Configuring custom database authentication in Weblogic 10

Similar Messages

• Configuring OID 10g authenticator in Weblogic 10.3.5

  Hi,
  I have user1, user2..user1000 in OID 10g
  some of the user belong to 'OBIEE_users' group in OID for example user1,user2,user3,user4 belong to this group.
  I have configured OID as authentication provider in weblogic.
  can anyone please let me know what filter to use so that only users belonging to 'OBIEE_user' group (i.e. user1,user2,user3,user4) are visible in weblogic.

  Can anyone please help me with their thoughts on this

• How to use a custom database authentication with APEX_AUTHENTICATION??

  i have Custom user authentication method.
  create or replace function user_check(username varchar2,password varchar2) return boolem
  is
  check_out integer;
  begin
  select count(*) into check_out from "user" where USER_EMAIL=username and USER_PASS=password;
  if check_out >0 then
  return true;
  else
  return false;
  end if;
  end;
  apex_authentication.login() how to use. And how to make apex_authentication.login() use my method Verify User Login

  You can't mix custom authentication and the internal APEX authentication functions.. So either you use the pre-built user authentication in APEX or you can build your own CUSTOM authentication...
  Many examples of custom authentication are out there...
  Thank you,
  Tony Miller
  Ruckersville, VA

• SecurityException (Invalid Subject) with custom database authentication provider WLS 7.0

  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein

  I have solved it. The Problem was that the two Principal implementations, one that
  implements WLSGroup and one that implements WLSUser, need a common principal base
  class. The principal validator class, method getPrincipalBaseClass() must then return
  the common principal base class.
  "Dirk Fellenstein" <[email protected]> wrote:
  >
  Hello
  I have implemented a custom authentication provider using a
  database. The login module works fine. It check the username and
  password, add the user as a WLSUser-principal and add the groups
  relatated to the user as WLSGroup-principals to the subject. I
  am able to start the WLS only using my authentication provider,
  but if i want to login into the console i get following
  SecurityException:
  java.lang.SecurityException: Invalid Subject: principals=
  [system, Administrators]
  at weblogic.security.service.SecurityServiceManager.seal
  (SecurityServiceManager.java:893)
  at weblogic.security.service.RoleManager.getRoles
  (RoleManager.java:269)
  at
  weblogic.security.service.AuthorizationManager.isAccessAllowed
  (AuthorizationManager.java:608)
  at
  weblogic.servlet.security.internal.WebAppSecurity.hasPermission
  (WebAppSecurity.java:370)
  at
  weblogic.servlet.security.internal.SecurityModule.checkPerm
  (SecurityModule.java:125)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkUserPe
  rm(FormSecurityModule.java:328)
  at
  weblogic.servlet.security.internal.SecurityModule.beginCheck
  (SecurityModule.java:179)
  at
  weblogic.servlet.security.internal.FormSecurityModule.checkA
  (FormSecurityModule.java:167)
  at
  weblogic.servlet.security.internal.ServletSecurityManager.checkAc
  cess(ServletSecurityManager.java:185)
  at
  weblogic.servlet.internal.WebAppServletContext.invokeServlet
  (WebAppServletContext.java:2960)
  at weblogic.servlet.internal.ServletRequestImpl.execute
  (ServletRequestImpl.java:2466)
  at weblogic.kernel.ExecuteThread.execute
  (ExecuteThread.java:152)
  at weblogic.kernel.ExecuteThread.run
  (ExecuteThread.java:133)
  Seems to me, that the default role manager does not map the
  group Administrators to the role Admin, which is allowed to
  access the resource console. So, what i do wrong? Must i set
  additional credentials to the subject? Or must i use a special
  Principal class? Who can help me?
  Thanks in advance & greetings
  Dirk Fellenstein

