Security Archive

How to prevent CSRF attack

Sometimes when one application tries to call another application running on another server you get an error window with the message potential CSRF attack. At the same time you will see the following error message in the log files.

<BEA-000000> <A request has been denied as a potential CSRF attack.>

This issues arises due to the fact that WLS is not able to set the jsession id in the request made to the other server.

To address this issue we need to add the following in weblogic.xml

<session-descriptor>
<cookie-http-only>false</cookie-http-only>
</session-descriptor>

 

If the issue still persists, we need to add the following in the web.xml

<init-param>
<param-name>crossDomainSessionSecurity</param-name>
<param-value>false</param-value>
</init-param>

 

 

 

Recommended Best Practices for Securing WebLogic Server.

Disable SSL V2, Weak Ciphers, and Null Encryptions

You can use the following jvm options to disable Weak Ciphers.

-Dweblogic.security.SSL.allowUnencryptedNullCipher=false
-Dweblogic.security.disableNullCipher=true

Steps to disable SSL V2 follows later.

Use Secure Cookies to Prevent Session Stealing

Please refer to this article : link

Configure WebLogic Server to use a Specific Cipher Suite or a List of Ciphers

Please refer to this article : link

-Dweblogic.security.SSL.Ciphersuites=TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_RC4_128_MD5

Restrict the SSL Protocol Versions Allowed by WebLogic Server

Please refer to this article : link

You should also allow only the required http methods ( GET/POST) to access the resource on the server. You can restrict other methods from the web.xml

Refer this

Simple Sample Custom Identity Asserter for Weblogic Server 12c

To implement a custom identity asserter for Weblogic Server we need to write a provide that implements AuthenticationProviderV2 and IdentityAsserterV2. We need to write and Mbean definition file and a callback handler.

SimpleSampleIdentityAsserterProviderImpl

 

package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;
import javax.servlet.http.HttpServletRequest;

public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
  final static private String TOKEN_TYPE   = "SamplePerimeterAtnToken"; 
  final static private String TOKEN_PREFIX = "username="; 

  private String description; 

  public void initialize(ProviderMBean mbean, SecurityServices services)
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
    SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean)mbean;
    description                         = myMBean.getDescription() + "\n" + myMBean.getVersion();
  }

  public String getDescription()
  {
    return description;
  }

  public void shutdown()
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
  }

  public IdentityAsserterV2 getIdentityAsserter()
  {
    return this;
  }

  public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws IdentityAssertionException
  {
    System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
    System.out.println("\tType\t\t= "  + type);
    System.out.println("\tToken\t\t= " + token);

	Object requestValue = context.getValue("com.bea.contextelement.servlet.HttpServletRequest");
    if ((requestValue == null) || (!(requestValue instanceof HttpServletRequest)))
	  {
	   System.out.println("do nothing");
	   }
   else{
       HttpServletRequest request = (HttpServletRequest) requestValue;
	   java.util.Enumeration names = request.getHeaderNames();
        while(names.hasMoreElements()){
            String name = (String) names.nextElement();
            System.out.println(name + ":" + request.getHeader(name));
        }
   }

    // check the token type
    if (!(TOKEN_TYPE.equals(type))) {
      String error =
        "SimpleSampleIdentityAsserter received unknown token type \"" + type + "\"." +
        " Expected " + TOKEN_TYPE;
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // make sure the token is an array of bytes
    if (!(token instanceof byte[])) {
      String error = 
        "SimpleSampleIdentityAsserter received unknown token class \"" + token.getClass() + "\"." +
        " Expected a byte[].";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // convert the array of bytes to a string
    byte[] tokenBytes = (byte[])token;
    if (tokenBytes == null || tokenBytes.length &lt; 1) {
      String error =
        "SimpleSampleIdentityAsserter received empty token byte array";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    String tokenStr = new String(tokenBytes);

    // make sure the string contains "username=someusername
    if (!(tokenStr.startsWith(TOKEN_PREFIX))) {
      String error =
        "SimpleSampleIdentityAsserter received unknown token string \"" + type + "\"." +
        " Expected " + TOKEN_PREFIX + "username";
      System.out.println("\tError: " + error);
      throw new IdentityAssertionException(error);
    }

    // extract the username from the token
    String userName = tokenStr.substring(TOKEN_PREFIX.length());
    System.out.println("\tuserName\t= " + userName);

    // store it in a callback handler that authenticators can use
    // to retrieve the username.
    return new SimpleSampleCallbackHandlerImpl(userName);
  }

  public AppConfigurationEntry getLoginModuleConfiguration()
  {
    return null;
  }

  public AppConfigurationEntry getAssertionModuleConfiguration()
  {
    return null;
  }

  public PrincipalValidator getPrincipalValidator() 
  {
    return null;
  }
}

SimpleSampleCallbackHandlerImpl

 

package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

/*package*/ class SimpleSampleCallbackHandlerImpl implements CallbackHandler
{
  private String userName; // the name of the user from the identity assertion token

  /*package*/ SimpleSampleCallbackHandlerImpl(String user)
  {
    userName = user;
  }

  public void handle(Callback[] callbacks) throws UnsupportedCallbackException
  {
    // loop over the callbacks
    for (int i = 0; i < callbacks.length; i++) {

      Callback callback = callbacks[i];

      // we only handle NameCallbacks
      if (!(callback instanceof NameCallback)) {
        throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
      }

      // send the user name to the name callback:
      NameCallback nameCallback = (NameCallback)callback;
      nameCallback.setName(userName);
    }
  }
}

SimpleSampleIdentityAsserter.xml

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<MBeanType
 Name          = "SimpleSampleIdentityAsserter"
 DisplayName   = "SimpleSampleIdentityAsserter"
 Package       = "examples.security.providers.identityassertion.simple"
 Extends       = "weblogic.management.security.authentication.IdentityAsserter"
 PersistPolicy = "OnUpdate"
>

 <MBeanAttribute
  Name          = "ProviderClassName"
  Type          = "java.lang.String"
  Writeable     = "false"
  Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
  Default       = "&quot;examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl&quot;"
 />

 <MBeanAttribute
  Name          = "Description"
  Type          = "java.lang.String"
  Writeable     = "false"
  Default       = "&quot;WebLogic Simple Sample Identity Asserter Provider&quot;"
 />

 <MBeanAttribute
  Name          = "Version"
  Type          = "java.lang.String"
  Writeable     = "false"
  Default       = "&quot;1.0&quot;"
 />

 <MBeanAttribute  
  Name 		= "SupportedTypes"
  Type 		= "java.lang.String[]"
  Writeable 	= "false"
  Default 	= "new String[] { &quot;SamplePerimeterAtnToken&quot; }"
 />

 <MBeanAttribute  
  Name 		= "ActiveTypes"
  Type 		= "java.lang.String[]"
  Default 	= "new String[] { &quot;SamplePerimeterAtnToken&quot; }"
 />

   <MBeanAttribute  
  Name 		= "Base64DecodingRequired"
  Type 		= "boolean"
  Writeable 	= "true"
  Default 	= "false"
 />

</MBeanType>

Create a build.xml as follows.

<project name="Build" default="all" basedir=".">

<property name="fileDir" value="test" />

<target name="all" depends="build"/>

 <target name="build" depends="clean,build.mdf,build.mjf"/>

  <target name="clean">
    <delete dir="${fileDir}" failonerror="false"/>
	<delete file="SampleIdentityAsserter.jar" failonerror="false"/>
	<echo message="Clean finish" />
  </target>

  <!-- helper to build an MDF (mbean definition file) -->
	<target name="build.mdf">
		<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
			<arg line="-files ${fileDir}" />
			<arg value="-createStubs" />
			<arg line="-MDF SimpleSampleIdentityAsserter.xml" />
		</java>
		<echo message="Created Supporting Classes" />
	</target>

	<target name="build.mjf">

	    <copy todir="${fileDir}" flatten="true">
			<fileset dir=".">
			  <include name="*.java" />
			</fileset>
		</copy>

		<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
		    <arg line="-MJF SampleIdentityAsserter.jar" />
			<arg line="-files ${fileDir}" />
		</java>
		<echo message="Created Mbean Jar" />
	</target>

</project>

Keep all these files in the same directory. Copy setWLSEnv.cmd from WL_HOME\server\bin and commo.dtd from WL_HOME\server\lib to this diretory. The directory will then have the following files.

 

files

 

 

Run Ant

C:\Replication\identityasserter12c>ant build

Buildfile: build.xml

clean:
[delete] Deleting directory C:\Replication\identityasserter12c\test
[delete] Deleting: C:\Replication\identityasserter12c\SampleIdentityAsserter.
jar
[echo] Clean finish

build.mdf:
[java] Working directory ignored when same JVM is used.
[java] Parsing the MBean definition file: SimpleSampleIdentityAsserter.xml
[echo] Created Supporting Classes

build.mjf:
[copy] Copying 2 files to C:\Replication\identityasserter12c\test
[java] Working directory ignored when same JVM is used.
[java] Creating an MJF from the contents of directory test…
[java] Compiling the files…
[java] Creating the list.
[java] Doing the compile.
[java] WLMaker-SubProcess: : EXTRACT FROM C:/bea12c/WLSERV~1.1/server\lib\m
beantypes\wlManagementMBean.jar
[java] WLMaker-SubProcess: : INTO wlMakerTempDir
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: : Generating the implementations for security MB
eans
[java] WLMaker-SubProcess: : Generating for examples.security.providers.ide
ntityassertion.simple.SimpleSampleIdentityAsserterMBean to C:\Replication\identi
tyasserter12c\test\examples\security\providers\identityassertion\simple\SimpleSa
mpleIdentityAsserterMBeanImpl.java
[java] WLMaker-SubProcess: : no annotation found for key [i]
[java] WLMaker-SubProcess: : no annotation found for key [velocityCount]
[java] WLMaker-SubProcess: : no annotation found for key [line]
[java] WLMaker-SubProcess: : no annotation found for key [f]
[java] WLMaker-SubProcess: : no annotation found for key [m]
[java] WLMaker-SubProcess: : no annotation found for key [p]
[java] WLMaker-SubProcess: : no annotation found for key [n]
[java] WLMaker-SubProcess: : done
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: : Generating the parsing binders for security MB
eans
[java] WLMaker-SubProcess: : Generating for examples.security.providers.ide
ntityassertion.simple.SimpleSampleIdentityAsserterMBean to C:\Replication\identi
tyasserter12c\test\examples\security\providers\identityassertion\simple\SimpleSa
mpleIdentityAsserterMBeanBinder.java
[java] WLMaker-SubProcess: : done
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: :
[java] WLMaker-SubProcess: : Generating the bean infos for security MBeans

[java] WLMaker-SubProcess: : Generating for examples.security.providers.ide
ntityassertion.simple.SimpleSampleIdentityAsserterMBean to C:\Replication\identi
tyasserter12c\test\examples\security\providers\identityassertion\simple\SimpleSa
mpleIdentityAsserterMBeanImplBeanInfo.java
[java] WLMaker-SubProcess: : no annotation found for key [import]
[java] WLMaker-SubProcess: : no annotation found for key [property]
[java] WLMaker-SubProcess: : no annotation found for key [beanConfigurable]

[java] WLMaker-SubProcess: : no annotation found for key [beanIntfExclude]
[java] WLMaker-SubProcess: : no annotation found for key [propertyMethod]
[java] WLMaker-SubProcess: : no annotation found for key [method]
[java] WLMaker-SubProcess: : Generating Bean Factory Class to test\weblogic
\management\security\SAMPLEIDENTITYASSERTERBeanInfoFactory.java
[java] WLMaker-SubProcess: : done
[java] WLMaker-SubProcess: : Stopped draining WLMaker-SubProcess:
[java] WLMaker-SubProcess: : Stopped draining WLMaker-SubProcess:
[java] WLMaker-SchemaGen-SubProcess: Generating schema for security provide
r mbeans …
[java] WLMaker-SchemaGen-SubProcess: MBEAN TYPES DIR : null
[java] WLMaker-SchemaGen-SubProcess: SET BASE LIB C:\bea12c\WLSERV~1.1\serv
er\lib\schema\weblogic-domain-binding.jar
[java] WLMaker-SchemaGen-SubProcess: Stopped draining WLMaker-SchemaGen-Sub
Process
[java] WLMaker-SchemaGen-SubProcess: Stopped draining WLMaker-SchemaGen-Sub
Process
[java] Creating the list.
[java] Doing the compile.
[java] Note: C:\Replication\identityasserter12c\test\examples\security\prov
iders\identityassertion\simple\SimpleSampleIdentityAsserterMBeanImpl.java uses o
r overrides a deprecated API.
[java] Note: Recompile with -Xlint:deprecation for details.
[java] Note: Some input files use unchecked or unsafe operations.
[java] Note: Recompile with -Xlint:unchecked for details.
[java] Creating the MJF…
[java] MJF is created.

