
Servlet Authentication Filter for WebLogic Server

There is a growing need to trap requests coming to WebLogic Server before they reach the container. WebLogic Server is increasingly deployed in single sign-on environments, so it is important for clients to know how to develop a Servlet Authentication Filter (SAF) and plug it into WebLogic Server. A SAF can be used in many scenarios. One of the most common uses I have seen is redirecting to a SAML provider site for authentication.

The steps to create a SAF are pretty much the same as for other custom providers in WLS.

The following link has the details on how to create a custom provider and how to integrate it with WLS:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/servlet.html

Following is a working sample that I developed for one of my clients.

First we need to create an MDF (MBean definition file):

SimpleSampleServletAuthenticationFilter.xml

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<MBeanType
    Name = "SimpleServletAuthenticationFilter"
    DisplayName = "SimpleServletAuthenticationFilter"
    Package = "examples.security.providers.saf.simple"
    Extends = "weblogic.management.security.authentication.Authenticator"
    Implements = "weblogic.management.security.authentication.ServletAuthenticationFilter"
    PersistPolicy = "OnUpdate"
>

    <MBeanAttribute
        Name = "ProviderClassName"
        Type = "java.lang.String"
        Writeable = "false"
        Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
        Default = "&quot;examples.security.providers.saf.simple.SimpleSampleServletAuthenticationFilter&quot;"
    />

    <MBeanAttribute
        Name = "Description"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;WebLogic Simple Sample Servlet Authentication Filter&quot;"
    />

    <MBeanAttribute
        Name = "Version"
        Type = "java.lang.String"
        Writeable = "false"
        Default = "&quot;1.0&quot;"
    />

</MBeanType>

Create a Filter Class

TokenFilter.java

/**
 *
 * @author faisalk
 */

package examples.security.providers.saf.simple;

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.util.*;

public final class TokenFilter implements Filter
{

    private FilterConfig filterConfig = null;

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain)
        throws IOException, ServletException
    {
        System.out.println("In do filter");
        HttpServletRequest req = (HttpServletRequest) request;

        // Dump every request header to the server's stdout.
        // Note: this includes Authorization and Cookie values as received.
        Enumeration names = req.getHeaderNames();

        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            System.out.println("Header Name " + name + " Content " + req.getHeader(name));
        }

        // Hand the request on to the next filter / the container unchanged.
        chain.doFilter(request, response);
    }

    public void destroy() { }

    public void init(FilterConfig filterConfig) {
        this.filterConfig = filterConfig;
    }
}

The above filter just prints out the headers.
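
Because TokenFilter writes Authorization and Cookie values to the server log as received, the following variant logs the same header names but redacts credential-bearing values and strips control characters. This is an added example, not part of the original sample; the class name RedactingTokenFilter and the contents of the SENSITIVE list are assumptions.

```java
package examples.security.providers.saf.simple;

import java.io.IOException;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

// Added example (hypothetical class name): same flow as TokenFilter, but
// credential-bearing header values never reach the server log.
public final class RedactingTokenFilter implements Filter
{
    // Assumed deny-list (lower case); extend it with any SSO token header in use.
    private static final Set<String> SENSITIVE = new HashSet<String>(Arrays.asList(
        "authorization", "proxy-authorization", "cookie"));

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        if (request instanceof HttpServletRequest) {
            HttpServletRequest req = (HttpServletRequest) request;
            Enumeration<?> names = req.getHeaderNames();
            while (names != null && names.hasMoreElements()) {
                String name = (String) names.nextElement();
                System.out.println("Header Name " + sanitize(name)
                    + " Content " + render(name, req.getHeader(name)));
            }
        }
        // Always pass the request on; this filter only observes.
        chain.doFilter(request, response);
    }

    // Returns the text to log for a header: a length-only marker for
    // sensitive headers, the sanitized value for everything else.
    static String render(String name, String value) {
        if (value == null) return "";
        if (SENSITIVE.contains(name.toLowerCase(Locale.ROOT))) {
            return "[redacted, " + value.length() + " chars]";
        }
        return sanitize(value);
    }

    // Replace CR/LF and other control characters so a header cannot forge log lines.
    static String sanitize(String s) {
        return s.replaceAll("\\p{Cntrl}", "?");
    }

    public void destroy() { }
}
```

To try it, return a RedactingTokenFilter instead of a TokenFilter from getServletAuthenticationFilters() in the provider class.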

Finally, create the Provider Class

SimpleSampleServletAuthenticationFilter.java

/**
 *
 * @author faisalk
 */

package examples.security.providers.saf.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.ServletAuthenticationFilter;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;
import javax.servlet.Filter;

public final class SimpleSampleServletAuthenticationFilter implements AuthenticationProviderV2, ServletAuthenticationFilter
{

    private String description; // a description of this provider

    public void initialize(ProviderMBean mbean, SecurityServices services)
    {
        System.out.println("SimpleSampleServletAuthenticationFilter.initialize");
        // Take the description from the MBean so getDescription() does not return null.
        description = mbean.getDescription() + "\n" + mbean.getVersion();
    }

    public String getDescription()
    {
        return description;
    }

    public void shutdown()
    {
        System.out.println("SimpleSampleServletAuthenticationFilter.shutdown");
    }

    public IdentityAsserterV2 getIdentityAsserter()
    {
        return null;
    }

    // The filters returned here are the ones the server runs for this provider.
    public Filter[] getServletAuthenticationFilters()
    {
        System.out.println("SimpleSampleServletAuthenticationFilter.getServletAuthenticationFilters");

        Filter[] filters = new Filter[1];
        TokenFilter token = new TokenFilter();
        filters[0] = token;
        return filters;
    }

    public AppConfigurationEntry getLoginModuleConfiguration()
    {
        return null;
    }

    public AppConfigurationEntry getAssertionModuleConfiguration()
    {
        return null;
    }

    public PrincipalValidator getPrincipalValidator()
    {
        return null;
    }
}

The details of the interfaces implemented are on the official site.
You can get more details there. I am not covering the details of the API for now.

Copy the three files into a folder.
Put the following build script in the same folder.

build.xml

<!-- @author Faisal Khan -->

<project name="Expenselink Build" default="all" basedir=".">

    <property name="fileDir" value="test" />

    <target name="all" depends="build"/>

    <target name="build" depends="clean,build.mdf,build.mjf"/>

    <target name="clean">
        <delete dir="${fileDir}" failonerror="false"/>
        <delete file="SimpleSampleServletAuthenticationFilter.jar" failonerror="false"/>
        <echo message="Clean finish" />
    </target>

    <!-- helper to build an MDF (mbean definition file) -->
    <target name="build.mdf">
        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-files ${fileDir}" />
            <arg value="-createStubs" />
            <arg line="-MDF SimpleSampleServletAuthenticationFilter.xml" />
        </java>
        <echo message="Created Supporting Classes" />
    </target>

    <target name="build.mjf">

        <copy todir="${fileDir}" flatten="true">
            <fileset dir=".">
                <include name="*.java" />
            </fileset>
        </copy>

        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-MJF SimpleSampleServletAuthenticationFilter.jar" />
            <arg line="-files ${fileDir}" />
        </java>
        <echo message="Created Mbean Jar" />
    </target>

</project>

Copy commo.dtd from the server lib directory to this directory.
Run setWLSEnv.cmd and cd to this directory.
Type ant at the command prompt.
A Servlet Authentication Filter jar file will be created.

Place this jar file in WL_HOME\server\lib\mbeantypes.
Restart the server.
Go to the security realm's Providers page and create a new Authentication Provider:
Home > Summary of Security Realms > myrealm > Providers > Authentication > SAF
Restart the server.

Whenever any protected resource is accessed, the SAF is invoked.