• OBIEE 11.1.1.1.6.0 Configuring a Database as the Authentication Provider

  Hi Experts,
  In oracle DB, we have created Users table which store whole users' information, and we want to display related information derived from DB in weblogc console according to the following link: http://docs.tpu.ru/docs/oracle/en/fmw/11.1.1.6.0/bi.1111/e10543/privileges.htm#CHDFHDBE
  (Note: use '3.4.3 Configuring a Database as the Authentication Provider')
  After all steps, restart all services, we can see all user in db who showed in console and author user can login EM and Console page, However,we can not open presentation sevices
  Log message as below:
  Are you facing the same issue?
  2012-08-29T23:19:18.000+08:00] [OBIPS] [ERROR:10] [] [saw.security.odbcuserpopulationimpl.searchidentities] [ecid: ] [tid: ] Odbc driver returned an error (SQLExecDirectW).
  State: HY000. Code: 10058. [NQODBC] [SQL_STATE: HY000] [nQSError: 10058] A general error has occurred.
  [nQSError: 43113] Message returned from OBIS.
  [nQSError: 13049] User 'author' with 'empty' permission can not query user population. (HY000)
  SQL Issued: {call NQSSearchIdentities('BOTH','GUID=0198E2F1D34011E1BF5F4B3F7C7118D6')}[[
  File:odbcuserpoploaderimpl.cpp
  Line:708
  Location:
  saw.security.odbcuserpopulationimpl.searchidentities
  saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
  saw.subsystem.catalog.repaircatalogsecurity
  saw.subsystem.catalog.initialize
  saw.subsystems.catalogbootstrapper.loadcatalog
  saw.webextensionbase.init
  saw.sawserver
  saw.sawserver.initializesawserver
  saw.sawserver
  ecid:
  [2012-08-29T23:19:18.000+08:00] [OBIPS] [ERROR:10] [] [saw.security.odbcuserpopulationimpl.searchidentities] [ecid: ] [tid: ] {call NQSSearchIdentities('BOTH','GUID=0198E2F1D34011E1BF5F4B3F7C7118D6')}[[
  File:odbcuserpoploaderimpl.cpp
  Line:709
  Location:
  saw.security.odbcuserpopulationimpl.searchidentities
  saw.security.userpopulationmanagerimpl.getaccountdetailsbyid
  saw.subsystem.catalog.repaircatalogsecurity
  saw.subsystem.catalog.initialize
  saw.subsystems.catalogbootstrapper.loadcatalog
  saw.webextensionbase.init
  saw.sawserver
  saw.sawserver.initializesawserver
  saw.sawserver
  ecid:
  ]]

  You most probably haven't set Application Roles in EM for external users.
  Users belonging to application roles are only allowed to access OBI.
  Check the existing BIConsumer application role, see if you can add external users, and if not, use 'Create Like'.

• SP 2013 Upgrade error - web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode.

  Hi there,
  I get this error when I perform a DB Attach upgrade from SharePoint 2010 to SharePoint 2013. 
  "web application is configured with claims authentication mode however the content database you are trying to attach is intended to be used against a windows classic authentication mode."
  Any help is appreciated. Thanks.

  There is other way of fixing this issue apart from what Amit mentioned. Create a classic based web application in SP 2013 using PowerShell.
  New-SPWebApplication -Name "TestApplication" -ApplicationPool "TestApplicationAppPool" -AuthenticationMethod "NTLM" -ApplicationPoolAccount (Get-SPManagedAccount "sppoc\spfarm") -Port 100 -URL "http://sp2013demo"
  Now mount the content database from SP 2010 on to the web application created above 
  Mount-SPContentDatabase WSS_Content_100 -DatabaseServer SQL2012Demo -WebApplication http://sp2013demo:100
  Once the mount is complete, convert the web application to use claims and migrate the user to use claims identity.
  Convert-SPWebApplication -Identity "http://sp2013demo:100" -To Claims –RetainPermissions -Force
  $w = Get-SPWebApplication "http://sp2013demo:100"
  $w.MigrateUsers($True)
  See my blog post about it: http://www.sharepointnadeem.com/2014/01/upgrade-from-sharepoint-2010-classic.html
  Please remember to up-vote or mark the reply as answer if you find it helpful.

• Configure Database Connection to Weblogic 8.1 Connection Pool

  Hi,
  I've got an ADF BC web application which is working find for an embedded JDBC Oracle Database connection. It's Jdeveloper 10.1.2 deployed to Weblogic 8.1.
  Now I'm trying to change the Database connection so it can point to a weblogic connection pool through its JNDI name. The goal is to make .ear file transportable through different weblogic domains and databases, without recompile application.
  I've been trying to configure an "OracleConnectionPoolDataSource" selecting "third party driver" in Database connection wizard, but Jdeveloper throws error: Java Cast Exception, and don't let continue. What else have to do?
  thanks.

