Weblogic, j_security_check, external LDAP Roles Authentication

Shane Chambers
Greenhorn

Joined: Feb 27, 2013
Posts: 1
Hi All,

First off, anyone else find the whole group/role thing really obscure, backward and confusing?

Question: How do I need to configure LDAP and/or Weblogic to associate users in the external LDAP tree with a particular role, so that the j_security_check will not give me a 403 when trying to access a protected resource that is associated with a role?

For the most part, I have the j_security_check working, but I had to do an ugly hack; I believe there should be a more elegant way to do this.

The Hack:

weblogic.xml:
<security-role-assignment>
    <role-name>Admin</role-name>
    <principal-name>testuser</principal-name>
    <principal-name>ContractorA</principal-name>
    <!-- Hard wiring: associating users with roles. Might be good if LDAP is DOWN
         for emergency access, but I don't want to hand type 1000 users in an XML file. -->
</security-role-assignment>

So I half-expected some sort of configuration in Weblogic when I configure my External LDAP to point to a roles DN or equivalent that would associate a collection of users with a role or group...something. Once j_security_check validated the login/password, it would retrieve this role/group and validate it against the protected resources role criteria and allow access.

web.xml:

<security-constraint>
    <display-name>Constraint-0</display-name>
    <web-resource-collection>
        <web-resource-name>Constraint-0</web-resource-name>
        <!-- a url-pattern must start with "/" (servlet spec); "protected/*" does not match anything -->
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <!-- This role needs to be associated with the logged in user in order to access this resource. -->
        <role-name>Admin</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>

What's the best way to configure Weblogic j_security_check with an external LDAP server using some sort of role-based permissions system in the LDAP tree? Or should I just write my own login handler using the JNDI API or UnboundLDAP API to validate the user and grant access?

Any relevant input much appreciated!



Diwakar Shenoy
Greenhorn

Joined: Feb 01, 2012
Posts: 4

Hello Shane,

One option is to use and configure the Weblogic LDAP authentication provider to read from an external LDAP.

So, first you configure an external LDAP with the users and groups. You can define administrator groups and access groups there. Once done, you can create an LDAP authentication provider in your Weblogic console and set the control flag as sufficient (read more about LDAP authentication providers here: http://datalinks.nl/wordpress/?p=1131 ). Once you log in with this user, the groups will be automatically pulled in. Finally, you could protect your application and make it accessible only to users that have a specific role. The mapping of role to groups needs to go in the web.xml. This forum post should give you more pointers: https://forums.oracle.com/forums/thread.jspa?messageID=6359503

P.S.: Make sure you back up your config.xml (the <DOMAIN_HOME>/config folder in your Weblogic domain) so you can revert your changes just in case.


Hope this helps.

Diwakar
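Putting the two posts together, as an added example that is neither poster's configuration: the hard-wired weblogic.xml mapping from the question beside the group-based form the answer describes, plus the web.xml pieces that make j_security_check enforce it. The group name AppAdmins, the login page names and the user name are constructed placeholders; the example assumes the LDAP Authentication Provider's Group Base DN points at the subtree that holds the group, so the membership is pulled in at login.

```xml
<!-- weblogic.xml: hard-wired form (what the question calls "the hack").
     Every user who should hold the role has to be listed by name. -->
<security-role-assignment>
    <role-name>Admin</role-name>
    <principal-name>testuser</principal-name>
</security-role-assignment>

<!-- weblogic.xml: group-based form. principal-name may name a group as well
     as a user; membership is resolved at login from the configured LDAP
     Authentication Provider, so adding a user to the group in LDAP grants the
     role with no change to the descriptor. "AppAdmins" is a constructed group. -->
<security-role-assignment>
    <role-name>Admin</role-name>
    <principal-name>AppAdmins</principal-name>
</security-role-assignment>

<!-- web.xml: declare the role, reference it from the constraint, and use
     FORM login so that j_security_check is the login target. -->
<security-role>
    <role-name>Admin</role-name>
</security-role>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Admin area</web-resource-name>
        <!-- leading "/" is required by the servlet spec -->
        <url-pattern>/protected/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <!-- constructed page names; the login form posts to j_security_check -->
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
</login-config>
```

On the LDAP side the group is an ordinary group entry (for example a groupOfNames with one member attribute per user DN) living under the provider's Group Base DN, so "who is an Admin" is answered by group membership rather than by the descriptor. Two checks worth doing after wiring this up: confirm the DefaultAuthenticator's control flag alongside the new provider's, because with it left at REQUIRED a user that exists only in the external LDAP is still rejected even when the LDAP provider succeeds; and after a successful form login call request.isUserInRole("Admin") from a page under /protected/ to verify the group really was mapped before relying on the 403 behaviour.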