Monday, August 6, 2012

Debug Identity Assertion on Weblogic




Identity Assertion Providers
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId7

Enable the DebugSecurityAtn debug flag and the "Redirect stdout logging enabled" option in the Weblogic console, then search the server logs for the user name:


[dave@dave logs]$ grep newuser *
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName    = newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser)> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser) returning null> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <LDAP Atn Login username: newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <userExists? user:newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236873> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=base_domain", "(&(uid=newuser)(objectclass=person))", base DN & below)> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <DN for user newuser: null> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <user does not exist, user:newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236878> <BEA-000000> <javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User newuser does not exist
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName    = newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser> 
AdminServer.log:    Principal: newuser
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236892> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236893> <BEA-000000> <Generated signature and signed WLS principal newuser> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user newuser, Identity=Subject: 3
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and newuser was not previously locked out> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236900> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236901> <BEA-000000> <Validate WLS principal newuser returns true> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:    Principal = weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047  INFO TestSlf4jLogger:53 - Hello World- principalnewuser> 
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048  INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName    = newuser> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName    = newuser> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser> 
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047  INFO TestSlf4jLogger:53 - Hello World- principalnewuser> 
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048  INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]> 
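
The grep output above can be reduced to a per-user timeline of the assertion flow. The following Python script is an added example, not part of the original post: it parses the server-log record layout shown above and flags users that an authenticator reported as nonexistent but whose login still succeeded, as happens for newuser here. The function names, the event labels and the second user alice are constructed for illustration.

```python
import re

FIELDS = ("timestamp", "severity", "subsystem", "machine", "server", "thread",
          "user", "txid", "context", "millis", "msgid", "message")

# Message patterns taken from the SecurityAtn debug lines in the grep output.
EVENTS = (
    ("asserted", re.compile(r"assertIdentity returning (\S+)")),
    ("not_in_ldap", re.compile(r"user does not exist, user:(\S+)")),
    ("login_exception",
     re.compile(r"Identity Assertion Failed: User (\S+) does not exist")),
    ("authenticated", re.compile(r"authenticate succeeded for user ([^,\s]+)")),
)


def parse_record(line):
    """Split one '####<f1> <f2> ...' record into named fields, else None."""
    start = line.find("####<")          # tolerates grep's 'file:' prefix
    if start < 0:
        return None                     # continuation line, e.g. 'Principal: ...'
    body = line[start + 5:].rstrip()
    if body.endswith(">"):              # multi-line messages lack the closing '>'
        body = body[:-1]
    parts = body.split("> <", len(FIELDS) - 1)
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def trace_assertions(lines):
    """Return {user: [event, ...]} in log order for SecurityAtn records."""
    trace = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["subsystem"] != "SecurityAtn":
            continue
        for name, pattern in EVENTS:
            match = pattern.search(rec["message"])
            if match:
                trace.setdefault(match.group(1), []).append(name)
    return trace


def unknown_but_authenticated(trace):
    """Users an authenticator could not find whose login later succeeded."""
    flagged = []
    for user, events in trace.items():
        if "not_in_ldap" in events and "authenticated" in events:
            first_miss = events.index("not_in_ldap")
            last_ok = len(events) - 1 - events[::-1].index("authenticated")
            if last_ok > first_miss:
                flagged.append(user)
    return sorted(flagged)


def make_record(subsystem, message, closed=True, severity="Debug"):
    # Constructed helper: builds a record in the layout of the grep output.
    text = ("AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <%s> <%s> "
            "<dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: "
            "'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> "
            "<1344288236865> <BEA-000000> <%s" % (severity, subsystem, message))
    return text + "> " if closed else text


# Constructed sample: newuser messages follow the post, alice is invented.
SAMPLE = [
    make_record("Stdout", "userName    = newuser", severity="Notice"),
    make_record("SecurityAtn", "com.bea.common.security.internal.service."
                "IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser"),
    make_record("SecurityAtn", "user does not exist, user:newuser"),
    make_record("SecurityAtn", "javax.security.auth.login.LoginException: "
                "[Security:090300]Identity Assertion Failed: "
                "User newuser does not exist", closed=False),
    'AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")',
    make_record("SecurityAtn", "authenticate succeeded for user newuser, "
                "Identity=Subject: 3", closed=False),
    make_record("SecurityAtn", "assertIdentity returning alice"),
    make_record("SecurityAtn", "authenticate succeeded for user alice, "
                "Identity=Subject: 2", closed=False),
]

if __name__ == "__main__":
    result = trace_assertions(SAMPLE)
    for name, steps in result.items():
        print(name, " -> ".join(steps))
    print("review:", unknown_but_authenticated(result))
```

A flagged user is one whose identity was supplied by a provider other than the directory lookup that failed, so the review question is which LoginModule vouched for it and which groups it added to the subject.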


web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
  <display-name>testSLF4JWAR</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <!-- Specifies the security settings for the SamplePerimeterAtn web app.

     This webapp is used to demonstrate how to use identity assertion to
     perform perimeter authentication (where someone outside WLS is
     responsible for authenticating the user).

     Copyright (c) 2005 by BEA Systems, Inc.  All Rights Reserved.
-->

  <security-constraint>

    <!-- all the pages in this webapp are secured -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/</url-pattern>
    </web-resource-collection>

    <!-- only users in the SamplePerimeterAtnRole will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
      <role-name>
        SamplePerimeterAtnRole
      </role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

  </security-constraint>

  <!-- Use weblogic.xml to map the SamplePerimeterAtnRole
       to the SamplePerimeterAtnUsers group. As a result,
       "SamplePerimeterAtnUsers" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>
      SamplePerimeterAtnRole
    </role-name>
  </security-role>    

  <!-- turn on identity assertion

       The webapp only specifies that identity assertion should be
       used.  It does not dictate what kind of tokens to use.  Rather,
       the client and the identity asserter have to agree on the token
       type and format.

       - the client is responsible for sending in a token that identifies the user

       - the identity asserter is responsible for converting that token
         to a user name.

       - the authenticators are responsible for putting that user
         and its groups into the subject

       The realm name is not used so set it to "NoSuchRealm".  It
       has nothing to do with the realm names in the console.

       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>NoSuchRealm</realm-name> 
  </login-config>
  
</web-app>

weblogic.xml


<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">
    <wls:weblogic-version>12.1.1</wls:weblogic-version>
    <wls:context-root>testSLF4JWAR</wls:context-root>
    <wls:container-descriptor>
            <wls:prefer-application-packages>
                <wls:package-name>org.slf4j</wls:package-name>
            </wls:prefer-application-packages>
     </wls:container-descriptor>
     <wls:security-role-assignment>
        <wls:role-name>SamplePerimeterAtnRole</wls:role-name>
        <wls:principal-name>SamplePerimeterAtnUsers</wls:principal-name>
      </wls:security-role-assignment>
</wls:weblogic-web-app>

Friday, August 3, 2012

Configure slf4j with log4j on Weblogic



It is necessary to use a filtering classloader to keep the application from discovering Weblogic's own version of the slf4j jars. With the prefer-application-packages option, the application classloader loads the org.slf4j packages from the application instead of from the Weblogic installation.

Annoying SLF4J problem in Weblogic server 12c http://blog.terrencemiao.com/archives/annoying-slf4j-problem-in-weblogic-server-12c

 prefer-application-packages
Used for filtering ClassLoader configuration. Specifies a list of packages for classes that must always be loaded from the application. http://docs.oracle.com/cd/E24329_01/web.1211/e21049/weblogic_xml.htm#autoId24

Weblogic log without prefer-application-packages, and then after redeploying with the option set in weblogic.xml
Aug 3, 2012 11:20:03 PM dave.TestSlf4jLogger doGet
INFO: Hello World- info
Aug 3, 2012 11:20:04 PM dave.TestSlf4jLogger doGet
INFO: Hello World- info
Aug 3, 2012 11:20:05 PM dave.TestSlf4jLogger doGet
INFO: Hello World- info
Aug 3, 2012 11:20:05 PM dave.TestSlf4jLogger doGet
INFO: Hello World- info
Aug 3, 2012 11:20:05 PM dave.TestSlf4jLogger doGet
INFO: Hello World- info
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/app/weblogic121/modules/org.slf4j.jdk14_1.6.1.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [zip:/home/dave/workspace38/testSLF4JWAR/WebContent/WEB-INF/lib/slf4j-log4j12-1.6.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
log4j: Parsing for [root] with value=[DEBUG, file, stdout].
log4j: Level token is [DEBUG].
log4j: Category root set to DEBUG
log4j: Parsing appender named "file".
log4j: Parsing layout options for "file".
log4j: Setting property [conversionPattern] to [%d{ABSOLUTE} %5p %c{1}:%L - %m%n].
log4j: End of parsing for "file".
log4j: Setting property [file] to [/tmp/testSLF4j.log].
log4j: Setting property [maxBackupIndex] to [1].
log4j: Setting property [maxFileSize] to [1MB].
log4j: setFile called: /tmp/testSLF4j.log, true
log4j: setFile ended
log4j: Parsed "file" options.
log4j: Parsing appender named "stdout".
log4j: Parsing layout options for "stdout".
log4j: Setting property [conversionPattern] to [%d{ABSOLUTE} %5p %c{1}:%L - %m%n].
log4j: End of parsing for "stdout".
log4j: Setting property [target] to [System.out].
log4j: Parsed "stdout" options.
log4j: Finished configuring.
23:23:07,943 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:07,949  INFO TestSlf4jLogger:42 - Hello World- info
23:23:08,590 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:08,592  INFO TestSlf4jLogger:42 - Hello World- info
23:23:09,386 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:09,387  INFO TestSlf4jLogger:42 - Hello World- info

log file created
[dave@dave testSLF4JWAR]$ more /tmp/testSLF4j.log 
23:23:07,943 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:07,949  INFO TestSlf4jLogger:42 - Hello World- info
23:23:08,590 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:08,592  INFO TestSlf4jLogger:42 - Hello World- info
23:23:09,386 DEBUG TestSlf4jLogger:41 - Hello World - debug
23:23:09,387  INFO TestSlf4jLogger:42 - Hello World- info

libraries in project
[dave@dave testSLF4JWAR]$ ls -1 WebContent/WEB-INF/lib/ 
log4j-1.2.16.jar
slf4j-api-1.6.6.jar
slf4j-log4j12-1.6.6.jar


slf4j libraries in Weblogic
[dave@dave testSLF4JWAR]$ find /app/weblogic121/ -name "*slf4j*"
/app/weblogic121/modules/org.slf4j.jdk14_1.6.1.0.jar
/app/weblogic121/modules/org.slf4j.ext_1.6.1.0.jar
/app/weblogic121/modules/org.slf4j.api_1.6.1.0.jar

log4j.properties
log4j.debug=true

# Root logger option
log4j.rootLogger=DEBUG, file, stdout

# Direct log messages to a log file
log4j.appender.file=org.apache.log4j.RollingFileAppender
log4j.appender.file.File=/tmp/testSLF4j.log
log4j.appender.file.MaxFileSize=1MB
log4j.appender.file.MaxBackupIndex=1
log4j.appender.file.layout=org.apache.log4j.PatternLayout
log4j.appender.file.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

# Direct log messages to stdout
log4j.appender.stdout=org.apache.log4j.ConsoleAppender
log4j.appender.stdout.Target=System.out
log4j.appender.stdout.layout=org.apache.log4j.PatternLayout
log4j.appender.stdout.layout.ConversionPattern=%d{ABSOLUTE} %5p %c{1}:%L - %m%n

weblogic.xml
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">
    <wls:weblogic-version>12.1.1</wls:weblogic-version>
    <wls:context-root>testSLF4JWAR</wls:context-root>
    <wls:container-descriptor>
            <wls:prefer-application-packages>
                <wls:package-name>org.slf4j</wls:package-name>
            </wls:prefer-application-packages>
     </wls:container-descriptor>
</wls:weblogic-web-app>
Test servlet
package dave;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;


/**
 * Servlet implementation class TestSlf4jLogger
 */
@WebServlet("/TestSlf4jLogger")
public class TestSlf4jLogger extends HttpServlet {
    private static final long serialVersionUID = 1L;
    
    final Logger logger = LoggerFactory.getLogger(TestSlf4jLogger.class);
            
    /**
     * @see HttpServlet#HttpServlet()
     */
    public TestSlf4jLogger() {
        super();
        // TODO Auto-generated constructor stub
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello World");
        logger.debug("Hello World - debug");
        logger.info("Hello World- info");
        
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // TODO Auto-generated method stub
    }

}

Weblogic log with added ejb module
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/app/weblogic121/modules/org.slf4j.jdk14_1.6.1.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [zip:/home/dave/workspace38/testSLF4jEAR/EarContent/APP-INF/lib/slf4j-log4j12-1.6.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [zip:/home/dave/workspace38/testSLF4JWAR/WebContent/WEB-INF/lib/slf4j-log4j12-1.6.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
log4j: Parsing for [root] with value=[DEBUG, file, stdout].
log4j: Level token is [DEBUG].
log4j: Category root set to DEBUG
log4j: Parsing appender named "file".
log4j: Parsing layout options for "file".
log4j: Setting property [conversionPattern] to [%d{ABSOLUTE} %5p %c{1}:%L - %m%n].
log4j: End of parsing for "file".
log4j: Setting property [file] to [/tmp/testSLF4j.log].
log4j: Setting property [maxBackupIndex] to [1].
log4j: Setting property [maxFileSize] to [1MB].
log4j: setFile called: /tmp/testSLF4j.log, true
log4j: setFile ended
log4j: Parsed "file" options.
log4j: Parsing appender named "stdout".
log4j: Parsing layout options for "stdout".
log4j: Setting property [conversionPattern] to [%d{ABSOLUTE} %5p %c{1}:%L - %m%n].
log4j: End of parsing for "stdout".
log4j: Setting property [target] to [System.out].
log4j: Parsed "stdout" options.
log4j: Finished configuring.
00:07:24,873 DEBUG TestSlf4jLogger:46 - Hello World - debug
00:07:24,928  INFO TestSlf4jLogger:47 - Hello World- info
TestSLF4JService: Hello World
Aug 4, 2012 12:07:25 AM dave.TestSLF4JBean testLogger
INFO: TestSLF4JService: Hello World- info

Weblogic log after adding prefer-application-packages into weblogic-application.xml descriptor
00:14:48,273 DEBUG TestSlf4jLogger:46 - Hello World - debug
00:14:48,277  INFO TestSlf4jLogger:47 - Hello World- info
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/app/weblogic121/modules/org.slf4j.jdk14_1.6.1.0.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [zip:/home/dave/workspace38/testSLF4jEAR/EarContent/APP-INF/lib/slf4j-log4j12-1.6.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
TestSLF4JService: Hello World
00:14:48,297 DEBUG TestSLF4JBean:26 - TestSLF4JService: Hello World - debug
00:14:48,297  INFO TestSLF4JBean:27 - TestSLF4JService: Hello World- info

weblogic-application.xml descriptor
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-application xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-application" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/javaee_5.xsd http://xmlns.oracle.com/weblogic/weblogic-application http://xmlns.oracle.com/weblogic/weblogic-application/1.4/weblogic-application.xsd">
    <!--weblogic-version:12.1.1-->
    <wls:application-param>
        <wls:param-name>webapp.encoding.default</wls:param-name>
        <wls:param-value>UTF-8</wls:param-value>
    </wls:application-param>
    <wls:prefer-application-packages>
        <wls:package-name>org.slf4j</wls:package-name>
    </wls:prefer-application-packages>
</wls:weblogic-application>
EAR content
[dave@dave workspace38]$ ls testSLF4jEAR/EarContent/APP-INF/lib
log4j-1.2.16.jar  slf4j-api-1.6.6.jar  slf4j-log4j12-1.6.6.jar
[dave@dave workspace38]$ ls -1 testSLF4jEAR/EarContent/APP-INF/lib
log4j-1.2.16.jar
slf4j-api-1.6.6.jar
slf4j-log4j12-1.6.6.jar
[dave@dave workspace38]$ ls -1 testSLF4jEAR/EarContent/META-INF
weblogic-application.xml

test Session Bean
package dave;

import javax.ejb.Stateless;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Session Bean implementation class TestSLF4JService
 */
@Stateless
public class TestSLF4JBean implements TestSLF4JService {
    
    final Logger logger = LoggerFactory.getLogger(TestSLF4JBean.class);

    /**
     * Default constructor. 
     */
    public TestSLF4JBean() {
        // TODO Auto-generated constructor stub
    }
    
    public void testLogger(){
        
        System.out.println("TestSLF4JService: Hello World");
        logger.debug("TestSLF4JService: Hello World - debug");
        logger.info("TestSLF4JService: Hello World- info");
        
    }

}

injection of Session Bean in Servlet

    @EJB
    TestSLF4JService service;
    
    
    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse
     *      response)
     */
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println("Hello World");
        logger.debug("Hello World - debug");
        logger.info("Hello World- info");
        
        service.testLogger();
        
    }

Thursday, August 2, 2012

WebLogic X509 Certificate Authentication

Securing Web Applications http://docs.oracle.com/cd/E14571_01/web.1111/e13711/thin_client.htm#i1044688

How to Set Up X509 Certificate Authentication for Oracle WebLogic Server http://www.oracle.com/technetwork/articles/damo-howto-091164.html

Installing and Configuring the Apache HTTP Server Plug-In
http://docs.oracle.com/cd/E14571_01/web.1111/e14395/apache.htm

The certificate is sent by the Weblogic plug-in in the WL-Proxy-Client-Cert HTTP header.

in weblogic.xml
client-cert-proxy-enabled
The element default value is true. When set to true, WebLogic Server passes identity certificates from the clients to the backend servers. Also, WebLogic Server is notified whether to honor or discard the incoming WL-Proxy-Client-Cert header. A proxy-server plugin encodes each identity certification in the WL-Proxy-Client-Cert header and passes it to the backend WebLogic Server instances. Each WebLogic Server instance takes the certificate information from the header, ensures it came from a secure source, and uses that information to authenticate the user. For the background WebLogic Server instances, this parameter must be set to true (either at the cluster/server level or at the Web application level). If you set this element to true, use a weblogic.security.net.ConnectionFilter to ensure that each WebLogic Server instance accepts connections only from the machine on which the proxy-server plugin is running. If you specify true without using a connection filter, a potential security vulnerability is created because the WL-Proxy-Client-Cert header can be spoofed.

web.xml http://docs.oracle.com/cd/E23943_01/web.1111/e13712/web_xml.htm
  
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces Servlet</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>NoSuchRealm</realm-name> 
  </login-config>
  <security-role>
        <role-name>AppUser</role-name>
  </security-role>
  
</web-app>
weblogic.xml http://docs.oracle.com/cd/E14571_01/web.1111/e13712/weblogic_xml.htm

    <wls:security-role-assignment>
        <wls:role-name>AppUser</wls:role-name>
        <wls:principal-name>AppUsers</wls:principal-name>
    </wls:security-role-assignment>
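
The settings discussed in this post can be checked together before deployment. The following Python script is an added example, not part of the original post or of WebLogic: it reads a web.xml and a weblogic.xml and reports CLIENT-CERT login without a required TLS transport, an enabled client-cert-proxy-enabled element (which calls for the connection filter described above), and roles used in auth-constraint that have no security-role-assignment. The finding codes, the function names, the web-app root element wrapped around the fragment and the client-cert-proxy-enabled element in the sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

JEE = "{http://java.sun.com/xml/ns/javaee}"
WLS = "{http://xmlns.oracle.com/weblogic/weblogic-web-app}"


def texts(root, tag):
    """Stripped text of every element with this tag (values may span lines)."""
    return [(e.text or "").strip() for e in root.iter(tag)]


def audit(web_xml, weblogic_xml):
    """Return sorted (code, detail) findings for one web app's descriptors."""
    web, wl = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    findings = []

    if "CLIENT-CERT" in texts(web, JEE + "auth-method"):
        # No constraint at all, or only NONE: the container accepts plain HTTP.
        if set(texts(web, JEE + "transport-guarantee")) <= {"NONE"}:
            findings.append(("TLS_NOT_REQUIRED",
                             "CLIENT-CERT login with transport-guarantee NONE"))

    enabled = [t.lower() for t in texts(wl, WLS + "client-cert-proxy-enabled")]
    if "true" in enabled:
        findings.append(("PROXY_CERT_HEADER_HONOURED",
                         "WL-Proxy-Client-Cert is trusted: restrict connections "
                         "to the proxy host with a ConnectionFilter"))

    required = set()
    for constraint in web.iter(JEE + "auth-constraint"):
        for role in constraint.findall(JEE + "role-name"):
            required.add((role.text or "").strip())
    mapped = set()
    for assignment in wl.iter(WLS + "security-role-assignment"):
        if assignment.find(WLS + "principal-name") is not None:
            mapped.update(texts(assignment, WLS + "role-name"))
    for role in sorted(required - mapped):
        findings.append(("ROLE_NOT_MAPPED", role))
    return sorted(findings)


# Sample input: the web.xml fragment from this post inside a constructed root.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Faces Servlet</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AppUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>NoSuchRealm</realm-name>
  </login-config>
</web-app>"""

NS = 'xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"'
# Role mapping from this post plus a constructed client-cert-proxy-enabled.
WEBLOGIC_XML = """<wls:weblogic-web-app %s>
  <wls:security-role-assignment>
    <wls:role-name>AppUser</wls:role-name>
    <wls:principal-name>AppUsers</wls:principal-name>
  </wls:security-role-assignment>
  <wls:container-descriptor>
    <wls:client-cert-proxy-enabled>true</wls:client-cert-proxy-enabled>
  </wls:container-descriptor>
</wls:weblogic-web-app>""" % NS
# Constructed counter-case: no role mapping and no proxy element.
WEBLOGIC_UNMAPPED = "<wls:weblogic-web-app %s/>" % NS

if __name__ == "__main__":
    for code, detail in audit(WEB_XML, WEBLOGIC_XML):
        print(code, "-", detail)
```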