Identity Asserter / Token always decoded / WLS 7.0

Hello,
I am implementing perimeter authentication. A user/password is passed as a cookie.
With SP1, cookies are now identified as tokens and passed to the identity asserter.
The only problem is that the tokens are always base64-decoded by the web container,
outside my control, even if the cookie itself is not base64-encoded.
Thanks.
Frank

Hi Frank
I just made some tests with WLS 7.0 SP1, an identity asserter and
HTTP-Unit-test as client.
With encoding the cookie it works. Without encoding it doesn't work.
You're right, the WLS security framework always base64-decodes the cookie value.
The WLS framework presumes that the cookie value is encoded.
This is also stated in the comment in the sample SamplePerimeterAtnClient.java:
// base 64 encode it. The webapp container (that is, internal WLS code) will
// base 64 decode the token. The decoded string will be passed to the..
You MUST send a base64-encoded cookie value to WLS 7.0, or wait for a patch.
Alain
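The encode/decode path Alain describes, as an added example that is not part of the original thread or of BEA's sample client: the client base64-encodes the cookie value, the container decodes it unconditionally, and the asserter validates what comes out. The cookie name SSOToken, the user:password token layout and the java.util.Base64 API (Java 8+; the WLS 7.0 sample used a different encoder) are assumptions.

```java
// Added example, not from the original thread. Models the WLS 7.0 token path:
// the client base64-encodes the cookie value, the web container (simulated by
// containerDecode) always base64-decodes it before calling the identity
// asserter, and the asserter parses the result. Cookie name and the
// "user:password" layout are assumptions.
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class PerimeterTokenDemo {

    static final String COOKIE_NAME = "SSOToken"; // assumed token/cookie name

    // Client side: what the sample client does before sending the cookie.
    static String encodeToken(String user, String password) {
        String raw = user + ":" + password;
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    // Container side: WLS base64-decodes the cookie value unconditionally.
    // A value that was never encoded fails here with IllegalArgumentException,
    // which is the symptom Frank reports.
    static byte[] containerDecode(String cookieValue) {
        return Base64.getDecoder().decode(cookieValue);
    }

    // Asserter side: parse the decoded bytes and refuse anything that is not
    // exactly "user:password", so a garbled decode never yields a principal.
    static String[] parseDecodedToken(byte[] decoded) {
        String text = new String(decoded, StandardCharsets.UTF_8);
        int sep = text.indexOf(':');
        if (sep <= 0 || sep == text.length() - 1) {
            throw new IllegalArgumentException("token is not user:password");
        }
        for (char c : text.toCharArray()) {
            if (c < 0x20 || c > 0x7e) { // control or non-ASCII byte: garbage decode
                throw new IllegalArgumentException("token contains non-printable bytes");
            }
        }
        return new String[] { text.substring(0, sep), text.substring(sep + 1) };
    }

    // Sends the cookie the way the thread's clients do (a Cookie header on
    // HttpURLConnection) and returns the HTTP status the server answered with.
    static int sendWithCookie(String url, String encodedToken) throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestProperty("Cookie", COOKIE_NAME + "=" + encodedToken);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws IOException {
        String encoded = encodeToken("frank", "secret"); // constructed sample credentials
        System.out.println("cookie value sent:  " + encoded);
        String[] parts = parseDecodedToken(containerDecode(encoded));
        System.out.println("asserter sees user: " + parts[0]);

        // The failure mode from the thread: an unencoded cookie value.
        try {
            containerDecode("frank:secret");
        } catch (IllegalArgumentException e) {
            System.out.println("unencoded cookie rejected by container decode: " + e.getMessage());
        }

        // Optional live call when a protected URL is given on the command line.
        if (args.length > 0) {
            System.out.println("HTTP status: " + sendWithCookie(args[0], encoded));
        }
    }
}
```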

Similar Messages

  • Identity Asserter is not invoked

    Hi,
    I am trying to write a custom identity asserter. I deployed the jar file to the mbeantypes directory, added the asserter to the providers list under the realm, and chose the correct token. I followed every step in the document.
    But the assertIdentity method never gets called. It always goes into
    public AppConfigurationEntry getLoginModuleConfiguration() {
    and it seems that WLS treats the asserter as an authenticator.
    Any clue? At least, how can I debug it? I have no idea what happens behind the scenes.
    Your help is very much appreciated.
    -Wei

    Sorry for the intrusion, but how do you verify the token matches the application user?
    In my scenario, I have an MS.NET IIS application running as an "sso partner" application. On another j2ee server, I have deployed a set of web services that expose some custom security methods, as well as retrieve information from the SSO/LDAP repository (the user profile and some other attributes). I don't want the MS app to simply make calls to these services without providing some form of identity information. If they could pass the currently logged in user, that really wouldn't mean much, because they could pass any name. What would validate it?
    I don't know how they could pass the username AND password, as that password, I'm assuming, is not accessible as that was posted to the SSO server. I thought about using some of the request headers that the SSO server sets, but I don't know of any APIs that come into play to use these.
    Does anyone have any suggestions as to what kind of security might be appropriate for these services?
    Thanks a bunch,
    Eric

  • X509 message level authentication - Unable to validate identity assertions

    Hi All,
    I am creating a proxy service that will authenticate a soap request with incoming x509 certificate.
    I configured weblogic server following the below blog post
    http://tim.blackamber.org.uk/?p=831
    I also set up the SSL and keystore tab in the weblogic server by following the steps in the below URL
    http://biemond.blogspot.com/2009/06/ws-security-in-osb.html
    In my proxy service I am using pre-defined policy "Auth.xml"
    The proxy service is attached below
    I am running the proxy service from test console. I have a security provider created pointing the keystore and selected while running the proxy service from test console ( no user name/password provided)
    I was expecting that the proxy service would read the security token and map the CN name corresponding to the security token key (my default User name mapper attribute is CN) to a user created in weblogic server and be able to authenticate it.
    But I am getting following error. Please suggest.
    <An error ocurred during web service security inbound request processing [error-code: Fault, message-id: 1345281693794990467-5e61805e.1324a2f888f.-7f8a, proxy: myPrototypes/ProxyService/ProxyServiceExtBizV2, operation: null]
    --- Error message:
    <env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"><env:Header/><env:Body><env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><Code xmlns="http://www.w3.org/2003/05/soap-envelope"><Value>env:Sender</Value><Subcode><Value>wsse:InvalidSecurity</Value></Subcode></Code><Reason xmlns="http://www.w3.org/2003/05/soap-envelope"><Text xml:lang="en-US">Unable to validate identity assertions.</Text></Reason></env:Fault></env:Body></env:Envelope>
    weblogic.xml.crypto.wss.WSSecurityException: Unable to validate identity assertions.
         at weblogic.wsee.security.wss.SecurityPolicyValidator.doIdentity(SecurityPolicyValidator.java:144)
         at weblogic.wsee.security.wss.SecurityPolicyValidator.processIdentity(SecurityPolicyValidator.java:107)
         at weblogic.wsee.security.wss.SecurityPolicyValidator.processInbound(SecurityPolicyValidator.java:78)
         at weblogic.wsee.security.WssServerPolicyHandler.processInbound(WssServerPolicyHandler.java:54)
         at weblogic.wsee.security.WssServerPolicyHandler.processRequest(WssServerPolicyHandler.java:30)
         at weblogic.wsee.security.WssHandler.handleRequest(WssHandler.java:74)
         at com.bea.wli.sb.security.wss.wls.Wls92InboundHandler.processRequest(Wls92InboundHandler.java:164)
         at com.bea.wli.sb.security.wss.WssHandlerImpl.doInboundRequest(WssHandlerImpl.java:223)
         at com.bea.wli.sb.context.BindingLayerImpl.addRequest(BindingLayerImpl.java:289)
         at com.bea.wli.sb.pipeline.MessageProcessor.processRequest(MessageProcessor.java:87)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:593)
         at com.bea.wli.sb.pipeline.RouterManager$1.run(RouterManager.java:591)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
         at com.bea.wli.sb.security.WLSSecurityContextService.runAs(WLSSecurityContextService.java:55)
         at com.bea.wli.sb.pipeline.RouterManager.processMessage(RouterManager.java:590)
         at com.bea.wli.sb.test.service.ServiceMessageSender.send0(ServiceMessageSender.java:332)
         at com.bea.wli.sb.test.service.ServiceMessageSender.access$000(ServiceMessageSender.java:79)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:137)
         at com.bea.wli.sb.test.service.ServiceMessageSender$1.run(ServiceMessageSender.java:135)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:146)
    proxy service definition:
    <?xml version="1.0" encoding="UTF-8"?>
    <xml-fragment xmlns:ser="http://www.bea.com/wli/sb/services" xmlns:tran="http://www.bea.com/wli/sb/transports" xmlns:env="http://www.bea.com/wli/config/env" xmlns:http="http://www.bea.com/wli/sb/transports/http" xmlns:con="http://www.bea.com/wli/sb/services/security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:con1="http://www.bea.com/wli/sb/pipeline/config" xmlns:con2="http://www.bea.com/wli/sb/stages/logging/config" xmlns:con3="http://www.bea.com/wli/sb/stages/config" xmlns:con4="http://www.bea.com/wli/sb/stages/publish/config">
    <ser:coreEntry isProxy="true" isEnabled="true">
    <ser:serviceProvider ref="myPrototypes/x509keyprovider"/>
    <ser:security>
    <con:inboundWss processWssHeader="true"/>
    </ser:security>
    <ser:binding type="abstract SOAP" isSoap12="true" xsi:type="con:AnySoapBindingType" xmlns:con="http://www.bea.com/wli/sb/services/bindings/config"/>
    <ser:monitoring isEnabled="false">
    <ser:aggregationInterval>10</ser:aggregationInterval>
    <ser:pipelineMonitoringLevel>Pipeline</ser:pipelineMonitoringLevel>
    </ser:monitoring>
    <ser:reporting>true</ser:reporting>
    <ser:logging isEnabled="true">
    <ser:logLevel>debug</ser:logLevel>
    </ser:logging>
    <ser:sla-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:sla-alerting>
    <ser:pipeline-alerting isEnabled="true">
    <ser:alertLevel>normal</ser:alertLevel>
    </ser:pipeline-alerting>
    <ser:ws-policy>
    <ser:binding-mode>service-policy-bindings</ser:binding-mode>
    <ser:policies>
    <ser:service-policy>
    <ser:predefined-policy>Auth.xml</ser:predefined-policy>
    </ser:service-policy>
    </ser:policies>
    </ser:ws-policy>
    </ser:coreEntry>
    <ser:endpointConfig>
    <tran:provider-id>http</tran:provider-id>
    <tran:inbound>true</tran:inbound>
    <tran:URI>
    <env:value>/myPrototypes/ProxyService/ProxyServiceExtBizV2</env:value>
    </tran:URI>
    <tran:inbound-properties/>
    <tran:all-headers>true</tran:all-headers>
    <tran:provider-specific>
    <http:inbound-properties/>
    </tran:provider-specific>
    </ser:endpointConfig>
    <ser:router>
    <con1:pipeline type="request" name="PipelinePairNode1_request">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7e09</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:request side:hdr is</con2:message>
    </con2:log>
    <con4:route>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7866</con3:id>
    <con4:service ref="myPrototypes/BizService/BizServiceExtBiz" xsi:type="ref:BusinessServiceRef" xmlns:ref="http://www.bea.com/wli/sb/reference"/>
    <con4:outboundTransform/>
    </con4:route>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:pipeline type="response" name="PipelinePairNode1_response">
    <con1:stage name="stage1">
    <con1:context/>
    <con1:actions>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-7cd6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$header</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:hdr is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79d3</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$outbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:outbound is</con2:message>
    </con2:log>
    <con2:log>
    <con3:id>_ActionId-3973507234039169612-4f70a750.1323cbeae66.-79b6</con3:id>
    <con2:logLevel>info</con2:logLevel>
    <con2:expr>
    <con3:xqueryText>$inbound</con3:xqueryText>
    </con2:expr>
    <con2:message>osb_extbiz_log:response side:inbound is</con2:message>
    </con2:log>
    </con1:actions>
    </con1:stage>
    </con1:pipeline>
    <con1:flow>
    <con1:pipeline-node name="PipelinePairNode1">
    <con1:request>PipelinePairNode1_request</con1:request>
    <con1:response>PipelinePairNode1_response</con1:response>
    </con1:pipeline-node>
    </con1:flow>
    </ser:router>
    </xml-fragment>
    Edited by: 818591 on Sep 8, 2011 4:47 PM

    For anyone watching this thread for any relevant information,
    after adding sign.xml policy, it started working

  • V8 SP4 SPNEGO Identity Asserter problem

    I configured my domain to authenticate against AD using the SPNEGO Identity Asserter.
    Two questions.
    1) How do I do authorization? Do I enter the name of an AD group in the webapp's weblogic.xml under Principal-Name? Or use weblogic groups (if so, how do the userids get matched)?
    2) It doesn't work - I get challenged for userid/pwd/domain.
    In debug, I get:
    "Found NTLM token when expecting SPNEGO"
    What can I do about this ?
    Some lines from debug...
    <PrincipalAuthenticator.assertIdentity - Token Type: Authorization>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Found NTLM token when expecting SPNEGO>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <PrincipalAuthenticator.assertIdentity - IdentityAssertionException>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <RoleManager.getRoles subject: Subject: 0
    Resource: type=<url>, application=earspnegodemo, contextPath=/earspnegodemo, uri=/index.jsp, httpMethod=GET>
    ####<11-Feb-2005 18:03:27 o'clock GMT> <Debug> <SecurityDebug> <UKAPD285093> <admin> <ExecuteThread: '13' for queue: 'weblogic.kernel.Default'> <<WLS Kernel>> <> <000000> <Default RoleMapper getRoles(): input arguments:
         Subject: 0
    Thanks,
    Mike

    The documentation on dev2dev appears to change all the time and without notice. I run Google beta which caches all visited web pages and one of the documents for WL enterprise security has three different versions in my cache each with slightly different implementation instructions.
    Anyway, I have implemented SSO using WL and AD using a third party Spnego identity asserter in the past and I presume the asserter which is now built in to sp4 works in the same way. You need to set up an active directory authenticator to enable weblogic to 'see' the users and roles in the AD domain.
    When you access the protected web application from the client pc (the one in the AD domain) the url used has to contain the SPN name
    eg http://domainname.project.net/test where domainname is the SPN.
    and not http://192.168.7.2:7001/test
    I think this is what triggers IE to send the kerberos ticket during the negotiate step.
    The order of the identity asserters (in the WL console) is important the SPNEGO one should be first and the AD one should be second and have a value of SUFFICIENT for the control flag.
    I have done all of the above and it still doesn't work but I think that there should be a servlet to handle the kerberos negotiation. A previous version of the WLES documentation does mention a negotiate servlet but has since been removed. I have sent an email to one of the security gurus at BEA, but as I am out of the office all week I don't know if I have a reply.
    I don't know if the above is of any use but I will post more info as I get it.
    Stephen

  • My custom identity asserter is ignored - what did I miss?

    Hello -
    My custom identity asserter's assertIdentity method is never called - even though I've verified that the correct token is added to the request header. I am hoping for some guidance as to what I am missing.
    1. I downloaded this sample app which uses ADF security: http://jdevsamples.googlecode.com/files/ADFSecurityWL.zip
    I changed the app to:
    - add a filter to dump request headers to System.out so I could verify that the token is correctly added to the request headers
    - changed the auth-method in web.xml from BASIC to CLIENT-CERT
    2. I also downloaded the sample authentication providers (for WLS 9.1) from here: https://codesamples.samplecode.oracle.com/servlets/tracking?id=S224
    and created a custom identity asserter based on the sample identity asserter provider in the app.
    3. I created an EAR file for the app and an mbean jar for the custom identity assertion provider.
    4. I added the mbean jar to the correct directory under weblogic, restarted weblogic, and created an instance of my provider in the security realm. I also reordered the providers so mine would be first (not sure if that matters). Then I restarted weblogic again. I verified that my provider was in the list of providers and that the chosen "Active Types" included my token type.
    5. I deployed the app EAR file to weblogic.
    6. I created a test program based on the test program in the sample providers download (above) and connected to the deployed app. I verified that the test program added the correct token to the request. My app's filter dumped the headers and I could see the token there.
    7. My custom identity assertion provider has System.out.println calls in the initialize() and assertIdentity() methods. I can see that the initialize() method is called when I start weblogic. However, I never see the assertIdentity() method's calls to System.out.println when I try to reach the app and those calls are the 1st thing in the method.
    8. I am using WebLogic Server version 10.3.3.0
    So, is there some obvious step I missed? (I am new to using WLS so it wouldn't surprise me if I got something really obvious wrong...)
    Thanks for reading my question,
    -- Scott

    Thanks Faisal.
    When I compared my mbean declaration with yours I discovered that I had set the Extends attribute to "weblogic.management.security.authentication.Authenticator" instead of "weblogic.management.security.authentication.IdentityAsserter". Using the correct value fixed my problem.

  • How to configure ADF application to use OAM Identity Assertion ? web.xml

    We have a web application developed using ADF (application development framework) and deployed on WebCenter 11.1.1.2 (weblogic 10.3.2)
    OID Authentication and OAM identity assertion is configured in WebLogic 10.3.2 .
    How to configure security in ADF application (web.xml or weblogic.xml) so that it uses OAM identity assertion (already configured as authentication providers in weblogic server)
    Any pointers or documentation so that the application (developed using ADF) checks for the identity token and verifies it with one of the identity assertion providers?

    John,
    I have to concur. With OAM you don't need this. OAM intercepts the calls and inserts a cookie for WLS to get user information from.
    I strongly advise to go through the above mention OFM Security Guide. Esp. Chapter 10 tells you in every detail how to implement OAM SSO with WLS (with or without OHS as a proxy).
    Reading this chapter saves you time and turnarounds on this topic...
    --olaf

  • OAM Identity Asserter Provider Error:Unable to create the AccessGate entry

    Hi All,
    I have installed Oracle Access Manager and trying to protect an application deployed on weblogic application server.
    I have added the jar oamAuthnProvider in weblogic server lib mbeantypes and configured an OAM Identity Asserter Provider in myrealm. When I restart the weblogic server, I encounter the following error:
    <Error> <> <BEA-000000> <OAMAP-60516:Unableto create the AccessGate entry for identity assertion/authentication.>
    <Error> <Security> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException
    : com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException.weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
    When I remove the following section from config.xml, the server starts fine:
    <sec:authentication-provider xmlns:ext="http://www.bea.com/ns/weblogic/90/security/extension" xsi:type="ext:oam-identity-asserterType">
    <n1:name xmlns:n1="http://www.bea.com/ns/weblogic/90/security">OAMID</n1:name>
    <n2:control-flag xmlns:n2="http://www.bea.com/ns/weblogic/90/security">REQUIRED</n2:control-flag>
    <ext:access-gate-name>MYAPP</ext:access-gate-name>
    <ext:primary-access-server>AccessServer</ext:primary-access-server>
    <ext:application-domain>MYDOMAIN.com</ext:application-domain>
    <ext:access-gate-password-encrypted>{AES}P3UIYbQpYupPs=</ext:access-gate-password-encrypted>
    </sec:authentication-provider>
    Has anyone come across this error before? Please suggest a workaround..
    Software versions being used:
    OAM 10.1.4.3
    Weblogic: 10.3.2
    Thanks
    Joe

    I am having the same problem on my WLS 10.3.4 running OSB 11g. I get the following error:
    tuning)'> <<WLS Kernel>> <> <> <1296595010528> <BEA-000000> <OAMAP-60516:Unable to create the AccessGate entry for identity assertion/authentication.>
    ####<Feb 1, 2011 1:16:50 PM PST> <Info> <Security> <WD-OR14P5A5W624> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1296595010528> <BEA-090511> <The following exception has occurred:
    com.bea.common.engine.ServiceInitializationException: java.lang.RuntimeException
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
         at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
         at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
         at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
         at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
         at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
         at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:222)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1784)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:445)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:870)
         at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1030)
         at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:881)
         at weblogic.security.SecurityService.start(SecurityService.java:142)
         at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    I looked the error number up and it says:
    OAMAP-60516: Unable to create the AccessGate entry for identity assertion/authentication.
    Cause: AccessGate instance creation failed.
    Action: See the Identity Asserter/Authenticator log for details.
    Level: 1
    Type: ERROR
    Impact: Configuration
    This seems to indicate my identity assertion is incorrect. My oam authentication provider is pretty simple.
    I am using OPEN transport security so the provider config is pretty simple. I provided an AccessGate pwd, primary and secondary access gate servers and Access Gate name provided by my administrator.
    I'm not sure about what the Application Domain field refers to. Can someone provide guidance on that?

  • Need Help with Identity Asserter and Authenticator

    First I built a custom authentication provider, configured it in WebLogic without assertion, and deployed it as an MBean.
    Then I built a custom identity asserter separately and deployed it on WebLogic with the configuration below. Now my problem is that even though I pass the TOKEN in the header, WebLogic still prompts for username/password, though it successfully prints the token on the console inside the asserter.
    Also I have set the following in config.xml to avoid this:
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
    Web.xml
    <security-constraint>
        <display-name></display-name>
        <web-resource-collection>
            <web-resource-name>anything</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>PUT</http-method>
            <http-method>HEAD</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <description>user </description>
            <role-name>myuser</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>myuser</role-name>
    </security-role>
    Where do I need to define myuser in the WebLogic admin console?

    hello!
    I've been trying to find a working example for creating
    a custom Identity Assert...but the links to such resources in the old BEA
    docs are now broken...
    can you point me towards a source of working code examples
    for an Identity Asserter?
    thank you!

  • Test custom Identity Asserter

    Hello.
    I've been trying to use the SampleIdentityAsserter that is available on the dev2dev site, and I've been able to create the provider jar, add it in the console and configure it. But when I try to reach a protected resource (defining CLIENT-CERT in the web.xml) nothing seems to happen and I get a 401 (Unauthorized) error.
    The code I'm using to connect to the protected resource is:
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.net.URLConnection;

    try {
        URL u = new URL(url);
        URLConnection uc = u.openConnection();
        // encodedToken is a String value that represents the value of the token
        // that is configured in the identity asserter as pkcs7
        uc.setRequestProperty("pkcs7", encodedToken);
        HttpURLConnection connection = (HttpURLConnection) uc;
        // note: setDoOutput(true) turns the request into a POST on HttpURLConnection
        connection.setDoOutput(true);
        connection.setDoInput(true);
        InputStreamReader ireader =
            new InputStreamReader(connection.getInputStream());
        BufferedReader in = new BufferedReader(ireader);
        String inputLine;
        while ((inputLine = in.readLine()) != null)
            System.out.println(inputLine);
        in.close();
        connection.disconnect();
    } catch (Exception e) {
        e.printStackTrace();
    }
    Any clue on how to test this?
    thanks in advance!

    enable SecurityATN debug and mail me the log file
    [email protected]

  • Combine Identity Asserter and Auth hosts filter

    Hi,
    I'd like to incorporate the functionality of an auth hosts filter within my Identity Asserter, so valid hosts can be defined per extend client rather than for any client.
    In order to achieve this I need access to the client's address within the identity asserter, and I cannot find a way to access it. Is it available anywhere, perhaps via the Service that is passed to assertIdentity?
    If it's not available, I was considering other options, such as storing the address in a threadlocal within the auth hosts filter and then retrieving it in the asserter.
    Currently on version 12.1.2.0.1

    In WLS 7.0 you must write an implementation of the weblogic.security.providers.authentication.UserNameMapper
    interface in order to return a username from the X.509 certificate.
    WLS 8.1 supplies a DefaultUserNameMapper that can be configured when adding the
    default identity asserter.
    Yesh <[email protected]> wrote:
    Hi Sheri
    You have to configure a "UserNameMapper" class .
    http://e-docs.bea.com/wls/docs70/javadocs/weblogic/security/providers/authentication/UserNameMapper.html
    Hope this helps
    yesh
    Sheri G. wrote:
    I am trying to use the default realm to authenticate a user based on two-way SSL
    and X.509. I need to know all of the steps to take to do this. I have done the
    following steps but I receive an Error 401: Unauthorized using:
    1. Added the Audit Default Provider.
    2. Added the Default Identity Asserter and set active types to X.509.
    3. Set up one user, group, and a role.
    4. Added the <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    </login-config> to the web.xml file.
    5. Deployed my application to the server.
    6. Set the policy based on a user's group.
    7. Restarted the server.
    After all this I try to access the page and get the Error 401. I have two-way
    SSL set up already. Is there anything I am missing? Also, I am using WebLogic
    7.0. Are there any known bugs with this? How does the identity asserter know what
    field to authenticate against (i.e. CN, C, etc.)? I have seen in the demo of 8.1
    that you specify which to use. How is this done in WebLogic 7.0?
    Thanks in Advance,
    Sheri
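One way to implement the UserNameMapper the first reply refers to, as an added example that is not from the thread or from BEA's samples: it picks the CN attribute out of the client certificate's subject, which is the field Sheri asks about. The method signatures follow the weblogic.security.providers.authentication.UserNameMapper javadoc linked above (verify them against your release); the class name CnUserNameMapper is assumed, and compiling needs weblogic.jar on the classpath.

```java
// Added example, not from the thread or from BEA. A UserNameMapper that
// derives the WLS user name from the CN of the client certificate's subject.
// Signatures follow the UserNameMapper javadoc linked in the thread; confirm
// them for your WLS release. Class name is an assumption.
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import weblogic.security.providers.authentication.UserNameMapper;

public class CnUserNameMapper implements UserNameMapper {

    // Which subject attribute becomes the WLS user name (CN here; the 8.1
    // DefaultUserNameMapper lets you pick this in the console instead).
    private static final String ATTRIBUTE = "CN";

    // Called by the identity asserter with the chain the container received.
    // certs[0] is the client (leaf) certificate. Chain validation is the
    // container's job under two-way SSL; this mapper only derives the name.
    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) {
            return null; // no certificate, no principal
        }
        String subject = certs[0].getSubjectX500Principal().getName(); // RFC 2253 form
        return extractAttribute(subject, ATTRIBUTE);
    }

    // Called when the token is a bare distinguished name rather than a certificate.
    public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
        if (distinguishedName == null) {
            return null;
        }
        return extractAttribute(new String(distinguishedName, StandardCharsets.UTF_8), ATTRIBUTE);
    }

    // Returns the most specific (leftmost) RDN value of the requested type, or
    // null, which makes WLS reject the assertion, when the DN is malformed or
    // lacks that attribute. LdapName lists RDNs right-to-left, hence the reverse loop.
    static String extractAttribute(String dn, String type) {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Rdn rdn = rdns.get(i);
                if (type.equalsIgnoreCase(rdn.getType())) {
                    Object value = rdn.getValue();
                    return value == null ? null : value.toString();
                }
            }
            return null;
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```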

  • Weblogic identity assertion provider for apache

    I am using an apache reverse proxy to handle the user authentication. My work environment is
    a) apache reverse proxy
    b) mod_auth_tkt (single sign on module for apache)
    c) weblogic portal server
    Once the user is authenticated against mod_auth_tkt/active directory, apache generates a cookie/ticket based on an MD5 checksum.
    I need to pass the credentials from apache to weblogic.
    My question is
    a) Can I use any weblogic identity assertion provider which comes with the WebLogic Server product, or do I have to develop a custom weblogic identity assertion provider? Please advise.
    Thanks
    Prabu

    *1-Can you please double check that your latest version of your web application is deployed ?*
    I have checked the application and can confirm that the correct application is deployed. With the auth-method as just BASIC (no CLIENT-CERT) I see the following behaviour:
    - With a Negotiate Identity Asserter Provider I see both WWW-Authenticate: Negotiate and WWW-Authenticate: Basic
    - Without a Negotiate Identity Asserter Provider I see just WWW-Authenticate: Basic
    *2-I believe there is no intermediary web server (like IIS) between your client and WLS ? A third part may add additional authentication request in the http header. If there is an intermediary exist, can you please avoid it for your tests.*
    I can confirm that there is no intermediary server between me and Weblogic.
    *3-Can you please check "weblogic.security.enableNegotiate" system parameter value. If it is true can you please set it to false and test your app again ?*
    I have weblogic.security.enableNegotiate set to true. I tried setting it to false and it seems I still see the same behaviour I described above in my answer to question 1.
    *3-Although I'm quite sure that Negotiate Identity Assertion Provider would not work for your app, can you please remove it and repeat your tests again. If you detect that it's because of the Negotiate Identity Assertion Provider, that you can consider open a bug request in Oracle Support system.*
    When I remove the Negotiate Identity Assertion Provider, I no longer see a WWW-Authenticate: Negotiate challenge in the response.
    Edited by: user1992925 on 16/05/2010 17:06

  • OSSO Identity Asserter problem with SecurityServiceRuntimeException

    I'm having issues bringing up a managed 10.3.1 WLS with an OSSO Identity Asserter configured. I have applied the Java Required Files to the domain, and have created an OID Authenticator (login module) and an OSSO Identity Asserter via the admin console in the security realm. I have even tried to apply the JRF to the managed server via the WLST.
    However, when I try to bring up the managed server, the following error appears in the managed server's log file:
    ####<Nov 9, 2009 12:13:41 PM PST> <Error> <Security> <mycomputer.us.oracle.com> <AppServer1> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1257797621586> <BEA-090870> <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:342)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for OSSOAuthenticator is not specified.
    at com.bea.common.security.internal.legacy.service.SecurityProviderImpl.init(SecurityProviderImpl.java:47)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:363)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)
    at weblogic.security.service.internal.WLSIdentityServiceImpl.initialize(WLSIdentityServiceImpl.java:47)
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:300)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:221)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1783)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealms(CommonSecurityServiceManagerDelegateImpl.java:869)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1028)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:875)
    at weblogic.security.SecurityService.start(SecurityService.java:141)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
    >
    What do I need to do to be able to bring up the managed server? Is there an issue with the JRF version of the OSSO Identity Asserter and, if so, where can I download one that works?

    You need to make sure that you nuke the whole directory that you are specifying to the MBean marker generator. For example, I use the following command to generate the provider jar file.
    java -Dfiles=$PRJROOT/ERModel/classes -DMDF=$PRJROOT/ERModel/classes/MyCustomAuthenticator.xml -DMJF=$PRJROOT/ERModel/custom-auth-provider.jar -DtargetNameSpace=http://xmlns.oracle.com/oracleas/schema/11/adf/sampleapp/weblogic/providers -DpreserveStubs=true -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker1c
    I need to nuke the directory in the -Dfile option i.e. 'rm -rf $PRJROOT/ERModel/classes/' each time I generate the jar file. If you don't, the jar file generates without any error but you will get a runtime exception.

  • Error deploying custom identity asserter

    I'm getting the following error when trying to deploy my custom identity asserter.
    An unexpected error occurred while setting Active Types Chooser to .
    Partial stack trace is as follows:
    [Management:145019]An error occurred while setting attribute:java.lang.NoSuchMethodException: com.foo.security.provider.FooIdentityAsserterImpl.validateActiveTypes([Ljava.lang.String;)
    I've been back and forth through the mbean xml file and can't see anything wrong (despite the funky type in the dump).
    I'm on 8.1 SP2.
    Any ideas as to what would cause this?
    Thanks,
    Jim

    The problem was with the name I was using for the implementation class of the identity asserter. Was calling it XXXIdentityAsserterImpl. This conflicted with the name of a class that was being generated by the MBean tool apparently. Changed it to XXXIdentityAsserterProviderImpl and the issue was resolved.

  • Publisher 11g and Identity Asserter

    How do you integrate publisher 11g with a custom weblogic identity asserter? From what I have been told so far, integration cannot be performed via the publisher administrative interfaces. It must be performed via configuration files on the server. There is no documentation on this subject yet. Has anyone performed the configuration that would be willing to share their experiences and configurations?
    FYI, any attempt to utilize the identity asserter in the default publisher configuration will result in java errors in the server log and a 500 error in the browser.

    Any security configuration must be under certified products so you can be confident they should work 100%. Otherwise, any issues you find under NOT certified products may not work and Oracle Support will not be able to help you.
    As you describe, the configuration you are trying to set is not certified and therefore the issues you find will probably never be resolved.
    References:
    1. Setting Security in BIEE 11g:
    http://download.oracle.com/docs/cd/E14571_01/bi.1111/e10543/intromartin.htm#CJHFBCBA
    2. List of Certified products for BIEE11g:
    http://www.oracle.com/technetwork/middleware/bi-enterprise-edition/bi-11gr1certmatrix-166168.xls
    (Non Oracle ID and Access Mgmt tab)
    If you configure BI Publisher 11g as Standalone then the list of Security Modes are:
    - Oracle DB
    - Siebel
    - EBusiness Suite
    - BI Publisher
    - LDAP
    - Fusion Middleware
    regards
    Jorge

  • How to pass back Subject do Client app after authentication via identity assertion

    I have developed an Identity Assertion Provider based on SampleIdentityAsserterProviderImpl provided by BEA.
    It seems that all works fine, but I don't know how to pass back the authenticated Subject to the client application in order to call methods runAs(Subject, PrivilegedAction). I have tried to build the Subject from connection.getInputStream(), but when I use the Subject constructed in that way I receive an error:
    java.lang.SecurityException: Invalid Subject: principals=[user, usergroup1, usergroup1]
    Thanks in advance for any suggestions.
    Jerzy Nawrot

    Hi,
    as per the below comment.
    We want to change this and do it in a dynamic way so that the XCM configuration application can read these dynamic parameters and behave accordingly (like customers with different languages, client systems etc). This is the 1st part.
    You have to use different scenarios to be set in XCM like (customer specific to language, and client), and that is to be passed in
    where language specifications should be maintained in XCM settings only. Also to be noted that the Product catalog for those should also be maintained in that specific language.
    "/init.do?scenario=value2;
    The 2nd part leading this scenario is after the portal user successfully lands in the ISA application: if the user needs to go back to the WDP Java screen, would the JSP-based ISA application be able to navigate back to the original WD Java iView screen? Or would it open in a new window? (Probably this can be set to be launched in the same window.)
    I am not sure, but if you go back to WD from ISA, the ISA session will die.
    Let me know if you have any further queries.
    Regards,
    Devender V
