well-known session attributes in the HTTP request attributes and headers.
You can view the session attributes visiting:
https://your-host/Shibboleth.sso/Session
So, inside your application you can check the presence and the value of those attributes like:
request.getAttribute("NAME_OF_THE_ATTRIBUTE_IN_SESSION")
request.getHeader("NAME_OF_THE_ATTRIBUTE_IN_SESSION")
Then, using Shibboleth attributes you can do the necessary operations to allow or deny the user authentication.
See this official wiki to understand how "Shibbolize" an Application and this for accessing attributes.
I would recommend to start reading from the start this clear and comprehensive wiki on Shibboleth SP and IdP installation and configuration.
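An added example (not the answerer's code) of the filter-side check described above: the filter admits a request that already carries the application's own sign-on, otherwise accepts a Shibboleth SP session if one is present, and otherwise sends the user to the application's login page. The attribute name "eppn", the session key "app.user" and the "/login" path are assumptions; the header fallback is disabled by default because a client that can reach Tomcat without passing through the SP could supply such headers itself.

```java
// Added example: coexistence of Shibboleth SP sessions and an application filter login.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class DualSignOnFilter implements Filter {
    private static final String SHIB_ID_ATTR = "eppn";     // assumed: id from the SP's attribute-map.xml
    private static final String APP_USER = "app.user";     // assumed: session key set by the app's own login
    private static final boolean TRUST_HEADERS = false;    // enable only if the SP is the sole path to Tomcat

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);

        // 1. Signed on through the application's own username/password mechanism.
        if (session != null && session.getAttribute(APP_USER) != null) {
            chain.doFilter(request, response);
            return;
        }
        // 2. Authenticated by Shibboleth SP: adopt its identity into the app session.
        String shibUser = shibbolethUser(req);
        if (shibUser != null) {
            req.getSession(true).setAttribute(APP_USER, shibUser);
            chain.doFilter(request, response);
            return;
        }
        // 3. Neither: hand over to the application's login flow.
        resp.sendRedirect(req.getContextPath() + "/login");
    }

    // Request attributes are set by the SP itself (e.g. via AJP) and cannot be
    // injected by the browser; headers are only consulted when explicitly trusted.
    static String shibbolethUser(HttpServletRequest req) {
        Object attr = req.getAttribute(SHIB_ID_ATTR);
        if (attr != null && !attr.toString().isEmpty()) return attr.toString();
        String header = TRUST_HEADERS ? req.getHeader(SHIB_ID_ATTR) : null;
        return (header == null || header.isEmpty()) ? null : header;
    }
}
```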

Glassfish authentication process

I don't understand well the process of authentication with Glassfish (V3 in my case).
With JSE simple application, we are using JAAS API to authenticate users with callback handler and login context.
With application servers like Glassfish, we are using realms to authenticate users. These realms use JAAS but implement some applicative logic code to plugin into Glassfish structure and credentials are passed via container to the realm to authenticate user. Credentials are obtained via "kind of" callback handler which are BASIC, FORM, DIGEST and CLIENT-CERT.
Is that right?
Now, there are SAMs (Server Authentication Modules) too and I don't know exactly at what time they occur in the authentication process. I think SAMs occur before the realm in request processing but I'm not sure... can someone confirm? Are SAMs callback handlers?
Thanks

Tomcat authentication using SPNEGO/Kerberos and delegation

Is there an apache module that implements Kerberos authentication for use by Tomcat and also supports Kerberos delegation?
I've already looked at mod_spnego and it throws away the SSPI context it creates only keeping the principal name. Instead, I'm looking for a module that would allow for the delegation of the ticket sent to Tomcat - that is, taking the service ticket sent for authentication and using it server side to access another service on behalf of the user.
EDIT: To clarify, I need to impersonate under Win32 using the GSS/SSPI context so when legacy code connects to another server, the delegated credentials are used.
WAFFLE (Windows Authentication Functional Framework) now provides that feature starting from v1.4beta.
It provides a ServletFilter that uses native Windows APIs to authenticate the user, either using Basic or Negotiate authentication. The user then can be impersonated, and native APIs calls will be performed with the access token of the impersonated user.
How about using the JAAS realm and using the kerberos 5 JAAS module?
http://tomcat.apache.org/tomcat-6.0-doc/realm-howto.html#JAASRealm
http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html
Looks like it might require a little coding, but the pieces should be there.
Here's a http://spnego.sourceforge.net/credential_delegation.html tutorial. It implements Kerberos/SPNEGO as an HTTP Servlet Filter and supports credential delegation.