Hi, i'm new on java ranch, so nice to meet you all
I have an EE app deployed in my weblogic server that use the jaas authentication method to log users in. All the users that want to authenticate themselves are inside a db. I've configured a new Authenticator (SQL Authenticator) inside weblogic console and i can see it's properly setted up because i can see my users listed in the users/groups list.
In my app, when i try to do the login operation, if i use weblogic administrator account (the one i use to get inside the weblogic console), i can log into my app with success. I have some custom roles declared inside my web.xml (and mapped inside weblogic.xml), so, when i try to do some operation with this account, i get 403 errors everywhere.
The problem is: How can i set the authenticators (Default one and custom one) in order to get it work only with the users on my db? Is it possible, via order changing and proper jaas control flag, to solve my problem? I don't want to create new realms or deploy my app on other servers...
This issues occurs because by default the DefaultAuthenticator's JAAS control flag is set to REQUIRED . And hence it is failing if the users are not present in the WebLogic Server's internal LDAP.
You need to change the JAAS Control flag for the DefaultAuthenticator and the SQLAuthenticator.
1. Go to Security Realm --> MyRealm --> Providers Tab --> Authentication subtab
2. Click on the configured Authentication Providers.
3. From the Drop down list of the control flags, select 'SUFFICIENT' for both the providers.
Note: This change would require a server re-start.
Follow us on facebook:
Joined: Feb 24, 2011
Thanks for the reply and the welcome Anandraj .
I'm new to wl and all these sort of things. Initially i've set up my 2 providers with SUFFICIENT control flag, but in that way i can always authenticate my weblogic administrator into my app.
After one day full of curses and god knows what else ( ) i came up with an answer: in every way you set up all the control flags and the order of the providers, your weblogic account will always pass the authentication. So i have to "secure" my app's actions, servlets and jsp from weblogic account.
The only thing i can do is to limit all the authentications: the first authentication provider will be the SQLAuthenticator and the second one will be the Default one. My app will always have more accesses (and in that way more authentications) than the weblogic console, so, in that way, i can save my server resources.