It is useful to send custom attributes or tokens in the attribute having identity information of the authenticated user.This identity information can be further used by the detination site to access services on behalf of the user. To implement a SAML Attribute Mapper on Weblogic Server, you need to follow the steps below.

 

1 . Create  SAMLAttributeMapperInfoExample class that  implements SAMLCredentialAttributeMapper

package samlWrapper;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;
import weblogic.security.providers.saml.SAMLAttributeInfo;
import weblogic.security.providers.saml.SAMLCredentialNameMapper;
import weblogic.security.providers.saml.SAMLCredentialAttributeMapper;
import weblogic.security.providers.saml.SAMLNameMapperInfo;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.ContextElement;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

public class SAMLAttributeMapperInfoExample implements
SAMLCredentialNameMapper,SAMLCredentialAttributeMapper
{

        private final static String defaultAuthMethod =
     "urn:oasis:names:tc:SAML:1.0:am:unspecified";

        private final static String SAML_CONTEXT_ATTRIBUTE_NAME =
     "com.bea.contextelement.saml.context.attribute.name";

        private String nameQualifier = null;
        private String authMethod = defaultAuthMethod;

        public SAMLAttributeMapperInfoExample()
        {
               // make constructor public
        }

/**
 * Set the name qualifier value
 */

        public synchronized void setNameQualifier(String nameQualifier) {
             this.nameQualifier = nameQualifier;
        }

/**
 * Map a <code>Subject</code> and return mapped user and group
 * info as a <code>SAMLNameMapperInfo</code> object.
 */

         public SAMLNameMapperInfo mapSubject(Subject subject, ContextHandler handler) {

               // Provider checks for null Subject...
               Set subjects = subject.getPrincipals(WLSUser.class);
               Set groups = subject.getPrincipals(WLSGroup.class);
               String userName = null;

               if (subjects == null || subjects.size() == 0) {
                   System.out.println("No valid subject found ");
                   return null;
               }

               if (groups == null || groups.size() == 0) {
                   System.out.println("mapSubject: No valid WLSGroup pricipals found in Subject, continuing");
               }

               if (subjects.size() != 1) {
                     System.out.println("mapSubject: More than one WLSUser principal found in Subject, taking first user only");
               }

               userName = ((WLSUser)subjects.iterator().next()).getName();

               if (userName == null || userName.equals("")) {
                   System.out.println("mapSubject: Username string is null or empty, returning null");
                   return null;
               }

               // Return mapping information...
                  System.out.println("mapSubject: Mapped subject: qualifier: " +nameQualifier + ", name: " + userName + ", groups: " + groups);
                  return new SAMLNameMapperInfo(nameQualifier, userName,groups);
         }
/**
 * Map a <code>String</code> subject name and return mapped user and group
 * info as a <code>SAMLNameMapperInfo</code> object.
 */

         public SAMLNameMapperInfo mapName(String name, ContextHandler handler) {

                System.out.println("mapName: Mapped name: qualifier: " +nameQualifier + ", name: " + name);
                return new SAMLNameMapperInfo(nameQualifier, name, null);
         }

/**
 * Returns the SAML AttributeName for group information.
 *
 * @return The AttributeName.
 */

         public String getGroupAttrName() {
                return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAME;
         }

/**
 * Returns the SAML AttributeNamespace for group information.
 *
 * @return The AttributeNamespace.
 */

         public String getGroupAttrNamespace() {
                return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAMESPACE;
         }

/**
 * set the method.
 * @param method String
 */

         public void setAuthenticationMethod(String method)
         {
                if (method != null)
                  authMethod = method;
         }

/**
 * get the auth method
 * @return method String
 */

         public String getAuthenticationMethod()
         {
                return authMethod;
         }

/**
 * maps a Subject/Context to a Collection of SAMLAttributeStatementInfo
 * instances.
 *
 * @return <code>Collection</code>
 */

         public Collection mapAttributes(Subject subject, ContextHandler handler)
         {
                ArrayList statementList=null;

               try{
                System.out.println("mapAttributes: Subject: "+subject.toString()+",ContextHandler: "+handler.toString());
                String[] names = handler.getNames();

                for ( String name : names){
                  System.out.println("name=="+name);
                }
                Object element = handler.getValue(SAML_CONTEXT_ATTRIBUTE_NAME);

                System.out.println("mapAttributes: got element from ContextHandler");
                System.out.println("mapAttributes: element is a:"+element);
              /*  */

