Monday, August 6, 2012

Debug Identity Assertion on Weblogic

Identity Assertion Providers
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId7

Setup: in the WebLogic console, enable the DebugSecurityAtn flag on the server (Debug tab, weblogic > security > atn > DebugSecurityAtn) and turn on "Redirect stdout logging enabled" (Logging > Advanced), so that both the SecurityAtn trace and the application's System.out output are written to the server log. The same flag can be set at startup with -Dweblogic.debug.DebugSecurityAtn=true. If the <Debug> records do not show up, check that the log file severity threshold (also under Logging > Advanced) admits Debug messages.

Reading the trace below: the identity asserter maps the incoming token to the user name newuser (assertIdentity returning newuser). The embedded LDAP authenticator then searches ou=people,ou=myrealm,dc=base_domain for that uid, finds no entry and fails with [Security:090300]Identity Assertion Failed: User newuser does not exist. The login still succeeds because a further login module in the realm (the one writing the LoginModule: / login: lines to stdout) accepts the asserted name and adds the WLSUserImpl principal newuser together with the groups SamplePerimeterAtnUsers and DaveUsers, which is what the TestSlf4jLogger lines from the test webapp print afterwards. The identity asserter only turns the token into a name; whether a name that one authenticator cannot find still ends up with a signed subject is decided by the JAAS control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL) of the authentication providers in the realm and by what the accepting login module actually verifies before it adds the principal, so that is where to look if the outcome is not the one intended.

Output of a request as newuser, grepped from the server's logs directory:

[dave@dave logs]$ grep newuser *
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName    = newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser)> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityCacheServiceImpl.getCachedIdentity(newuser) returning null> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <com.bea.common.security.internal.service.CallbackHandlerWrapper.handle got username from callbacks[0], UserName=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <LDAP Atn Login username: newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236872> <BEA-000000> <userExists? user:newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236873> <BEA-000000> <getDNForUser search("ou=people,ou=myrealm,dc=base_domain", "(&(uid=newuser)(objectclass=person))", base DN & below)> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <DN for user newuser: null> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <user does not exist, user:newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236878> <BEA-000000> <javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User newuser does not exist
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName    = newuser>
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser> 
AdminServer.log:    Principal: newuser
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236892> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.sign(Principal) Principal=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236893> <BEA-000000> <Generated signature and signed WLS principal newuser> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user newuser, Identity=Subject: 3
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and newuser was not previously locked out> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236900> <BEA-000000> <com.bea.common.security.internal.service.PrincipalValidationServiceImpl.validate(Principal) Principal=newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236901> <BEA-000000> <Validate WLS principal newuser returns true> 
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:    Principal = weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047  INFO TestSlf4jLogger:53 - Hello World- principalnewuser> 
AdminServer.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048  INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName    = newuser> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236887> <BEA-000000> <LoginModule: getUserName userName    = newuser> 
base_domain.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236888> <BEA-000000> <login: userName=newuser> 
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237047> <BEA-000000> <23:23:57,047  INFO TestSlf4jLogger:53 - Hello World- principalnewuser> 
base_domain.log:####<Aug 6, 2012 11:23:57 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288237048> <BEA-000000> <23:23:57,048  INFO TestSlf4jLogger:57 - Hello World- subject[newuser, SamplePerimeterAtnUsers, DaveUsers]> 
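Grepping for the user name shows the lines, but it does not tell you at a glance which provider rejected the asserted identity and whether the login nevertheless went through. The following script is an added example, not code from the original post or from WebLogic: it parses the ####<...> <...> record format of AdminServer.log (including the nested <<WLS Kernel>> field, the optional "file:" prefix that grep adds, and records whose message continues on the next lines) and reduces the SecurityAtn trace for one user to the asserted name, the [Security:NNNNNN] failures, and the final outcome. SAMPLE_LOG is constructed, abridged from the trace above.

```python
"""Trace a WebLogic identity-assertion login in AdminServer.log.

Added example, not code from the original post or from WebLogic: a parser
for the ####<...> <...> ... record format of the server log and a
summariser for the SecurityAtn trace of one user. SAMPLE_LOG is
constructed, abridged from the trace in the post.
"""
import re
from typing import Dict, List, Optional, Tuple

# the eleven bracketed fields that precede the message in a WLS log record
FIELDS = ("timestamp", "severity", "subsystem", "machine", "server",
          "thread", "user", "txid", "ctxid", "millis", "msgid")

ASSERTED = re.compile(r"assertIdentity returning (\S+)")
FAILED = re.compile(r"\[Security:(\d+)\](.*)")
SUCCEEDED = re.compile(r"authenticate succeeded for user (\S+)")

# constructed sample, abridged from the trace above; line 3 and line 5 have
# no closing '>' because their message continues on the following lines
SAMPLE_LOG = """\
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Notice> <Stdout> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236861> <BEA-000000> <userName    = newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236865> <BEA-000000> <com.bea.common.security.internal.service.IdentityAssertionCallbackServiceImpl.assertIdentity returning newuser> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236874> <BEA-000000> <DN for user newuser: null> 
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236878> <BEA-000000> <javax.security.auth.login.LoginException: [Security:090300]Identity Assertion Failed: User newuser does not exist
AdminServer.log:    Principal = class weblogic.security.principal.WLSUserImpl("newuser")
AdminServer.log:####<Aug 6, 2012 11:23:56 PM CEST> <Debug> <SecurityAtn> <dave> <AdminServer> <[ACTIVE] ExecuteThread: '6' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1344288236897> <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user newuser, Identity=Subject: 3
"""


def _read_field(text: str, pos: int) -> Tuple[Optional[str], int]:
    """Read one <...> field at text[pos]; nested brackets such as
    <<WLS Kernel>> are kept intact. Returns (value, position after '>')."""
    if pos >= len(text) or text[pos] != "<":
        return None, pos
    depth = 0
    for i in range(pos, len(text)):
        if text[i] == "<":
            depth += 1
        elif text[i] == ">":
            depth -= 1
            if depth == 0:
                return text[pos + 1:i], i + 1
    return None, pos


def parse_wls_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one record line. Continuation lines (stack traces, the
    'Principal = ...' dumps) carry no '####' prefix and yield None.
    A 'file:' prefix, as grep adds when run over several logs, is optional."""
    m = re.match(r"^(?:([^:\s]+):)?####(?=<)", line)
    if not m:
        return None
    rec = {"file": m.group(1) or ""}
    pos = m.end()
    for name in FIELDS:
        value, pos = _read_field(line, pos)
        if value is None:
            return None
        rec[name] = value
        if pos < len(line) and line[pos] == " ":
            pos += 1
    # the message is whatever remains; it lacks the closing '>' when the
    # record continues on the next lines
    rest = line[pos:].rstrip()
    if rest.startswith("<"):
        rest = rest[1:]
    if rest.endswith(">"):
        rest = rest[:-1]
    rec["message"] = rest
    return rec


def trace_user(lines: List[str], user: str) -> List[Dict[str, str]]:
    """Parsed records whose message mentions `user`, in log order."""
    recs = (parse_wls_line(line) for line in lines)
    return [r for r in recs if r and user in r["message"]]


def summarize_login(lines: List[str], user: str) -> Dict[str, object]:
    """Which name the asserter produced, which providers rejected it, and
    whether the JAAS login as a whole still succeeded. Failures listed next
    to succeeded=True mean a later login module accepted a name an earlier
    authenticator could not find: check the providers' control flags."""
    asserted: Optional[str] = None
    failures: List[Tuple[str, str]] = []
    succeeded = False
    stdout: List[str] = []
    for rec in trace_user(lines, user):
        msg = rec["message"]
        if rec["subsystem"] == "SecurityAtn":
            m = ASSERTED.search(msg)
            if m:
                asserted = m.group(1)
            m = FAILED.search(msg)
            if m:
                failures.append((m.group(1), m.group(2).strip()))
            if SUCCEEDED.search(msg):
                succeeded = True
        elif rec["subsystem"] == "Stdout":
            stdout.append(msg)
    return {"asserted_as": asserted, "failures": failures,
            "succeeded": succeeded, "stdout": stdout}


if __name__ == "__main__":
    for key, value in summarize_login(SAMPLE_LOG.splitlines(), "newuser").items():
        print(f"{key}: {value}")
```

On a real server, feed it the file contents directly (summarize_login(open("AdminServer.log").read().splitlines(), "newuser")); the grep-style file prefix is accepted but not required, and records from base_domain.log parse the same way.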


web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0">
  <display-name>testSLF4JWAR</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <!-- Specifies the security settings for the SamplePerimeterAtn web app.

     This webapp is used to demonstrate how to use identity assertion to
     perform perimeter authentication (where someone outside WLS is
     responsible for authenticating the user).

     Copyright (c) 2005 by BEA Systems, Inc.  All Rights Reserved.
-->

  <security-constraint>

    <!-- all the pages in this webapp are secured: the pattern has to be
         "/*" for that; a bare "/" only covers requests that fall through
         to the default servlet -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- only users in the SamplePerimeterAtnRole will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
      <role-name>
        SamplePerimeterAtnRole
      </role-name>
    </auth-constraint>

    <!-- NONE is acceptable for this local test; in production use
         CONFIDENTIAL so the token the client sends never travels over
         plain HTTP -->
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>

  </security-constraint>

  <!-- Use weblogic.xml to map the SamplePerimeterAtnRole
       to the SamplePerimeterAtnUsers group. As a result,
       "SamplePerimeterAtnUsers" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>
      SamplePerimeterAtnRole
    </role-name>
  </security-role>    

  <!-- turn on identity assertion

       The webapp only specifies that identity assertion should be
       used.  It does not dictate what kind of tokens to use.  Rather,
       the client and the identity asserter have to agree on the token
       type and format.

       - the client is responsible sending in a token that identifies the user

       - the identity asserter is responsible for converting that token
         to a user name.

       - the authenticators are responsible for putting that user
         and its groups into the subject

       The realm name is not used so set it to "NoSuchRealm".  It
       has nothing to do with the realm names in the console.

       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method> 
    <realm-name>NoSuchRealm</realm-name> 
  </login-config>
  
</web-app>

weblogic.xml


<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">
    <wls:weblogic-version>12.1.1</wls:weblogic-version>
    <wls:context-root>testSLF4JWAR</wls:context-root>
    <wls:container-descriptor>
        <wls:prefer-application-packages>
            <wls:package-name>org.slf4j</wls:package-name>
        </wls:prefer-application-packages>
    </wls:container-descriptor>
    <!-- map the role declared in web.xml to the group the authenticators
         put into the subject (see the subject[...] line in the log) -->
    <wls:security-role-assignment>
        <wls:role-name>SamplePerimeterAtnRole</wls:role-name>
        <wls:principal-name>SamplePerimeterAtnUsers</wls:principal-name>
    </wls:security-role-assignment>
</wls:weblogic-web-app>