Security realm - Security:097533 - Developing own authentication provider

Similar Messages

• How to configure security realm for Active Directory ?

  Hi,
  Can any body suggest how to configure security realm in weblogic 8.1
  I have simple login page where in user can enter his credentials, and i have MS-Active Directory where we maintain all users.
  users who loged into web application has to be authenticated from Active Directory.
  please suggest what are the steps that we need to follow
  thanks in advance

  Hi Sankar,
  You can login to the weblogic server admin console and create a new realm.
  Once you have created the realm you can add the authentication provider.You add the Active Authentication Provider.But you must have the the configuration inforamation of MS AD.You can read my blog http://dev2dev.bea.com/blog/bishnu_kumar/
  where the integration is with iPlanet LDAP.Steps will be similar.
  You must have a login portlet in your portal application and that should have been in accordance with j2ee security standards.For example you may use basic authentication or userlogin control or p13n API
  Regards
  Bishnu

• Is this possible to use no default security realm?

  Hi,
  I created new security ReadOnlySQLAuthentication provider in the default realm and it works. Now I have all the users from all applications in one realm. If they use the same enterprise roles, user can log to one application with login and password from another application. To prevent it I created another security realm. I've added ReadOnlySQLAuthentication provider, set in my application new realm name - in jazn-data.xml and web.xml. But it doesn't work. My questions are:
  It is possible to use few realms? So one application will use default realm, another no default realm.
  If so, how to bind an application to no default realm?
  Bart

  Hi,
  A WLS instance only supports a single realm. So the answer unfortunately is no (was different with OC4J)
  Frank

• Authentication Provider in WebLogic 7.0

  Hi
  I am trying to understand the Security Frame-work in WLS 7.0.
  I found out that WLS 7.0 uses embedded LDAP server to store users information. It also supports external LDAP. But for our application, I want to keep users info in a database.
  Is there any suggestion to solve this problem. Do I need to create my own Authentication Provider? or is there any other way to do this?
  I will appreciate any help
  Thanks
  Virender Sandhu

  does anybody know where a production ready copy of rdbmls realm is on the
  net? I did a search and didnt find much?
  thanks
  Joel
  "PaulF" <[email protected]> wrote in message
  news:[email protected]..
  Virender Sandhu <[email protected]> wrote in
  news:3cdab13c$[email protected]:
  Hi
  I am trying to understand the Security Frame-work in WLS 7.0.
  I found out that WLS 7.0 uses embedded LDAP server to store users
  information. It also supports external LDAP. But for our application,
  I want to keep users info in a database. Is there any suggestion to
  solve this problem. Do I need to create my own Authentication
  Provider? or is there any other way to do this?
  I will appreciate any help
  Thanks
  Virender Sandhu
  I think that you have two choices: 1) you can configure a Compatibility
  Realm, take the RDBMS example, tweak it so that it is production ready (or
  grab a production ready copy from someplace out on the net...I think
  they're out there), or 2) create your own provider that talks directly to
  your database.
  Paul F.

• Extend WL Authentication Provider Password Validation

  Hi folks
  I'm looking for any advice on how to extend the OOB password validation that is available and documented here:
  http://docs.oracle.com/cd/E12840_01/wls/docs103/secmanage/atn.html#wp1212100
  Specifically we'd like to test whether the desired password has been used in the last 8 they've used and also to enforce that it expire after x days. Any pointers would be much appreciated.
  Thanks,
  Paul

  1- How can an authentication provider supports password validation providers ?
  We decided to make our own authentication provider so I doubt we support it
  Yes, your custom authentication provider will not support it.
  2- How it is suppose to work ?
  Now, when a user change his password (or any of his attributes), we call a stored procedure (DB) which updates the user table ...
  The way I see it, the web application should call the password validation provider before (or instead and then the provider will call the stored procedure)
  Have u configured the a databse authenticator? Looks like you are modifying the password in the database directly ( using stored procedures) so Password Validator will not come in picture at all.

• Security realms - provider - LDAP (OID) - error: autentication denied

  I follow the link http://www.oracle.com/technology/products/jdev/tips/fnimphius/oidconfig/index.html to configure OID authentication in weblogic server. I am able to see all the OID user in the security realms (users and groups page). I change the control flag to SUFFICIENT. however, I still could not login as orcladmin. I got "The username and password has been refused by WebLogic Server". Could someone assist further on troubleshooting this issue?