 

An  Mbean JAR file will b created in that directory with the name SampleIdentityAsserter.jar

Place this jar file in WL_HOME\server\lib\mbeantypes

 

mbeantype

 

After placing the jar file, restart the Weblogic server.

Go to Security Realm Providers, create a new Authentication Provider
Home > Summary of Security Realms > myrealm > Providers > Authentication > new Simple Sample Identity Asserter

 

Simple Sample Identity Asserter

 

Once the identity asserter is created reorder the providers to make it first in the list. One more restart is required. On restart the custom identity asserter will be initialized. When any secure resource is accessed on the server and the token is present in the header the Custom Identity Asserter is invoked. Note, this identity asserter does not expect Base64 encoded token.

You will see the following loggging when the identity asserter is invoked.

SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@c4221d
SamplePerimeterAtnToken:username=SamplePerimeterAtnUsers
User-Agent:Java/1.6.0_37
Host:localhost:7001
Accept:text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection:keep-alive
userName = SamplePerimeterAtnUsers
Header Name SamplePerimeterAtnToken Content username=SamplePerimeterAtnUsers
Header Name User-Agent Content Java/1.6.0_37
Header Name Host Content localhost:7001
Header Name Accept Content text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Header Name Connection Content keep-alive

 

 

 

 

Weblogic SSL configuration with Custom Identity and Custom Trust

These days the enterprise applications have grown more complex and boast a great deal of sensitive and critical data online. Cyber security has become more than important these days to secure the data.

Secure Sockets Layer plays a pivotal role in how a sensitive data can be protected, accessed over a network.

Secure Sockets Layer (SSL) provides secure connections by allowing two applications connecting over a network connection to authenticate the other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server and optionally a client to verify the identity of the application on the other end of a network connection. Encryption makes data transmitted over the network intelligible only to the intended recipient.

It provides transport level security by usage of the SSL certificates which are provided by the Industry standard Certificate Authorities like Verisign, GeoTrust, GoDaddy etc.

WebLogic Server supports SSL on a dedicated listen port which defaults to 7002. To establish an SSL connection, a Web browser connects to WebLogic Server by supplying the SSL listen port and the HTTPs protocol in the connection URL, for example, https://myserver:7002.

The below post describes the complete procedure about procuring the certificate, installing and configuring the certificate to the WebLogic Server. (WebLogic SSL Configuration).

1: Generating and procuring the certificate:

a: Open a command prompt and set the environment by running the setDomainEnv script.

b: Generate the private – public key pair. For demonstration we would use keytool java utility to do so. However we can use other utilities like openssl etc.

keytool -genkey -alias client -keyalg  RSA -keysize 2048  -keystore identity.jks -storepass password -keypass password

c: Generate a Certificate Signing Request (CSR) and send it to Certifying Authority.

keytool -certreq -keyalg RSA -keysize 2048 -alias client -file certreq.csr -keystore identity.jks -storepass password

The CA would return with the certificate reply and the RootCA and sometimes an intermediateCA certificate.

d:  Import the certificates into the keystore, this can be done in two ways either by importing the certificates in an order of RootCA, intermediateCA and then Certificate reply. Or we can create a certificate chain clubbing them in an order into a .pem file.

