Saturday, March 31, 2012

Weblogic login module test - Firefox plugin to modify HTTP request header (also possible with Opera cookie editor)

Modify Headers Firefox plugin
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/


Modify HTTP header


Capture HTTP headers




Weblogic Identity Assertion Concepts
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId0

WebLogic log of the test Identity Asserter (Token is the raw header value as a Java byte[], so only its object reference is printed; the asserter extracts userName from it)
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@f99f26
userName = dave



weblogic.xml assigns the role to the group
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
xmlns="http://www.bea.com/ns/weblogic/90"
xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

<security-role-assignment>
<role-name>SamplePerimeterAtnRole</role-name>
<principal-name>SamplePerimeterAtnUsers</principal-name>
</security-role-assignment>

</weblogic-web-app>


web.xml configures the web resource as secured (note the sample's transport-guarantee of NONE: the identity token travels in clear text over HTTP, which is acceptable only in a lab; production deployments should use CONFIDENTIAL)
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<!-- Specifies the security settings for the SamplePerimeterAtn web app.

This webapp is used to demonstrate how to use identity assertion to
perform perimeter authentication (where someone outside WLS is
responsible for authenticating the user).

Copyright (c) 2005 by BEA Systems, Inc. All Rights Reserved.
-->

<security-constraint>

<!-- all the pages in this webapp are secured -->
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>

<!-- only users in the SamplePerimeterAtnRole will
be granted access to the pages in this webapp
-->
<auth-constraint>
<role-name>
SamplePerimeterAtnRole
</role-name>
</auth-constraint>

<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>

</security-constraint>

<!-- Use weblogic.xml to map the SamplePerimeterAtnRole
to the SamplePerimeterAtnUsers group. As a result,
"SamplePerimeterAtnUsers" will be granted the role
for this webapp (thus be able to access its pages)
-->
<security-role>
<role-name>
SamplePerimeterAtnRole
</role-name>
</security-role>

<!-- turn on identity assertion

The webapp only specifies that identity assertion should be
used. It does not dictate what kind of tokens to use. Rather,
the client and the identity asserter have to agree on the token
type and format.

- the client is responsible for sending in a token that identifies the user

- the identity asserter is responsible for converting that token
to a user name.

- the authenticators are responsible for putting that user
and its groups into the subject

The realm name is not used so set it to "NoSuchRealm". It
has nothing to do with the realm names in the console.

Set the auth method to CLIENT-CERT to turn on identity
assertion for this webapp.
-->
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>NoSuchRealm</realm-name>
</login-config>

</web-app>




Error without the added header (WebLogic answers with HTTP 401)

Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.



Result page with added header
SamplePerimeterAtn.jsp Subject: Principal: dave Principal: SamplePerimeterAtnUsers Private Credential: dave 


Authorized access with the configured Identity Asserter. Note that the sample asserter only parses the user name out of the token and does not verify it, so any client that can reach the server and set this header is authenticated as that user; the header must be settable only by the trusted perimeter component, which should also strip it from incoming requests.


Modify SimpleSampleIdentityAsserter - set Base64DecodingRequired to false, so the plain username=dave header value is parsed without Base64 decoding (with true the client would have to send the Base64-encoded token instead)
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId15

 
<MBeanAttribute
Name = "Base64DecodingRequired"
Type = "boolean"
Writeable = "false"
Default = "false"
Description = "See MyIdentityAsserter-doc.xml."
/>


Capture HTTP headers
http://localhost:7001/samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp

GET /samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp HTTP/1.1
Host: localhost:7001
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ADMINCONSOLESESSION=0X41P3rh1pbcCGhBn8nJ5yB55R9zds3v6fjD68QMjT5F6cYZqFGJ!-863651884; JSESSIONID=WVJXP3rJnc1tpjTn5SHW4TC5tRLGhgDBgBDTvZqTQGSR67r88XDR!-863651884
SamplePerimeterAtnToken: username=dave

HTTP/1.1 200 OK
Date: Sat, 31 Mar 2012 16:17:46 GMT
Content-Length: 116
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/3.0 JSP/2.2



To switch to a different user it is necessary to remove the JSESSIONID cookie: once a request has been authenticated, the subject is kept in the HTTP session, so the header is only consulted again when no session exists

Cookie: JSESSIONID=pZrFP3yQQpFLnJvPLGSTpcgnGRqCQtYJfdfpySLYJG1gd3QCTGWz!-863651884
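The exchange above, replayed offline as an added example (this is not code from the original post or from Oracle's sample). A small in-process HTTP server stands in for WebLogic plus the SimpleSampleIdentityAsserter: it accepts a SamplePerimeterAtnToken header whose value is "username=<name>" (the format inferred from the captured request and the userName = dave log line), optionally Base64-encoded to mirror the Base64DecodingRequired attribute, answers 401 otherwise, and caches the authenticated user in a JSESSIONID session the way the container does. The client side sends the same requests the Firefox plugin did; the port, the session table and the 401/200 bodies are assumptions of the stand-in, not WebLogic's own behaviour.

```python
import base64
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "SamplePerimeterAtnToken"   # header name from the captured request
SESSION_COOKIE = "JSESSIONID"
PAGE = "/samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp"


class FakeWebLogic(HTTPServer):
    """Stand-in for WLS (assumption): holds the asserter setting and sessions."""

    def __init__(self, addr, handler, base64_decoding_required):
        super().__init__(addr, handler)
        self.base64_decoding_required = base64_decoding_required
        self.sessions = {}                 # JSESSIONID -> user name


def assert_identity(token: bytes, base64_decoding_required: bool):
    """Turn the raw token bytes into a user name, as the sample asserter does.

    No signature or secret is checked: whoever can set the header is believed."""
    if base64_decoding_required:
        try:
            token = base64.b64decode(token, validate=True)
        except ValueError:                 # binascii.Error is a ValueError
            return None
    text = token.decode("latin-1")
    if not text.startswith("username="):
        return None
    return text[len("username="):] or None


class Handler(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo quiet
        pass

    def do_GET(self):
        server = self.server
        cookies = dict(c.strip().split("=", 1)
                       for c in self.headers.get("Cookie", "").split(";") if "=" in c)
        user = server.sessions.get(cookies.get(SESSION_COOKIE))
        new_cookie = None
        if user is None:                   # no session yet: consult the token
            raw = self.headers.get(TOKEN_HEADER)
            if raw is not None:
                user = assert_identity(raw.encode("latin-1"),
                                       server.base64_decoding_required)
            if user is None:
                self.send_response(401)
                self.end_headers()
                return
            new_cookie = secrets.token_hex(8)
            server.sessions[new_cookie] = user
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        if new_cookie:
            self.send_header("Set-Cookie", f"{SESSION_COOKIE}={new_cookie}")
        self.end_headers()
        self.wfile.write(f"Subject: Principal: {user}".encode())


def request(port, username=None, cookie=None, base64_encode=False):
    """Send one GET; returns (status, body, session cookie in effect)."""
    headers = {}
    if username is not None:
        value = f"username={username}"
        if base64_encode:
            value = base64.b64encode(value.encode()).decode()
        headers[TOKEN_HEADER] = value
    if cookie:
        headers["Cookie"] = f"{SESSION_COOKIE}={cookie}"
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", PAGE, headers=headers)
    resp = conn.getresponse()
    body = resp.read().decode()
    set_cookie = resp.getheader("Set-Cookie")
    conn.close()
    if set_cookie:
        cookie = set_cookie.split(";")[0].split("=", 1)[1]
    return resp.status, body, cookie


def run_demo(base64_decoding_required=False):
    """Replay the steps from the post; returns a list of (status, body)."""
    srv = FakeWebLogic(("127.0.0.1", 0), Handler, base64_decoding_required)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port, enc = srv.server_address[1], base64_decoding_required
    try:
        results = [request(port)[:2]]                              # no header -> 401
        st, body, sid = request(port, "dave", base64_encode=enc)   # header -> 200 as dave
        results.append((st, body))
        # same JSESSIONID with another user's header: the cached subject wins
        results.append(request(port, "alice", cookie=sid, base64_encode=enc)[:2])
        # cookie dropped: the header is consulted again and alice is asserted
        results.append(request(port, "alice", base64_encode=enc)[:2])
        # token in the wrong encoding for the asserter setting -> rejected
        results.append(request(port, "dave", base64_encode=not enc)[:2])
        return results
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for status, body in run_demo():
        print(status, body)
```

Run it with Base64DecodingRequired both ways (run_demo(False) and run_demo(True)): the third request shows why the JSESSIONID cookie has to be removed before a different user can be asserted, and the last request shows the 401 you get when the header encoding does not match the asserter's setting.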


In Firefox this is done using about:permissions


Opera allows editing existing cookies
Cookie Information


Cookie Manager



IdentityAsserter MBean in WLS Admin console


All WebLogic users are members of the built-in group users. This can be used to grant access to an application to every authenticated user: web.xml declares the role and the constraint, and weblogic.xml maps that role to the users principal, as in the two descriptors below.


 weblogic.security.Security.getCurrentSubject()


returns
SamplePerimeterAtn.jsp Subject: Principal: dave Private Credential: dave 



weblogic.xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
xmlns="http://www.bea.com/ns/weblogic/90"
xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

<security-role-assignment>
<role-name>authusers</role-name>
<principal-name>users</principal-name>
</security-role-assignment>

</weblogic-web-app>



web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

<!-- Specifies the security settings for the SamplePerimeterAtn web app.

This webapp is used to demonstrate how to use identity assertion to
perform perimeter authentication (where someone outside WLS is
responsible for authenticating the user).

Copyright (c) 2005 by BEA Systems, Inc. All Rights Reserved.
-->

<security-constraint>

<!-- all the pages in this webapp are secured -->
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>

<!-- all authenticated users in the authusers will
be granted access to the pages in this webapp
-->
<auth-constraint>
<role-name>authusers</role-name>
</auth-constraint>

<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>

</security-constraint>

<!-- Use weblogic.xml to map the authusers
to the users group. As a result,
"users" will be granted the role
for this webapp (thus be able to access its pages)
-->
<security-role>
<role-name>
authusers
</role-name>
</security-role>

<!-- turn on identity assertion

The webapp only specifies that identity assertion should be
used. It does not dictate what kind of tokens to use. Rather,
the client and the identity asserter have to agree on the token
type and format.

- the client is responsible for sending in a token that identifies the user

- the identity asserter is responsible for converting that token
to a user name.

- the authenticators are responsible for putting that user
and its groups into the subject

The realm name is not used so set it to "NoSuchRealm". It
has nothing to do with the realm names in the console.

Set the auth method to CLIENT-CERT to turn on identity
assertion for this webapp.
-->
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>NoSuchRealm</realm-name>
</login-config>

<servlet>
<description></description>
<display-name>AuthenticationSnoop</display-name>
<servlet-name>AuthenticationSnoop</servlet-name>
<servlet-class>dave.AuthenticationSnoop</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthenticationSnoop</servlet-name>
<url-pattern>/AuthenticationSnoop</url-pattern>
</servlet-mapping>

</web-app>
