I guess I am ashamed and embarrassed not to know a solution to this problem even after using WebLogic for so many years.
Here is my problem:
1) I have three WebLogic servers - all in different clusters. WebLogic A, B and C. WebLogic A has a web app A.
WebLogic B has an EJB B. WebLogic C has EJB C. The invocation sequence is:
Web App A calls --> EJB B calls --> EJB C
I want to pass the identity of the original user for the entire call sequence.
2) The WebApp A uses j_security_check and an iPlanet LDAP Authenticator to log in the end user "jdoe".
3) When I try accessing EJB B from Web App A, I get the following error message on WebLogic B - "Invalid Subject: jdoe".
The error makes sense because WebLogic B does not know about user jdoe. But what steps are required to get this entire A --> B --> C sequence working? I went through the entire WebLogic docs. I cannot find a complete solution to this problem.
a) Do I need to write a custom identity asserter for WebLogic B and WebLogic C that checks the existence of the user and his roles in iPlanet LDAP?
b) I tried setting up a new default identity asserter and set "Trusted Client Principals" to * and Token Type to "CSI.PrincipalName". But that didn't help either.
c) Furthermore - how can I secure messages between the three servers and still pass the identity of "jdoe"? I used mutual SSL (I set up custom key and trust stores for all servers, each server trusts the other servers' keys with the "client cert enforced" option, and I used t3s for the EJB invocation), but then the EJB invocation worked with the <anonymous> principal - which is not exactly what I wanted.
For a long time I have read about CSIv2 and identity propagation etc., and when I start to implement it I just don't know how to proceed.
Any solution or suggestion is appreciated.
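The following is an added illustration of the mechanism the question is about, not WebLogic code and not from the original post: a small model of how a receiving server decides who a forwarded call runs as when the immediate caller has been authenticated by mutual TLS and forwards the original user's name as a CSI.PrincipalName token. It reproduces the two outcomes described above (<anonymous> when only the transport is authenticated, "Invalid Subject" when the asserted user is unknown to the receiver's realm) and shows the full A --> B --> C chain succeeding when each hop trusts its caller and every realm can resolve the user. All realm contents, server principal names and the functions below are constructed for the example.

```python
"""Toy model of CSIv2-style identity assertion at a receiving server.

Added illustration, not WebLogic's implementation. Realm contents, server
principals ("weblogic-a", "weblogic-b") and all helper names are made up.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ANONYMOUS = "<anonymous>"
CSI_PRINCIPAL_NAME = "CSI.PrincipalName"


class IdentityAssertionError(Exception):
    """Raised when the receiver refuses to accept an asserted identity."""


@dataclass
class Realm:
    """Users this server can resolve (e.g. the LDAP directory its realm points at)."""
    users: Dict[str, Set[str]]  # user name -> roles


@dataclass
class AsserterConfig:
    """The two knobs named in the post: active token types and trusted asserters."""
    active_types: Set[str]
    trusted_client_principals: Set[str]  # "*" means any transport-authenticated peer


@dataclass
class Peer:
    """What the transport layer (mutual TLS) established about the immediate caller."""
    authenticated: bool                 # was the caller's certificate verified?
    principal: Optional[str] = None     # identity taken from that certificate


@dataclass
class Subject:
    principal: str
    roles: Set[str] = field(default_factory=set)


def assert_identity(config: AsserterConfig, realm: Realm, peer: Peer,
                    token_type: Optional[str] = None,
                    token: Optional[str] = None) -> Subject:
    """Decide who the incoming call runs as (rules of this model, not WebLogic's code).

    * No token, or a token type the asserter is not active for: the call is
      anonymous. Mutual TLS authenticated the server on the other end of the
      connection, not the end user, so by itself it yields no user identity.
    * A token is believed only if the peer is transport-authenticated and its
      principal is listed in trusted_client_principals (or "*" is configured).
    * The asserted user must exist in this server's realm; otherwise the
      assertion fails with the equivalent of "Invalid Subject: <name>".
    """
    if token is None or token_type not in config.active_types:
        return Subject(ANONYMOUS)
    if not peer.authenticated:
        raise IdentityAssertionError("asserting peer is not authenticated")
    trusted = config.trusted_client_principals
    if "*" not in trusted and peer.principal not in trusted:
        raise IdentityAssertionError(
            f"peer {peer.principal!r} is not a trusted client principal")
    if token not in realm.users:
        raise IdentityAssertionError(f"Invalid Subject: {token}")
    return Subject(token, set(realm.users[token]))


def propagate(hops: List[Tuple[str, AsserterConfig, Realm]], user: str) -> Subject:
    """Run one user identity through a chain of servers, e.g. A -> B -> C.

    Each hop is (caller_principal, receiver_config, receiver_realm): the receiver
    sees the previous server as its mutually-authenticated peer and gets the
    original user's name as a CSI.PrincipalName token.
    """
    subject = Subject(user)
    for caller_principal, config, realm in hops:
        peer = Peer(authenticated=True, principal=caller_principal)
        subject = assert_identity(config, realm, peer, CSI_PRINCIPAL_NAME, subject.principal)
    return subject


# Constructed scenarios mirroring the situations described in the post.
SHARED_LDAP = Realm({"jdoe": {"customer"}})   # one directory all three realms read
LOCAL_ONLY = Realm({"svc-b": {"internal"}})   # a realm that has never heard of jdoe
TRUST_ANY = AsserterConfig({CSI_PRINCIPAL_NAME}, {"*"})
TRUST_B_ONLY = AsserterConfig({CSI_PRINCIPAL_NAME}, {"weblogic-b"})


def scenario_mtls_only() -> str:
    """Mutual TLS but no identity token: the EJB call runs as <anonymous>."""
    peer = Peer(authenticated=True, principal="weblogic-a")
    return assert_identity(TRUST_ANY, SHARED_LDAP, peer).principal


def scenario_unknown_user() -> str:
    """Token accepted from the peer, but the receiver's realm cannot resolve jdoe."""
    peer = Peer(authenticated=True, principal="weblogic-a")
    try:
        assert_identity(TRUST_ANY, LOCAL_ONLY, peer, CSI_PRINCIPAL_NAME, "jdoe")
    except IdentityAssertionError as e:
        return str(e)
    return "accepted"


def scenario_full_chain() -> Subject:
    """A -> B -> C with every realm resolving jdoe and each hop trusting its caller."""
    hops = [("weblogic-a", TRUST_ANY, SHARED_LDAP),     # B accepts A's assertion
            ("weblogic-b", TRUST_B_ONLY, SHARED_LDAP)]  # C accepts only B's
    return propagate(hops, "jdoe")


def scenario_untrusted_asserter() -> str:
    """C trusts only B as an asserter; an assertion arriving straight from A is refused."""
    try:
        propagate([("weblogic-a", TRUST_B_ONLY, SHARED_LDAP)], "jdoe")
    except IdentityAssertionError as e:
        return str(e)
    return "accepted"


if __name__ == "__main__":
    for fn in (scenario_mtls_only, scenario_unknown_user,
               scenario_full_chain, scenario_untrusted_asserter):
        print(f"{fn.__name__}: {fn()}")
```

The last scenario is the caveat a practitioner would want: a trusted-client-principals value of "*" lets any server that can present a certificate the receiver trusts assert any user name, so scoping it to the specific asserting server's principal (as TRUST_B_ONLY does) is what limits the blast radius if one of the intermediate hosts is compromised.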