  I did that, but WebLogic ignores whatever I configure in Services->JDB->Connection Pools and Data Sources. Even if I remove them the application keeps on running.
  Because the server only reads the connection defined from JDeveloper, which is configured in the connections.xml file placed inside the deployed .ear file.
  I need to change this behaviour, and configure connections.xml pointing to Weblogic Datasource.
  Thanks for your attention.

• Step-by-step custom Credential Mapping using weblogic 10.3 SSPI

  Folks,
  I am trying to implement custom Credential Mapping using weblogic 10.3 SSPI. Am sure that few of you have already implemented the same. But here my questions in reagrds with the implementation
  Right now, I have below
  1.MyCredentialMapperImpl implements CredentialMapperV2
  1.Overridden getCredential and gerCredentials method.But I am not sure what are all the other methods , I should implement here.
  2.MyCredentialMapperProviderImpl implements CredentialProviderV2
  Questions.
  1.How to get ContextHandler to pass as param in MyCredentialMapperImpl -->gerCredentials method.
  2.Should I need set up a database after deploying the MBean ?
  3.How do I execute above implementation ?
  4.Can I see the SAML Token in my client ?
  If possible Please send me the step-by-step custom Credential Mapping implementation.
  Thanks in advance.
  Ravi

  Hi John,
  I would like magic of course. However, in this case I want something special: my authentication provider uses special means and contents of headers, cookies and service from external identity management systems to determine the user's identity.
  I do not want the application to present the login dialog! I want to derive the identity and the fact that the user is logged in from whatever the authentication provider returns in terms of Subject.
  Ideally, the flow is something like:
  - user accesses an unprotected resource - resource is shown, no interaction with authentication provider
  - user presses a link or button that takes him/her to a protected resource
  - the authentication provider is contacted to work with the identity asserter to establish the identity of the current user and create a subject object for this user
  - the application can access the subject and principals
  - ADF Security recognizes the identity and the roles (based on the principals) and coordinates access based on this.
  the authentication method is client certificate. presumably this prompts WebLogic/OPS to use an identity asserter to work with custom headers and cookies ("... when you configure a web application to use CLIENT-CERT authentication. In this case, WebLogic can perform identity assertion based on values from request headers and cookies. If the header name or cookie name matches the active token type for the provider, the value is passed to the provider."). No login form should be presented to the user, as all information required to perform the authentication is already available.
  I am trying to understand what I must do to have the ADF application adopt the subject set by the authentication provider - if anything?!
  If you more ideas to share - I would love to hear them.
  best regards,
  Lucas

• Custom DB authentication to an application from Oracle Portal not working.

  Hi All,
  We have a Portal customized and integrated to LDAP for SSO.
  From the portal, we have a link that takes to another custom application that requires another level of authentication. We have implemented this authentication as custom Database based authentication.
  When user login to the portal and access this link, he will be directed for authentication again. This custom application has been installed on a different OC4J instance while Oracle Portal is running in a different OC4J instance.
  Issue is though user details are being propagated to the custom application page, we are receiving an error saying authentication failed.
  In the OC4J instance specific for this custom application, we have configured jazn.xml to use custom authentication.
  Below is the code:
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
  <jazn provider="XML" location="./jazn-data.xml" default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  </jazn>
  and in jazn-data.xml, we gave the role mapping.
  But the problem is when the link to the custom application is accessed, it seems like the custom autentication mechanism is not working.
  Can anyone throw light on this?
  Do we need to give the same configuration in the j2ee/home/config directory files also?
  Can we use both LDAP and custom DB authentication with in the same OAS setup. Remember as of now, Portal and custom application are running in different OC4J instances but within the same OAS.
  Any help in this regard will be highely appreciated.
  Thanks,
  Sasi Bhushan