                TestAttribute[] tas = new TestAttribute[1];
                TestAttribute t1 = new TestAttribute();

                tas[0]= t1;
             //   tas = (TestAttribute[])element;

                System.out.println("attributes set!");

/*
 * loop through all test attributes and write a SAMLAttributeStatementInfo
 * for each one.
 */

            statementList = new ArrayList();
           for (int k = 0; k < tas.length; k++)
            {
             ArrayList al = null;
             String[] values = tas[k].getValues();
             if (values != null)
             {
               al = new ArrayList();
               for (int i = 0; i < values.length; i++)
               if (values[i] != null)
                  al.add(values[i]);
               else al.add("");
             }
              System.out.println("values added!");

               SAMLAttributeInfo ai = new SAMLAttributeInfo(tas[k].getName(),
                tas[k].getNamespace(), al);

               SAMLAttributeStatementInfo asi = new
                 SAMLAttributeStatementInfo();
               asi.addAttributeInfo(ai);
               statementList.add(asi);

               System.out.println("added to list");
            }
               }catch(Exception e){
               e.printStackTrace();
               }

           System.out.println("returning"); 
              return statementList;
         }
}

2. Create your test attribute

 

package samlWrapper;

public class TestAttribute {

    public String getNamespace(){
      return "research.iiit.ac.in";
    }

    public String getName(){

    return "KEY";
    }
    public String[] getValues() {

        String[] strArr = new String[1];
        GetKeyInfo info = new GetKeyInfo();
         try{       
        strArr[0] =info.getKeyInfo() ;
         }catch(Exception e){
         e.printStackTrace();
         }

        return strArr;

    }
}

3. Compile the code and create a jar file.

javac -d . *. java

jar -cvf samlAttributeWrapper.jar samlWrapper

4. Add the jar in the classpath of Weblogic Server

5. Restart Weblogic Server

6. Go to

Home >Summary of Security Realms >myrealm >Providers >SAMLCredentialMapperV2

7. Restart Weblogic Server.

 

You will be able to see the attribute in the SAML Assertion

 <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="a7ddaa6c112e5050edceb5532fdc83cb" IssueInstant="2014-12-02T11:44:02.251Z" Issuer="http://www.bea.com/samlTraining" MajorVersion="1" MinorVersion="1">
      <Conditions NotBefore="2014-12-02T11:44:02.249Z" NotOnOrAfter="2014-12-02T11:46:02.249Z" />
      <AuthenticationStatement AuthenticationInstant="2014-12-02T11:44:02.249Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
         <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="support.bea.com">samluser</NameIdentifier>
            <SubjectConfirmation>
               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
            </SubjectConfirmation>
         </Subject>
      </AuthenticationStatement>
      <AttributeStatement>
         <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="support.bea.com">samluser</NameIdentifier>
            <SubjectConfirmation>
               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
            </SubjectConfirmation>
         </Subject>
         <Attribute AttributeName="KEY" AttributeNamespace="research.iiit.ac.in">
            <AttributeValue>Sun RSA public key, 1024 bits
  modulus: 103223942452118214172751686466335877276326363783217909256864459775887720571092628748705241410943481627672694405565087626768006162694490836999055077986030546326542625330676300887995563301382071733495787296174981656280653313444644720999510869570117823249403866234904143386585681320608607305493768612095697984651
  public exponent: 65537</AttributeValue>
         </Attribute>
      </AttributeStatement>
   </Assertion>

 

Details of the SSL POODLE bug can be found here

We can address it in the following way.

1) Disable SSL 3.0 support in the client.

TLS 1

2) Disable SSL 3.0 support in the server.

We can start WebLogic server with the following JVM option

-Dweblogic.security.SSL.protocolVersion=TLS1

Ref :-

http://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/

Disable support for CBC-based cipher suites when using SSL 3.0 (in either client or server).

You can do it by editing you config.xml

 

<ssl>
<enabled>true</enabled>
<ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
<ciphersuite>TLS_RSA_WITH_RC4_128_MD5</ciphersuite>
<hostname-verification-ignored>true</hostname-verification-ignored>
<listen-port>7002</listen-port>
<server-private-key-alias>xxxxxxx </server-private-key-alias>
<server-private-key-pass-phrase-encrypted>xxxxxx</server-private-key-pass-phrase-encrypted>
</ssl>

Ref:-

http://weblogic-wonders.com/weblogic/2009/12/08/use-specific-ssl-protocol-version-with-weblogic-server/

This article explains the attack in details.

http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability