Sunday, October 9, 2011

Weblogic Custom Role Mapping Provider

Developing Security Providers for Oracle WebLogic Server 11g Release 1 (10.3.3)
Role Mapping Providers
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13718/rm.htm

The sample security providers (available at https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224 on the Oracle Technology Network Web site)

Build process for Identity Asserter
http://weblogic-wonders.com/weblogic/2010/03/15/custom-identity-asserter-for-weblogic-server/


Build process for Role Mapping Provider
- download Weblogic Sample Security Providers
- unzip SampleSecurityProviders91
- set WLS environment
. /app/wlserver_10.3/server/bin/setWLSEnv.sh 

- create ant build script build.xml
- copy commo.dtd to build dir
 find /app/wlserver_10.3/ commo.dtd 
cp /app/wlserver_10.3/server/lib/commo.dtd .

- run ant
- copy created jar to $WL_HOME/server/lib/mbeantypes
cp SimpleSampleRoleMapper.jar /usr/app/wlserver_10.3/server/lib/mbeantypes/

- restart server
- create new Role Mapper using WLS console


Configure new Role Mapper



Files in build dir

build.xml  
SimpleSampleRoleMapper.jar
SimpleSampleRoleMapper.xml
commo.dtd
SimpleSampleRoleMapperDatabase.java
SimpleSampleSecurityRoleImpl.java


build.xml
<project name="Expenselink Build" default="all" basedir=".">
<property name="fileDir" value="test" />

<target name="all" depends="build"/>

<target name="build" depends="clean,build.mdf,build.mjf"/>

<target name="clean">
<delete dir="${fileDir}" failonerror="false"/>
<delete file="SimpleSampleRoleMapper.jar" failonerror="false"/>
<echo message="Clean finish" />
</target>

<!-- helper to build an MDF (mbean definition file) -->
<target name="build.mdf">
<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-files ${fileDir}" />
<arg value="-createStubs" />
<arg line="-MDF SimpleSampleRoleMapper.xml" />
</java>
<echo message="Created Supporting Classes" />
</target>

<target name="build.mjf">

<copy todir="${fileDir}" flatten="true">
<fileset dir=".">
<include name="*.java" />
</fileset>
</copy>

<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-MJF SimpleSampleRoleMapper.jar" />
<arg line="-files ${fileDir}" />
</java>
<echo message="Created Mbean Jar" />
</target>

</project>



AdminServer log - IdentityAsserter and RoleMapper
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@9a9036
userName = dave
SimpleSampleRoleMapperProviderImpl.getRoles
subject = Subject:
Principal: dave
Principal: DaveGroup
Private Credential: dave

resource = type=<url>, application=_auto_generated_ear_, contextPath=/daveWeb, uri=/AuthenticationSnoop, httpMethod=GET
roles = {Anonymous=Anonymous, DaveRole=DaveRole}
SimpleSampleRoleMapperProviderImpl.getRoles
subject = Subject:
Principal: dave
Principal: DaveGroup
Private Credential: dave

resource = type=<url>, application=_auto_generated_ear_, contextPath=/daveWeb, uri=/
roles = {Anonymous=Anonymous, DaveRole=DaveRole}



DaveRole in Weblogic LDAP - using JXplorer LDAP browser

Weblogic Embedded LDAP

Configuration steps for LDAP connection to Weblogic domain
http://weblogic-wonders.com/weblogic/2010/05/20/connecting-to-weblogic-server-embedded-ldap-using-ldap-browser/

Download LDAP browser
http://jxplorer.org/

DaveGroup
DaveGroup
ldap:///ou=people,ou=myrealm,dc=base_domain??sub?(&(objectclass=person)(wlsMemberOf=cn=DaveGroup,ou=groups,ou=myrealm,dc=base_domain))



dave
dave user
cn=DaveGroup,ou=groups,ou=myrealm,dc=base_domain


DaveRole

Saturday, October 8, 2011

Weblogic Custom Identity Asserter

JAAS Authentication Tutorial
http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnOnly.html

JAAS Authorization Tutorial
http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/tutorials/GeneralAcnAndAzn.html

JavaTM Authentication and Authorization Service (JAAS)
LoginModule Developer's Guide
http://download.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html




This describes how to add Identity Asserter into Weblogic.
This is needed when identity of user is authenticated at external component. User id is provided as token in HTTP header of request.

Code is taken from Weblogic samples
code-sample ID S224: Sample Security Providers for WLS 9.1
https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224

The same code is described in WLS documentation here
Developing Security Providers for Oracle WebLogic Server 11g Release 1 (10.3.3)
Identity Assertion Providers
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13718/ia.htm#i1176936
http://download.oracle.com/docs/cd/E14571_01/web.1111/e13718/ia.htm#i1176936

O'Reilly Book Excerpts: WebLogic: The Definitive Guide
Java and Security, Part 2
http://onjava.com/pub/a/onjava/excerpt/weblogic_chap17/index1.html?page=1

Build process is decribed here
Custom Identity Asserter for Weblogic Server
http://weblogic-wonders.com/weblogic/2010/03/15/custom-identity-asserter-for-weblogic-server

http://java4pro.typepad.com/enterprise_solution_in_ja/2007/10/jaas-implementa.html

Identity Asserter is created as Weblogic MBean.
<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<!-- MBean Definition File (MDF) for the Simple Sample Identity Asserter.

Copyright (c) 2002 by BEA Systems, Inc. All Rights Reserved.
-->

<!-- Declare your mbean.

Since it is for an identity asserter, it must extend the
weblogic.management.security.authentication.IdentityAsserter mbean.

The Name and DisplayName must be the same.
They specify the name that will appear on the
console for this provider.

Set the PeristPolicy to "OnUpdate" so that if an attribute
value is changed, the new value is written to disk immediately.
See the "Developing Security Services" manual for more info.

Note that since this is an xml document, you can't use double
quotes directly. Instead you need to use &quot;

Note that setting "Writeable" to "false" on an attribute
makes the attribute read-only. The default is read-write.
-->

<MBeanType
Name = "SimpleSampleIdentityAsserter"
DisplayName = "SimpleSampleIdentityAsserter"
Package = "examples.security.providers.identityassertion.simple"
Extends = "weblogic.management.security.authentication.IdentityAsserter"
PersistPolicy = "OnUpdate"
>

<!-- You must set the value of the ProviderClassName attribute
(inherited from the weblogic.management.security.Provider mbean)
to the name of the java class you wrote that implements the
weblogic.security.spi.AuthenticationProvider interface.

You can think of the provider's mbean as the factory
for your provider's runtime implementation.
-->
<MBeanAttribute
Name = "ProviderClassName"
Type = "java.lang.String"
Writeable = "false"
Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
Default = "&quot;examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl&quot;"
/>

<!-- You must set the value of the Description attribute
(inherited from the weblogic.management.security.Provider mbean)
to a brief description of your provider.
It is displayed in the console.
-->
<MBeanAttribute
Name = "Description"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;WebLogic Simple Sample Identity Asserter Provider&quot;"
/>

<!-- You must set the value of the Version attribute
(inherited from the weblogic.management.security.Provider mbean)
to your provider's version. There is no required format.
-->
<MBeanAttribute
Name = "Version"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;1.0&quot;"
/>

<!-- You must set the value of the SupportedTypes attribute
(inherited from the
weblogic.management.security.authentication.IdentityAsserter mbean)
to the list of token types that your identity asserter supports.

Whoever is initiating the identity assertion (eg. a client sending
a perimeter authentication token via an HTTP request header), must
use the same token type.
-->
<MBeanAttribute
Name = "SupportedTypes"
Type = "java.lang.String[]"
Writeable = "false"
Default = "new String[] { &quot;SamplePerimeterAtnToken&quot; }"
/>
<!-- The ActiveTypes attribute (a settable attribute inherited from the
weblogic.management.security.authentication.IdentityAsserter mbean)
contains the subset of your mbean's SupportedTypes that are active
in the realm.

Which way you should default the active types attribute depends
on your token types. The basic rule is that for any token
type, there must only be one identity asserter in the realm with
that token type as an active type. In short, you can only have
one identity asserter turned on for a given type.

If your token types are commonly implemented by other identity
asserters (eg. X509 certificates), then you should not set them
as default active types. Otherwise, it would be very easy for
an administrator to configure an invalid realm where more than
one identity asserter has the same type turned on. Best
practice is that all the identity asserters turn off the type
by default then the administrator manually turns on the
type in one of the identity asserters that support it.
Look at the weblogic.security.spi.IdentityAsserter javadoc
for some standard token types.

On the other hand, if you have a custom token type that no
other identity asserter will ever implement, you may default the
active types attribute to include your token type. If you do,
then the adminstrator doesn't have to manually turn on your token
type.

Since the simple sample identity asserter's token type is very specific
to the sample (instead of a common type like X509), turn on the
token type by default.
-->
<MBeanAttribute
Name = "ActiveTypes"
Type = "java.lang.String[]"
Default = "new String[] { &quot;SamplePerimeterAtnToken&quot; }"
/>

<!-- Add any custom attributes for your provider here.

The simple sample identity asserter does not have any custom attributes.

Note: custom attributes do not appear in the
console in WLS 7.0. Use the admin command line tool
(java weblogic.Admin) to view and set their values.

Refer to the "Developing Security Services" manual
for more info on defining custom attributes.
-->

</MBeanType>



Implementation of Identity Asserter
package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

/**
* The simple sample identity asserter's runtime implementation.
*
* It looks for tokens of type "SamplePerimeterAtnToken"
* whose matching token is an array of bytes containing a
* string in the form "username=someusername".
*
* It extracts the username from the token and stores it
* in a SimpleSampleCallbackHandlerImpl. This is returned to the
* security framework who hands it to the authenticators'
* login modules. The login modules can use a NameCallback
* to retrieve the user name from the simple sample identity
* asserter's callback handler.
*
* Since it is an identity asserter, it must implement
* the weblogic.security.spi.AuthenticationProvider and
* the weblogic.security.spi.IdentityAsserter interfaces.
*
* It can either implement two classes, and use the
* provider implementation as the factory as the
* factory for the identity asserter, or it can implement
* both interfaces in one class. The simple sample identity
* asserter implments both interfaces in one class.
*
* Note: The simple sample identity asserter's mbean's ProviderClassName
* attribute must be set the the name of this class.
*
* @author Copyright (c) 2002 by BEA Systems. All Rights Reserved.
*/
public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
final static private String TOKEN_TYPE = "SamplePerimeterAtnToken"; // the kind of token's we handle
final static private String TOKEN_PREFIX = "username="; // the token contains a string in the form "username=someusername"

private String description; // a description of this provider

/**
* Initialize the simple sample identity asserter.
*
* @param mbean A ProviderMBean that holds the simple sample identity asserter's
* configuration data. This mbean must be an instance of the simple sample
* identity asserter's mbean.
*
* @param services The SecurityServices gives access to the auditor
* so that the provider can to post audit events.
* The simple sample role mapper doesn't use this parameter.
*
* @see SecurityProvider
*/
public void initialize(ProviderMBean mbean, SecurityServices services)
{
System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean)mbean;
description = myMBean.getDescription() + "\n" + myMBean.getVersion();
}

/**
* Get the simple sample identity asserter's description.
*
* @return A String containing a brief description of the simple sample identity asserter.
*
* @see SecurityProvider
*/
public String getDescription()
{
return description;
}

/**
* Shutdown the simple sample identity asserter.
*
* A no-op.
*
* @see SecurityProvider
*/
public void shutdown()
{
System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
}

/**
* Gets the simple sample identity assertion provider's identity asserter object.
*
* @return The simple sample identity assertion provider's IdentityAsserter object.
*
* @see AuthenticationProvider
*/
public IdentityAsserterV2 getIdentityAsserter()
{
return this;
}

/**
* Assert identity given a token that identifies the user.
*
* @param type A String containing the token type. The simple sample identity
* asserter only supports tokens of type "SamplePerimeterAtnToken".
* Also, the simple sample identity asserter's mbean's "ActiveTypes" attribute
* must be set to "SamplePerimeterAtnToken" (which is done by default
* when the mbean is created).
*
* @param token An Object containing the token that identifies the user.
* The simple sample identity asserter's token must be an array of bytes
* containing a String of the form "username=someusername".
*
* @param handler A ContextHandler object that can optionally
* be used to obtain additional information that may be used in
* asserting the identity. If the caller is unable to provide additional
* information, a null value should be specified. This sample
* ignores the handler.
*
* While, for simplicity, this sample does not validate the
* contents of the token, identity asserters typically should do
* this (to prevent someone from forging a token). For
* example, when using Kerberos, the token may be generated
* and "signed" by a Kerberos server and the identity asserter
* hands the token back to the Kerberos server to get it
* validated. Another example: when asserting identity from
* X509 certificates, then identity asserter should validate the
* certificate - that it hasn't been tampered, that it's been
* signed by a trusted CA, that it hasn't expired or revoked, etc.
*
* @return a CallbackHandler that stores the username from the token.
* The username can only be retrieved from the callback handler by
* passing in a NameCallback. The sample returns an instance of
* its CallbackHandler implementation (SimpleSampleCallbackHandlerImpl).
*
* @throws IdentityAssertionException if another token type is passed
* in or the token doesn't have the correct form.
*/
public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws IdentityAssertionException
{
System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
System.out.println("\tType\t\t= " + type);
System.out.println("\tToken\t\t= " + token);

// check the token type
if (!(TOKEN_TYPE.equals(type))) {
String error =
"SimpleSampleIdentityAsserter received unknown token type \"" + type + "\"." +
" Expected " + TOKEN_TYPE;
System.out.println("\tError: " + error);
throw new IdentityAssertionException(error);
}

// make sure the token is an array of bytes
if (!(token instanceof byte[])) {
String error =
"SimpleSampleIdentityAsserter received unknown token class \"" + token.getClass() + "\"." +
" Expected a byte[].";
System.out.println("\tError: " + error);
throw new IdentityAssertionException(error);
}

// convert the array of bytes to a string
byte[] tokenBytes = (byte[])token;
if (tokenBytes == null || tokenBytes.length < 1) {
String error =
"SimpleSampleIdentityAsserter received empty token byte array";
System.out.println("\tError: " + error);
throw new IdentityAssertionException(error);
}

String tokenStr = new String(tokenBytes);

// make sure the string contains "username=someusername
if (!(tokenStr.startsWith(TOKEN_PREFIX))) {
String error =
"SimpleSampleIdentityAsserter received unknown token string \"" + type + "\"." +
" Expected " + TOKEN_PREFIX + "username";
System.out.println("\tError: " + error);
throw new IdentityAssertionException(error);
}

// extract the username from the token
String userName = tokenStr.substring(TOKEN_PREFIX.length());
System.out.println("\tuserName\t= " + userName);

// store it in a callback handler that authenticators can use
// to retrieve the username.
return new SimpleSampleCallbackHandlerImpl(userName);
}

/**
* Return how to call the login module to perform authentication.
*
* @return A null AppConfigurationEntry since the simple sample identity
* asserter is not an authenticator (thus doesn't have a login module).
*/
public AppConfigurationEntry getLoginModuleConfiguration()
{
return null;
}

/**
* Return how to call the login module to complete identity
* assertion (where the identity asserter finds the user name
* and the authenticator puts the user and its groups into the
* subject).
*
* @return A null AppConfigurationEntry since the simple sample identity
* asserter is not an authenticator (thus doesn't have a login module).
*/
public AppConfigurationEntry getAssertionModuleConfiguration()
{
return null;
}

/**
* Return an object that can validate principals (eg. users
* and groups) that this provider puts into the subject.
*
* @return A null PrincipalValidator since the simple sample identity asserter
* is not an authenticator (thus doesn't put principals into the subject).
*/
public PrincipalValidator getPrincipalValidator()
{
return null;
}
}



Implementation of Callback Handler - this is called by LoginModule to obtain username
Callback is registed when LoginModule is created
package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

/**
* The simple sample identity asserter's implementation of the
* CallbackHandler interface.
*
* It is used to make the name of the user from the identity
* assertion token available to the authenticators (who, in
* turn, will populate the subject with the user and the user's
* groups).
*
* This class is internal to the simple sample identity asserter.
* It is not a public class.
*
* @author Copyright (c) 2002 by BEA Systems. All Rights Reserved.
*/
/*package*/ class SimpleSampleCallbackHandlerImpl implements CallbackHandler
{
private String userName; // the name of the user from the identity assertion token

/**
* Create a callback handler that stores the user name.
*
* @param user A String containing the name of the user
* from the identity assertion token
*/
/*package*/ SimpleSampleCallbackHandlerImpl(String user)
{
userName = user;
}

/**
* Used by the authenticators' login modules to get the user name
* that the identity asserter extracted from the identity assertion token.
* This name can only be retrieved via a NameCallback.
*
* @param callbacks An array of Callback objects indicating what data
* the login module is trying to extract from this callback handler.
* It must only contain NameCallbacks.
*
* @exception UnsupportedCallbackException thrown if any of the callbacks
* aren't NameCallbacks.
*
* @see CallbackHandler
*/
public void handle(Callback[] callbacks) throws UnsupportedCallbackException
{
// loop over the callbacks
for (int i = 0; i < callbacks.length; i++) {

Callback callback = callbacks[i];

// we only handle NameCallbacks
if (!(callback instanceof NameCallback)) {
throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
}

// send the user name to the name callback:
NameCallback nameCallback = (NameCallback)callback;
nameCallback.setName(userName);
}
}
}



ant build script used to create jar file which has to be copied into $WL_HOME/server/lib/mbeantypes
<project name="Expenselink Build" default="all" basedir=".">
<property name="fileDir" value="test" />

<target name="all" depends="build"/>

<target name="build" depends="clean,build.mdf,build.mjf"/>

<target name="clean">
<delete dir="${fileDir}" failonerror="false"/>
<delete file="SimpleSampleIdentityAsserter.jar" failonerror="false"/>
<echo message="Clean finish" />
</target>

<!-- helper to build an MDF (mbean definition file) -->
<target name="build.mdf">
<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-files ${fileDir}" />
<arg value="-createStubs" />
<arg line="-MDF SimpleSampleIdentityAsserter.xml" />
</java>
<echo message="Created Supporting Classes" />
</target>

<target name="build.mjf">

<copy todir="${fileDir}" flatten="true">
<fileset dir=".">
<include name="*.java" />
</fileset>
</copy>

<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-MJF SimpleSampleIdentityAsserter.jar" />
<arg line="-files ${fileDir}" />
</java>
<echo message="Created Mbean Jar" />
</target>

</project>


Copy SimpleSampleIdentityAsserter.jar to WLS home

[dave@dave simple]$ cp  SimpleSampleIdentityAsserter.jar /app/weblogic121/wlserver_12.1/server/lib/mbeantypes/
[dave@dave simple]$



New Identity Asserter must be defined using WLS console in Security Realms/myrealm/Providers/Authentication/


Detail of new Identity Asserter



Client which adds username=dave into HTTP header of request
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import weblogic.utils.encoders.BASE64Encoder;

/**
* This class is a java program that is used to demonstrate
* perimeter authentication / identity assertion.
*
* Normally, the authenticators configured in WLS are
* responsible for authenticating users (eg. checking
* a password). If the user can be authenticated, then
* the authenticators put the user, and the user's groups,
* into the subject. The subject is used later on for
* access checks (authorization).
*
* When using perimeter authentication, someone calling
* WLS is responsible for authenticating the users. A
* token, containing info that identifies the user, is passed
* into WLS. The identity asserter extracts the user name from
* the token and makes it available to the authenticators.
* The authenticators, instead of authenticating the user,
* directly put the user and the user's groups, into the
* subject. Again, the subject is user later on for
* access checks (authorization).
*
* The perimeter authentication sample has the following parts:
*
* - A webapp that has a jsp which requires identity assertion.
* its pages can only be accessed by users or groups whose name
* is "SamplePerimterAtnUsers". The relative URL of this jsp
* to where WLS is running is
* "SamplePerimeterAtnWebApp/SamplePerimeterAtn.jsp".
*
* - A sample identity asserter who handles tokens whose
* type is "SamplePerimterAtnToken". The tokens are arrays
* of bytes containing a string in the form "username=someusername".
*
* - A sample authenticator that automatically creates a group
* named "SamplePerimeterAtnUsers" and the users
* "SamplePerimeterAtnUser1" (who is a member is
* "SamplePerimeterAtnUsers") and "SamplePerimeterAtnUser2"
* (who is not a member of "SamplerPerimeterAtnUsers").
*
* - This client that takes the WLS URL (eg. http://localhost:7001)
* and a user name (eg. SamplePerimeterAtnUser1) on the command line.
* The client addes "SamplePerimeterAtnWebApp/SamplePerimeterAtn.jsp"
* to the WLS URL to get the URL of the sample perimter atn jsp.
*
* This client creates a SamplePerimterAtnToken that contains the
* user name, puts the token in to a HTTP request header, then sends
* a HTTP GET request to the jsp. If the user is a member of the
* SamplePerimeterAtnUsers group, then access is granted to the
* page and its contents are returned. If not, access is denied
* and this client gets a 401 error. When access is granted, the
* jsp prints the subject (that contains the user name and the
* user's groups) into the page it returns and the client prints
* it out.
*
* @author Copyright (c) 2002 by BEA Systems. All Rights Reserved.
*/
public class SamplePerimeterAtnClient
{
// constants for the token type and format.
// must match the kind of tokens the sample identity asserter uses
final static private String TOKEN_TYPE = "SamplePerimeterAtnToken";
final static private String TOKEN_PREFIX = "username=";