For demo, we would create a certificate chain file CertChain.pem and import it into the identity keystore overriding the private key alias which is client in this example.

keytool -import  -file CertChain.pem -alias client -keystore  identity.jks -storepass password

e: Create a trust keystore, this can be done my importing your RootCA certificate into another keystore that constitutes the trust.

keytool -import  -file rootCA.cer -alias RootCA -keystore trust.jks -storepass password

To verify the contents of the keystore, you can use the below command,

Keytool –list –v –keystore <keystore-name> -storepass  <keystore-password>

 

2: Configuring the keystore on the WebLogic Server.

a: Log into the Admin Console, select the server on which you want to configure the SSL certificate.

Server  –>  Click on the Keystore tab. By default it points to the Demo Certificates.

From the dropdown list select the “Custom Identity and  Custom Trust” option.

Enter the identity and trust keystore details.

b: Configure the identity of the server:

Click on the SSL tab and enter the alias of the private key i.e. client in this case and the keypass password.

NOTE: If you enable the SSL for a WebLogic Server, by default it would be One Way SSL. If you want to change to Two Way SSL, you would require to select  the two way SSL behavior from the Advanced option list.

c: Configure the SSL port.

By default it would be 7002.

Go to server –> General tab –> Specify  and enable SSL port.

You can see the below messages in the server logs which indicate that the certificates are loaded.

<Notice> <Security> <BEA-090171> <Loading the identity certificate and private key stored under the alias client from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\identityVerisign.jks.>

<Notice> <Security> <BEA-090169> <Loading trustedcertificates from the JKS keystore file C:\Wonders\WebLogic\Security\SSL-Certs\Verisign\trustVerisign.jks.>

 

3: Test the setup:

You can test the setup by accessing the admin console (if SSL is configured for Admin Server) or any application deployed on the server by accessing it on https protocol.

https://localhost:7002/console

Now verify whether the right certificate is configured or not.

Click on the certificate details and you would find the details about the identity and the RootCA along with the certificate chain.

 

NOTE: For a production environment make sure that CN (Common Name) of the certificate matches with the server host name.

You can also use self signed certificates or trial certificates for testing purpose. However is it not recommended to use them in production environment.

You can get the Verisign trail certificates from the below link.

http://www.verisign.com/ssl/free-30day-trial/

For further reading :

http://download.oracle.com/docs/cd/E13222_01/wls/docs103/secmanage/ssl.html

Regards,

Wonders Team 🙂

Securing WebServices using Username / Password mechanism

Security is an important aspect of your application design. When the web services are deployed and accessed, you might like to restrict its accesses to particular set of users/ groups or any users of a particular role. Hence we specify the policies for the application  webservice in this case at the transport level.

WebServices can be secured using the below mechanisms:

Transport-level security secures the connection between the client application and WebLogic Server with Secure Sockets Layer (SSL). SSL provides secure connections by allowing two applications connecting over a network to authenticate the other’s identity and by encrypting the data exchanged between the applications. Authentication allows a server, and optionally a client, to verify the identity of the application on the other end of a network connection. A client certificate (two-way SSL) can be used to authenticate the user.

Encryption makes data transmitted over the network intelligible only to the intended recipient.

Transport-level security includes HTTP BASIC authentication as well as SSL.

Message-Level Security refers to securing some or all of the message content, which relies on the WS-Security specification. WS-Security provides support for encrypting and/or signing part or all of a message. It also provides authentication using token-based credentials. In addition to WS-Security, WebLogic Server also supports the WS-SecureConversation standard to enable a secure session to be established between two trusted parties to facilitate the exchange of multiple messages in a stateful and secure manner.

Access control security answers the question “who can do what?” First you specify the security roles that are allowed to access a Web Service; a security role is a privilege granted to users or groups based on specific conditions. Then, when a client application attempts to invoke a Web Service operation, the client authenticates itself to WebLogic Server, and if the client has the authorization, it is allowed to continue with the invocation. Access control security secures only WebLogic Server resources. That is, if you configureonly access control security, the connection between the client application and WebLogic Server is not secure and the SOAP message is in plain text

 

The below post describes a demonstration of simple username/password-based authentication for webservices.

Pre-requisites :

1: WebService  deployed.

