4 Replies Latest reply on Apr 24, 2017 12:41 PM by Luis

    ORDS is not authentication against Weblogic Server Repository

    Luis

      Hello there,

      I can see that there are a few related discussions but all of them are archived:

      ORDS - RESTful Authentication without OAuth in Weblogic. Privileges, groups?

      ORDS Weblogic Authentitication and Get User Info Rest API

      SSO in APEX - Apex Listener (ORDS) on Weblogic

      What I want to achieve is exactly what is NOT explained in this tutorial: "This document does not describe how to integrate WebLogic Server and GlassFish with the many popular user repository systems such as LDAP repositories, but Oracle REST Data Services can authenticate against such repositories after WebLogic Server or GlassFish has been correctly configured."

       

      What I have so far is:

      • ORDS enabled for one table (DEPLOYMENT) in my schema
      • Oracle REST Data Services role (crud-deployments)
      • A privilege (crud-operations-on-deployment-table) mapped to that role
      • And I have mapped that privilege against a mapping (/deployment/*)

      All of the above means that only the users with the role crud-deployments can access the services behind the /deployment/* URL. So if I make a request against any protected resource (e.g. https://my.domain.com/ords/my_schema/deployment/) I am redirected to the ORDS sign-in URL: https://my.domain.com/ords/my_schema/sign-in/?r=deployment%2F

      The /ords application is deployed in an Oracle Weblogic Server 12.1.3 with the LDAPAuthenticator. This authenticator is rightly configured and my users can authenticate.

      The problem is that the ORDS sign-in form always replies with a 401 Unauthorized. Just a few lines for brevity:

       

      UnauthorizedException [statusCode=401, reasons=[]]
      at oracle.dbtools.http.auth.RequestAuthorizationProvider.authorize(RequestAuthorizationProvider.java:145)
      .../...
      Caused by: NotAuthorizedException [authConstraint=crud-operations-on-deployment-table, error=null]
      at oracle.dbtools.http.auth.RequestAuthorizationProvider.authorize(RequestAuthorizationProvider.java:142)
      

       

      However, it works if I bypass the sign-in form by including the "Authorization: Basic XXXX" header in my request, e.g.:

      curl --basic --user myuser https://my.domain.com/ords/my_schema/deployment/

       

      Any thoughts on this?

       

      Thanks in advance,

       

      Luis

       

      ps: I will provide some log traces about this.

       

      pps: my final aim is to make this work for OAUTH2 clients and integrate it with our SSO solution (SAML2).

       

      Message was edited by: Luis. The role is crud-deployments and not crud-operations-on-deployment-table; this means that your user needs to be a member of the crud-deployments group in the LDAP.

        • 1. Re: ORDS is not authentication against Weblogic Server Repository
          Luis

          Hello there,

           

          As promised, some debugging.

           

          Basic authentication: it works

           

          curl -v --basic --user XXXX:YYYY http://localhost:8001/ords/my_schema/deployment/
          
          *  About to connect() to localhost port 8001 (#0)
          *  Trying ::1...
          * Connected to localhost (::1) port 8001 (#0)
          * Server auth using Basic with user 'XXXX'
          > GET /ords/my_schema/deployment/ HTTP/1.1
          > Authorization: Basic ZZZZZZZZZ
          > User-Agent: curl/7.29.0
          > Host: my.domain.com:8001
          > Accept: */*
          
          < HTTP/1.1 200 OK
          < Date: Fri, 07 Apr 2017 08:51:13 GMT
          < Transfer-Encoding: chunked
          < Content-Type: application/json
          < X-ORACLE-DMS-ECID: 32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8
          < ETag: "o3U1gFI2WWhhxoCbQQ3HsCgrfMVLkWUdQIVLEZFbeQAEV1kMo9G3Al0yofxw+9ZUy4ir85qJtFtz9QAq2/uVNQ=="
          < Set-Cookie: JSESSIONID=AAASDASDAD; path=/; HttpOnly
          < X-ORACLE-DMS-RID: 0
          < 
          {"items":[...,{"rel":"first","href":"http://localhost:8001/ords/devdb11/cerndb_mwctl_a_01_dev/deployment/"}]}
          

           

          In the managed server logs I can see that the user is being authenticated by my LDAPAuthenticator:

           

          My principals are created correctly:

           

          ####<Apr 7, 2017, 10:51:13,855 AM CEST> <Debug> <SecurityAtn> <pcitdes12.cern.ch> <server1> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8> <1491555073855> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate authenticate succeeded for user j2eeps, Identity=Subject: 24
                  Principal = class weblogic.security.principal.WLSUserImpl("XXXX")
                  Principal = class weblogic.security.principal.WLSGroupImpl("crud-operations-on-deployment-table")
          > 
          ####<Apr 7, 2017, 10:51:13,855 AM CEST> <Debug> <SecurityAtn> <pcitdes12.cern.ch> <server1> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8> <1491555073855> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <weblogic.security.service.internal.WLSJAASLoginServiceImpl$ServiceImpl.authenticate login succeeded and XXXX was not previously locked out>
          

           

          And ORDS is taking over the request:

           

          ####<Apr 7, 2017, 10:51:13,856 AM CEST> <Debug> <oracle.dbtools> <pcitdes12.cern.ch> <server1> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <j2eeps> <> <32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8> <1491555073856> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <authenticated request as: --Attributes--
          weblogic.servlet.network_channel.port = 8001
          apex.diagnostic.context = ...
          oracle.dbtools.http.ecid = 32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8
          ECID-Principal = ECIDPrincipal [ecid=32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8]
          oracle.dbtools.common.di.Services = URL Mapped Scope
          --Attributes--
          GET /ords/devdb11/cerndb_mwctl_a_01_dev/deployment/ HTTP/1.1
          Host: localhost
          Authorization: Basic xxxx
          User-Agent: curl/7.29.0
          Host: localhost:8001
          Accept: */*
          
          Principal: {user: XXXX, roles: [crud-operations-on-deployment-table]} weblogic.servlet.internal.ServletInputStreamImpl@27a3e747
          
          >
          

           

          ORDS authorizes the request:

           

          ####<Apr 7, 2017, 10:51:14,583 AM CEST> <Debug> <oracle.dbtools> <pcitdes12.cern.ch> <server1> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <j2eeps> <> <32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8> <1491555074583> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <XXXX is authorized to access: [EndUserAuthorizationConstraintImpl [name=crud-operations-on-deployment-table, roles=[crud-deployments], challenges=[]]]>
          

           

          And finally executes it:

           

          ####<Apr 7, 2017, 10:51:14,584 AM CEST> <Debug> <oracle.dbtools> <pcitdes12.cern.ch> <server1> <[ACTIVE] ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'> <j2eeps> <> <32a33e64-0c2b-406b-af58-ba1a2ea65828-000020d8> <1491555074584> <[severity-value: 128] [rid: 0] [partition-id: 0] [partition-name: DOMAIN] > <BEA-000000> <select * from (
          select q_.* , row_number() over (order by 1) rn___ from (
          select
           "USER_RESOURCE_ID",
           "CREATION_DATE",
           "IS_DEPLOYED",
           "NAME",
           "REPOSITORY_NAME",
           "STATE",
           "SYS_ID",
           "VERSION",
           "APPLICATION_ID"
          from
           "DEPLOYMENT") q_
          ) 
          where rn___ between :row_offset and :row_count declares the following explicit parameters, but does not reference them: page_size>
          

           

          NOTE: my managed server logging properties look like this:

          • Minimum severity to log: Trace
          • Platform Logger Levels: oracle.dbtools=FINE
          • Log file. Severity level: Debug

           

          More to come, stay tuned!

           

          Luis
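Added example (not code from this thread, from ORDS or from WebLogic): a small Python check that parses the "Principal: {user: ..., roles: [...]}" lines ORDS writes at oracle.dbtools=FINE, as shown in the log above, and applies the rule from the edited first post, i.e. the LDAP group must match the ORDS role (crud-deployments), not the privilege name (crud-operations-on-deployment-table). The privilege definition, user names and log excerpts are constructed, and fnmatch stands in for ORDS's own URL pattern matching.

```python
import re
from fnmatch import fnmatch

# Constructed privilege definition mirroring the thread: privilege name, required ORDS role(s), URL pattern.
PRIVILEGE = {
    "name": "crud-operations-on-deployment-table",
    "roles": {"crud-deployments"},
    "pattern": "/deployment/*",
}

# Shape of the principal line ORDS logs at oracle.dbtools=FINE, e.g.
#   Principal: {user: XXXX, roles: [crud-operations-on-deployment-table]}
PRINCIPAL_RE = re.compile(r"Principal: \{user: ([^,}]+), roles: \[([^\]]*)\]\}")

def parse_principal(log_line):
    """Return (user, set of role names) from an 'authenticated request as' line, else None."""
    m = PRINCIPAL_RE.search(log_line)
    if not m:
        return None
    roles = {r.strip() for r in m.group(2).split(",") if r.strip()}
    return m.group(1).strip(), roles

def authorize(path, principal_roles, privilege=PRIVILEGE):
    """Approximate the ORDS check (fnmatch stands in for its URL matcher): returns (allowed, reason)."""
    if not fnmatch(path, privilege["pattern"]):
        return True, "path is not protected by privilege %s" % privilege["name"]
    granted = privilege["roles"] & principal_roles
    if granted:
        return True, "authorized via role(s) %s" % sorted(granted)
    # The trap from the thread: the LDAP group was named after the privilege, not the role.
    if privilege["name"] in principal_roles:
        return False, ("group '%s' is the privilege name; ORDS needs membership in role "
                       "group(s) %s" % (privilege["name"], sorted(privilege["roles"])))
    return False, "no matching role; required one of %s" % sorted(privilege["roles"])

# Constructed log excerpts in the shape shown in the thread (users/groups are placeholders).
SAMPLE_LOG = [
    "Principal: {user: alice, roles: [crud-operations-on-deployment-table]} weblogic.servlet.internal.ServletInputStreamImpl@1",
    "Principal: {user: bob, roles: [crud-deployments, developers]} weblogic.servlet.internal.ServletInputStreamImpl@2",
]

def check_log(lines, path="/deployment/"):
    """Run every principal line through authorize(); returns {user: (allowed, reason)}."""
    results = {}
    for line in lines:
        parsed = parse_principal(line)
        if parsed:
            user, roles = parsed
            results[user] = authorize(path, roles)
    return results
```

Running check_log over a real managed-server log (grep for "Principal: {user:") gives one verdict per authenticated user, which makes the role-name versus privilege-name mix-up visible without retrying the sign-in form.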

          • 2. Re: ORDS is not authentication against Weblogic Server Repository
            Luis

            Hello there,

             

            It turns out that with another user account it works! The difference lies in the number of LDAP groups that this user is a member of:

             

            <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 22 principals IT WORKS!

             

            And my original user account:

             

            <weblogic.security.service.internal.WLSIdentityServiceImpl.getIdentityFromSubject Subject: 284 principals IT FAILS!

             

            Any thoughts on this?

             

            Thank you in advance,

             

            Luis


            • 3. Re: ORDS is not authentication against Weblogic Server Repository
              Luis

              Hello there,

               

              It turns out that it works against WebLogic SAML Authentication Provider. I do think that it deserves an entry on our blog.

               

              About the LDAP one, I have opened an SR with support, let's see...

               

              Cheers,

               

              Luis