Security Archive

How to prevent CSRF attack

Sometimes when one application tries to call another application running on another server you get an error window with the message potential CSRF attack. At the same time you will see the following error message in the log files.

<BEA-000000> <A request has been denied as a potential CSRF attack.>

This issues arises due to the fact that WLS is not able to set the jsession id in the request made to the other server.

To address this issue we need to add the following in weblogic.xml

<session-descriptor>
<cookie-http-only>false</cookie-http-only>
</session-descriptor>

 

If the issue still persists, we need to add the following in the web.xml

<init-param>
<param-name>crossDomainSessionSecurity</param-name>
<param-value>false</param-value>
</init-param>

 

 

 

How to decrypt WebLogic Datasource Password

You need to copy the datasource password present in the -jdbc.xml present under \config\jdbc to the password variable in the WLST Script.

encrypted_password

 

Change the path variable to point to your domain

from weblogic.security.internal import *
from weblogic.security.internal.encryption import *


password = "{AES}0+5YrFk+fD9BFIykr3H+wPsNmPRP/GIOUId7SPqBgNg="
path = "D:/Oracle/Middleware/user_projects/domains/pega7_domain/security"
encryptionService = SerializedSystemIni.getEncryptionService(path)
cService = ClearOrEncryptedService(encryptionService)
print "password: " + cService.decrypt(password)

Execute the above script after setting the environment
>setWLSEnv.cmd
>java weblogic.WLST decryptDatasourcePassword.py

You should see the decrypted password in the terminal.

decrypted_password

Weblogic SAML Attribute Mapper Example

 

It is useful to send custom attributes or tokens in the attribute having identity information of the authenticated user.This identity information can be further used by the detination site to access services on behalf of the user. To implement a SAML Attribute Mapper on Weblogic Server, you need to follow the steps below.

 

1 . Create  SAMLAttributeMapperInfoExample class that  implements SAMLCredentialAttributeMapper

package samlWrapper;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.security.providers.saml.SAMLAttributeStatementInfo;
import weblogic.security.providers.saml.SAMLAttributeInfo;
import weblogic.security.providers.saml.SAMLCredentialNameMapper;
import weblogic.security.providers.saml.SAMLCredentialAttributeMapper;
import weblogic.security.providers.saml.SAMLNameMapperInfo;
import weblogic.security.service.ContextHandler;
import weblogic.security.service.ContextElement;
import weblogic.security.spi.WLSGroup;
import weblogic.security.spi.WLSUser;

public class SAMLAttributeMapperInfoExample implements
SAMLCredentialNameMapper,SAMLCredentialAttributeMapper
{

        private final static String defaultAuthMethod =
     "urn:oasis:names:tc:SAML:1.0:am:unspecified";

        private final static String SAML_CONTEXT_ATTRIBUTE_NAME =
     "com.bea.contextelement.saml.context.attribute.name";

        private String nameQualifier = null;
        private String authMethod = defaultAuthMethod;

        public SAMLAttributeMapperInfoExample()
        {
               // make constructor public
        }

/**
 * Set the name qualifier value
 */

        public synchronized void setNameQualifier(String nameQualifier) {
             this.nameQualifier = nameQualifier;
        }

/**
 * Map a <code>Subject</code> and return mapped user and group
 * info as a <code>SAMLNameMapperInfo</code> object.
 */

         public SAMLNameMapperInfo mapSubject(Subject subject, ContextHandler handler) {

               // Provider checks for null Subject...
               Set subjects = subject.getPrincipals(WLSUser.class);
               Set groups = subject.getPrincipals(WLSGroup.class);
               String userName = null;

               if (subjects == null || subjects.size() == 0) {
                   System.out.println("No valid subject found ");
                   return null;
               }

               if (groups == null || groups.size() == 0) {
                   System.out.println("mapSubject: No valid WLSGroup pricipals found in Subject, continuing");
               }

               if (subjects.size() != 1) {
                     System.out.println("mapSubject: More than one WLSUser principal found in Subject, taking first user only");
               }

               userName = ((WLSUser)subjects.iterator().next()).getName();

               if (userName == null || userName.equals("")) {
                   System.out.println("mapSubject: Username string is null or empty, returning null");
                   return null;
               }

               // Return mapping information...
                  System.out.println("mapSubject: Mapped subject: qualifier: " +nameQualifier + ", name: " + userName + ", groups: " + groups);
                  return new SAMLNameMapperInfo(nameQualifier, userName,groups);
         }
/**
 * Map a <code>String</code> subject name and return mapped user and group
 * info as a <code>SAMLNameMapperInfo</code> object.
 */

         public SAMLNameMapperInfo mapName(String name, ContextHandler handler) {

                System.out.println("mapName: Mapped name: qualifier: " +nameQualifier + ", name: " + name);
                return new SAMLNameMapperInfo(nameQualifier, name, null);
         }