  I had a cheat sheet that got me through this topic which seems to have disappeared since Oracle has taken over BEA... maybe someone can help us find it again (or a similar reference) but this was the old link:
  Link: [https://support.bea.com/application_content/product_portlets/support_patterns/wls/UnderstandingLDAPGroupMembershipSearchPattern.html]
  In short, there are three patterns for authentication that are recognized as the defacto standards for implementation and your directory structure must conform to one of these three patterns into order for the authentication schemes to work. You have not provided enough information in your post for me to say whether or not you have met the criteria. If you can find these three patterns, you can determine if you meet them. If you fail, you will need to write a custom security authenticatio module (documented in the Weblogic documentation somewhere) to enable WL use your setup.
  Hope it gets you in the right direction at least....
  Keith

• Authentication via weblogic security realm

            My servlet needs to access a session bean. The action in the session bean requires
            that a user has been authorized, i.e. at some point the session been calls
            String name = d_ctx.getCallerPrincipal().getName()
            This name may not be null at this time.
            What I would like to have is that the user executing the URL gets authenticated
            by my server realm 'myrealm' and that the associated prinicpal gets passed to
            the session bean. Is this possible. If so, how can the user pass along the username
            and password as this query is executed programmatically?
            markus
            

  http://www.weblogic.com/docs51/classdocs/API_acl.html
  Michael Girdley
  BEA Systems Inc
  "gennot" <[email protected]> wrote in message
  news:[email protected]..
  Could you send me the complete URL of these example, please?
  Thanks
  Enrico
  Michael Girdley <[email protected]> wrote in message
  39b87078$[email protected]..
  The passing of the client's certificate should be automatic to WebLogic.We
  have an example of getting the client side certificate from inside of
  WebLogic in our documentation.
  This does not require for SSL to be used from the Web server to
  WebLogic.
  >>
  Thanks,
  Michael
  Michael Girdley
  BEA Systems Inc
  "Bob Simonoff" <[email protected]> wrote in message
  news:[email protected]..
  I have read through the docs and haven't found anything that would
  address
  the following confusion:
  Suppose I want to use Apache or IPlanet as the webserver with WebLogicas
  the back end application server (obviously). I have the need to use 2way
  SSL authentication. As I understand it the following applies:
  Client (browser) has a certificate as does the web server. Theyauthenticate
  each other.
  Now, the web server and weblogic need to communicate. WebLogic, in our
  environment does authentication via the security realm.
  What do I have to do to get the the web server (Apache or IPlanet) to
  communicate the client's certificate to WebLogic so the WebLogic canperform
  the authentication?
  Does the communication between the web server and WebLogic also need
  to
  be
  SSL?
  Thanks
  Bob Simonoff

• How can one use one specific security realm per application ? The realm-name attribute of the login-config tag of web.xml does not make any difference

  Hi,
  I have different sets of users coming from different databases and using different
  roles mapping for each of my web applications. I would like to configure a specific
  security realm per application in my weblogic server 7.0 . Is it possible ?
  I try to specify the realm-name of the login-config tag from the web-xml deployement
  descriptor but it doesn't make any difference. The default realm is always used.
  I also would like to tell the Weblogic server to use the default realm in case
  the realm isn't specified or isn't found. For example, the default would contains
  my admin users.
  Thanks a lot for your answer.
  Iz

  I thik this is a common mistake the ralm-name tag in the deployment descriptor is used
  just by the browser for display purposes (when it opens the basic auth dialog box) so as
  of now there is only 1 active realm which can have multiple providers as Kevin pointed
  out
  Kevin Lewis wrote:
  WebLogic 7 now ignores the realm-name tag (I found that out yesterday).
  My understanding is that there is only one realm active at a time for a domain
  (I would be interested in being contradicted in this).
  However, you can have multiple providers in each category of a realm: authentication,
  authorization, etc. Therefore, what you can do is key authentication, et al,
  off of some other information. We have our users enter their company, for example,
  and use the TextInputCallback to get it. You could also encode something in the
  initial page, based on the URL they hit, or whatever, and get that back in your
  callback.
  You can store that information in your own Principal implementation, and key off
  of that in your authorization provider, going to a different database as appropriate,
  or abstaining when a specific provider doesn’t have anything to say about a subject.
  Anyway, there should be a way to do it, even if it's more complex than you would
  have hoped.
  --Kevin

