SAML and CLIENT-CERT for webservice application deployed in WL 10.3.5

Prabhakar Digumarthi
Greenhorn

Joined: Aug 29, 2008
Posts: 3
Hi All
We have developed a JAX-WS WebService and deployed it on a WL 10.3.5 server. The authentication for the web application is based on SAML 2.0. The token is provided by GetAccess IDP. The application is working fine. However, we want to add another layer of authentication for the application, which is CLIENT-CERT based. For this, I have created a user (CN1) on Weblogic with the same name as the CN of the client certificate. I have created a group (G1) and added the user CN1 to the group. I have also created a policy (P1) and used criteria to allow access only to CN1 and G1, using the User and Group predicates. The following piece of code is also added to the web.xml file deployed with the application.

<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>

When we are passing a correct certificate and a correct SAML token, we are getting the error - "Client Authentication failed". In the logs, we are able to see successful parsing of the SAML token to retrieve the group. After that we see the following:

<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode>S:Client.Authentication</faultcode><faultstring>Access denied to operation getContentbyID</faultstring><detail><java:string xmlns:java="java.io">weblogic.wsee.util.AccessException: Access denied to operation getContentbyID
</java:string></detail></S:Fault></S:Body></S:Envelope>

The User and Group principals created by the Default Mapper class are getting overridden by the SAML user and group.


Is it not possible to use both SAML 2.0 and CLIENT-CERT on the same application? Is there any solution to have both SAML 2.0 and CLIENT-CERT?