  Hi All,
  We have a Portal customized and integrated to LDAP for SSO.
  From the portal, we have a link that takes to another custom application that requires another level of authentication. We have implemented this authentication as custom Database based authentication.
  When user login to the portal and access this link, he will be directed for authentication again. This custom application has been installed on a different OC4J instance while Oracle Portal is running in a different OC4J instance.
  Issue is though user details are being propagated to the custom application page, we are receiving an error saying authentication failed.
  In the OC4J instance specific for this custom application, we have configured jazn.xml to use custom authentication.
  Below is the code:
  <?xml version = '1.0' encoding = 'UTF-8' standalone = 'yes'?>
  <!DOCTYPE jazn PUBLIC "JAZN Config" "http://xmlns.oracle.com/ias/dtds/jazn-9_04.dtd">
  <jazn provider="XML" location="./jazn-data.xml" default-realm="jazn.com">
  <property name="role.mapping.dynamic" value="true"/>
  <property name="custom.loginmodule.provider" value="true"/>
  </jazn>
  and in jazn-data.xml, we gave the role mapping.
  But the problem is when the link to the custom application is accessed, it seems like the custom autentication mechanism is not working.
  Can anyone throw light on this?
  Do we need to give the same configuration in the j2ee/home/config directory files also?
  Can we use both LDAP and custom DB authentication with in the same OAS setup. Remember as of now, Portal and custom application are running in different OC4J instances but within the same OAS.
  Any help in this regard will be highely appreciated.
  Thanks,
  Sasi Bhushan

• Active Directory Authentication in Weblogic 8.1

  Hi,
  We want to do authentication from Microsoft Active Directory using weblogic 8.1.
  I have created a Active directory and
  configured weblogic from console to use it. But it is still not working. Your
  help with these question would be highly
  appreciated.
  1. Is there anyone in group who have tried this before. Please let me know how
  to proceed.
  2. Is there any tool by which I can get to know the different attribute asked
  for configuration in Weblogic?
  3. I am not able to login to my application after configuration. Is there any
  other way to come to know whether it is working
  or not?
  There could be plethora of reason but nothing which can come to my mind. Everything
  seems to be configured correctly. Here is
  portion of my config.xml related with authentication:
  <FileRealm Name="wl_default_file_realm"/>
  <PasswordPolicy Name="wl_default_password_policy"/>
  <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
  <Security GuestDisabled="false" Name="vendavo-dev"
  PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm" RealmSetup="true">
  <weblogic.security.providers.authentication.DefaultAuthenticator
  ControlFlag="SUFFICIENT"
  Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.DefaultIdentityAsserter
  ActiveTypes="AuthenticatedUser"
  Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultRoleMapper
  Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAuthorizer
  Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAdjudicator
  Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.credentials.DefaultCredentialMapper
  Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.authentication.UserLockoutManager
  Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.Realm
  Adjudicator="Security:Name=myrealmDefaultAdjudicator"
  AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
  =myrealmADAuthenticator"
  Authorizers="Security:Name=myrealmDefaultAuthorizer"
  CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
  DefaultRealm="true" DisplayName="myrealm"
  Name="Security:Name=myrealm"
  RoleMappers="Security:Name=myrealmDefaultRoleMapper"
  UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
  <weblogic.security.providers.pk.DefaultKeyStore
  Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
  ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
  DisplayName="ADAuthenticator" FollowReferrals="false"
  GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
  Name="Security:Name=myrealmADAuthenticator"
  Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
  </Security>
  First, of all is it possible to use Active Directory authentication in Weblogic
  without writing any custom code. If yes, how?
  Thanks in advance,
  Amit Tyagi