• Proper security realm for ecommerce user

  I would like to use j2ee security on our ecommerce site (isUserInRole, getUserPrincipal,
  web.xml declarative functionality to protect resources), but my problem is not
  knowing what security realm to I use to manage the user. The site has thousands
  of users and they need the ability to create an account which will determine their
  "role" based on what membership fee they paid. After they have an account they
  can login an have access to sections of the site that are permitted to them based
  on role. All the examples I've seen about weblogic security is using LDAPs or
  their internal RDMS. How can I have weblogic use our own database or is there
  a best practice to accomplish the task I need? Any information would be helpful!!

  It sounds like you have many users in your database, but not that many roles
  & policies.
  Probably you can use the DefaultRoleMapper and DefaultAuthorizer for your
  roles & policies.
  You need a database based authentication provider. Check out the sample
  dbms authentication provider on the dev2dev center:
  http://dev2dev.bea.com/codelibrary/code/sec_rdbms.jsp
  -tm
  "fed " <[email protected]> wrote in message
  news:4010111d$[email protected]..
  >
  I would like to use j2ee security on our ecommerce site (isUserInRole,getUserPrincipal,
  web.xml declarative functionality to protect resources), but my problem isnot
  knowing what security realm to I use to manage the user. The site hasthousands
  of users and they need the ability to create an account which willdetermine their
  "role" based on what membership fee they paid. After they have an accountthey
  can login an have access to sections of the site that are permitted tothem based
  on role. All the examples I've seen about weblogic security is usingLDAPs or
  their internal RDMS. How can I have weblogic use our own database or isthere
  a best practice to accomplish the task I need? Any information would behelpful!!

• RDBMS Security realm 6.1-8.1 migration

  I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
  Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
  I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
  Security' node appearing in the left-hand console pane. The contents of the Users
  and Groups nodes visible under this node look correct (ie as defined in the underlying
  database).
  However, to get to this point I had to initially hardwire the values for the database
  driver, url, user and password as these were null when obtained from the associated
  RDBMSRealmMBean object, causing the server to fail to start. This enabled me
  to bootstrap the process so that I could use the console to enter these values
  on the Database tab for the Realm I had defined for Compatibility Security. I
  see no mention of this step in the instructions referred to above and therefore
  missed out this vital step.
  When WLS8.1 starts it displays:
  <date&time> <Notice> <Security> <BEA-090082> <Security initializing using security
  realm myrealm.>
  myrealm is a Realm listed under Security but I would have expected the realm to
  be the specially-defined realm associated with Compatibility Security. So, question
  number 1 - does this output from WLS indicate that it is using the Compatibility
  Security realm or the default realm?
  Although the console displays the expected set of users and groups , my application
  is failing to associate a user with a 'role' - the Groups node shows that user
  U is in group G but when the application invokes the SessionContext method isCallerInRole(String
  role) where the caller is U and the role is G the result of the invocation is
  false. Question number 2 - why does this not return true in this case?
  Note, this code (that I have inherited) worked fine in WLS6.1 and the only significant
  change I needed to make for WLS8.1 is in the wrapper classes, in particular the
  code to get the required RDBMSRealmMBean. Having now successfully got hold of
  this object I would have expected the rest of the code to work fine (ok, 'expected'
  is a bit optimisitic - but I'm not aware that there are any functional differences
  beyond obtaining the RDBMSRealmMBean object).
  Many thanks in advance for any assistance with this.
  David

