Sunday, October 9, 2011

Weblogic Custom Role Mapping Provider

Developing Security Providers for Oracle WebLogic Server 11g Release 1 (10.3.3)
Role Mapping Providers
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13718/rm.htm

The sample security providers (available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site)

Build process for Identity Asserter
http://weblogic-wonders.com/weblogic/2010/03/15/custom-identity-asserter-for-weblogic-server/


Build process for Role Mapping Provider
- download the WebLogic Sample Security Providers
- unzip SampleSecurityProviders91
- set the WLS environment:
    . /app/wlserver_10.3/server/bin/setWLSEnv.sh
- create the ant build script build.xml (listed below)
- copy commo.dtd to the build dir:
    find /app/wlserver_10.3/ -name commo.dtd
    cp /app/wlserver_10.3/server/lib/commo.dtd .
- run ant
- copy the created jar to $WL_HOME/server/lib/mbeantypes:
    cp SimpleSampleRoleMapper.jar /usr/app/wlserver_10.3/server/lib/mbeantypes/
- restart the server
- create the new Role Mapper using the WLS console


Configure new Role Mapper



Files in build dir

build.xml  
SimpleSampleRoleMapper.jar
SimpleSampleRoleMapper.xml
commo.dtd
SimpleSampleRoleMapperDatabase.java
SimpleSampleSecurityRoleImpl.java


build.xml
<project name="Expenselink Build" default="all" basedir=".">
    <property name="fileDir" value="test" />

    <target name="all" depends="build"/>

    <target name="build" depends="clean,build.mdf,build.mjf"/>

    <target name="clean">
        <delete dir="${fileDir}" failonerror="false"/>
        <delete file="SimpleSampleRoleMapper.jar" failonerror="false"/>
        <echo message="Clean finish" />
    </target>

    <!-- helper to build an MDF (mbean definition file) -->
    <target name="build.mdf">
        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-files ${fileDir}" />
            <arg value="-createStubs" />
            <arg line="-MDF SimpleSampleRoleMapper.xml" />
        </java>
        <echo message="Created Supporting Classes" />
    </target>

    <target name="build.mjf">
        <copy todir="${fileDir}" flatten="true">
            <fileset dir=".">
                <include name="*.java" />
            </fileset>
        </copy>

        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-MJF SimpleSampleRoleMapper.jar" />
            <arg line="-files ${fileDir}" />
        </java>
        <echo message="Created Mbean Jar" />
    </target>
</project>



AdminServer log - IdentityAsserter and RoleMapper
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@9a9036
userName = dave
SimpleSampleRoleMapperProviderImpl.getRoles
subject = Subject:
Principal: dave
Principal: DaveGroup
Private Credential: dave

resource = type=<url>, application=_auto_generated_ear_, contextPath=/daveWeb, uri=/AuthenticationSnoop, httpMethod=GET
roles = {Anonymous=Anonymous, DaveRole=DaveRole}
SimpleSampleRoleMapperProviderImpl.getRoles
subject = Subject:
Principal: dave
Principal: DaveGroup
Private Credential: dave

resource = type=<url>, application=_auto_generated_ear_, contextPath=/daveWeb, uri=/
roles = {Anonymous=Anonymous, DaveRole=DaveRole}
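Added example, not the Oracle sample's code and not from this post: a hypothetical RoleProvider/RoleMapper pair, GroupRoleMapperProviderImpl, that grants roles from WLSGroup principals only and only for URL resources, reproducing the DaveGroup to DaveRole mapping seen in the log above but deliberately not handing out Anonymous. It assumes the WebLogic 10.3 SPI types named in the imports and a constructed in-memory group-to-role table.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;
import weblogic.security.spi.SecurityRole;
import weblogic.security.spi.SecurityServices;
import weblogic.security.spi.WLSGroup;

/** Hypothetical role mapper: roles come from group principals only; anything else gets none. */
public final class GroupRoleMapperProviderImpl implements RoleProvider, RoleMapper {
    // Constructed mapping (group principal name -> role name); the Oracle sample keeps
    // its table in SimpleSampleRoleMapperDatabase instead.
    private static final Map<String, String> GROUP_TO_ROLE = new HashMap<String, String>();
    static { GROUP_TO_ROLE.put("DaveGroup", "DaveRole"); }

    private String description;

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        description = mbean.getDescription() + "\n" + mbean.getVersion();
    }
    public String getDescription() { return description; }
    public void shutdown() { }
    public RoleMapper getRoleMapper() { return this; }

    public Map getRoles(Subject subject, Resource resource, ContextHandler handler) {
        Map<String, SecurityRole> roles = new HashMap<String, SecurityRole>();
        // Only URL resources are mapped here; an empty map grants no role for anything else.
        if (subject == null || resource == null || !"<url>".equals(resource.getType())) return roles;
        // Only WLSGroup principals are consulted. The user principal and the private credential
        // seen in the log above are ignored, so an asserted user name alone yields no role.
        for (Principal p : subject.getPrincipals()) {
            String role = (p instanceof WLSGroup) ? GROUP_TO_ROLE.get(p.getName()) : null;
            if (role != null) roles.put(role, new GroupSecurityRole(role));
        }
        return roles;
    }

    /** Minimal SecurityRole, standing in for the sample's SimpleSampleSecurityRoleImpl. */
    private static final class GroupSecurityRole implements SecurityRole {
        private final String name;
        GroupSecurityRole(String name) { this.name = name; }
        public String getName() { return name; }
        public String getDescription() { return "granted from group membership"; }
    }
}
```

It is packaged with the same MBeanMaker steps and build.xml as the sample; the MDF must name this class as the provider implementation.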



DaveRole in Weblogic LDAP - using JXplorer LDAP browser

5 comments:

  1. Daniel,
    I can't find the example (Simple Sample RoleMapper) that you mentioned in this post. Can you tell me what the current URL is that I can download it from?
    Thanks

    1. Hi, did you find the link for SimpleSample RoleMapper?

  2. Hi Daniel,
    Can you please provide the link where we can download Simple Sample RoleMapper?

  3. Where can I download simple sample role mapper mbean file?

  4. Hi Daniel,

    Thanks for such a crisp post. I have a small question - somewhat different than what you have shown above.
    I need to implement multi-tenancy in my WebLogic server and, to add to the complexity, I am not using the embedded LDAP of WebLogic server; my Roles and Groups are in a SQL database. Theoretically, this is how I assume multi-tenancy should work:

    1. Implement SSO in my environment
    2. Authenticate the User in WebLogic by registering a Relying party (I would most likely go with SAML)
    3. Get the Roles and Groups from the Database and pass to WebLogic - most likely a custom Authorization MBean

    The question is - I'm not sure if this is the correct way or even whether this is practically possible. Could you tell me whether having a Custom MBean for Authorization (read multi-tenancy) would work, or whether there is some other work-around for it?

    I'm not sure if the MBean maker utility of WebLogic will do justice to my scenario, since I would need a greater level of control over the MBean and what it returns to WebLogic.

    I would highly appreciate any help. Thanks in advance - Sam.
