2 Replies Latest reply: Feb 7, 2013 9:29 AM by 935795

    Role and Principal/User mapping

    935795
      Hello,
      I have a web application that uses Form based authentication. The authentic users are in the Active Directory. The roles and groups are configured in web and weblogic xmls. I have configured the LDAP provider in weblogic and can see the users of Active Directory. Now, how do I map the user/principal of Active Directory to a role in my web application? I am using a weblogic tutorial http://docs.oracle.com/cd/E24329_01/web.1211/e24485/thin_client.htm#i1057576 and have done as indicated. But there is some link missing.

      web.xml
      <!-- Homepage access -->
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Homepage</web-resource-name>
          <!-- Actions -->
          <url-pattern>/home.action</url-pattern>

          <!-- Pages -->
          <url-pattern>/espManager.jsp</url-pattern>

          <!-- HTTP Methods -->
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>admin</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- login security -->
      <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>ES Manager Application</realm-name>
        <!-- <realm-name>myrealm</realm-name> -->
        <form-login-config>
          <form-login-page>/login.jsp</form-login-page>
          <form-error-page>/loginError.jsp</form-error-page>
        </form-login-config>
      </login-config>

      <!-- Security roles -->
      <security-role>
        <description>Power Users</description>
        <role-name>admin</role-name>
      </security-role>

      weblogic.xml
      <weblogic-web-app>
        ...
        <security-role-assignment>
          <role-name>admin</role-name>
          <principal-name>STPAdminGroup</principal-name>
          <principal-name>raj.so</principal-name>
        </security-role-assignment>
        ...
      </weblogic-web-app>

      How do I tell weblogic that the user raj.so who also belongs to the group STPAdminGroup is authorised to access the home page? I get a 403:forbidden when I use the login credentials of raj.so and password.
      Is there anything I have to do other than configuring 'ES Manager Application' security realm?

      Your help will be very useful.

      Regards,
      Raj
        • 1. Re: Role and Principal/User mapping
          935795
          Hi,

          I just rewrote the web.xml with a non-existing security realm and that did not produce a different error message.

          <login-config>
            <auth-method>FORM</auth-method>
            <realm-name>ABCDEFGHIJKLMN REALM</realm-name>
            <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginError.jsp</form-error-page>
            </form-login-config>
          </login-config>

          At the moment, the only error message is from j_security_check and tells 403 forbidden. This is not sufficient and I am blindfolded.
          May I know how you debug login problems?

          Regards,
          Raj
          • 2. Re: Role and Principal/User mapping
            935795
            hello weblogic users,

            I have made a discovery, but yet to see the light. Can someone who has made login for their apps help?

            I replaced a newly created security realm with the default realm - myrealm. I deleted the active directory ldap with the weblogic embedded ldap. The weblogic.xml now is
            <security-role-assignment>
              <role-name>admin</role-name>
              <principal-name>system</principal-name>
            </security-role-assignment>

            That means the application in war should let the weblogic admin console user - system.
            This works :-)

            So, I created a user myadmin in the embedded ldap server and tried to log in. That is not permitted. Does this give a clue? Or do you understand why, what is happening?
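
A descriptor cross-check for the web.xml / weblogic.xml pair posted in this thread, added here as an example and not part of the original posts. The function names (`named`, `texts`, `audit`) are hypothetical, and the input is the thread's fragments wrapped in root elements. It reports roles used in an auth-constraint that are undeclared or unmapped, and constraints that list http-method elements, since such a constraint applies only to the listed methods.

```python
import xml.etree.ElementTree as ET

# Constructed input: the thread's fragments wrapped in root elements.
WEB_XML = """<web-app><security-constraint>
  <web-resource-collection>
    <url-pattern>/home.action</url-pattern>
    <url-pattern>/espManager.jsp</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>admin</role-name></auth-constraint>
</security-constraint>
<security-role><role-name>admin</role-name></security-role></web-app>"""

WEBLOGIC_XML = """<weblogic-web-app><security-role-assignment>
  <role-name>admin</role-name>
  <principal-name>STPAdminGroup</principal-name>
  <principal-name>raj.so</principal-name>
</security-role-assignment></weblogic-web-app>"""

def named(root, name):
    """Elements called `name`, ignoring any XML namespace on the tag."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]
def texts(root, name):
    return [e.text.strip() for e in named(root, name) if e.text and e.text.strip()]

def audit(web_xml, weblogic_xml):
    web, wls = ET.fromstring(web_xml), ET.fromstring(weblogic_xml)
    declared = {r for sr in named(web, "security-role") for r in texts(sr, "role-name")}
    principals = {}  # role name -> principals mapped to it in weblogic.xml
    for a in named(wls, "security-role-assignment"):
        for role in texts(a, "role-name"):
            principals.setdefault(role, []).extend(texts(a, "principal-name"))
    findings = []
    for sc in named(web, "security-constraint"):
        urls, methods = texts(sc, "url-pattern"), texts(sc, "http-method")
        if methods:  # unlisted methods are outside this constraint
            findings.append(f"{urls}: constraint covers only {methods}")
        for ac in named(sc, "auth-constraint"):
            for role in texts(ac, "role-name"):
                if role == "*": continue  # wildcard: every declared role
                if role not in declared:
                    findings.append(f"role '{role}' has no <security-role>")
                if not principals.get(role):
                    findings.append(f"role '{role}' has no principal mapping")
    return principals, findings

if __name__ == "__main__":
    principals, findings = audit(WEB_XML, WEBLOGIC_XML)
    print(principals, *findings, sep="\n")
```

A clean result means only that the two descriptors agree with each other; it does not show whether the security realm returns those principals for the authenticated user.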