  Mehrshad
  I wasn't involved in the original WL6.1 code development but this is based on
  the example code that BEA provide with the WLS6.1 installation - it should therefore
  be visible at ~bea/wlserver6.1/samples/examples/security/rdbmsrealm
  HTH
  David
  "Mehrshad Setayesh" <[email protected]> wrote:
  >
  David:
  I am trying to do the same thing and can not find which RealmClassName
  to use
  in 8.1. In our previous version, 6.1, I was using com.bea.wlpi.rdbmsrealm.RDBMSRealm.
  What is the mapping
  Java class in 8.1? Thanks.
  Regards
  Mehrshad
  "David Franklin" <[email protected]> wrote:
  I am trying to migrate a RDBMS security realm from WLS6.1 to WLS8.1.
  Having followed the instructions in http://e-docs.bea.com/wls/docs81/upgrade/upgrade6xto81.html#1066711
  I am now able to boot WLS8.1 and see encouraging signs such as the 'Compatibility
  Security' node appearing in the left-hand console pane. The contents
  of the Users
  and Groups nodes visible under this node look correct (ie as defined
  in the underlying
  database).
  However, to get to this point I had to initially hardwire the values
  for the database
  driver, url, user and password as these were null when obtained from
  the associated
  RDBMSRealmMBean object, causing the server to fail to start. This enabled
  me
  to bootstrap the process so that I could use the console to enter these
  values
  on the Database tab for the Realm I had defined for Compatibility Security.
  I
  see no mention of this step in the instructions referred to above and
  therefore
  missed out this vital step.
  When WLS8.1 starts it displays:
  <date&time> <Notice> <Security> <BEA-090082> <Security initializingusing
  security
  realm myrealm.>
  myrealm is a Realm listed under Security but I would have expected the
  realm to
  be the specially-defined realm associated with Compatibility Security.
  So, question
  number 1 - does this output from WLS indicate that it is using the Compatibility
  Security realm or the default realm?
  Although the console displays the expected set of users and groups ,
  my application
  is failing to associate a user with a 'role' - the Groups node shows
  that user
  U is in group G but when the application invokes the SessionContextmethod
  isCallerInRole(String
  role) where the caller is U and the role is G the result of the invocation
  is
  false. Question number 2 - why does this not return true in this case?
  Note, this code (that I have inherited) worked fine in WLS6.1 and the
  only significant
  change I needed to make for WLS8.1 is in the wrapper classes, in particular
  the
  code to get the required RDBMSRealmMBean. Having now successfully got
  hold of
  this object I would have expected the rest of the code to work fine(ok,
  'expected'
  is a bit optimisitic - but I'm not aware that there are any functional
  differences
  beyond obtaining the RDBMSRealmMBean object).
  Many thanks in advance for any assistance with this.
  David

• Accessing Custom Security Realm and NotOwnerException.

  I have installed the RDBMS example security realm, which appears to work fine. However when I attempt to access this realm from a Servlet via Realm.getRealm("name") I get an NotOwnerException being thrown.
  Ideas ?
  regards,
  Jeff.

  We did something similar in a past project, and it turned out to be more of a mess than
  it was worth it (not only the "chicken-egg" dilemma with system, guest, administrator
  users, etc., but also with various lookup and threading issues.) We ended up ripping
  out the code and writing a new one which does not use an EJB.
  EJB are supposed to be written in terms of container services (which security being one
  of the services the container provides) but in this scenario you'd be writing one of the
  container services in terms of EJBs, so it "breaks" the proper layering.
  In our case, we wanted to "encapsulate" our security code from Weblogic's propreitary
  realm mechanism, at the end we still achieved without having to create a session bean
  (sometimes regular Java classes work just fine) :-)
  regards,
  -Ade
  "watscheck" <[email protected]> wrote in message news:[email protected]..
  >
  Hi,
  i want to use a sessonEJB as my security store for the custom security realm in
  weblogic server 6.1.
  Has anyone experience with that?
  First i have to pass all filerealm users through my custom realm (csr) because
  it is not possible to authenticate the system and guest users before the sessionEJB
  itself is loaded.
  OK, but my problem is the authentication of the csr at the sessionEJB, which is
  itself secured by method-permission in it's assemblydesciptor. So i have to get
  an initialcontext with an authorized user for the sessionEJB an invoke all protected
  methods with this principal.
  But Bea WLS has a problem with propagating this user back to the actual application.
  Is there a way that the application (web-app and ejbs) is not affected by the
  authentification of the csr at the sessionEJB (security store)?
  And is it right that the new initialcontext in the csr always overrides the bea
  context and with that the servlet request of the web-app?
  thanks in advance
  watscheck

• WL Security realm

            All,
            where should we put WL security realm classes for clustering WLS? (global or cluster weblogic.properties)? As we know WL security realm uses session to keep information available thru connection cycle, how does WL handle failed over to next available node?
            Brian
            

  Hi Steven
  1. What you want is totally possible BUT you can have your Users only in one Security Provider. To access bpm/workspace, all the users will be referred in the first top most security provider. So make sure, your AD Authenticator is in the Top Most and also all these providers should be set to SUFFICIENT / OPTIONAL.
  Below these 2 posts should give more details:
  Weblogic administrator account is inactive after enabling DB Authenticator
  Re: BPM 11g workspace not show user from OVD - top most authentication provider
  Thanks
  Ravi Jegga

• How to retrieve Global Roles in a the current security realm?

