Problems with multiple Authenticators

Marco Agostino
Greenhorn

Joined: Feb 24, 2011
Posts: 3
Hi, I'm new on JavaRanch, so nice to meet you all.

Introduction:

I have an EE app deployed on my WebLogic server that uses the JAAS authentication method to log users in. All the users that want to authenticate themselves are in a DB. I've configured a new Authenticator (SQL Authenticator) in the WebLogic console and I can see it's properly set up because I can see my users listed in the users/groups list.

Problem:

In my app, when I try to do the login operation, if I use the WebLogic administrator account (the one I use to get into the WebLogic console), I can log into my app successfully. I have some custom roles declared in my web.xml (and mapped in weblogic.xml), so when I try to do some operation with this account, I get 403 errors everywhere.
The problem is: how can I set the authenticators (the default one and the custom one) so that it works only with the users in my DB? Is it possible, by changing the order and using the proper JAAS control flag, to solve my problem? I don't want to create new realms or deploy my app on other servers...
anandraj tadkal
Ranch Hand

Joined: Feb 22, 2011
Posts: 98

Hi Marco,

Welcome to the forum.

This issue occurs because by default the DefaultAuthenticator's JAAS control flag is set to REQUIRED. And hence it is failing if the users are not present in the WebLogic Server's internal LDAP.

You need to change the JAAS Control flag for the DefaultAuthenticator and the SQLAuthenticator.

1. Go to Security Realm --> MyRealm --> Providers Tab --> Authentication subtab
2. Click on the configured Authentication Providers.
3. From the Drop down list of the control flags, select 'SUFFICIENT' for both the providers.

Note: This change would require a server re-start.

Cheers,
Anandraj,
http://weblogic-wonders.com/


Marco Agostino
Greenhorn

Joined: Feb 24, 2011
Posts: 3
Thanks for the reply and the welcome, Anandraj.

I'm new to WL and all these sorts of things. Initially I set up my 2 providers with the SUFFICIENT control flag, but that way I can always authenticate my WebLogic administrator into my app.
After one day full of curses and god knows what else, I came up with an answer: whichever way you set up the control flags and the order of the providers, your WebLogic account will always pass the authentication. So I have to "secure" my app's actions, servlets and JSPs from the WebLogic account.
The only thing I can do is to limit all the authentications: the first authentication provider will be the SQLAuthenticator and the second one will be the default one. My app will always have more accesses (and therefore more authentications) than the WebLogic console, so that way I can save my server resources.
anandraj tadkal
Ranch Hand

Joined: Feb 22, 2011
Posts: 98

Yes Marco. You are right, re-ordering of the providers helps in reducing the number of accesses.

Thanks for sharing your solution.

Cheers,
Anandraj
http://weblogic-wonders.com
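
The control-flag behaviour discussed in this thread, as an added example that is not part of the original posts and is not WebLogic code: it runs the JDK's own JAAS `LoginContext` over three provider chains, showing that a REQUIRED default provider rejects DB-only users, and that with both flags SUFFICIENT both accounts are accepted in either order while the order only changes how many providers are consulted. `StoreModule`, the account names and the assumption that WebLogic evaluates its providers with standard JAAS flag semantics are illustrative.

```java
import java.util.*;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    static int consulted; // providers asked during the current login attempt

    /** Hypothetical stand-in for one provider: knows only the names in its "users" option. */
    public static class StoreModule implements LoginModule {
        private CallbackHandler handler;
        private List<String> users;
        public void initialize(javax.security.auth.Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {
            handler = h;
            users = Arrays.asList(((String) opts.get("users")).split(","));
        }
        public boolean login() throws LoginException {
            consulted++;
            NameCallback name = new NameCallback("user");
            try { handler.handle(new Callback[] { name }); }
            catch (Exception e) { throw new LoginException(e.toString()); }
            if (!users.contains(name.getName())) throw new FailedLoginException("unknown user");
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    static AppConfigurationEntry provider(String users, LoginModuleControlFlag flag) {
        return new AppConfigurationEntry(StoreModule.class.getName(), flag, Map.of("users", users));
    }
    /** Runs the real LoginContext over the chain, so the flag logic is JAAS's own. */
    static String attempt(String user, AppConfigurationEntry... chain) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return chain; }
        };
        CallbackHandler ch = cbs -> { for (Callback c : cbs) ((NameCallback) c).setName(user); };
        consulted = 0;
        boolean ok;
        try { new LoginContext("demo", null, ch, cfg).login(); ok = true; }
        catch (LoginException e) { ok = false; }
        return user + (ok ? " accepted" : " rejected") + " after " + consulted + " provider(s)";
    }
    public static void main(String[] args) {
        // Constructed accounts: "weblogic" exists only in the default store, "marco" only in the DB.
        AppConfigurationEntry dReq = provider("weblogic", LoginModuleControlFlag.REQUIRED);
        AppConfigurationEntry dSuf = provider("weblogic", LoginModuleControlFlag.SUFFICIENT);
        AppConfigurationEntry sql = provider("marco", LoginModuleControlFlag.SUFFICIENT);
        for (String u : new String[] { "marco", "weblogic" }) {
            System.out.println("Default REQUIRED, SQL SUFFICIENT:   " + attempt(u, dReq, sql));
            System.out.println("Default SUFFICIENT, SQL SUFFICIENT: " + attempt(u, dSuf, sql));
            System.out.println("SQL SUFFICIENT, Default SUFFICIENT: " + attempt(u, sql, dSuf));
        }
    }
}
```

Authentication only establishes who the caller is; keeping the console account out of the application is the job of the role constraints in web.xml and their mapping in weblogic.xml, which is what produces the 403 responses described in the first post.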
 