
    Custom Identity Asserter for Weblogic 10.3.*

    760593
      Hello,

      I am developing a Single Sign On solution for my custom JEE application deployed on WebLogic 10.3.1. The Identity Provider is developed using Oracle Access Manager. My deployment topology includes an Apache web server configured as a reverse proxy in front of WebLogic. My application is deployed on WebLogic, and a virtual host entry has been created in Apache to forward the HTTP requests to WebLogic.

      I have installed Oracle WebGate on Apache to intercept requests and verify the ObSSOCookie. If this cookie is not in the HTTP header, I get a popup window asking for user id and password. So far so good. If I enter a valid user id and password I do get an ObSSOCookie in the HTTP header, but the request is not being forwarded to my WebLogic server. (This is the problem I am trying to figure out.)

      Here are more details:
      ===============

      I use http between Apache and WebLogic since it is the last mile in the request destination. I tried using oamAuthnProvider.jar for IdentityAssertion. When I configured this as my identity asserter my requests are going to weblogic initially but the cookie validation was always failing at OAM. Upon working with my OAM team, they said they do not support the cookie validation and I have to trust the cookie and move on to authentication.

      That's when I built a custom Identity Asserter based on the sample code (not too fancy) available around the web. I undeployed the oamAuthnProvider and deployed my custom authenticator to handle the ObSSOCookie. The HTTP requests from Apache are not forwarded to WebLogic after deploying my custom Identity Asserter. I removed my custom Identity Asserter and redeployed oamAuthnProvider: same issue.

      Any assistance is very very appreciated.

      Here is the MBean spec and the custom Identity Asserter implementation, if you would like to review them.

      Your help is very appreciated.



      <?xml version="1.0" ?>
      <!DOCTYPE MBeanType SYSTEM "commo.dtd">

      <MBeanType
      Name = "SimpleSampleIdentityAsserter"
      DisplayName = "SimpleSampleIdentityAsserter"
      Package = "examples.security.providers.identityassertion.simple"
      Extends = "weblogic.management.security.authentication.IdentityAsserter"
      PersistPolicy = "OnUpdate"
      >

      <MBeanAttribute
      Name = "ProviderClassName"
      Type = "java.lang.String"
      Writeable = "false"
      Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
      Default = "&quot;examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl&quot;"
      />
      <MBeanAttribute
      Name = "Description"
      Type = "java.lang.String"
      Writeable = "false"
      Default = "&quot;WebLogic Simple Sample Identity Asserter Provider&quot;"
      />

      <MBeanAttribute
      Name = "SupportedTypes"
      Type = "java.lang.String[]"
      Writeable = "false"
      Default = "new String[] {&quot;ObSSOCookie&quot;}"
      />

      <MBeanAttribute
      Name = "Base64DecodingRequired"
      Type = "boolean"
      Writeable = "true"
      Default = "false"
      Description = "Base 64 Decoding required"
      />

      <MBeanAttribute
      Name = "ActiveTypes"
      Type = "java.lang.String[]"
      Default = "new String[] {&quot;ObSSOCookie&quot;}"
      />



      //IdentityAsserterImpl

      package examples.security.providers.identityassertion.simple;

      import java.nio.charset.StandardCharsets;
      import java.util.HashMap;
      import java.util.Map;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.AppConfigurationEntry;
      import weblogic.management.security.ProviderMBean;
      import weblogic.security.service.ContextHandler;
      import weblogic.security.spi.AuthenticationProviderV2;
      import weblogic.security.spi.IdentityAsserterV2;
      import weblogic.security.spi.IdentityAssertionException;
      import weblogic.security.spi.PrincipalValidator;
      import weblogic.security.spi.SecurityServices;

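      /**
       * Identity asserter that maps an {@code ObSSOCookie} token of the form
       * {@code username=<name>} to a callback handler carrying that user name.
       *
       * <p>The token is accepted on trust: this class only checks the token type,
       * its class and the {@code username=} prefix. It does not validate the cookie
       * itself, so it relies on the upstream WebGate having done so. Every failed
       * check throws {@link IdentityAssertionException}; a check that merely logs
       * and falls through would let an arbitrary token assert an identity.
       *
       * <p>The {@code Base64DecodingRequired} MBean attribute is not read here;
       * presumably the server applies it before calling
       * {@link #assertIdentity} — confirm against the WebLogic SSPI docs.
       */
      public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
      {
          private static final String TOKEN_TYPE = "ObSSOCookie";
          private static final String TOKEN_PREFIX = "username=";
          /** Login module class used by both configuration entries below. */
          private static final String LOGIN_MODULE_CLASS = "security2.authenticate.LoginModuleImpl";

          private String description;

          /**
           * Caches the provider description built from the MBean's description and version.
           *
           * @param mbean    the provider's configuration MBean; must be a
           *                 {@code SimpleSampleIdentityAsserterMBean}
           * @param services security services supplied by the server (unused here)
           */
          public void initialize(ProviderMBean mbean, SecurityServices services)
          {
              System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
              SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean) mbean;
              description = myMBean.getDescription() + "\n" + myMBean.getVersion();
          }

          /** @return the description cached by {@link #initialize}; {@code null} before it runs */
          public String getDescription()
          {
              return description;
          }

          /** Logs shutdown; this provider holds no resources to release. */
          public void shutdown()
          {
              System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
          }

          /** @return this instance, which acts as its own identity asserter */
          public IdentityAsserterV2 getIdentityAsserter()
          {
              return this;
          }

          /**
           * Extracts the user name from an {@code ObSSOCookie} token.
           *
           * @param type    token type; must equal {@value #TOKEN_TYPE}
           * @param token   raw token; must be a non-empty {@code byte[]} whose text starts
           *                with {@value #TOKEN_PREFIX}
           * @param context request context (unused here)
           * @return a callback handler supplying the user name that follows the prefix
           * @throws IdentityAssertionException if the type, class, or format of the token
           *         is not what this asserter expects, or the user name is empty
           */
          public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws
              IdentityAssertionException
          {
              System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
              System.out.println("\tType\t\t= " + type);
              // The token is an SSO credential: log its shape, never its contents.
              System.out.println("\tToken\t\t= " + describeToken(token));

              if (!TOKEN_TYPE.equals(type)) {
                  fail("SimpleSampleIdentityAsserter received unknown token type \""
                      + type + "\"." + " Expected " + TOKEN_TYPE);
              }

              // null is handled inside describeToken, so a missing token is reported
              // as an assertion failure rather than a NullPointerException.
              if (!(token instanceof byte[])) {
                  fail("SimpleSampleIdentityAsserter received unknown token class \""
                      + describeToken(token) + "\"." + " Expected a byte[].");
              }

              byte[] tokenBytes = (byte[]) token;
              if (tokenBytes.length < 1) {
                  fail("SimpleSampleIdentityAsserter received empty token byte array");
              }

              // Explicit charset so the prefix check does not depend on the JVM default encoding.
              String tokenStr = new String(tokenBytes, StandardCharsets.UTF_8);
              System.out.println(" Token from OAM length = " + tokenStr.length());
              if (!tokenStr.startsWith(TOKEN_PREFIX)) {
                  // The token value itself is deliberately left out of the message.
                  fail("SimpleSampleIdentityAsserter received unknown token string."
                      + " Expected it to start with " + TOKEN_PREFIX);
              }

              String userName = tokenStr.substring(TOKEN_PREFIX.length());
              if (userName.isEmpty()) {
                  fail("SimpleSampleIdentityAsserter received token with empty user name");
              }
              System.out.println("\tuserName\t= " + userName);
              return new SimpleSampleCallbackHandlerImpl(userName);
          }

          /**
           * Logs the error and rejects the assertion.
           *
           * @param error message describing the failed check
           * @throws IdentityAssertionException always
           */
          private static void fail(String error) throws IdentityAssertionException
          {
              System.out.println("\tError: " + error);
              throw new IdentityAssertionException(error);
          }

          /**
           * Describes a token for logging without exposing its contents.
           *
           * @param token the raw token, possibly {@code null}
           * @return {@code "null"}, {@code "byte[<length>]"}, or the token's class name
           */
          private static String describeToken(Object token)
          {
              if (token == null) {
                  return "null";
              }
              if (token instanceof byte[]) {
                  return "byte[" + ((byte[]) token).length + "]";
              }
              return token.getClass().getName();
          }

          /**
           * Builds a SUFFICIENT login-module entry for {@value #LOGIN_MODULE_CLASS}.
           *
           * @param username value passed to the module as its {@code "username"} option
           * @return the configuration entry, also flagged with {@code fromIdentityAsserter=true}
           */
          private static AppConfigurationEntry loginModuleEntry(String username)
          {
              Map<String, String> configOptions = new HashMap<String, String>();
              configOptions.put("username", username);
              configOptions.put("fromIdentityAsserter", "true");
              return new AppConfigurationEntry(LOGIN_MODULE_CLASS,
                  AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT, configOptions);
          }

          /**
           * @return the login-module entry used for direct (non-asserted) logins
           */
          public AppConfigurationEntry getLoginModuleConfiguration()
          {
              // NOTE(review): the "username" option is a fixed literal, independent of any
              // asserted identity — confirm that the login module does not use it to pick
              // the principal; the value must be replaced before leaving development.
              return loginModuleEntry("hqs1");
          }

          /**
           * @return the login-module entry used after a successful {@link #assertIdentity}
           */
          public AppConfigurationEntry getAssertionModuleConfiguration()
          {
              // NOTE(review): same fixed "username" option as getLoginModuleConfiguration;
              // the asserted user name comes from the callback handler, not from here.
              return loginModuleEntry("XXX");
          }

          /**
           * @return {@code null}; presumably the realm's other providers validate the
           *         principals this asserter produces — verify against the configured
           *         Authenticator
           */
          public PrincipalValidator getPrincipalValidator()
          {
              return null;
          }
      }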


      Thanks
      Raj