  Amit,
  We have successfully used WLS 8.1 sp1 with AD - but not without our share of ups
  and downs though.
  |
  |
  1) First, make sure you are sending right LDAP queries to AD. To verify this,
  we used free 3rd party LDAP browser from Softerra. There is also java based free
  browser from Univ of Michigan. Personally, I like Softerra's LDAP browser better.
  Play with your LDAP settings using this and make sure AD is returning the right
  data.
  |
  2) AD has some default settings that makes it return only the top 1000 users.
  Use ntdsutil.exe to modify these default settings
  |
  3) AD needs to have the right set of users and groups. To configure this, refer
  to WLS docs. This is very well documented in WLS docs. Also refer to this article
  http://dev2dev.bea.com/products/wlportal/whitepapers/wlp70_MSADS.jsp as additional
  reference
  |
  4) Also, there are some bugs with 8.1 portal sp1 and AD. It cannot take more than
  one Authentication provider. sp2 is supposed to have fixed it. For sp1 we used
  another product AD/AM (AD in Application Mode) in combination with MIIS server.
  But if you are using sp2, you shouldn't be worry about this.
  |
  5) In your providers, you might want to get rid of the DefaultAuthentication provider,
  once you are able to establish a connection with your ActiveDirectoryAuthentication
  provider. The DefaultAuthentication provider causes some problems and does not
  let ActiveDirectoryAuthentication provider to behave properly. We haven't fully
  investgated the root of this prob. When we deleted DefaultAuthentication provider,
  everything worked normally - so we didn't really care that much :-)
  |
  6) Make sure you have your JAAS options set to OPTIONAL initially and make sure
  your are able to authenticate talk to your AD.
  |
  These are the ones I could think of. Hope this helps..
  Regards,
  Anant
  "Amit" <[email protected]> wrote:
  >
  Hi,
  We want to do authentication from Microsoft Active Directory using weblogic
  8.1.
  I have created a Active directory and
  configured weblogic from console to use it. But it is still not working.
  Your
  help with these question would be highly
  appreciated.
  1. Is there anyone in group who have tried this before. Please let me
  know how
  to proceed.
  2. Is there any tool by which I can get to know the different attribute
  asked
  for configuration in Weblogic?
  3. I am not able to login to my application after configuration. Is there
  any
  other way to come to know whether it is working
  or not?
  There could be plethora of reason but nothing which can come to my mind.
  Everything
  seems to be configured correctly. Here is
  portion of my config.xml related with authentication:
  <FileRealm Name="wl_default_file_realm"/>
  <PasswordPolicy Name="wl_default_password_policy"/>
  <Realm FileRealm="wl_default_file_realm" Name="wl_default_realm"/>
  <Security GuestDisabled="false" Name="vendavo-dev"
  PasswordPolicy="wl_default_password_policy"
  Realm="wl_default_realm" RealmSetup="true">
  <weblogic.security.providers.authentication.DefaultAuthenticator
  ControlFlag="SUFFICIENT"
  Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.DefaultIdentityAsserter
  ActiveTypes="AuthenticatedUser"
  Name="Security:Name=myrealmDefaultIdentityAsserter" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultRoleMapper
  Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAuthorizer
  Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authorization.DefaultAdjudicator
  Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.credentials.DefaultCredentialMapper
  Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.authentication.UserLockoutManager
  Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
  <weblogic.management.security.Realm
  Adjudicator="Security:Name=myrealmDefaultAdjudicator"
  AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter|Security:Name
  =myrealmADAuthenticator"
  Authorizers="Security:Name=myrealmDefaultAuthorizer"
  CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
  DefaultRealm="true" DisplayName="myrealm"
  Name="Security:Name=myrealm"
  RoleMappers="Security:Name=myrealmDefaultRoleMapper"
  UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
  <weblogic.security.providers.pk.DefaultKeyStore
  Name="Security:Name=myrealmDefaultKeyStore" Realm="Security:Name=myrealm"/>
  <weblogic.security.providers.authentication.ActiveDirectoryAuthenticator
  ControlFlag="SUFFICIENT" Credential="{3DES}hvEo4sy7g1E="
  DisplayName="ADAuthenticator" FollowReferrals="false"
  GroupBaseDN="ou=ou=Groups,dc=devdc,dc=com" Host="venper5"
  Name="Security:Name=myrealmADAuthenticator"
  Principal="vendev" Realm="Security:Name=myrealm" UserBaseDN="ou=Users,dc=devdc,dc=com"/>
  </Security>
  First, of all is it possible to use Active Directory authentication in
  Weblogic
  without writing any custom code. If yes, how?
  Thanks in advance,
  Amit Tyagi

