Custom Identity Asserter for Weblogic Server

Identity Asserters are used in token-based authentication mechanisms. They are very useful when we have to implement Single Sign-On between WLS and some other server. A single Identity Asserter can support multiple token types, but only one is active at a time. We can develop an Authentication Provider along with the custom Identity Asserter if the users exist outside WLS. If we want to do perimeter authentication with users that exist within WLS, we don’t have to develop an authenticator along with it.

The way it works is straightforward. Whenever a request is made for a secured resource that requires token-based authentication, WLS checks the request header for the active token type. If the token is present, the container passes it on to the Identity Asserter’s assertIdentity method.

In that method we have to write the logic to parse the token and pass the result (mostly a username) to the login module. The token can be passed base64-encoded or in plain form, depending on the type of token accepted by the identity asserter. Note that nothing else in this path verifies where the token came from: whatever assertIdentity accepts becomes an authenticated identity, so the header carrying the token must only be settable by the trusted SSO component, never by the end client.

The steps to create it are the same as for other providers.

First we need to create an MDF (MBean Definition File):

SimpleSampleIdentityAsserter.xml (the build script below refers to the MDF by this name)

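<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<!-- MBean definition for the identity asserter. Attribute defaults are Java
     expressions, which is why string values are wrapped in &quot; ... &quot;. -->
<MBeanType
Name = "SimpleSampleIdentityAsserter"
DisplayName = "SimpleSampleIdentityAsserter"
Package = "examples.security.providers.identityassertion.simple"
Extends = "weblogic.management.security.authentication.IdentityAsserter"
PersistPolicy = "OnUpdate"
>

<!-- Exactly one ProviderClassName attribute: the fully qualified name of the
     provider implementation class (SimpleSampleIdentityAsserterProviderImpl). -->
<MBeanAttribute
Name = "ProviderClassName"
Type = "java.lang.String"
Writeable = "false"
Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
Default = "&quot;examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl&quot;"
/>

<MBeanAttribute
Name = "Description"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;WebLogic Simple Sample Identity Asserter Provider&quot;"
/>

<!-- Token types this asserter can handle; must equal TOKEN_TYPE in the provider class. -->
<MBeanAttribute
Name = "SupportedTypes"
Type = "java.lang.String[]"
Writeable = "false"
Default = "new String[] { &quot;MyToken&quot; }"
/>

<!-- Token types enabled by default. The value must be exactly "MyToken" with no
     surrounding spaces: assertIdentity compares the type with equals(), so a padded
     value would make every assertion fail with "unknown token type". -->
<MBeanAttribute
Name = "ActiveTypes"
Default = "new String[] { &quot;MyToken&quot; }"
Type = "java.lang.String[]"
/>

<MBeanAttribute
Name = "Version"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;1.0&quot;"
/>

</MBeanType>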

Implement the IdentityAsserterV2 and AuthenticationProviderV2 SSPIs.

SimpleSampleIdentityAsserterProviderImpl.java

/**
*
* @author faisalk
*/

package examples.security.providers.identityassertion.simple;

import java.nio.charset.StandardCharsets;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.servlet.http.HttpServletRequest;

import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

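/**
 * Sample identity asserter that accepts a "MyToken" token of the form
 * {@code username=<name>} and hands the user name to the authenticators.
 *
 * The asserter performs no signature or origin check on the token; it only
 * validates its shape. The header that carries the token must therefore be
 * settable only by the trusted component that actually authenticated the user
 * (the perimeter SSO server or proxy), never by the end client.
 */
public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
    /** The only token type accepted; must equal the MDF's SupportedTypes/ActiveTypes value. */
    private static final String TOKEN_TYPE = "MyToken";
    /** The token payload is the plain string "username=<name>". */
    private static final String TOKEN_PREFIX = "username=";
    /** Built in initialize() from the MBean's Description and Version. */
    private String description;

    /**
     * Reads the Description and Version attributes of the configured MBean.
     *
     * @param mbean    the provider MBean; expected to be a SimpleSampleIdentityAsserterMBean
     * @param services WLS security services (unused by this sample)
     */
    @Override
    public void initialize(ProviderMBean mbean, SecurityServices services)
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
        SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
    }

    /** @return the description assembled in initialize(); null before initialize() runs. */
    @Override
    public String getDescription()
    {
        return description;
    }

    /** Nothing to release; only logs the call. */
    @Override
    public void shutdown()
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
    }

    /** @return this provider, which implements the asserter itself. */
    @Override
    public IdentityAsserterV2 getIdentityAsserter()
    {
        return this;
    }

    /**
     * Validates the token's type and shape and extracts the user name from it.
     *
     * Request headers are deliberately not dumped here: the original sample printed every
     * inbound header value (cookies, Authorization, the token itself) to stdout, which
     * leaks credentials into server logs.
     *
     * @param type    the token type matched by the container; must be {@value #TOKEN_TYPE}
     * @param token   the raw token; must be a non-empty {@code byte[]} holding "username=<name>"
     * @param context WLS context (not needed by this sample)
     * @return a callback handler from which authenticators can retrieve the user name
     * @throws IdentityAssertionException if the type, class, encoding or shape of the token is wrong
     */
    @Override
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws IdentityAssertionException
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
        System.out.println("\tType\t\t= " + type);

        // check the token type
        if (!TOKEN_TYPE.equals(type)) {
            throw rejected("received unknown token type \"" + type + "\". Expected " + TOKEN_TYPE);
        }

        // make sure the token is a non-empty array of bytes (instanceof is false for null,
        // so the class is only read when the token is non-null)
        if (!(token instanceof byte[])) {
            String tokenClass = (token == null) ? "null" : token.getClass().getName();
            throw rejected("unknown token class \"" + tokenClass + "\". Expected a byte[].");
        }
        byte[] tokenBytes = (byte[]) token;
        if (tokenBytes.length < 1) {
            throw rejected("received empty token byte array");
        }

        // decode with an explicit charset; new String(byte[]) would depend on the
        // platform default of whichever server the provider runs on
        String tokenStr = new String(tokenBytes, StandardCharsets.UTF_8);

        // make sure the string has the form "username=someusername"
        if (!tokenStr.startsWith(TOKEN_PREFIX)) {
            throw rejected("received unknown token string. Expected " + TOKEN_PREFIX + "username");
        }

        // extract the username from the token; a bare prefix carries no identity
        String userName = tokenStr.substring(TOKEN_PREFIX.length());
        if (userName.isEmpty()) {
            throw rejected("received token with an empty user name");
        }
        System.out.println("\tuserName\t= " + userName);

        // store it in a callback handler that authenticators can use
        // to retrieve the username.
        return new SimpleSampleCallbackHandlerImpl(userName);
    }

    /**
     * Logs a rejection and builds the exception for it, so every failure path in
     * assertIdentity is reported the same way.
     *
     * @param error the reason the token was rejected (never includes the token bytes)
     * @return the exception for the caller to throw
     */
    private static IdentityAssertionException rejected(String error)
    {
        System.out.println("\tError: " + error);
        return new IdentityAssertionException(error);
    }

    /** @return null: this sample ships no login module of its own. */
    @Override
    public AppConfigurationEntry getLoginModuleConfiguration()
    {
        return null;
    }

    /** @return null: this sample ships no assertion module of its own. */
    @Override
    public AppConfigurationEntry getAssertionModuleConfiguration()
    {
        return null;
    }

    /** @return null: principal validation is left to the default provider. */
    @Override
    public PrincipalValidator getPrincipalValidator()
    {
        return null;
    }
}

Copy the Provider class and the MDF into a folder.
Keep the following build script in the same folder:

build.xml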

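<!-- Builds the identity asserter MBean jar. WebLogicMBeanMaker runs in the ant JVM
     (fork="false"), so the WebLogic classes must already be on the classpath -
     run setWLSEnv first. -->
<project name="Expenselink Build" default="all" basedir=".">
<!-- scratch directory for the generated MBean stubs and copied sources -->
<property name="fileDir" value="test" />

<target name="all" depends="build"/>

<target name="build" depends="clean,build.mdf,build.mjf"/>

<target name="clean">
<delete dir="${fileDir}" failonerror="false"/>
<delete file="SimpleSampleIdentityAsserter.jar" failonerror="false"/>
<echo message="Clean finish" />
</target>

<!-- helper to build an MDF (mbean definition file) -->
<target name="build.mdf">
<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-files ${fileDir}" />
<arg value="-createStubs" />
<arg line="-MDF SimpleSampleIdentityAsserter.xml" />
</java>
<echo message="Created Supporting Classes" />
</target>

<!-- packages the generated stubs plus every *.java in this directory into the MJF (mbean jar) -->
<target name="build.mjf">

<copy todir="${fileDir}" flatten="true">
<fileset dir=".">
<include name="*.java" />
</fileset>
</copy>

<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-MJF SimpleSampleIdentityAsserter.jar" />
<arg line="-files ${fileDir}" />
</java>
<echo message="Created Mbean Jar" />
</target>

</project>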

Copy commo.dtd from the server lib directory into this directory.
Execute setWLSEnv.cmd and cd to this directory.
Run ant from the command prompt.
An Identity Asserter jar file will be created in the same directory.

Place this jar file in WL_HOME\server\lib\mbeantypes.
Restart the server.
Go to the security realm's Providers page and create a new Authentication Provider:
Home > Summary of Security Realms > myrealm > Providers > Authentication > New > Simple Sample Identity Asserter

After the restart, the Identity Asserter is invoked whenever a header with the active token type is present in the request.

References:-

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/ia.html
