Hi there. I have a scenario where I need to change how WebLogic authenticates users. Currently it is using its internal LDAP only. This means all users, passwords and groups are managed within the app server.
The proposed scenario is to use Active Directory and smart cards, effectively removing all users and passwords from the WebLogic LDAP. The general flow would go as follows:
1. User requests a secure resource via browser.
2. A Java applet is downloaded to the client, which reads the smart card.
2a. The applet prompts for a PIN to ensure the owner of the card is making the request.
2b. If PIN validation is successful, extract the username from the card and return it to WebLogic.
3. WebLogic then authenticates the user in Active Directory.
I've read quite a bit of documentation and am either overlooking something or simply not understanding it.
My question is, when WebLogic authenticates the username against Active Directory, is it going to also attempt to validate a password or some other credential?
At this point, the only reason to authenticate against AD is to authorize the user based on their group membership.
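As an added illustration of step 3 and the group-based authorization the post describes (this is example code, not WebLogic's own API or anything from the original post), the following Python sketches the directory side of the flow: the username asserted by the card applet is client-supplied input, so it is escaped per RFC 4515 before it is placed in an LDAP filter; the account's memberOf DNs are then parsed and mapped to application roles. No password is checked, because in this design the card and PIN already authenticated the user. The sAMAccountName filter, the ROLE_MAP, and the in-memory DIRECTORY standing in for an AD lookup are all constructed assumptions for the example.

```python
import re

# Characters RFC 4515 requires to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a value for safe inclusion in an LDAP search filter (RFC 4515).

    The username comes from a client-side applet, so it is treated as
    untrusted input before being interpolated into a filter.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username):
    """Filter used to locate the asserted account in AD.

    Keying on sAMAccountName is an assumption for this example; a real
    deployment might match on userPrincipalName or the certificate instead.
    """
    return "(&(objectClass=user)(sAMAccountName=%s))" % ldap_filter_escape(username)


def first_rdn_value(dn):
    """Return (attribute, value) of the leftmost RDN of a DN.

    Splits only on commas that are not backslash-escaped (CN values such as
    'Smith\\, John' are legal in AD) and unescapes the value.
    """
    first = re.split(r"(?<!\\),", dn)[0]
    attr, _, value = first.partition("=")
    value = re.sub(r"\\(.)", r"\1", value.strip())
    return attr.strip().lower(), value


# Constructed mapping from AD group CN to application role (assumption).
ROLE_MAP = {"App Admins": "admin", "App Users": "user"}


def roles_for(member_of):
    """Map a list of memberOf DNs to the set of application roles they grant."""
    roles = set()
    for dn in member_of:
        attr, cn = first_rdn_value(dn)
        if attr == "cn" and cn in ROLE_MAP:
            roles.add(ROLE_MAP[cn])
    return frozenset(roles)


# Constructed stand-in for the AD lookup: sAMAccountName -> memberOf values.
DIRECTORY = {
    "jdoe": [
        "CN=App Users,OU=Groups,DC=example,DC=com",
        "CN=Smith\\, John Team,OU=Groups,DC=example,DC=com",
    ],
    "asmith": [
        "CN=App Admins,OU=Groups,DC=example,DC=com",
        "CN=App Users,OU=Groups,DC=example,DC=com",
    ],
}


def authorize(asserted_username):
    """Authorization step for an identity the card applet asserted.

    No password is checked here: the card/PIN step already authenticated the
    user, and the directory is consulted only for group membership.
    An unknown account yields no roles (deny by default).
    """
    member_of = DIRECTORY.get(asserted_username)
    if member_of is None:
        return frozenset()
    return roles_for(member_of)


if __name__ == "__main__":
    # A hostile username is neutralised before reaching the filter.
    print(build_user_filter("jdoe*)(cn=*"))
    for user in ("jdoe", "asmith", "nobody"):
        print(user, sorted(authorize(user)))
```

In a real deployment the filter string would be handed to the LDAP client bound with the authenticator's own service credentials, and the memberOf values would come back from that search rather than from DIRECTORY; the escaping and DN parsing are the parts worth keeping as written.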