0 Replies Latest reply: Oct 9, 2012 10:48 AM by 967173 RSS

    SAML and CLIENT-CERT for webservice application deployed in WL 10.3.5

    967173
      Hi All
      We have developed a JAX-WS WebService and deployed it on a WL 10.3.5 server. The authentication for the web application is based on SAML 2.0. The token is provided by GetAccess IDP.The application is working fine. However, we want to add another layer of authetication for the application which is CLIENT-CERT based. For the same, I have created user (CN1) on Weblogic with the same name as the CN of the client certificate. I have created a group (G1) and added the user CN1 to the group. I have also created a policy (P1) and used criteria to allow only CN1 and G1 to allow access using the User and Group predicates. The following piece of code is also added to the web.xml file deployed on the application.

      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      </login-config>

      When we are passing a correct certificate and a correct SAML token, we are getting the error - "Client Authentication failed". In the logs, we are able to see successful parsing of the SAML token to retrieve the group. After that we see the following:

      <?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><S:Fault xmlns:ns4="http://www.w3.org/2003/05/soap-envelope"><faultcode>S:Client.Authentication</faultcode><faultstring>Access denied to operation getContentbyID</faultstring><detail><java:string xmlns:java="java.io">weblogic.wsee.util.AccessException: Access denied to operation getContentbyID
      </java:string></detail></S:Fault></S:Body></S:Envelope>


      Can you please guide me to debug the issue? Is it not possible to use both SAML2.0 and CLIENT-CERT on the same application?