• Configuring PAM login modules with weblogic 6.1

  I am trying to configure my own PAM login module to work on the same JVM as weblogic.
  I have my own security policy that does not rely on weblogic however when trying
  to login after creating a specific login context :
  LoginContext loginContext = new LoginContext("XXLogin",subject,
  callbackHandler);
  loginContext.login();
  The JVM tries to invoke weblogic's own internal server login module. It looks
  for the callback the login module uses and then fails.
  The same problem ocurrs at weblogic startup. Weblogic appears to overide the -Djava.security.auth.login.config=jaas.config
  with their own login configuration file:WLHOME\lib\server.policy. Is this supposed
  to be a standard PAM login configuration file or weblogic's own interpretation
  of it ? (It is called a policy file which normally relates to grants and permissions
  in JAVA). Anyway we modified this file to include our own login module under a
  different AuthenticationConfigurationName. However weblogic attempted to use our
  login module as well as their own. According to the jaas api when creating a login
  context the application configuration name is specified however weblogic appears
  to be ignoring this !! Also we have found that a PAM configuration file that we
  had did not parse with weblogic, however it worked with the standard PAM configuration
  file parser. This implies that weblogic does not use the standard parser. Any
  help welcome !!

  Hi Parthasarathy,
  Thanks for the pointer. Your suggestion was the first step to getting our Security
  Model to be compatible with the WebLogic 6.1 model. As suggested I removed the
  the default LoginModule (ServerLoginModule) from the Server.policy file and replaced
  it with our Login Module. Then we defined JVM properties for the weblogic.management.password
  property in the startweblogic command file to supply the authentication information
  required by WebLogic.
  The next problem that I encountered was that we use files in the jaas.jar for
  Authorisation when I tried to access these files (e.g. javax.security.auth.Policy)
  I got a sealing violation as the JVM had previously loaded other class files in
  this package from the weblogic.jar (as weblogic uses these files for authorisation).
  It was possible to get around this problem by putting the jaas.jar ahead of the
  weblogic.jar in the classpath.
  After this I just needed to set up permissions in the weblogic.policy file for
  authorisation and we were there.
  Regards
  Paul
  Parthasarathy Seshadri <[email protected]> wrote:
  Please note from the documentation:
  http://e-docs.bea.com/wls/docs61//security/prog.html#1039659
  that WLS uses the default Login Module (weblogic.security.internal.ServerLoginModule)
  to gather authentication informatino
  during server initialization. To replace the default Login module, edit
  the Server.policy file and replace the name of the
  default Login module with the name of a custom Login module.
  Please inform whether the above information is useful. Thank you.
  Paul Petley wrote:
  I am trying to configure my own PAM login module to work on the sameJVM as weblogic.
  I have my own security policy that does not rely on weblogic howeverwhen trying
  to login after creating a specific login context :
  LoginContext loginContext = new LoginContext("XXLogin",subject,
  callbackHandler);
  loginContext.login();
  The JVM tries to invoke weblogic's own internal server login module.It looks
  for the callback the login module uses and then fails.
  The same problem ocurrs at weblogic startup. Weblogic appears to overidethe -Djava.security.auth.login.config=jaas.config
  with their own login configuration file:WLHOME\lib\server.policy. Isthis supposed
  to be a standard PAM login configuration file or weblogic's own interpretation
  of it ? (It is called a policy file which normally relates to grantsand permissions
  in JAVA). Anyway we modified this file to include our own login moduleunder a
  different AuthenticationConfigurationName. However weblogic attemptedto use our
  login module as well as their own. According to the jaas api when creatinga login
  context the application configuration name is specified however weblogicappears
  to be ignoring this !! Also we have found that a PAM configurationfile that we
  had did not parse with weblogic, however it worked with the standardPAM configuration
  file parser. This implies that weblogic does not use the standard parser.Any
  help welcome !!--
  Developer Relations Engineer
  BEA Support

• LDAP security authentication in weblogic sp4 (URGENT)

