3 Replies Latest reply: Jan 16, 2013 12:30 PM by Nilesh

Java security issue - if web.xml has <login-config> app avail w/ no log in

775976 Newbie
I am trying to use Java EE security. Following the docs (http://docs.oracle.com/cloud/CSJSU/dev_app.htm#BCEHFDFC).

The problem is, if a web app has <login-config> in web.xml, then users are not sent to the Cloud login screen when they access the app with its URL. Even if the entry is <login-config/>!
(I did a test with a very small web app. When I leave <login-config/> out of web.xml, then when I access the app URL, I first have to log in (when I Whitelist test it, I get a warning about that tag is missing). When I put <login-config/> in web.xml (the Whitelist warning goes away), but I can access the web app via its URL WITHOUT logging in at all.)

If users haven't logged in, then of course you don't know who they are and what their role is, so you cannot use normal web app security with protected resources.
  • 1. Re: Java security issue - if web.xml has <login-config> app avail w/ no log in
    879125 Newbie
    Hi,

    I understand it's a bit confusing. I apologize for that. We have tried to document the nuances in that link you provided.

    An empty <login-config/> makes all your pages public. The document link that you pointed out has this information -- here is what it says:

    "Public application. An application that completely requires public access without an SSO challenge must just include an empty <login-config/> element in web.xml."

    If you want your pages to be secured, you not only have to put <login-config/> but also provide <auth-method/> underneath it. Absence of <auth-method> makes the pages anonymous.

    For example, to make all your pages secured with SSO you have to add this:

    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>default</realm-name>
    </login-config>

    Other methods supported are BASIC and FORM.

    You can pick and choose which portion of your web page is to be protected by providing the <security-constraint>. This is also explained in that same link.

    Also, remember that you must set the <cookie-path> to a unique value if you have 2 or more apps deployed that require authentication.

    I hope this helps.

    Thanks,
    -Anand.
  • 2. Re: Java security issue - if web.xml has <login-config> app avail w/ no log in
    775976 Newbie
    Thanks. That clears up the public-ness of some web apps. (Not sure why, if a web app has NO <login-config> tag at all, the cloud requires a log in, but I'll leave that for the more pressing issues below.)

    I am still having trouble with my web app with protected resources, though. I have defined users and the "boss" role and assigned some users to the "boss" role by using the Identity Console. But the problem is that users are NOT required to log in when they access the web app! Since they don't log in, of course the role-based security does not work, since we don't know WHO they are when they request a protected resource.

    Here is the relevant part of web.xml:
    <security-constraint>
    <display-name>Constraint-0</display-name>
    <web-resource-collection>
    <web-resource-name>Constraint-0</web-resource-name>
    <url-pattern>/officeclosing/*</url-pattern>
    <url-pattern>/managers/*</url-pattern>
    <url-pattern>officeclosing.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>manager</role-name>
    </auth-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>default</realm-name>
    </login-config>
    <security-role>
    <role-name>manager</role-name>
    </security-role>

    And weblogic.xml:
    <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>trialabgx.boss</principal-name>
    </security-role-assignment>
    <session-descriptor>
    <cookie-path>timeoff</cookie-path>
    </session-descriptor>
    <context-root>/timeoff</context-root>

    What am I doing wrong?

    Thanks.
  • 3. Re: Java security issue - if web.xml has <login-config> app avail w/ no log in
    Nilesh Newbie
    Hello,
    Sorry for the delayed response.
    Let me answer your first question: "(Not sure why if a web app has NO <login-config> tag at all that the cloud requires a log in)".
    The reason behind this is that, as Oracle Public Cloud is an "Enterprise" Cloud offering, we have a secure-by-default security posture.
    This is to protect our customers so they don't expose applications to the "public" internet unintentionally.
    The explicit requirement of a login-config element enforces this security constraint.

    Regarding your web.xml and the weblogic.xml:
    web.xml looks fine to me; I suspect the weblogic.xml configuration may be the issue.
    If the role "boss" is created under service "java" (or whatever your service instance name is), then you should try the following in the weblogic.xml:

    <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>trialabgx.java.boss</principal-name> <!-- or trialabgx.<Your Service Instance Name>.boss -->
    </security-role-assignment>
    <session-descriptor>
    <cookie-path>timeoff</cookie-path>
    </session-descriptor>
    <context-root>/timeoff</context-root>
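
The two pitfalls the thread walks through (an empty <login-config/> silently making the whole app public, and a weblogic.xml principal that does not carry the service-instance segment) are easy to catch before deployment. The audit script below is an added example, not code from this thread or from Oracle; the two XML documents are constructed to mirror the configs posted above, and the "<domain>.<service>.<role>" principal shape it expects is taken from the last reply.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the web.xml / weblogic.xml posted in this thread.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Constraint-0</web-resource-name>
      <url-pattern>/managers/*</url-pattern>
      <url-pattern>officeclosing.html</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config/>
  <security-role><role-name>manager</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>manager</role-name>
    <principal-name>trialabgx.boss</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def _find_all(root, name):
    """Match on the local tag name so a default xmlns on the real file does not matter."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]


def audit(web_xml, weblogic_xml):
    """Return a list of findings; an empty list means none of the thread's pitfalls were seen."""
    web, wls, findings = ET.fromstring(web_xml), ET.fromstring(weblogic_xml), []
    login = _find_all(web, "login-config")
    if not login:
        findings.append("no <login-config>: the cloud challenges every request (secure-by-default)")
    elif not _find_all(login[0], "auth-method"):  # empty <login-config/> == public app
        findings.append("<login-config> without <auth-method>: whole app is PUBLIC, "
                        "so <security-constraint> roles can never be satisfied")
    for pat in _find_all(web, "url-pattern"):
        p = (pat.text or "").strip()  # Servlet spec patterns start with '/' or '*.'
        if not (p.startswith("/") or p.startswith("*.")):
            findings.append(f"url-pattern '{p}' is neither a path nor an extension mapping; likely never matches")
    mapped = {r.text.strip() for a in _find_all(wls, "security-role-assignment") for r in _find_all(a, "role-name")}
    for role in {r.text.strip() for c in _find_all(web, "auth-constraint") for r in _find_all(c, "role-name")}:
        if role not in mapped:
            findings.append(f"role '{role}' in <auth-constraint> has no <security-role-assignment> in weblogic.xml")
    for pn in _find_all(wls, "principal-name"):  # heuristic: expect <domain>.<service>.<role>
        if pn.text.strip().count(".") < 2:
            findings.append(f"principal '{pn.text.strip()}' lacks the service-instance segment")
    return findings
```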
