We have developed a JAX-WS WebService and deployed it on a WL 10.3.5 server. The authentication for the web application is based on SAML 2.0. The token is provided by GetAccess IDP.The application is working fine. However, we want to add another layer of authetication for the application which is CLIENT-CERT based. For the same, I have created user (CN1) on Weblogic with the same name as the CN of the client certificate. I have created a group (G1) and added the user CN1 to the group. I have also created a policy (P1) and used criteria to allow only CN1 and G1 to allow access using the User and Group predicates. The following piece of code is also added to the web.xml file deployed on the application.
When we are passing a correct certificate and a correct SAML token, we are getting the error - "Client Authentication failed". In the logs, we are able to see successful parsing of the SAML token to retrieve the group. After that we see the following:
<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode>S:Client.Authentication</faultcode><faultstring>Access denied to operation getContentbyID</faultstring><detail><java:string xmlns:java="java.io">weblogic.wsee.util.AccessException: Access denied to operation getContentbyID
The User and group principal created by the Default Mapper class is getting overrided by the SAML user and group.
Is it not possible to use both SAML2.0 and CLIENT-CERT on the same application? Is there any solution to have both SAML2.0 and CLIENT-CERT