/**
 * Returns the SAML AttributeName for group information.
 *
 * @return The AttributeName.
 */

         public String getGroupAttrName() {
                return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAME;
         }

/**
 * Returns the SAML AttributeNamespace for group information.
 *
 * @return The AttributeNamespace.
 */

         public String getGroupAttrNamespace() {
                return SAMLNameMapperInfo.BEA_GROUP_ATTR_NAMESPACE;
         }

/**
 * set the method.
 * @param method String
 */

         public void setAuthenticationMethod(String method)
         {
                if (method != null)
                  authMethod = method;
         }

/**
 * get the auth method
 * @return method String
 */

         public String getAuthenticationMethod()
         {
                return authMethod;
         }

/**
 * maps a Subject/Context to a Collection of SAMLAttributeStatementInfo
 * instances.
 *
 * @return <code>Collection</code>
 */

         public Collection mapAttributes(Subject subject, ContextHandler handler)
         {
                ArrayList statementList=null;

               try{
                System.out.println("mapAttributes: Subject: "+subject.toString()+",ContextHandler: "+handler.toString());
                String[] names = handler.getNames();

                for ( String name : names){
                  System.out.println("name=="+name);
                }
                Object element = handler.getValue(SAML_CONTEXT_ATTRIBUTE_NAME);

                System.out.println("mapAttributes: got element from ContextHandler");
                System.out.println("mapAttributes: element is a:"+element);
              /*  */

                TestAttribute[] tas = new TestAttribute[1];
                TestAttribute t1 = new TestAttribute();

                tas[0]= t1;
             //   tas = (TestAttribute[])element;

                System.out.println("attributes set!");

/*
 * loop through all test attributes and write a SAMLAttributeStatementInfo
 * for each one.
 */

            statementList = new ArrayList();
           for (int k = 0; k < tas.length; k++)
            {
             ArrayList al = null;
             String[] values = tas[k].getValues();
             if (values != null)
             {
               al = new ArrayList();
               for (int i = 0; i < values.length; i++)
               if (values[i] != null)
                  al.add(values[i]);
               else al.add("");
             }
              System.out.println("values added!");

               SAMLAttributeInfo ai = new SAMLAttributeInfo(tas[k].getName(),
                tas[k].getNamespace(), al);

               SAMLAttributeStatementInfo asi = new
                 SAMLAttributeStatementInfo();
               asi.addAttributeInfo(ai);
               statementList.add(asi);

               System.out.println("added to list");
            }
               }catch(Exception e){
               e.printStackTrace();
               }

           System.out.println("returning"); 
              return statementList;
         }
}

2. Create your test attribute

 

package samlWrapper;

public class TestAttribute {

    public String getNamespace(){
      return "research.iiit.ac.in";
    }

    public String getName(){

    return "KEY";
    }
    public String[] getValues() {

        String[] strArr = new String[1];
        GetKeyInfo info = new GetKeyInfo();
         try{       
        strArr[0] =info.getKeyInfo() ;
         }catch(Exception e){
         e.printStackTrace();
         }

        return strArr;

    }
}

3. Compile the code and create a jar file.

javac -d . *. java

jar -cvf samlAttributeWrapper.jar samlWrapper

4. Add the jar in the classpath of Weblogic Server

5. Restart Weblogic Server

6. Go to

Home >Summary of Security Realms >myrealm >Providers >SAMLCredentialMapperV2

7. Restart Weblogic Server.

 

You will be able to see the attribute in the SAML Assertion

 <Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="a7ddaa6c112e5050edceb5532fdc83cb" IssueInstant="2014-12-02T11:44:02.251Z" Issuer="http://www.bea.com/samlTraining" MajorVersion="1" MinorVersion="1">
      <Conditions NotBefore="2014-12-02T11:44:02.249Z" NotOnOrAfter="2014-12-02T11:46:02.249Z" />
      <AuthenticationStatement AuthenticationInstant="2014-12-02T11:44:02.249Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
         <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="support.bea.com">samluser</NameIdentifier>
            <SubjectConfirmation>
               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
            </SubjectConfirmation>
         </Subject>
      </AuthenticationStatement>
      <AttributeStatement>
         <Subject>
            <NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="support.bea.com">samluser</NameIdentifier>
            <SubjectConfirmation>
               <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</ConfirmationMethod>
            </SubjectConfirmation>
         </Subject>
         <Attribute AttributeName="KEY" AttributeNamespace="research.iiit.ac.in">
            <AttributeValue>Sun RSA public key, 1024 bits
  modulus: 103223942452118214172751686466335877276326363783217909256864459775887720571092628748705241410943481627672694405565087626768006162694490836999055077986030546326542625330676300887995563301382071733495787296174981656280653313444644720999510869570117823249403866234904143386585681320608607305493768612095697984651
  public exponent: 65537</AttributeValue>
         </Attribute>
      </AttributeStatement>
   </Assertion>