First off, anyone else find the whole group/role thing really obscure, backward and confusing?
Question: How do I need to configure LDAP and/or Weblogic to associate users in the external LDAP tree with a particular role, so that j_security_check will not give me a 403 when trying to access a protected resource that is associated with a role?
For the most part, I have j_security_check working, but I had to do an ugly hack; I believe there should be a more elegant way to do this.
<principal-name>ContractorA</principal-name> <-- Hard wiring: associating users with roles. Might be good if LDAP is down, for emergency access, but I don't want to hand-type 1000 users in an XML file.
So I half-expected some sort of configuration in Weblogic when I configure my External LDAP to point to a roles DN or equivalent that would associate a collection of users with a role or group...something. Once j_security_check validated the login/password, it would retrieve this role/group and validate it against the protected resources role criteria and allow access.
What's the best way to configure Weblogic j_security_check with an external LDAP server using some sort of role-based permission system in the LDAP tree? Or should I just write my own login handler using the JNDI API or UnboundLDAP API to validate the user and grant access?
One option is to use and configure the Weblogic LDAP authentication provider to read from an external LDAP.
So, first you configure an external LDAP with the users and groups. You can define administrator groups and access groups there. Once done, you can create an LDAP authentication provider in your Weblogic console and set the control flag to SUFFICIENT (read more about LDAP authentication providers here: http://datalinks.nl/wordpress/?p=1131 ). Once you log in with this user, the groups will be automatically pulled in. Finally, you could protect your application and make it accessible only to users that have a specific role. The mapping of role to groups needs to go in the web.xml. This forum post should give you more pointers: https://forums.oracle.com/forums/thread.jspa?messageID=6359503
P.S.: Make sure you back up your config.xml (the <DOMAIN_HOME>/config folder in your Weblogic domain) so you can revert your changes just in case.
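As an added illustration of the role-to-group mapping described above (not code from either poster), the deployment descriptors below protect /secure/* behind a FORM login and map the application role to an LDAP group instead of listing individual users. The role name contractor, the group name Contractors, the URL pattern and the login pages are assumed values; the weblogic.xml namespace assumes WebLogic 10.3 or later.

```xml
<!-- WEB-INF/web.xml : declares the role and what it protects (assumed names) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- FORM auth is what drives j_security_check -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Anything under /secure/* requires the "contractor" role;
       an authenticated user without it gets the 403 from the question -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Contractor area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>contractor</role-name>
    </auth-constraint>
  </security-constraint>

  <security-role>
    <role-name>contractor</role-name>
  </security-role>
</web-app>

<!-- WEB-INF/weblogic.xml : binds the role to a principal from the realm.
     principal-name may be a group as well as a user, so naming the LDAP
     group (assumed: "Contractors") here replaces one entry per user. -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>contractor</role-name>
    <principal-name>Contractors</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

The group name must match the group's name attribute as the LDAP authentication provider sees it (its Group Base DN and group name attribute settings), and the user must be a member of that group for the role check to pass.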