  We have a web application which interacts to the D/B to authenticate a user during our login process. Now we are trying to change the login to LDAP authentication. Here is the List I did on weblogic configuration correct me if this is correct or if am missing any thing.
  1. Created a Realm
  2. Created a NOVELL LDAP Authenticator (configured user, groups, members, Novell LDAP, Details)
  3. Created a X.509 certificates ????? Do I need to create this one for authentication. The only question is I am confused by these parameters and help me out in figuring out these:
  a. filter attributes = cn=$subj.cn
  b. username attribute = cn
  c. userCertificate;binary ??? ( I have a certificate idmtree.der where do I add configuration about this certificate in the console)>>>>>>>>
  d. certificate mapping : ou=user,ou=$subj.ou,o=$subj.o,c=$subj.c (IS THIS CORRECT)
  4. created a new Weblogic Default Authorizer...
  5. created a new Weblogic Default Role Mapper...
  6. created a new Weblogic Default Credential Mapper ...(Do I need to setup my certificate inside this credential mapper or not.)
  7. I made this realm as the DEFAULT realm and started the server
  I get the following exception.
  Initializing RoleMapper provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift.>
  The RoleMapper provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultRoleMapperInit.ldift>
  Initializing Authorizer provider using LDIF template file C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift.>
  The Authorizer provider has had its LDIF information loaded from: C:\bea\user_projects\domains\mydomain\.\DefaultAuthorizerInit.ldift>
  Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
  Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
  Loading trusted certificates from the jks keystore file C:\bea\weblogic81\server\lib\DemoTrust.jks.>
  Loading trusted certificates from the jks keystore file C:\bea\JDK142~1\jre\lib\security\cacerts.>
  Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure.>
  Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
  weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]
  at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:205)
  at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:262)
  at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java:581)
  at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
  at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm(SecurityServiceManagerDelegateImpl.java:700)
  at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
  at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize(SecurityServiceManagerDelegateImpl.java:876)
  at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
  at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:822)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:670)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:344)
  at weblogic.Server.main(Server.java:32)
  >
  ####<Apr 6, 2006 10:42:55 AM CDT> <Emergency> <WebLogicServer> <DXPCHI029398> <myserver> <main> <<WLS Kernel>> <> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090294]could not get connection - with nested exception:
  [java.lang.reflect.InvocationTargetException - with target exception:
  [netscape.ldap.LDAPException: [Security:090477]Certificate chain received from ldapidv.merc.chicago.cme.com - 10.5.19.190 was not trusted causing SSL handshake failure. (91)]]>
  ANY HELP on this would be greatly appreciated am totally exhausted seeing these error messages from morning.
  I would like to know if I need a client for connecting to this LDAP authenticator. As am using the Novell API to access the LDAP directory. Let me know, and if so can some one provide me a snippet code.\
  Waiting for response.
  thanks in advance
  kiran

  Hi Christoper,
  Based on your description, this seems to be more of a security related question than a workshop one.
  Please post to the security newsgroup at http://forums.bea.com/bea/category.jspa?categoryID=2011
  with information on service pack installed
  Thanks
  Raj

• External database Authentication Issue

  Hello Experts
  I have omplemented external database authentication in my PC and somehow its not working
  Do we have to configure the details in NQSconfig file in the security section for implementing External Database Authentication .

  Hello Thanks for your concern .
  Steps i have followed
  *1)* use that table. If not, create the following table in your database.
  CREATE TABLE OBI_USER
  USERNAME VARCHAR2(255 BYTE),
  PASSWORD VARCHAR2(255 BYTE),
  GROUPNAME VARCHAR2(255 BYTE),
  DISPLAYNAME VARCHAR2(255 BYTE),
  LOGLEVEL NUMBER,
  CREATED_DT DATE sysdate,
  **2)**Created New ODBC Connection to use Separate Connection pool for OBIEE Security .
  *3)* Created New Session Initialization Block for Authentication and gave
  (SELECT USERNAME, GROUPNAME, DISPLAYNAME, LOGLEVEL FROM CPR_OBI_USER WHERE UPPER( USERNAME) =UPPER(':USER') AND UPPER(PASSWORD) =UPPER(':PASSWORD') ) by selection the new BI Security connection pool
  In the variable Traget i have defined 'USER', 'GROUP', 'LOGLEVEL','DISPLAYNAME'
  *4)* Created another Session Initialization Block for Authorization and gave (SELECT 'GROUP', GROUPNAME FROM OBI_USER WHERE UPPER( USERNAME) =UPPER(':USER'))
  And selected row wise initialization in variable target AND assigned Authentication Initialization block in the Execution Precedence .
  *5)* Created Groups in Manage-> Security-> Groups with the same group names as given in OBI_USER Table
  *6)* Added Groups in Manage Catalog and groups in Presentation Services .
  *7)* When i log on with the user which is assigned to the group in the OBI_USER Table then its giving
  (Unable to Log In     
  An invalid User Name or Password was entered.
  Please enter your User ID and Password below, and then press the Log In button.)
  Edited by: newbi on Sep 28, 2010 9:53 AM

