
SQL Developer Data Modeler

Adding/Mixing Data Modeler with Existing Git Project

_Dylan_Aug 10 2020 — edited Aug 12 2020

Is there any guidance for/against mixing a new Data Model with an existing Git project/repo? I have an existing git project that contains DDLs for different DB Objects, scripts used for deployments, xmls for related ETL Tools, etc. I would like to add a Data Model to the project, and going forward include model changes as part of feature branches that introduce those changes...if feasible. Maybe not so much if issuing git commands outside of the tool (like rebasing a long running feature branch) is likely to mess things up.

This post has been answered by Philip Stoyanov-Oracle on Aug 11 2020

Comments

Frank Nimphius-Oracle
Hi,

Yes and no. In WebLogic the authentication is performed by authentication providers. Depending on which provider you use, you can use the WebLogic JMX API to create new accounts. For example, if you use the WebLogic embedded LDAP server then this is possible to do. If you use OID then it is better to access OID directly to create users, because the generic LDAP provider that you can use to hook up OID to WLS does not support account creation.

Frank
Hi,

You can achieve this by using a SQL authentication provider. It gets the users and their roles & credentials from the db tables which you can configure in WLS. In JSF, you can create a creation form based on the table (which you configured for authentication), which can be used for the users to register.

Check out this doc for more information.

Regards,
Arun
703928
Hi,

Thank you for your quick answer. I spend in the same time to display images with ORDImage.

I'm a beginner, so I don't know whether I am using the LDAP server or OID. How can I find out?

Thank you
Regards
Hi,

It depends on your requirement. If the application that you would be deploying has a larger number of users, or the stored users would be used across multiple applications (Single Sign On kind of), then you can go for LDAP/OID. If it is for a simple purpose / used by a limited number of users, then you can use the SQL Authentication method (which just needs basic knowledge of SQL, for creating tables and using select statements).

So, in order to suggest a better solution, let us know your scenario / usage.

Regards,
Arun
703928
Hi,

My application will concern around 100 people, and more later. I don't want a limit.

Regards
Hi,

Check out this page.

http://download.oracle.com/docs/cd/E13155_01/wlp/docs103/security/planning.html

It will surely help you to formulate your strategy and to narrow down to the authentication provider that would suit your scenario.

Regards,
Arun
703928
Hi,

To answer your question about my scenario, I only need 'normal' users; I don't want to create groups or roles like administrator, user, visitors.
OK, I'm not sure you understood my question, because this documentation only covers configuration in the WebLogic console, doesn't it?

I will reformulate:
Now, if I would like to create a new user, I need to create the user via the WebLogic console and the datasource.
Is it possible to create a new user via a JSP/JSF page?

Only authentication works (I show you my login page):

*****************************************

<html>
<body>

<h3>
Security WebApp login page
</h3>
Please enter your user name and password:
<p>
&nbsp;
</p>
<form method="POST" action="j_security_check">
<table border="1">
<tr>
<td>Username:</td>
<td>
<input type="text" name="j_username" id="currentuser"/>
</td>
</tr>
<tr>
<td>Password:</td>
<td>
<input type="password" name="j_password"/>
</td>
</tr>
<tr>
<td colspan="2" align="right">
<input type="submit" value="Submit"/>
</td>
</tr>
</table>
</form>

</body>
</html>

**********************************************

Thank you

Regards
Ok,

here you go.

http://biemond.blogspot.com/2008/12/using-database-tables-as-authentication.html

This document has a step-by-step procedure to set up the SQL Authentication provider with custom db tables with user details.

Once you have configured your WLS with the provider and the other setup, you can create a jspx page with the creation form based on the user table, which can be used as the Register page.

Make this Register page unsecured and provide a link for this in your Login page where the user can click and Sign up/register.

Let us know how it goes.

HTH.

Regards,
Arun
703928
Hi,

Now I have configured the SQL authentication. If I change the password in the console, it changes automatically in the database.
So that works, but I think I am missing something because the authentication doesn't work.
Maybe in WebLogic...

My weblogic is this:

<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:wls="http://www.bea.com/ns/weblogic/90"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd
http://www.bea.com/ns/weblogic/90
http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
<wls:context-root>AuthenticationWeb</wls:context-root>
<wls:security-role-assignment>
<wls:role-name>miccroomrole</wls:role-name>
<wls:principal-name>paul.henry@oracle.com</wls:principal-name>
<wls:principal-name>juan.mike@oracle.com</wls:principal-name>

</wls:security-role-assignment>
<wls:session-descriptor>
<wls:persistent-store-type>replicated_if_clustered</wls:persistent-store-type>
</wls:session-descriptor>
</wls:weblogic-web-app>

Thank you

Edited by: youlewinner on 27 Jul 2009 05:27
Hi,

What do you mean by it is not working? Does it throw any error when you login?

Have you set the Control Flag to Sufficient? (You need to set the same for the DefaultAuthenticator also.)

Regards,
Arun
703928
Hi,

It doesn't work; I mean, when I log in with the user in the database, I go directly to the error login page.
If I use the old login with the old password (because before changing to SQL authentication, my authentication worked), it still works.

The Control Flag was set to Sufficient for db_users but not for the DefaultAuthenticator. So I changed it, and now I have the same problem: I go directly to the error login page.

Regards and thank you
Have you restarted the WLS after changing the control flag for the DefaultAuthenticator?
Also check out if you've got any SQL Exception in your WLS log.
703928
Yes I restarted the WLS after changing it.

I have 3 authentication providers: DefaultAuthenticator, DefaultIdentityAsserter, db_users. Do I need DefaultIdentityAsserter? Should I set a parameter in it?

In DefaultAuthenticator, should I tick "Use Retrieved User Name As Principal"?

You are right, I have a problem with SQL; I can see it in the log. I will resolve it. But I have a question: should I fill in all the SQL statements in WLS? I don't use groups, roles or members, so I didn't fill those in, only the first 6.

Thank you

Edited by: youlewinner on 27 Jul 2009 06:07
Arunkumar Ramamoorthy-Oracle
I hope you are using Form Based authentication. Can you double check if your welcome/success page is the error page ;-)
Answer
youlewinner wrote:
> Yes I restarted the WLS after changing it.
>
> I have 3 authentication providers: DefaultAuthenticator, DefaultIdentityAsserter, db_users. Do I need DefaultIdentityAsserter? Should I set a parameter in it?

No, DefaultIdentityAsserter is created by default. You don't need to modify / delete it to make SQLAuthenticator work.

> In DefaultAuthenticator, should I tick "Use Retrieved User Name As Principal"?

No, it is not required to change anything in the DefaultAuthenticator other than the control flag.

> You are right, I have a problem with SQL; I can see it in the log. I will resolve it. But I have a question: should I fill in all the SQL statements in WLS? I don't use groups, roles or members, so I didn't fill those in, only the first 6.

AFAIK, you need to have SQL Queries for Users, Roles and Groups.

> Thank you
>
> Edited by: youlewinner on 27 Jul 2009 06:07

Regards.
Arun
Marked as Answer by 703928 · Sep 27 2020
703928
Thank you for the last post.

So I need to change my database and add columns for group and roles in the employee table, alright?

Can I leave the SQL member statement and description statement unfilled?

Regards
703928
I think and I hope it's the last question:
Do I need to configure ADF Security as in the previous blog post of Edwin Biemond (http://biemond.blogspot.com/2008/12/using-weblogic-provider-as.html)? If yes, how do you fill in the "LDAP identity Store"? I don't understand the "LDAP connection user" --> "o=sgi,c=us", and is the "LDAP URL" the login page?
And I don't really get "User name attribute" and "group name attribute".

Regards

Edited by: youlewinner on 27 Jul 2009 06:44
Hi,

You don't need to configure with LDAP, you can select FORM-BASED and proceed.

Regards,
Arun
703928
Hi,

I filled in the SQL statements. Now when I try to log in I get this message:

****
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized

The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
****

Then, I'm not sure about my 'config.xml'. Should I add this:
***
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
****

because I haven't seen it on the blog of Edwin Biemond and I already have it.

The config.xml:
****
...

<name>DefaultDomain</name>
<domain-version>10.3.0.0</domain-version>
<security-configuration>
<name>DefaultDomain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>

<sec:authentication-provider xsi:type="wls:sql-authenticatorType">
<sec:name>db_users</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:enable-group-membership-lookup-hierarchy-caching>false</wls:enable-group-membership-lookup-hierarchy-caching>
<wls:data-source-name>miccroom</wls:data-source-name>
<wls:plaintext-passwords-enabled>true</wls:plaintext-passwords-enabled>
<wls:sql-get-users-password>SELECT password FROM employee WHERE employee_name = ?</wls:sql-get-users-password>
<wls:sql-user-exists>SELECT employee_name FROM employee WHERE employee_name = ?</wls:sql-user-exists>
<wls:sql-list-member-groups>SELECT id_role FROM employee WHERE employee_name = ?</wls:sql-list-member-groups>
<wls:sql-list-users>SELECT employee_name FROM employee WHERE employee_name LIKE ?</wls:sql-list-users>

<wls:sql-list-groups>SELECT role_name FROM roles WHERE role_name LIKE ?</wls:sql-list-groups>
<wls:sql-group-exists>SELECT role_name FROM roles WHERE role_name = ?</wls:sql-group-exists>
<wls:sql-is-member>SELECT employee_name FROM employee WHERE id_role = ? AND employee_name = ?</wls:sql-is-member>

<wls:password-style>PLAINTEXT</wls:password-style>
<wls:sql-create-user>INSERT INTO employee ( id_employee , employee_name , password, id_role ) VALUES ( ? , ? , ?, ? )</wls:sql-create-user>
<wls:sql-remove-user>DELETE FROM employee WHERE employee_name = ?</wls:sql-remove-user>
<wls:sql-remove-group-memberships>DELETE FROM employee WHERE employee_name = ? OR role_name = ?</wls:sql-remove-group-memberships>

<wls:sql-set-user-password>UPDATE employee SET password = ? WHERE employee_name = ?</wls:sql-set-user-password>
<wls:sql-create-group>INSERT INTO roles VALUES ( ? , ? )</wls:sql-create-group>

<wls:sql-add-member-to-group>INSERT INTO employee ( id_employee , employee_name , password, id_role ) VALUES( ?, ?, ?, ?)</wls:sql-add-member-to-group>
<wls:sql-remove-member-from-group>DELETE FROM employee WHERE id_role = ? AND employee_name = ?</wls:sql-remove-member-from-group>
<wls:sql-remove-group>DELETE FROM roles WHERE role_name = ?</wls:sql-remove-group>
<wls:sql-remove-group-member>DELETE FROM employee WHERE id_role = ?</wls:sql-remove-group-member>
<wls:sql-list-group-members>SELECT employee_name FROM employee WHERE role_name = ? AND employee_name LIKE ?</wls:sql-list-group-members>
</sec:authentication-provider>

<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>

...

****


Thank you

Edited by: youlewinner on 28 Jul 2009 03:15
Hi,

Can you try changing the realm name in jazn-data.xml ?

Open 'jazn-data.xml'

Click on 'Users' button, opens 'Edit JPS Identity & Policy Store'

Select 'jazn.com' node and modify the name to 'myrealm'

Select 'Roles' under 'myrealm' and add 'valid-users', and then click on the OK button to close the dialog

-Arun
703928
Hi,

I'm a little bit lost; it doesn't work. To take stock: now when I log in it shows "Error 403 - Forbidden", and if I make an error in the login or password I go to the errorlogin page. I have a couple of questions:

Q1: Should I create an authentication provider named ldap? (I have 3 authentication providers: DefaultAuthenticator, DefaultIdentityAsserter and db_users.)

Q2: Is it a problem if in group for user I have a number and not "user" (because it's the id_role and not the role_name)?

Q3: About that, do I need to drag and drop admin and user? (Because when I do it, I get this error message: "Message icon - Error Missing IN or OUT parameter at index:: 3 Message icon - Error Errors must be corrected before proceeding.")

Q4: If I don't use ldap in ADF Security I have to use XML. What exactly is "Grant option"? I don't know what the best way is. In Configure ADF Security, my configuration is: ADF Authentication and Authorization, Form-Based Authentication and /login.jps and /loginError.jsp, Application XML, Grant to new Objects (I'm not sure about it), "Redirect Upon Successful Authentication" ticked and the homepage.jspx for welcome page, and finish.
Is it good?

Thank you
703928
Hello,

I use all the information (login, password...) in the database. So maybe I need to tick "RDBMS Security Store Enabled"?

Right now when I log in, I go directly to the error login page.

Thank you
Regards
Hi,

Enable the log in WLS and see what is going on. It might be that one of the SQL statements (entered for the SQL Authenticator) is giving an error.

Thanks,
Arun
Hmmm...

In your provider specific config page, check the Plaintext Passwords Enabled check box and also set the Password Style to PLAINTEXT and try again?

-Arun
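
An added example, not part of any post in this thread: a Python check that reads a realm fragment shaped like the config.xml posted above and reports each authenticator's control flag plus any SQL authenticator that stores passwords in plaintext. The sample XML and its namespace URIs are constructed placeholders, `audit_realm` is a hypothetical helper, and a missing control-flag element is assumed to mean the server default applies.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample: a trimmed realm modelled on the config.xml posted above.
# The sec/wls namespace URIs are placeholders; matching uses local names only.
SAMPLE_REALM = """\
<realm xmlns:sec="urn:example:sec" xmlns:wls="urn:example:wls"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <sec:authentication-provider xsi:type="wls:default-authenticatorType"/>
  <sec:authentication-provider xsi:type="wls:default-identity-asserterType">
    <sec:active-type>AuthenticatedUser</sec:active-type>
  </sec:authentication-provider>
  <sec:authentication-provider xsi:type="wls:sql-authenticatorType">
    <sec:name>db_users</sec:name>
    <sec:control-flag>SUFFICIENT</sec:control-flag>
    <wls:plaintext-passwords-enabled>true</wls:plaintext-passwords-enabled>
    <wls:password-style>PLAINTEXT</wls:password-style>
  </sec:authentication-provider>
</realm>
"""

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def audit_realm(xml_text):
    """Return (authenticators, findings) for one <realm> element."""
    authenticators, findings = [], []
    for el in ET.fromstring(xml_text).iter():
        ptype = el.get(XSI_TYPE, "").split(":")[-1]
        if local(el.tag) != "authentication-provider":
            continue
        if not ptype.endswith("authenticatorType"):
            continue  # skip non-authenticators such as the identity asserter
        props = {local(c.tag): (c.text or "").strip() for c in el}
        name = props.get("name", ptype)
        # Assumption: a missing control-flag element means the server default.
        authenticators.append((name, props.get("control-flag", "(not set)")))
        if ptype != "sql-authenticatorType":
            continue
        if props.get("plaintext-passwords-enabled", "").lower() == "true":
            findings.append(f"{name}: plaintext-passwords-enabled is true")
        if props.get("password-style", "").upper() == "PLAINTEXT":
            findings.append(f"{name}: password-style is PLAINTEXT")
    return authenticators, findings

if __name__ == "__main__":
    auths, issues = audit_realm(SAMPLE_REALM)
    for name, flag in auths:
        print(f"authenticator {name}: control-flag={flag}")
    for issue in issues:
        print("FINDING", issue)
```

Run against a real config.xml, pass only the `<realm>` element or the whole file; the walk is by local element name, so the domain's actual namespace URIs do not matter.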