Debug Identity Assertion on Weblogic
Identity Assertion Providers: http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId7

To see what an identity asserter does with a request, enable the DebugSecurityAtn debug flag and "Redirect stdout logging" for the server in the WebLogic console, then grep the server log and the domain log for the asserted user name. The trace below covers one request end to end: the identity asserter returns the user name, the identity cache misses, the LDAP authenticator cannot find the user and throws [Security:090300] Identity Assertion Failed, a second login module (its System.out lines show up as <Stdout> records) accepts the user, the principal is signed, the JAAS login succeeds, and the application finally sees a Subject whose principals are the user plus the groups SamplePerimeterAtnUsers and DaveUsers.
[dave@dave logs]$ grep newuser *
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName = newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser)>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser) returning null>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <LDAP Atn Login username: newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <userExists? user:newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236873> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=base_domain", "(&(uid=newuser)(objectclass=person))", base DN & below)>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <DN for user newuser: null>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <user does not exist, user:newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236878> <BEA-000000> <javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User newuser does not exist
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName = newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser>
AdminServer.log: Principal: newuser
AdminServer.log: Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236892> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236893> <BEA-000000> <Generated signature and signed WLS principal newuser>
AdminServer.log: Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user newuser, Identity=Subject: 3
AdminServer.log: Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and newuser was not previously locked out>
AdminServer.log: Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236900> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236901> <BEA-000000> <Validate WLS principal newuser returns true>
AdminServer.log: Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log: Principal = weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047 INFO TestSlf4jLogger:53 - Hello World- principalnewuser>
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048 INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]>
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName = newuser>
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName = newuser>
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser>
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047 INFO TestSlf4jLogger:53 - Hello World- principalnewuser>
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048 INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]>
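The trace above is for a single request; on a busy server the same grep returns hundreds of interleaved records. The script below is an added example (mine, not code from the original post) that parses the WebLogic server-log record format and reduces the SecurityAtn output to one verdict per asserted user, flagging exactly the situation shown here: one login module rejected the user, yet the JAAS login succeeded. SAMPLE_LOG is constructed from the log lines above; the function names and the milestone list are this example's own.

```python
"""Summarise a WebLogic identity-assertion trace from SecurityAtn debug output."""
import re

# Server-log record: ####<ts> <sev> <subsystem> <machine> <server> <thread> <user>
# <txid> <diag-ctx> <millis> <msgid> <message>; grep prefixes the file name, and
# continuation lines ("Principal = ...", stack traces) carry no #### marker.
LINE_RE = re.compile(
    r'^(?:(?P<file>[^\s:#]+):)?####'
    r'<(?P<ts>[^>]*)> <(?P<sev>[^>]*)> <(?P<sub>[^>]*)> <(?P<host>[^>]*)> '
    r'<(?P<server>[^>]*)> <(?P<thread>[^>]*)> <(?P<user>(?:<[^>]*>|[^>]*))> '
    r'<(?P<tx>[^>]*)> <(?P<diag>[^>]*)> <(?P<millis>\d+)> <(?P<msgid>[^>]*)> '
    r'<(?P<msg>.*?)>?$')

# Milestones of the flow, matched on the SecurityAtn message text (the last one
# on the sample app's own stdout line); group 1 is always the user name.
U = r'([^\s,]+)'
EVENTS = [
    ('asserted',    re.compile(r'assertIdentity returning ' + U)),
    ('not_in_ldap', re.compile(r'user does not exist, user:' + U)),
    ('rejected',    re.compile(r'Identity Assertion Failed: User ' + U + r' does not exist')),
    ('signed',      re.compile(r'signed WLS principal ' + U)),
    ('login_ok',    re.compile(r'authenticate succeeded for user ' + U)),
    ('groups',      re.compile(r'subject\[([^,\]]+)(?:,\s*([^\]]*))?\]')),
]

def parse_line(line):
    """Return the record's fields as a dict, or None for a non-record line."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['millis'] = int(rec['millis'])
    return rec

def summarize(lines):
    """Map each asserted user to the milestones seen, rejection messages and final
    groups; records land in both server and domain log, so each is counted once."""
    seen, users = set(), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or (rec['millis'], rec['msg']) in seen:
            continue
        seen.add((rec['millis'], rec['msg']))
        for name, pat in EVENTS:
            m = pat.search(rec['msg'])
            if not m:
                continue
            e = users.setdefault(m.group(1), {'steps': [], 'rejections': [], 'groups': []})
            e['steps'].append(name)
            if name == 'rejected':
                e['rejections'].append(rec['msg'])
            elif name == 'groups':
                e['groups'] = [g.strip() for g in (m.group(2) or '').split(',') if g.strip()]
    return users

def findings(users):
    """One verdict per asserted user.  A rejection followed by a successful login
    means a different authenticator admitted the user than the one that threw."""
    out = []
    for user, e in users.items():
        if 'asserted' not in e['steps']:
            continue
        if 'login_ok' not in e['steps']:
            out.append(f"{user}: asserted but no successful login recorded")
        elif e['rejections']:
            out.append(f"{user}: rejected by one login module ({e['rejections'][0]}) "
                       f"but admitted by another; check the realm's provider list and "
                       f"control flags; groups={e['groups']}")
        else:
            out.append(f"{user}: asserted and authenticated; groups={e['groups']}")
    return out

# Constructed sample: records copied from the grep output above, trimmed to the
# milestones, plus one continuation line and the domain-log duplicates.
_HDR = ("####<Aug 6, 2012 11:23:56 PM CEST> <{sev}> <{sub}> <dave> <AdminServer> "
        "<[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> "
        "<<WLS Kernel>> <> <> <{ms}> <BEA-000000> <{msg}>")

def _rec(file, sev, sub, ms, msg):
    return f"{file}:" + _HDR.format(sev=sev, sub=sub, ms=ms, msg=msg)

SAMPLE_LOG = [
    _rec('AdminServer.log', 'Notice', 'Stdout', 1344288236861, 'userName = newuser'),
    _rec('AdminServer.log', 'Debug', 'SecurityAtn', 1344288236865, 'com.bea.common.security.'
         'internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser'),
    _rec('AdminServer.log', 'Debug', 'SecurityAtn', 1344288236874, 'user does not exist, user:newuser'),
    # the exception record continues on following lines, so it has no closing '>'
    _rec('AdminServer.log', 'Debug', 'SecurityAtn', 1344288236878, 'javax.security.auth.login.'
         'LoginException: [Security:090300]Identity Assertion Failed: User newuser does not exist')[:-1],
    'AdminServer.log: Principal: newuser',
    _rec('AdminServer.log', 'Debug', 'SecurityAtn', 1344288236893, 'Generated signature and signed WLS principal newuser'),
    _rec('AdminServer.log', 'Debug', 'SecurityAtn', 1344288236897, 'weblogic.security.service.internal.'
         'WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user newuser, Identity=Subject: 3')[:-1],
    _rec('AdminServer.log', 'Notice', 'Stdout', 1344288237048,
         '23:23:57,048 INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]'),
    _rec('base_domain.log', 'Notice', 'Stdout', 1344288236861, 'userName = newuser'),
    _rec('base_domain.log', 'Notice', 'Stdout', 1344288237048,
         '23:23:57,048 INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]'),
]
```

Run it over real output with findings(summarize(open('AdminServer.log'))), or over the grep output directly, since the parser accepts the optional file-name prefix. The deduplication on (millis, message) matters because Stdout records are written to both the server log and the domain log, as the base_domain.log lines above show; without it every stdout milestone would be counted twice.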
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
<display-name>testSLF4JWAR</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<!-- Specifies the security settings for the SamplePerimeterAtn web app.
This webapp is used to demonstrate how to use identity assertion to
perform perimeter authentication (where someone outside WLS is
responsible for authenticating the user).
Copyright (c) 2005 by BEA Systems, Inc. All Rights Reserved.
-->
<security-constraint>
<!-- all the pages in this webapp are secured: "/*" covers every path,
whereas a bare "/" is the default-servlet mapping and leaves requests
matched by other mappings (for example *.jsp) unconstrained -->
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<!-- only users in the SamplePerimeterAtnRole will
be granted access to the pages in this webapp
-->
<auth-constraint>
<role-name>SamplePerimeterAtnRole</role-name>
</auth-constraint>
<!-- NONE is acceptable for a local sample; in a real deployment the
identity token the client sends is a bearer credential, so require
CONFIDENTIAL (TLS) here -->
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<!-- Use weblogic.xml to map the SamplePerimeterAtnRole
to the SamplePerimeterAtnUsers group. As a result,
"SamplePerimeterAtnUsers" will be granted the role
for this webapp (thus be able to access its pages)
-->
<security-role>
<role-name>SamplePerimeterAtnRole</role-name>
</security-role>
<!-- turn on identity assertion
The webapp only specifies that identity assertion should be
used. It does not dictate what kind of tokens to use. Rather,
the client and the identity asserter have to agree on the token
type and format.
- the client is responsible for sending in a token that identifies the user
- the identity asserter is responsible for converting that token
to a user name.
- the authenticators are responsible for putting that user
and its groups into the subject
The realm name is not used so set it to "NoSuchRealm". It
has nothing to do with the realm names in the console.
Set the auth method to CLIENT-CERT to turn on identity
assertion for this webapp.
-->
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>NoSuchRealm</realm-name>
</login-config>
</web-app>
weblogic.xml
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">
<wls:weblogic-version>12.1.1</wls:weblogic-version>
<wls:context-root>testSLF4JWAR</wls:context-root>
<wls:container-descriptor>
<wls:prefer-application-packages>
<wls:package-name>org.slf4j</wls:package-name>
</wls:prefer-application-packages>
</wls:container-descriptor>
<!-- maps the role declared in web.xml to the group the authenticators
put into the subject (see the subject[...] line in the trace above) -->
<wls:security-role-assignment>
<wls:role-name>SamplePerimeterAtnRole</wls:role-name>
<wls:principal-name>SamplePerimeterAtnUsers</wls:principal-name>
</wls:security-role-assignment>
</wls:weblogic-web-app>