  Is there a WLS API available that obtains a list of mapped global roles (defined in a security realm) from an application?
  I want to be able to do a getRoles call against an authenticated user. So far, I'm only able to use isUserInRole. What I need is a list of all global roles mapped to a user's group.
  Thanks all...
  Message was edited by:
  raymondng

  You can refer to the api
  http://e-docs.bea.com/wls/docs81/javadocs/weblogic/management/security/authorization/RoleReaderMBean.html#getRoleExpression
  -Ramkumar

• Errors encountered while using a Custom Security Realm on a Platform Domain

  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portal application(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our application requirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user: wlisystem,
  for the servlet: ApplicationView for the webapp: /WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if the user
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: User wlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar from wlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: Authentication Failed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store to get
  rid of these errors. I would appreciate if anyone can suggest some tips or workarounds
  for configuring or creating a Custom Security Realm for Web Logic Platform Domain.
  Thanks
  Vikram

  Hello Vikram,
  Are you using the new WLS 7.0 security framework? It is not supported for
  Portal 7.0. For Portal 7.0 apps you have to use compatibility mode (6.x
  style) security.
  Ture Hoefner
  BEA Systems, Inc.
  www.bea.com
  "Vikram Datla" <[email protected]> wrote in message
  news:3e273015$[email protected]..
  >
  Hi,
  We have created a WebLogic Platform Domain. A WebLogic Portalapplication(Portal
  7.0) and some Web Service apps are running on this domain.
  We have created a Custom Security Realm b'cos of our applicationrequirements
  and now when I startup the Platform Domain, I see lot of errors.
  Some of the errors typically are
  "<Jan 16, 2003 4:07:02 PM EST> <Error> <HTTP> <101256> <The run-as user:wlisystem,
  for the servlet: ApplicationView for the webapp:/WLI_AI_Workshop_Control_Web,
  could not be resolved to a valid user in the system. Please check if theuser
  exists.
  javax.security.auth.login.LoginException: Authentication Failed: Userwlisystem
  denied in Realm Adapter realm weblogic"
  or
  Unable to deploy EJB: wlai-eventprocessor-ejb.jar fromwlai-eventprocessor-ejb.jar:weblogic.ejb20.WLDeploymentException:
  weblogic.ejb20.interfaces.PrincipalNotFoundException: AuthenticationFailed: User
  wlisystem denied in Realm Adapter realm weblogic
  Do we have to create any predefined user accounts in the Security Store toget
  rid of these errors. I would appreciate if anyone can suggest some tips orworkarounds
  for configuring or creating a Custom Security Realm for Web Logic PlatformDomain.
  >
  Thanks
  Vikram

• Use Microsoft Online Directory Services as a user authentication provider for our own SharePoint farm?

  Hi,
  I've managed to configure my farm so that  Microsoft Online Directory Services (Office 365 etc.) can be used for STS authentication, but what I'm actually trying to do is allow user authentication - that is, I'm hoping to be able to use the user's
  O365 credentials to authenticate them in my own farm so they can view certain parts of it. If I need to write my own login form or authentication provider or whatever that's fine, as long as the user doesn't need to enter anything when they access my farm
  (provided they already have cached O365 credentials in their browser session).
  FWIW I actually need to be able to support the possibility that users are coming from multiple O365 tenancies, whereby each site collection will be configured to allow users from a different O365 tenancy (more or less).
  If it's not possible to do with my own development farm on a PC, it is possible if the farm is hosted in Azure?
  Thanks
  Dylan

  Hi  Dylan,
  According to your description, my understanding is that you want to use Microsoft Online Directory Services as a user authentication provider for your SharePoint farm.
  For your demand, you can configure a hybrid topology for your SharePoint farm:
  http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx
  http://technet.microsoft.com/en-us/library/dn197168(v=office.15).aspx
  Thanks,
  Eric
  Forum Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support,
  contact [email protected]
  Eric Tao
  TechNet Community Support