• Custom ldap authenticator to retrieve user bean ldap profile

  Hi,
  Wondering if we could use a custom ldap authenticator to get the user profile from Ldap and put the data bean into session.
  This will allow to use the same connection to Ldap and to benefit from Bea security authentication configuration.
  Any input on this ?
  Thank you

  Increasing the search limit is the only practical solution. Really, ~2000 entries is not that many.

• Error in custom OAM authentication plugin

  Hi All
  I am trying to build a custom OAM authentication plugin using JDeveloper. Here are the version information:
  OAM - 11.1.1.5 BP04
  WLS - 10.3.5
  Issue:
  I get the following error in the OAM logs when I try to activate the plugin.
  [2012-11-14T09:39:17.996-08:00] [oam_server1] [WARNING] [] [oracle.oam.extensibility.lifecycle] [tid: DistributedCache:DistributionCache:EventDispatcher] [userId: <anonymous>] [ecid: 0000Jfzyiy6EgKI5qrH7iY1GcxMc000002,0] [APP: oam_server] Activation failed due to felix bundle exception while installing and starting the bundle.Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)[[
  org.osgi.framework.BundleException: Unresolved constraint in bundle oamCustomAuthPlugin [2]: Unable to resolve 2.0: missing requirement [2.0] package; (package=oracle.security.am.plugin.ExecutionStatus)
  at org.apache.felix.framework.Felix.resolveBundle(Felix.java:3404)
  The names of jar file, class file, plugin xml file etc are all same. My plugin code is very generic and I have the following values in the plugin's manifest and xml file
  Plugin xml file [oamCustomAuthPlugin.xml]:
  <Plugin name="oamCustomAuthPlugin" type="Authentication">
  <author>uid</author>
  <email>[email protected]</email>
  <creationDate>09:32:20, 2011-11-13</creationDate>
  <version>4</version>
  <description>OAM Custom Authentication plugin</description>
  <interface>oracle.security.am.plugin.authn.AbstractAuthenticationPlugIn</interface>
  <implementation>com.company.oam.oamCustomAuthPlugin</implementation>
  <configuration>
  <AttributeValuePair>
  <Attribute type="string" length="20">INPUT_PARAM1</Attribute>
  <mandatory>true</mandatory>
  <instanceOverride>false</instanceOverride>
  <globalUIOverride>true</globalUIOverride>
  <value>Param1</value>
  </AttributeValuePair>
  <AttributeValuePair>
  <Attribute type="string" length="20">INPUT_PARAM2</Attribute>
  <mandatory>true</mandatory>
  <instanceOverride>false</instanceOverride>
  <globalUIOverride>true</globalUIOverride>
  <value>Param2</value>
  </AttributeValuePair>
  </configuration>
  </Plugin>
  Manifest File [MANIFEST.MF]:
  Ant-Version: Apache Ant 1.7.1
  Bundle-Version: 1.0.0.4
  Bundle-Name: oamCustomAuthPlugin
  Bundle-Activator: oamCustomAuthPlugin
  Bundle-ManifestVersion: 2
  Created-By: 17.0-b17 (Sun Microsystems Inc.)
  Import-Package: oracle.security.am.plugin,oracle.security.am.plugin.authn
  Bundle-SymbolicName: oamCustomAuthPlugin
  Bundle-RequiredExecutionEnvironment: JavaSE-1.6
  Please let me know if you have faced a sinilar issues in the past. Please help !!

  Try with Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api If it doesn't work try with - Import-Package: org.osgi.framework;version="1.3.0",oracle.security.am.plugin,oracle.security.am.plugin.authn,oracle.security.am.plugin.api ,oracle.security.am.plugin.ExecutionStatus