/**
* runs the sample perimeter atn client.
*
* @param an array of String that contains the command line
* args sent to this program. It must have exactly two entries.
* The first is the base WLS URL and the second is the user name.
*
* @throws Exception if any errors occur.
*/
public static void main(String[] args) throws Exception
{
// syntax check:
if (args.length != 2) {
System.out.println("Syntax: java SamplePerimeterAtnClient wls_url (eg. http://localhost:7001) username");
System.exit(1);
return;
}

// get the base url and the user name from the command line args
URL base = new URL(args[0]);
String username = args[1];

System.out.println("------------------------------------------------------------");
System.out.println("Testing " + username);
System.out.println("------------------------------------------------------------");

// make the identity assertion token
String token = TOKEN_PREFIX + username;

// base 64 encode it. The webapp container (that is, internal WLS code) will
// base 64 decode the token. The decoded string will be passed to the
// sample identity asserter as an array of bytes.
BASE64Encoder encoder = new BASE64Encoder();
String encodedToken = encoder.encodeBuffer(token.getBytes());

// connect to the SamplePerimeterAtn jsp
URL url = new URL(base, "daveWeb/dave.jsp");
URLConnection connection = url.openConnection();

// put the identity assertion token into the HTTP header
connection.setRequestProperty(TOKEN_TYPE, encodedToken);

// Print out the returned page
BufferedReader in =
new BufferedReader(new InputStreamReader(connection.getInputStream()));

String inputLine;
while ((inputLine = in.readLine()) != null) {
System.out.println(inputLine);
}
in.close();

// connect to the SamplePerimeterAtn jsp
url = new URL(base, "daveWeb/AuthenticationSnoop");
connection = url.openConnection();

// put the identity assertion token into the HTTP header
connection.setRequestProperty(TOKEN_TYPE, encodedToken);

// Print out the returned page
in =
new BufferedReader(new InputStreamReader(connection.getInputStream()));

while ((inputLine = in.readLine()) != null) {
System.out.println(inputLine);
}
in.close();
}
}



Web application descriptors with added security definition
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5">
<display-name>daveWeb</display-name>
<welcome-file-list>
<welcome-file>index.html</welcome-file>
<welcome-file>index.htm</welcome-file>
<welcome-file>index.jsp</welcome-file>
<welcome-file>default.html</welcome-file>
<welcome-file>default.htm</welcome-file>
<welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>SecuredPages</web-resource-name>
<url-pattern>/</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>&#xA; DaveRole&#xA; </role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<role-name>
DaveRole
</role-name>
</security-role>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>NoSuchRealm</realm-name>
</login-config>
<servlet>
<description></description>
<display-name>AuthenticationSnoop</display-name>
<servlet-name>AuthenticationSnoop</servlet-name>
<servlet-class>dave.AuthenticationSnoop</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthenticationSnoop</servlet-name>
<url-pattern>/AuthenticationSnoop</url-pattern>
</servlet-mapping>
</web-app>


weblogic.xml
<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.2/weblogic-web-app.xsd">
<wls:weblogic-version>10.3.4</wls:weblogic-version>
<wls:context-root>daveWeb</wls:context-root>
<wls:security-role-assignment>
<wls:role-name>DaveRole</wls:role-name>
<wls:principal-name>dave</wls:principal-name>
</wls:security-role-assignment>
</wls:weblogic-web-app>




- contains only jsp page and servlet to show user principal
<%@ page language="java" contentType="text/html; charset=UTF-8"
pageEncoding="UTF-8"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Dave</title>
</head>
<body>
<%= weblogic.security.Security.getCurrentSubject() %>
</body>
</html>


package dave;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
* Servlet implementation class AuthenticationSnoop
*/
public class AuthenticationSnoop extends HttpServlet {
private static final long serialVersionUID = 1L;

/**
* @see HttpServlet#HttpServlet()
*/
public AuthenticationSnoop() {
super();
// TODO Auto-generated constructor stub
}

/**
* @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
*/
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
res.setContentType("text/html");
PrintWriter out = res.getWriter();

out.println("<HTML><BODY>");

out.println("<H1>This is a password protected resource</H1>");
out.println("<PRE>");
out.println("User Name: " + req.getRemoteUser());
String name = (req.getUserPrincipal() == null) ? null : req
.getUserPrincipal().getName();
out.println("Principal Name: " + name);
out.println("Authentication Type: " + req.getAuthType());
out.println("Is a Manager: " + req.isUserInRole("manager"));
out.println("</PRE>");
out.println("</BODY></HTML>");
}

/**
* @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
*/
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// TODO Auto-generated method stub
}

}





AdminServer log
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@34c31
userName = dave
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@1d26b41
userName = dave