Saturday, March 31, 2012

Weblogic login module test - Firefox plugin to modify HTTP request header (also possible with Opera cookie editor)

Modify Headers Firefox plugin
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/


Modify HTTP header


Capture HTTP headers




Weblogic Identity Assertion Concepts
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId0

Weblogic log of test Identity Asserter
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
    Type        = SamplePerimeterAtnToken
    Token        = [B@f99f26
    userName    = dave



weblogic.xml assigns role to group
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
  xmlns="http://www.bea.com/ns/weblogic/90"
  xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

  <security-role-assignment>
    <role-name>SamplePerimeterAtnRole</role-name>
    <principal-name>SamplePerimeterAtnUsers</principal-name>
  </security-role-assignment>

</weblogic-web-app>


web.xml configures web resource as secured
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<!-- Specifies the security settings for the SamplePerimeterAtn web app.

     This webapp is used to demonstrate how to use identity assertion to
     perform perimeter authentication (where someone outside WLS is
     responsible for authenticating the user).

     Copyright (c) 2005 by BEA Systems, Inc.  All Rights Reserved.
-->

  <security-constraint>

    <!-- all the pages in this webapp are secured -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>

    <!-- only users in the SamplePerimeterAtnRole will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
      <role-name>
        SamplePerimeterAtnRole
      </role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

  </security-constraint>

  <!-- Use weblogic.xml to map the SamplePerimeterAtnRole
       to the SamplePerimeterAtnUsers group. As a result,
       "SamplePerimterAtnUsers" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>
      SamplePerimeterAtnRole
    </role-name>
  </security-role>    

  <!-- turn on identity assertion

       The webapp only specifies that identity assertion should be
       used.  It does not dictate what kind of tokens to use.  Rather,
       the client and the identity asserter have to agree on the token
       type and format.

       - the client is responsible sending in a token that identifies the user

       - the identity asserter is responsible for converting that token
         to a user name.

       - the authenticators are responsible for putting that user
         and its groups into the subject

       The realm name is not used so set it to "NoSuchRealm".  It
       has nothing to do with the realm names in the console.

       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>NoSuchRealm</realm-name> 
  </login-config>

</web-app>




Error without modified header

Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.



Result page with added header
SamplePerimeterAtn.jsp Subject: Principal: dave Principal: SamplePerimeterAtnUsers Private Credential: dave


Authorized access with configured Identity Asserter


Modify SimpleSampleIdentityAsserter - set Base64DecodingRequired to false
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId15

 
 <MBeanAttribute
  Name         = "Base64DecodingRequired"
  Type         = "boolean"
  Writeable    = "false"
  Default      = "false"
  Description  = "See MyIdentityAsserter-doc.xml."
/>


Capture HTTP headers
http://localhost:7001/samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp

GET /samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp HTTP/1.1
Host: localhost:7001
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ADMINCONSOLESESSION=0X41P3rh1pbcCGhBn8nJ5yB55R9zds3v6fjD68QMjT5F6cYZqFGJ!-863651884; JSESSIONID=WVJXP3rJnc1tpjTn5SHW4TC5tRLGhgDBgBDTvZqTQGSR67r88XDR!-863651884
SamplePerimeterAtnToken: username=dave

HTTP/1.1 200 OK
Date: Sat, 31 Mar 2012 16:17:46 GMT
Content-Length: 116
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/3.0 JSP/2.2



To change user it is necessary to remove cookie with JSESSIONID

Cookie: JSESSIONID=pZrFP3yQQpFLnJvPLGSTpcgnGRqCQtYJfdfpySLYJG1gd3QCTGWz!-863651884


In Firefox this is done using about:permissions


Opera allows to edit existing cookies
Cookie Information


Cookie Manager



IdentityAsserter MBean in WLS Admin console


All Weblogic users are assigned to group users. This can be used to allow access to authorized application for all authenticated users by mapping role to users principal in web.xml


 weblogic.security.Security.getCurrentSubject()


returns 
SamplePerimeterAtn.jsp Subject: Principal: dave Private Credential: dave



weblogic.xml 
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
  xmlns="http://www.bea.com/ns/weblogic/90"
  xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

  <security-role-assignment>
    <role-name>authusers</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>

</weblogic-web-app>



web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
  xmlns="http://java.sun.com/xml/ns/j2ee"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<!-- Specifies the security settings for the SamplePerimeterAtn web app.

     This webapp is used to demonstrate how to use identity assertion to
     perform perimeter authentication (where someone outside WLS is
     responsible for authenticating the user).

     Copyright (c) 2005 by BEA Systems, Inc.  All Rights Reserved.
-->

  <security-constraint>

    <!-- all the pages in this webapp are secured -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>

    <!-- all authenticated  users in the authusers will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
        <role-name>authusers</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

  </security-constraint>

  <!-- Use weblogic.xml to map the authusers
       to the users group. As a result,
       "users" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>
      authusers
    </role-name>
  </security-role>    

  <!-- turn on identity assertion

       The webapp only specifies that identity assertion should be
       used.  It does not dictate what kind of tokens to use.  Rather,
       the client and the identity asserter have to agree on the token
       type and format.

       - the client is responsible sending in a token that identifies the user

       - the identity asserter is responsible for converting that token
         to a user name.

       - the authenticators are responsible for putting that user
         and its groups into the subject

       The realm name is not used so set it to "NoSuchRealm".  It
       has nothing to do with the realm names in the console.

       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>NoSuchRealm</realm-name> 
  </login-config>
  
   <servlet>
    <description></description>
    <display-name>AuthenticationSnoop</display-name>
    <servlet-name>AuthenticationSnoop</servlet-name>
    <servlet-class>dave.AuthenticationSnoop</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticationSnoop</servlet-name>
    <url-pattern>/AuthenticationSnoop</url-pattern>
  </servlet-mapping>

</web-app>

Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)