How can I set up a security realm in WebLogic 10.3? I want to add user roles and let the WebLogic server check those users for what resources they can access. Where does WebLogic store authentication data? How can authentication data be accessed and updated by the WebLogic server automatically?
Thanks in advance.....
Your question is a bit vague since there are a lot of ways to configure security within WebLogic. Oracle's documentation would be a good starting point.
You can set up the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = read-only).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.
We have a scenario where we have a Java web application deployed on a WebLogic instance and OBIEE on another. Now, what we want is to authenticate the OBIEE users using our already existing user base from our webapp database table. I don't have much experience regarding OBIEE or WebLogic server administration, but by googling a little I have found that OBIEE by default uses WebLogic's embedded LDAP server for authenticating its users. What we need is a way to configure OBIEE to use our existing database table users for authentication purposes. How do we achieve this? What are the necessary steps? Do we need to create a custom WebLogic authentication provider for this? Any guidance is highly appreciated. Thanks in advance.
Database authentication is possible on OBIEE 11.1.1.5 and higher. I assume that you are good on that side.
Oracle documentation is quite good on this topic; you can check the detailed scenario here.
The basic idea is that you create a SQLAuthenticator that talks between a virtualised identity provider and your database where your users are defined.
It's important to notice that this method works with users/passwords defined in one of your tables and not with database accounts.
Good luck!
@adn.911,
After setting up your DB authentication, are you facing the login issue only on Analytics, or even on the WebLogic console and EM?
If you are able to log in to the WebLogic console but not to Analytics, try setting the virtualize property to true and resetting the BISystemUser password.
I am using MarkLogic version 8.04 on CentOS 6. I am trying to do external authentication/authorization using LDAP.
I've created an external security authentication object (here are the pertinent settings):
name ldap-config-simple
authentication ldap
authorization ldap
ldap server url ldap://<my server address>:389
ldap base ou=<mycompany>,dc=<info>,dc=<my org>
ldap attribute sAMAccountName
ldap default user cn=<user id>,ou=xxxx,ou=yyyyy,dc=<info>,dc=<my org>
ldap bind method simple
and associated it with an HTML App server (here are the pertinent settings):
authentication basic
internal security true
external security ldap-config-simple
And I have associated an LDAP group to a role (here are the pertinent settings):
external name cn=marklogic,ou=groups,dc=<info>,dc=<my org>
The problem is that authentication fails when I try to access the App server using my LDAP user. The log for the external LDAP server shows that the search string that MarkLogic sends looks like this:
(member=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
But the LDAP server is expecting the search to be:
(memberOf=cn=marklogic,ou=groups,dc=<info>,dc=<my org>)
The LDAP server admin assures me that "memberOf" is the accepted standard for this type of query. We are using an OpenLDAP server - it is a pretty standard LDAP installation. Is there a way to have MarkLogic send "memberOf=" for the search rather than "member="?
Note that I was able to authenticate with my LDAP user ID through the App Server when I associated my user's DN in the LDAP server with a configured MarkLogic user. But I would prefer to use the role-based authentication, since that puts the access controls in the LDAP server.
Any help appreciated.
Answering my own question. It is working now with the configuration above, although I didn't make any changes. MarkLogic support told me that a previous configuration may have been cached. In the process of debugging this I did a network packet trace to see exactly what MarkLogic was sending, and it looks like it actually requests both the "memberOf" and "member" groups - I guess the LDAP admin only saw the latter in the logs.
I'm involved in a Java web application migration project to the IBM WebSphere Portal (IBM WP) platform.
The actual application in the production environment validates user credentials (username and password) manually against a database table that stores the data. I understand that the idea behind a Portal application is that the Portal container handles these security issues, but I'm not sure how IBM WP can consume the credentials that are now in the database.
There's a brand new Tivoli Directory Server in the company, and I'm aware that I can't connect IBM WP to this LDAP server, so do I need to migrate every user in the database to this LDAP server, or is there a way for Tivoli to recognize the credentials that are in the database?
Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also have a look at Custom User Registry. I'd also suggest considering the Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API:
http://www-01.ibm.com/support/docview.wss?uid=swg21248674
You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system: it would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++).
This is my first time trying Spring Security and LDAP. I have a couple of novice questions. My main confusions are:
How do we assign roles to users? Is it done on the LDAP server, or via a configuration file in my webapp? By roles I mean: a couple of users would have all access to webapp features (Admins), Regular users (read-only access to webapp data), Analytic group (users who can run a report in the webapp).
Currently the application uses j_security_check for normal user authentication with the LDAP server. (Where in WebSphere do we hook up the LDAP connection settings for this authentication?)
I found it confusing too, and developed my own module which ties in with Java EE Security.
Basically the webapp is set up with standard Java EE Security, and methods on Spring beans can be given the @RolesAllowed annotation, in which case the logged-in user's roles are checked against the required roles just before calling the method. See here for details.
You can use LDAP or a database or a file - where the roles and users are stored is up to you. Normally for production you will use LDAP or a connector to some kind of directory server. Sorry I can't help with WebSphere - it's been a while since I set it up for security.
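As an added example (not code from the question or answer above): one way to answer "is it done on the LDAP server?" for the Admins / Regular users / Analytic group case, using Spring Security's Java configuration (WebSecurityConfigurerAdapter era, 3.2 to 5.x). Users authenticate by binding with their own DN, roles are derived from the LDAP groups whose member attribute lists that DN, and URL access is then granted per role. The directory layout, hostnames, group names and the LDAP_BIND_PASSWORD environment variable are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LdapRoleConfig extends WebSecurityConfigurerAdapter {

    // Assumed directory layout: people under ou=people, groups under ou=groups,
    // each group a groupOfNames whose "member" attribute holds full user DNs
    // (cn=admins, cn=users, cn=analytics).
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Bind as the user to verify the password: the webapp never stores password hashes.
            .userDnPatterns("uid={0},ou=people")
            // Roles come from the groups the authenticated user's DN is a member of.
            .groupSearchBase("ou=groups")
            .groupSearchFilter("(member={0})")   // {0} is the full user DN, {1} the login name
            .groupRoleAttribute("cn")            // the group's cn becomes the authority name
            .rolePrefix("ROLE_")                 // cn=admins -> ROLE_ADMINS (upper-cased by default)
            .contextSource()
                .url("ldap://ldap.example.com:389/dc=example,dc=com")
                // Read-only service account used only for the group search, never a person's account.
                .managerDn("cn=svc-webapp,ou=services,dc=example,dc=com")
                .managerPassword(System.getenv("LDAP_BIND_PASSWORD"));
    }

    // hasRole("ADMINS") matches the authority ROLE_ADMINS produced above.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMINS")
            .antMatchers("/reports/**").hasAnyRole("ANALYTICS", "ADMINS")
            .anyRequest().hasAnyRole("USERS", "ANALYTICS", "ADMINS")
            .and()
            .formLogin();   // replaces the container's j_security_check form for this webapp
    }
}
```

With this layout, adding or removing a user from a group in LDAP changes their access without any change to the webapp configuration.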
I am completely new to login and authentication concepts. I am working on a Glassfish web application that should present general content to any visitor, and some extra content for registered users logged in with a username and password.
I have been reading the Java EE tutorial about security, and I thought that form-based or HTTP authentication would fulfill my needs (the visitor is asked for credentials when trying to browse secured content).
However, my first guess was that the registered users should be stored in an external database along with their hashed and salted passwords.
The security for a web application in Glassfish seems to rely on the realm populated manually directly on the application server (defining users and groups and mapping them to the roles in the application).
Did I misunderstand what security on Glassfish is intended for? Or can a realm be an external database outside the application server? Any link to documentation on this topic would be useful to me.
Thank you in advance
Tart
It is actually possible.
In Glassfish, go to Configuration/Security/Realms, create a new realm and set the classname to com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.
Indicate the JDBC resource bound to the database, and indicate the table and the columns where the username/password are stored. The database shall also contain a table for the groups to which the user must belong to be granted access. Indicate those as well.
In the application, set up web.xml and sun-web.xml with the realm name as usual.
Here is an article about the JDBC realm in Glassfish with the scenario you described: http://java-cookbook.blogspot.com/2011/02/jdbc-security-realm-with-glassfish-and.html
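As an added example (not code from the answer or from GlassFish itself): the realm properties the answer describes, expressed as an asadmin command in the comment, together with a small provisioning helper that writes user and group rows in the exact password format JDBCRealm compares against for those properties. The realm, datasource, table and column names are assumptions; the stock JDBCRealm digests the raw password bytes without a per-user salt, so the salted scheme the question hoped for would need a custom realm class instead.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import javax.sql.DataSource;

/*
 * Realm created once on the server (assumed names; single line when typed):
 *   asadmin create-auth-realm --classname com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm
 *     --property jaas-context=jdbcRealm:datasource-jndi=jdbc/appDS:user-table=app_users:
 *       user-name-column=username:password-column=password:group-table=app_groups:
 *       group-name-column=groupname:digest-algorithm=SHA-256:encoding=Hex:charset=UTF-8
 *     appRealm
 * web.xml then names appRealm in <login-config> and sun-web.xml maps each group
 * (e.g. "members") to a <security-role> used in <security-constraint>.
 */
public class JdbcRealmUsers {

    /** The value JDBCRealm computes for the properties above: SHA-256 over the UTF-8
     *  bytes of the password, lowercase hex, no salt. The stored column must hold exactly this. */
    static String realmDigest(String password) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256")
                                .digest(password.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Inserts one user plus the group memberships that sun-web.xml maps to application roles.
     *  Both inserts happen in one transaction so a user never exists without its groups. */
    static void addUser(DataSource ds, String username, String password, String... groups)
            throws Exception {
        try (Connection c = ds.getConnection()) {
            c.setAutoCommit(false);
            try (PreparedStatement u = c.prepareStatement(
                     "INSERT INTO app_users (username, password) VALUES (?, ?)");
                 PreparedStatement g = c.prepareStatement(
                     "INSERT INTO app_groups (username, groupname) VALUES (?, ?)")) {
                u.setString(1, username);
                u.setString(2, realmDigest(password));
                u.executeUpdate();
                for (String grp : groups) {   // one row per group; realm reads them by username
                    g.setString(1, username);
                    g.setString(2, grp);
                    g.addBatch();
                }
                g.executeBatch();
            }
            c.commit();
        }
    }
}
```

Because app_groups uses the same column name as user-name-column, the realm's default group lookup (group-table-user-name-column) needs no extra property.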