You can refer the below posts to create a sample WebService and a Java stand alone client to access the same.

http://weblogic-wonders.com/weblogic/2011/05/20/webservice-by-bottom-up-approach-using-ant-script/

http://weblogic-wonders.com/weblogic/2011/05/23/creating-stand-alone-webservice-client-from-wsdl/

 

Please follow the steps below:

1. Defining security poilicies:

Define the  policies to the WebService from the console:-

Go to Deployments –> WebService application deployed –> Security –> Policies. From the predicate list select a User / Group/ Role who can access the WebService.

Click save to create the security policy for the WebService.

2: Test the setup:

If you access the WebService without proper credentials, then you would experience the below error.

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Access denied to operation sayHelloWorld

at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:188)

at com.sun.xml.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)

at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)

at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)

at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:118)

at $Proxy29.sayHelloWorld(Unknown Source)

at com.test.webservice.client.Main.main(Main.java:17)

Caused by: javax.xml.ws.soap.SOAPFaultException: Access denied to operation sayHelloWorld

at weblogic.wsee.jaxws.security.AuthorizationTube.processRequest(AuthorizationTube.java:189)

In the java client, specify the user credentials to access the WebService as below.

Map<String, Object> rc = ((BindingProvider)port).getRequestContext();

rc.put(BindingProvider.USERNAME_PROPERTY, "weblogic");

rc.put(BindingProvider.PASSWORD_PROPERTY, "weblogic");

The JAX-WS BindingProvider class contains username and password properties that we set to specifythe user’s credentials. The underlying web service stub takes care of base 64 encoding these credentials and including them in the HTTP headers of the SOAP request.

A typical java standalone client would look like below.

 

import com.test.webservice.client.*;

import java.util.Map;

import javax.xml.ws.BindingProvider;

public class Main {

public static void main(String[] args) {

com.test.webservice.client.HelloWorldService service = new com.test.webservice.client.HelloWorldService();

com.test.webservice.client.HelloWorldPortType port = service.getHelloWorldPortTypePort();

Map<String, Object> rc = ((BindingProvider)port).getRequestContext();

rc.put(BindingProvider.USERNAME_PROPERTY, "weblogic");

rc.put(BindingProvider.PASSWORD_PROPERTY, "weblogic");

String result=port.sayHelloWorld(" Anandraj ");

System.out.println("********* RESULT from WebService ***********");
System.out.println(result);

System.out.println("********************************************");
}

}

 

Compile and execute the java client, then you would be able to invoke the secured WebService successfully.

You can refer the below link for securing the WebService using the Basic Authentication:

http://weblogic-wonders.com/weblogic/2010/01/04/securing-webservices-using-basic-authentication-on-weblogic-server/

For further reading :

http://download.oracle.com/docs/cd/E12840_01/wls/docs103/webserv_sec/message.html

Regards,

Wonders Team. 🙂

 

 

Import/ Export users and groups from Security Realm

Exporting users and groups from WebLogic Security Realm.

Login into the WebLogic Administration console ,navigate to Security Realm -> MyRealm

Navigate to Migration tab ->Export  Specify the location where the data needs to be exported.

Verify whether the users and groups are exported by checking the location, you would find set of files listed below.

  1. DefaultAuthenticator.dat
  2. DefaultCredentialMapper.dat
  3. exportIndex.dat
  4. XACMLAuthorizer.dat
  5. XACMLRoleMapper.dat

The users and groups from the realm are successfully exported now.

For importing the Users and Groups into an existing realm, follow the below steps.

  1. Login into the WebLogic Administration console ,navigate to Security Realm -> MyRealm

  1. Navigate to Migration tab Import Specify the location from where the data needs to be imported.

Note: This data that needs to be imported should have previously been exported from a security realm. The directory (Realm-Export) should contain the below files.

  1. DefaultAuthenticator.dat
  2. DefaultCredentialMapper.dat
  3. exportIndex.dat
  4. XACMLAuthorizer.dat
  5. XACMLRoleMapper.dat Check the Users and Groups tab under Security Realms → MyRealms, you will see the users are imported. It would not import the duplicate entries.

3. Check the Users and Groups tab under Security Realms → MyRealms, you will see the users are imported. It would not import the duplicate entries.