Custom Identity Asserter for Weblogic Server

Identity Asserters are used in token-based authentication. They are very useful when we have to implement Single Sign-On between WLS and some other server. A single Identity Asserter can support multiple token types, but only one is active at a time. We can develop an Authentication Provider along with the Custom Identity Asserter if the users exist outside WLS. If we want to do perimeter authentication with users that exist within WLS, we don't have to develop an authenticator along with it.

The way it works is straightforward. Whenever a request is made for a secured resource that requires token-based authentication, WLS checks the request header for the active token type. If the token is present, the container passes it to the Identity Asserter's assertIdentity method.

In that method we have to write the logic to parse the token and pass the extracted value (mostly a username) to the login module through a callback handler. The token can be passed base64-encoded or plain, depending on the type of token the identity asserter accepts.

The steps to create it are the same as for other providers.

First we need to create an MDF (MBean Definition File).

SimpleSampleIdentityAsserter.xml

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<MBeanType
Name = "SimpleSampleIdentityAsserter"
DisplayName = "SimpleSampleIdentityAsserter"
Package = "examples.security.providers.identityassertion.simple"
Extends = "weblogic.management.security.authentication.IdentityAsserter"
PersistPolicy = "OnUpdate"
>

<!-- ProviderClassName must appear exactly once; a duplicate makes WebLogicMBeanMaker
     generate getProviderClassName() twice and the MJF build fails -->
<MBeanAttribute
Name = "ProviderClassName"
Type = "java.lang.String"
Writeable = "false"
Preprocessor = "weblogic.management.configuration.LegalHelper.checkClassName(value)"
Default = "&quot;examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl&quot;"
/>

<MBeanAttribute
Name = "Description"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;WebLogic Simple Sample Identity Asserter Provider&quot;"
/>

<MBeanAttribute
Name = "SupportedTypes"
Type = "java.lang.String[]"
Writeable = "false"
Default = "new String[] { &quot;MyToken&quot; }"
/>

<MBeanAttribute
Name = "ActiveTypes"
Type = "java.lang.String[]"
Default = "new String[] { &quot;MyToken&quot; }"
/>

<MBeanAttribute
Name = "Version"
Type = "java.lang.String"
Writeable = "false"
Default = "&quot;1.0&quot;"
/>

</MBeanType>

Next, implement the IdentityAsserterV2 and AuthenticationProviderV2 SSPIs in the provider class.

SimpleSampleIdentityAsserterProviderImpl.java

/**
 *
 * @author faisalk
 */

package examples.security.providers.identityassertion.simple;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.servlet.http.HttpServletRequest;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.AuthenticationProviderV2;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.PrincipalValidator;
import weblogic.security.spi.SecurityServices;

public final class SimpleSampleIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2
{
    // Must match the SupportedTypes / ActiveTypes values declared in the MDF
    private static final String TOKEN_TYPE = "MyToken";
    // Expected token layout: "username=<name>"
    private static final String TOKEN_PREFIX = "username=";
    private String description;

    public void initialize(ProviderMBean mbean, SecurityServices services)
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
        SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean) mbean;
        description = myMBean.getDescription() + "\n" + myMBean.getVersion();
    }

    public String getDescription()
    {
        return description;
    }

    public void shutdown()
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.shutdown");
    }

    public IdentityAsserterV2 getIdentityAsserter()
    {
        return this;
    }

    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
        throws IdentityAssertionException
    {
        System.out.println("SimpleSampleIdentityAsserterProviderImpl.assertIdentity");
        System.out.println("\tType\t\t= " + type);
        System.out.println("\tToken\t\t= " + token);

        // Debugging aid only: this dumps every request header, including cookies and
        // Authorization values, to the server log. Remove it before going to production.
        Object requestValue = context.getValue("com.bea.contextelement.servlet.HttpServletRequest");
        if ((requestValue == null) || (!(requestValue instanceof HttpServletRequest)))
        {
            System.out.println("do nothing");
        }
        else
        {
            HttpServletRequest request = (HttpServletRequest) requestValue;
            java.util.Enumeration names = request.getHeaderNames();
            while (names.hasMoreElements())
            {
                String name = (String) names.nextElement();
                System.out.println(name + ":" + request.getHeader(name));
            }
        }

        // check the token type
        if (!(TOKEN_TYPE.equals(type)))
        {
            String error = "received unknown token type \"" + type + "\"." + " Expected " + TOKEN_TYPE;
            System.out.println("\tError: " + error);
            throw new IdentityAssertionException(error);
        }

        // make sure the token is an array of bytes (a null token is not a byte[] either)
        if (!(token instanceof byte[]))
        {
            String tokenClass = (token == null) ? "null" : token.getClass().getName();
            String error = "unknown token class \"" + tokenClass + "\"." + " Expected a byte[].";
            System.out.println("\tError: " + error);
            throw new IdentityAssertionException(error);
        }

        // convert the array of bytes to a string
        byte[] tokenBytes = (byte[]) token;
        if (tokenBytes.length < 1)
        {
            String error = "received empty token byte array";
            System.out.println("\tError: " + error);
            throw new IdentityAssertionException(error);
        }
        String tokenStr = new String(tokenBytes);

        // make sure the string contains "username=someusername"
        if (!(tokenStr.startsWith(TOKEN_PREFIX)))
        {
            String error = "received unknown token string \"" + tokenStr + "\"." + " Expected " + TOKEN_PREFIX + "username";
            System.out.println("\tError: " + error);
            throw new IdentityAssertionException(error);
        }

        // extract the username from the token
        String userName = tokenStr.substring(TOKEN_PREFIX.length());
        System.out.println("\tuserName\t= " + userName);

        // store it in a callback handler that authenticators can use
        // to retrieve the username.
        return new SimpleSampleCallbackHandlerImpl(userName);
    }

    public AppConfigurationEntry getLoginModuleConfiguration()
    {
        return null;
    }

    public AppConfigurationEntry getAssertionModuleConfiguration()
    {
        return null;
    }

    public PrincipalValidator getPrincipalValidator()
    {
        return null;
    }
}

Copy the provider class and the MDF into a folder. Keep the following build script in the same folder.

build.xml

<project name="Expenselink Build" default="all" basedir=".">
    <property name="fileDir" value="test" />

    <target name="all" depends="build"/>

    <target name="build" depends="clean,build.mdf,build.mjf"/>

    <target name="clean">
        <delete dir="${fileDir}" failonerror="false"/>
        <delete file="SimpleSampleIdentityAsserter.jar" failonerror="false"/>
        <echo message="Clean finish" />
    </target>

    <!-- helper to build an MDF (mbean definition file) -->
    <target name="build.mdf">
        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-files ${fileDir}" />
            <arg value="-createStubs" />
            <arg line="-MDF SimpleSampleIdentityAsserter.xml" />
        </java>
        <echo message="Created Supporting Classes" />
    </target>

    <target name="build.mjf">

        <copy todir="${fileDir}" flatten="true">
            <fileset dir=".">
                <include name="*.java" />
            </fileset>
        </copy>

        <java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
            <arg line="-MJF SimpleSampleIdentityAsserter.jar" />
            <arg line="-files ${fileDir}" />
        </java>
        <echo message="Created Mbean Jar" />
    </target>

</project>
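The provider class above returns a SimpleSampleCallbackHandlerImpl that the post never lists (which is where the "cannot find symbol" errors in the comments come from); the class below is an added example, not the post's own code, that supplies it and moves the token checks into a factory which decodes with an explicit charset, optionally base64-decodes the way the Base64DecodingRequired attribute does, and rejects names containing whitespace or control characters. It assumes Java 8 or later for java.util.Base64, and the 256-character limit and the printable-ASCII rule are constructed choices for this example; none of this verifies who set the header, so the front end must still strip the token header from client requests before WLS sees them.

```java
package examples.security.providers.identityassertion.simple;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import weblogic.security.spi.IdentityAssertionException;

/** Handler returned by assertIdentity: it passes the asserted user name to the login module
 *  through a NameCallback only, since the perimeter already authenticated the user and
 *  there is no password to offer. */
public final class SimpleSampleCallbackHandlerImpl implements CallbackHandler
{
    private static final String TOKEN_PREFIX = "username=";
    // Constructed upper bound for this example, not a WebLogic setting
    private static final int MAX_USERNAME_LENGTH = 256;

    private final String userName;

    public SimpleSampleCallbackHandlerImpl(String userName) { this.userName = userName; }

    public String getUserName() { return userName; }

    /** Builds the handler from the raw MyToken bytes. base64Encoded plays the role of the
     *  Base64DecodingRequired attribute: decode first if the client sent the header
     *  base64-encoded, otherwise treat the bytes as UTF-8 text directly. */
    public static SimpleSampleCallbackHandlerImpl fromToken(byte[] token, boolean base64Encoded)
        throws IdentityAssertionException
    {
        if (token == null || token.length == 0) {
            throw new IdentityAssertionException("received empty token byte array");
        }
        byte[] raw = token;
        if (base64Encoded) {
            try {
                raw = Base64.getDecoder().decode(token);
            } catch (IllegalArgumentException e) {
                throw new IdentityAssertionException("token is not valid base64");
            }
        }
        // Always name the charset; new String(bytes) silently uses the platform default
        String tokenStr = new String(raw, StandardCharsets.UTF_8);
        if (!tokenStr.startsWith(TOKEN_PREFIX)) {
            throw new IdentityAssertionException("expected a token of the form " + TOKEN_PREFIX + "<name>");
        }
        String name = tokenStr.substring(TOKEN_PREFIX.length());
        if (!isSafeUserName(name)) {
            throw new IdentityAssertionException("rejected malformed user name in token");
        }
        return new SimpleSampleCallbackHandlerImpl(name);
    }

    /** Non-empty, bounded length, printable ASCII only (no whitespace or control characters). */
    static boolean isSafeUserName(String name)
    {
        if (name.isEmpty() || name.length() > MAX_USERNAME_LENGTH) {
            return false;
        }
        for (int i = 0; i < name.length(); i++) {
            char c = name.charAt(i);
            if (c <= 0x20 || c >= 0x7f) {
                return false;
            }
        }
        return true;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
    {
        for (Callback callback : callbacks) {
            if (!(callback instanceof NameCallback)) {
                // Refuse PasswordCallback and anything else: an asserted identity has no secret to hand over
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            ((NameCallback) callback).setName(userName);
        }
    }

    // Stand-alone check with constructed tokens; not part of the WebLogic call flow
    public static void main(String[] args) throws Exception
    {
        byte[] plain = "username=alice".getBytes(StandardCharsets.UTF_8);
        System.out.println(fromToken(plain, false).getUserName());
        System.out.println(fromToken(Base64.getEncoder().encode(plain), true).getUserName());
        try {
            fromToken("username=al ice".getBytes(StandardCharsets.UTF_8), false);
        } catch (IdentityAssertionException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Place this file next to the provider class so the build.mjf target's copy of *.java picks it up; assertIdentity can then call fromToken(tokenBytes, false) instead of doing the checks inline.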

Copy commo.dtd, present in the server lib directory, to this directory.
Run setWLSEnv.cmd and cd to this directory.
Type ant at the command prompt.
An Identity Asserter jar file will be created in the same directory.

Place this jar file in WL_HOME\server\lib\mbeantypes.
Restart the server.
Go to Security Realms > Providers and create a new Authentication Provider:
Home > Summary of Security Realms > myrealm > Providers > Authentication > New > Simple Sample Identity Asserter

After the restart, the Identity Asserter will be invoked whenever the active token type is present in the request header.

References:
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/dvspisec/ia.html

95 comments

  1. I am getting a couple of errors.
    1) I guess there's a mismatch between the MDF file name in the ant file and the name provided in the sample. I changed the MDF file name to SimpleSampleIdentityAsserter.xml and then could proceed a bit.
    2) When I execute from the command line I am getting the following errors.

    [java] C:\data from desktop\temp\custom token\test\examples\security\providers\identityassertion\simple\SimpleSampleIdentityAsserterMBean.java:50: getProviderClassName() is already defined in examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterMBean
    [java] public java.lang.String getProviderClassName ();
    [java] ^
    [java] C:\data from desktop\temp\custom token\test\SimpleSampleIdentityAsserterProviderImpl.java:24: cannot find symbol
    [java] symbol : class SimpleSampleIdentityAsserterMBean
    [java] location: class com.sample.custom.token.SimpleSampleIdentityAsserterProviderImpl
    [java] SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean) mbean;
    [java] ^
    [java] C:\data from desktop\temp\custom token\test\SimpleSampleIdentityAsserterProviderImpl.java:24: cannot find symbol
    [java] symbol : class SimpleSampleIdentityAsserterMBean
    [java] location: class com.sample.custom.token.SimpleSampleIdentityAsserterProviderImpl
    [java] SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean) mbean;
    [java] ^
    [java] C:\data from desktop\temp\custom token\test\SimpleSampleIdentityAsserterProviderImpl.java:73: cannot find symbol
    [java] symbol : class SimpleSampleCallbackHandlerImpl
    [java] location: class com.sample.custom.token.SimpleSampleIdentityAsserterProviderImpl
    [java] return new SimpleSampleCallbackHandlerImpl(userName);
    [java] ^
    [java] 4 errors
    [java] Exec failed .. exiting

  2. When I try to execute it from WebLogic Workshop I am getting the below error.

    [java] Could not find weblogic.management.commo.WebLogicMBeanMaker. Make sure you have it in your classpath
    [java] at org.apache.tools.ant.taskdefs.ExecuteJava.execute(ExecuteJava.java:170)
    [java] at org.apache.tools.ant.taskdefs.Java.run(Java.java:710)
    [java] at org.apache.tools.ant.taskdefs.Java.executeJava(Java.java:178)
    [java] at org.apache.tools.ant.taskdefs.Java.execute(Java.java:84)
    [java] at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:275)
    [java] at org.apache.tools.ant.Task.perform(Task.java:364)
    [java] at org.apache.tools.ant.Target.execute(Target.java:341)
    [java] at org.apache.tools.ant.Target.performTasks(Target.java:369)
    [java] at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1216)
    [java] at org.apache.tools.ant.Project.executeTarget(Project.java:1185)
    [java] at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:40)
    [java] at org.eclipse.ant.internal.ui.antsupport.EclipseDefaultExecutor.executeTargets(EclipseDefaultExecutor.java:32)
    [java] at org.apache.tools.ant.Project.executeTargets(Project.java:1068)
    [java] at org.eclipse.ant.internal.ui.antsupport.InternalAntRunner.run(InternalAntRunner.java:423)
    [java] at org.eclipse.ant.internal.ui.antsupport.InternalAntRunner.main(InternalAntRunner.java:137)
    [echo] Created Supporting Classes

    build.mjf:
    [copy] Copying 1 file to C:\ALSB workspaces\domainbb\CustomeAuthenticationClient\src\com\sample\custom\token\test
    [java] Working directory ignored when same JVM is used.
    [java] Could not find weblogic.management.commo.WebLogicMBeanMaker. Make sure you have it in your classpath
    [java] at org.apache.tools.ant.taskdefs.ExecuteJava.execute(ExecuteJava.java:170)
    [java] at org.apache.tools.ant.taskdefs.Java.run(Java.java:710)
    [java] at org.apache.tools.ant.taskdefs.Java.executeJava(Java.java:178)
    [java] at org.apache.tools.ant.taskdefs.Java.execute(Java.java:84)
    [java] at org.apache.tools.ant.UnknownElement.execute(UnknownElement.java:275)
    [java] at org.apache.tools.ant.Task.perform(Task.java:364)
    [java] at org.apache.tools.ant.Target.execute(Target.java:341)
    [java] at org.apache.tools.ant.Target.performTasks(Target.java:369)
    [java] at org.apache.tools.ant.Project.executeSortedTargets(Project.java:1216)
    [java] at org.apache.tools.ant.Project.executeTarget(Project.java:1185)
    [java] at org.apache.tools.ant.helper.DefaultExecutor.executeTargets(DefaultExecutor.java:40)
    [java] at org.eclipse.ant.internal.ui.antsupport.EclipseDefaultExecutor.executeTargets(EclipseDefaultExecutor.java:32)
    [java] at org.apache.tools.ant.Project.executeTargets(Project.java:1068)
    [java] at org.eclipse.ant.internal.ui.antsupport.InternalAntRunner.run(InternalAntRunner.java:423)
    [java] at org.eclipse.ant.internal.ui.antsupport.InternalAntRunner.main(InternalAntRunner.java:137)

    In the build path of the project I have the following jars: \bea\modules\com.bea.core.mbean.maker_1.0.1.0.jar, com.bea.core.weblogic.security_2.0.1.0.jar etc.

  3. Can you help me with sample Java web service client code which will be used to invoke a web service that has the above setting of accepting a custom token in HTTP headers?

  4. You can use a Custom Identity Asserter, but WebLogic Server 11g does provide an Identity Asserter to consume the obSSOCookie.

  5. Hi Faisal,
    I am getting a weird problem. I am setting a token in the request header using the Firefox plug-in "Modify Headers". The Custom Identity Assertion module is getting triggered; however, when I convert the token into a byte array and try to convert the byte array to a String, I only get a set of junk characters. I don't see the actual string. I even tried to create the String using UTF-8 encoding, but still no luck.
    Have you seen this kind of a problem with the Custom Identity Assertion?
    Regards,
    Sandeep

  6. You will have to set Base64 decoding to false for the Identity Asserter. For that you will have to add the following in the MDF and rebuild the jar file.

    <MBeanAttribute
    Name = "Base64DecodingRequired"
    Type = "boolean"
    Writeable = "true"
    Default = "false"
    Description = "test"
    />

    The other option can be to send a Base64-encoded value from the browser.

  7. Hi,
    I wld like to read the token from SAML identity assertion provider which is configured in weblogic (console).

    Is there any sample code to read the token using java code ?

    Thanks,
    Ravi

    1. I am afraid there is no such API available to do so.
      You can develop your own SAML Identity Asserter if you want to capture the Assertion.

      Let me know if you have more queries, or if you have anything specific.

      Thanks for posting!

      Faisal

  8. Hi,

    I’m wondering if you could help me out or provide some directions for this. I have a scenario where I need to do two forms of authentication. One way I need to be able to assert a user’s identity and the second a standard form login. I need to have a custom authentication provider for the second because we are managing our groups/roles in a DB and authenticating via an LDAP. This works fine with the standard form login. I run into problems when I try to assert the user. I want to be able to rely on my custom authenticator to be able to add my groups/roles to my subject but I’m having problems mixing this with my identity assertion. Is there a best practice for this? Please help if possible.

    Thank you,
    Tim

    1. Yes, you can invoke your CustomAuthenticator from the IdentityAsserter.
      Make the CONTROL flag of your custom authenticator SUFFICIENT, and none of the other Authenticators should be required.

      In the following method, pass the login module class

      private AppConfigurationEntry getConfiguration(HashMap options)
      {
          options.put("IdentityAssertion", "true");
          return new AppConfigurationEntry(
              "com.security.dbauthentication.DBLoginModuleImpl",
              a_oControlFlag,
              options);
      }

      Make sure that the token exists in the header for your custom identity asserter to be invoked.

      Hope this helps,
      Thanks,
      Faisal

  9. But in the class file it complains of missing import weblogic.security.spi.AuthenticationProviderV2 (from com.bea.core.weblogic.security_2.0.1.0.jar) .

    I am using WebLogic 10.3 and it is missing security_2.0.1.0.jar. When I check on the internet, even examples with 10.0 have this jar.

    I have installed WebLogic 10.3 on JDK 1.6 and it has com.bea.core.weblogic.security_1.0.0.0_6-0-3-0.jar, which does not have weblogic.security.spi.AuthenticationProviderV2.

    Any idea where we can download this file?

    1. Thanks Faisal. I am getting the same error (shown below) as Abhay. (I also renamed the file SimpleSampleServletAuthenticationFilter.xml to SimpleSampleAuthenticationFilter.xml.)

      Any Pointers.

      Thanks.

      build.mdf:
      [java] Working directory ignored when same JVM is used.
      [java] Parsing the MBean definition file: SimpleSampleIdentityAsserter.xml
      [echo] Created Supporting Classes

      build.mjf:
      [copy] Copying 1 file to C:\SportingBet\src\test
      [java] Working directory ignored when same JVM is used.
      [java] Creating an MJF from the contents of directory test…
      [java] Compiling the files…
      [java] Creating the list.
      [java] Doing the compile.
      [java] C:\XYZ\src\test\examples\security\providers\identityassertion\simple\SimpleSampleIdentityAsserterMBean.java:50: getProviderClassName() is already defined in examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterMBean
      [java] public java.lang.String getProviderClassName ();
      [java] ^
      [java] C:\XYZ\src\test\SimpleSampleIdentityAsserterProviderImpl.java:92: cannot find symbol
      [java] symbol : class SimpleSampleCallbackHandlerImpl
      [java] location: class examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl
      [java] return new SimpleSampleCallbackHandlerImpl(userName);}public AppConfigurationEntry getLoginModuleConfiguration(){return null;}
      [java] ^
      [java] 2 errors
      [java] Exec failed .. exiting

          1. Hi, I have implemented Identity assertion using the code snippets above. The CallbackHandler however is not there; I am giving my handler below.
            My problem is that the default Authenticator in WebLogic is getting invoked after this; our aim was to bypass the default authentication page. Please note I have both a custom authenticator and a custom identity asserter and have set the control flag for the custom authenticator as SUFFICIENT. The control flag for the Default authenticator is OPTIONAL. Yet the WebLogic login screen is coming.

            public class ManualJEAsserterCallbackHandler implements CallbackHandler
            {
                private String userName;
                static int handleCallbackHandlerCount = 0;

                ManualJEAsserterCallbackHandler(String user)
                {
                    System.out.println("ASSERTER CALLBACK HANDLER******ManualJEAsserterCallbackHandler constructor*****");
                    userName = user;
                }

                public void handle(Callback[] callbacks) throws UnsupportedCallbackException
                {
                    System.out.println("ASSERTER CALLBACK HANDLER:: handle() called" + (handleCallbackHandlerCount++));
                    System.out.println("ASSERTER CALLBACK HANDLER******ManualJEAsserterCallbackHandler constructor-->handle(callback[])*****");
                    for (int i = 0; i < callbacks.length; i++) {
                        Callback callback = callbacks[i];
                        if (!(callback instanceof NameCallback)) {
                            throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
                        }
                        NameCallback nameCallback = (NameCallback) callback;
                        nameCallback.setName(userName);
                    }
                }
            }

          2. What is the token type for your default identity asserter?
            Is it the same as the one in the default identity asserter? You can try to change the setting of the default identity asserter.

  10. “We can develop an Authentication provider along with the Custom Identity Asserter if the users exists outside WLS.”
    What are some options if you need to establish trust between 2 WL domains? I’ve read about the Credential attribute that will allow domains to trust authenticated subjects and share principals. Anything else?

    Is there support for token based authentication over t3/s or does it have to be http/s?

    1. Yes, we can use Credential Mappers to generate a token on the Source Domain and send it to the Destination Domain.
      Some Credential Mappers like the SAML Credential Mapper and PKI Credential Mapper are provided OOB; you can consider using them.
      T3 will only work if you want SSO between two WLS Domains.

      Let me know if you have any doubts.

      Cheers!
      Faisal

  11. I am also getting errors like Abhay. Could you please send the code to me also.

    getProviderClassName() is already defined in examples.security.providers.identityassertion.simple.
    SimpleSampleIdentityAsserterMBean
    [java] public java.lang.String getProviderClassName ();
    [java] ^

      1. I am also getting the same error. Can you please send me the code as well, if possible?

  12. Hi,
    In our application, we are doing the authentication outside of the application (using the Web SM Agent) and passing the information through request headers to the application.
    We have HTTPS and SSL set up and are doing client-cert in the web.xml.
    So I want to have a custom IA like the above so that I can get the user name and roles set on the WebLogic Subject.

    Could you please suggest if I can use the above IA?
    I am trying to build like above and I am getting an error like below.

    getProviderClassName() is already defined in examples.security.providers.identityassertion.simple.
    SimpleSampleIdentityAsserterMBean
    [java] public java.lang.String getProviderClassName ();

    Could you please suggest: am I doing it right, and also let me know how to fix the error.
    I appreciate your help.
    thanks
    ja.ki.

    1. Do you have a SiteMinder Identity Asserter on WLS?
      Do you have an additional mechanism of authentication using X509 certificates?

      Kindly help me understand your architecture and your requirement better.

      Thanks,
      Faisal

  13. I developed a custom IA. We have perimeter authentication by SiteMinder. We have RSA certificates installed and it is one-way SSL. Everything is working fine except when I try to download and view a PDF on the server which is stored as a BLOB object; I am getting an error like "Certificate Error: Navigation canceled". Let me know if I need to do anything extra for the certificate setup in the custom IA. As such I haven't done anything in the custom IA, except setting up the certificates. The server is WebLogic and it worked well with HTTPS before I moved to perimeter authentication.
    Let me know where I am doing wrong.

    The only error I saw is ..

    I appreciate your help

    1. Hi Kiran,

      What type of IA Asserter is this? Does it process X509 Certificates?
      SSL Communication is established even before IdentityAsserters are called.

      You need to troubleshoot why SSL Communication is failing.

      Enable -Dssl.debug=true on the server and send me the log files.

      Thanks,
      Faisal

  14. It's a continuation of my above post.

    In the custom IA, I am asserting the token and I am not doing anything with the login module except assigning the username to the WebLogic subject.
    The error is (it says it is a warning in the console):

    Plaintext data for protocol HTTP was received from peer soc-scan-nc03.nc.wachovia.net – 114.3.199.10 instead of an SSL handshake
    Invalid/unknown SSL header was received from peer soc-scan-nc03.nc.wachovia.net – 114.3.199.10 during SSL handshake.

  15. Hi Team,

    You are doing a great work sharing Security related issues.

    I have the following requirement and would require your help on the same

    1. Can we enable Identity Assertion for Enterprise Applications?

    2. Can t3/EJB clients pass identity tokens? If yes, how?

    3. Can you point us to documentation/samples/example describing the procedure to enable assertion for EJB application and how EJB client will pass the token?

  16. Hi,

    Can I make my custom IA work with the DefaultAuthenticator together? If the IA fails, then the DefaultAuthenticator will challenge user with a form. Now I have to change my web app auth-method to “CLIENT-CERT”, if I keep it as “FORM”, the form login page always comes.

  17. Hi Afjal,

    In our application we are using WebLogic Portal Server 9.2.3 with IDM 11g and OAM 11g, and there is no existing Identity Assertor in WebLogic 9.2.3 available to check the OBSSOCOOKIE from OAM 11g.

    1. Could you please suggest the approach to make it happen?
    2. I have to forward to a Login Module (Portal page), not a simple JSP page, after validation fails. How can I achieve this? Please suggest.

    My personal email id is diguvirtue@gmail.com

    Thanks.

    Regards,
    Digesh

    1. 1. Could you please suggest the approach to make it happen?
      I am not sure if a custom identity asserter will help here since you will require the mechanism to decode the token.
      You might have to upgrade.

      2. I have to forward to a Login Module (Portal page), not a simple JSP page, after validation fails. How can I achieve this? Please suggest.
      Can you please elaborate on this? Forwarding to a servlet or a JSP can happen from the identity asserters…

      Thanks,
      Faisal

  18. Hi Faisal,

    Thanks for sharing this. I have implemented the similar example. I am keeping the

    But when I am login in the Weblogic console I am still not able to see this attribute writable there.

    Please help me out resolving this issue.

    Thanks in advance. 🙂

  19. Hi,

    I'm facing a problem with the example.
    On the restart of the server (with the new asserter):

    #### <> <The following exception has occurred:

    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097533]SecurityProvider service class name for monAsserter is not specified.
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:365)
    at com.bea.common.engine.internal.ServiceEngineImpl.findOrStartService(ServiceEngineImpl.java:315)
    at com.bea.common.engine.internal.ServiceEngineImpl.lookupService(ServiceEngineImpl.java:257)
    at com.bea.common.engine.internal.ServicesImpl.getService(ServicesImpl.java:72)

    Can you tell me the mistake I made?
    Thanks

  20. For the issue : SecurityProvider service class name for xxx is not specified.

    The JVM argument -Dfiles cannot be the current folder.

    incorrect:java -Dfiles=. -DMJF=./mbean.jar
    correct: java -Dfiles=./build -DMJF=./mbean.jar

  21. Has anyone written a custom attribute? Like the following:

    When I try to set this attribute using
    MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
    mbs.setAttribute(objNm, new Attribute(“MyAttribute”, “aaaa”));

    It always throws:

    javax.management.AttributeNotFoundException: Attribute is readonly. : Security:Name=myrealmMyAuthAsserter:MyAttribute
    at weblogic.management.jmx.modelmbean.WLSModelMBean.setAttribute(WLSModelMBean.java:648)
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.setAttribute(DefaultMBeanServerInterceptor.java:762)
    at com.sun.jmx.mbeanserver.JmxMBeanServer.setAttribute(JmxMBeanServer.java:699)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$14.run(WLSMBeanServerInterceptorBase.java:378)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.setAttribute(WLSMBeanServerInterceptorBase.java:376)
    at weblogic.management.mbeanservers.internal.JMXContextInterceptor.setAttribute(JMXContextInterceptor.java:228)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase$14.run(WLSMBeanServerInterceptorBase.java:378)
    at java.security.AccessController.doPrivileged(Native Method)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServerInterceptorBase.setAttribute(WLSMBeanServerInterceptorBase.java:376)
    at weblogic.management.mbeanservers.internal.SecurityInterceptor.setAttribute(SecurityInterceptor.java:359)
    at weblogic.management.jmx.mbeanserver.WLSMBeanServer.setAttribute(WLSMBeanServer.java:303)
    at com.ironworks.security.HeaderIdentityAsserterProviderImpl.assertIdentity(HeaderIdentityAsserterProviderImpl.java:143)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
    at $Proxy35.assertIdentity(Unknown Source)
    at com.bea.common.security.internal.service.IdentityAssertionTokenServiceImpl.assertIdentity(IdentityAssertionTokenServiceImpl.java:92)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.common.security.internal.utils.Delegator$ProxyInvocationHandler.invoke(Delegator.java:57)
    at $Proxy36.assertIdentity(Unknown Source)


  23. Hi Faisal,
    After doing all the steps mentioned here, I get the following error.
    [Security:097534]Failed to obtain an instance of class

    Could you please send me a sample that works? Thanks in advance.

  24. Hi,

    can you please send me source code as I am getting getProviderClassName() is already defined

  25. Hi,

    I have successfully created/deployed the JAR file… On the log, I can see that is initialized. But can’t see it is being triggered. I already set the auth-method to CLIENT-CERT.

    Is there something I need to set to make this work.

  26. After creating the jar file and adding the identity asserter to WLS console, WLS cannot restart. I am getting the following error.

    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException:
    [Security:097534]Failed to obtain an instance of class com.starwood.security.grc.sso.StarwoodProviderImpl.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1785)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)
    Truncated. see log file for complete stacktrace

    Any help is much appreciated.

  27. Hi Faisal.
    I am able to create an MJF and configure a Custom Identity Asserter in the realm. But the server fails to start with the below exception –

    <The realm "myrealm" failed to be loaded: weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097534]Failed to obtain an instance of class examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl..
    weblogic.security.service.SecurityServiceException: com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097534]Failed to obtain an instance of class examples.security.providers.identityassertion.simple.SimpleSampleIdentityAsserterProviderImpl.
    at weblogic.security.service.CSSWLSDelegateImpl.initializeServiceEngine(CSSWLSDelegateImpl.java:341)
    at weblogic.security.service.CSSWLSDelegateImpl.initialize(CSSWLSDelegateImpl.java:220)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.InitializeServiceEngine(CommonSecurityServiceManagerDelegateImpl.java:1785)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initializeRealm(CommonSecurityServiceManagerDelegateImpl.java:442)
    at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.loadRealm(CommonSecurityServiceManagerDelegateImpl.java:840)

    Please help with this.

    Thanks,
    Peter

  28. Hi,
    Can I request the full, running code with the detailed steps?
    Any other link or anything will be helpful.

    Thanks,
    Joebin

  29. Hi, I’m having the same compile errors with getProviderClassName(). Could you please send me the code?

    Br,
    // Matthew

  30. Hi Faisal,

    May I kindly ask you for the full code ? Many thanks in advance.

    Kind regards,

    Nicolas

  31. Hi Faisal!

    Can I ask you to send the source code in mail? Would help a lot.
    Thanks in advance!

    Regards,
    Peter

  32. Hi Faisal,

    I am in the same situation as others trying to authenticate external users using a custom identity asserter. Can you please send me the complete code? Appreciate your time and effort.

    Thanks,
    Harish

  33. Hi Faisal.
    After restarting of the server I have the error in logs: “Failed to obtain an instance of class …”. What could be the cause of this error?
    And, can I ask you to send source codes?
    Thank you so much.

  34. Hi Faisal and other experts,

    I created a custom identity asserter to consume the ObSSOCookie created by OAM. I was not able to use the OamAuthprovider out of the box (for some reason I am getting errors while asserting the cookie at OAM).

    I have webgate and WebLogic plug-in installed on apache. WebGate is correctly intercepting the request and authenticating the user when ObSSOCookie is not in the http header. However, once authenticated, it is not forwarding my request to WebLogic (That is the feeling I am getting) since my custom authenticator is not invoked.

    The security section of web.xml looks like

    CLIENT-CERT
    myRealm

    I am using plain HTTP between Apache and WebLogic. Do you see that as a problem?

    Any suggestion(s) to point me in the right direction is appreciated.

    Thanks
    Raj

    1. Hi Raj,

      You can enable debugHTTP on WebLogic and see if you are getting the ObSSOCookie or not.
      If you are getting it, then there might be an issue with your identity asserter.
      You can test your identity asserter from a standalone client.

      I can send you that.

      But first check the logs after enabling debugHTTP.

      Thanks,
      Faisal

  35. Hi Faisal,

    I am getting some issues while trying to build the project.
    Can you please send me the source code if possible.

    Thanks and Regards,
    Prasanth Kumar

  36. Hi Faisal,

    I am not getting the subject and principal on the server side if the user does not exist in the WL Console Realm. Is there any way we can assert users which do not exist in the WL Domain also?

    Thanks,
    Prassanth Kumar

    1. Yes Prassanth. We can call a dummy login module that just returns true from the login method.
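    As an added example (not the post's or Faisal's code) of the login module this reply describes: it checks no password, because the identity asserter has already validated the token, but it still refuses an empty name and only adds the WLSUser principal after a successful login. It assumes the module is wired in through the provider's AppConfigurationEntry in the same way as the post's sample; the class name is hypothetical.

```java
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSUserImpl;

// Added example (not the post's code): login module for identities the asserter
// has already validated. The class name is hypothetical.
public class AssertedUserLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private String userName;            // non-null only after a successful login()
    private WLSUserImpl userPrincipal;  // added to the Subject in commit()
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }
    // No password check: the asserter already validated the token. The only
    // input used is the name its callback handler supplies; empty is rejected.
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("username: ");
        try {
            callbackHandler.handle(new Callback[] { name });
        } catch (Exception e) { throw new LoginException("could not read asserted user name: " + e); }
        String n = name.getName();
        if (n == null || n.trim().length() == 0)
            throw new FailedLoginException("asserter supplied no user name");
        userName = n;
        return true;
    }
    // Only a successful login() adds the WLSUser principal WebLogic authorizes on.
    public boolean commit() throws LoginException {
        if (userName == null) return false;
        userPrincipal = new WLSUserImpl(userName);
        subject.getPrincipals().add(userPrincipal);
        return true;
    }
    public boolean abort() throws LoginException { return logout(); }
    public boolean logout() throws LoginException {
        if (userPrincipal != null) subject.getPrincipals().remove(userPrincipal);
        userName = null;
        return true;
    }
}
```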

  37. Hi Faisal,
    I am also running into building issues (Copy&Paste from browser). Could you please send me the source code (better yet: the archived eclipse project)?
    Any help is truly appreciated
    Thanks a lot.
    Kind regards
    Werner Alber

  38. Hi Faisal –
    Please, can I ask you to send me the full source codes? That will help me a lot.

    Thank you so much in advance.
    -Helen

  39. Hi,

    I have a requirement to auto login into the managed server’s (under WL) applications (like worklist) using SSO, from another application (not WL, by using a link).
    I will have to call the link with a token. As I understood, there are 2 parts: 1. Define the token. 2. Define the provider.
    How can I accomplish it?
    Can I just copy paste the above files and run the procedure, or is there anything else required?

    Please, it’s ASAP.

    Thanks
    Joe

  40. Hi,

    After implementing the above, how can I test it? How can I call for example the console or EM application using a TOKEN?
    (let’s say from a simple HTML page)

    Thanks
    Joe

    1. You need to send the token in the connection header. I’ll send you a standalone client.

  41. Hi Admin! Could I also please have a copy of the code?
    I’m struggling with
    com.bea.common.engine.ServiceInitializationException: com.bea.common.engine.SecurityServiceRuntimeException: [Security:097534]Failed to obtain an instance of class

  42. Hello Faisal, I’m VERY new to WebLogic and security in general so forgive my ignorance when I sound as so. I have been tasked with implementing single sign on for my company and here is the scenario: The company utilizes OAM 10g WebGate which generates the ObSSOCookie, Apache 2.2 is used as a proxy, which in turn forwards the request to the Oracle WebLogic Server using the mod_weblogic plug-in which has been configured in Apache. The OAM_REMOTE_USER header is being passed to WebLogic. My challenge is what do I need to do in WebLogic to allow it to consume this header and assert the identity of the user. The user IDs passed by the header are the same user IDs that we use in WebLogic. Can you please help me figure out which authentication provider to use in this scenario. Also, the LDAP that the company uses is EDS and there is no EDS authenticator in WebLogic; how do I overcome this hurdle? Any help you can provide will be greatly appreciated.

  43. Hello!
    During the process, the “getProviderClassName() is already defined” error comes up 🙁
    Can you send me source code solution of this problem?

  44. Well now, I too am getting the [Security:097534]Failed to obtain an instance of class exception. I have no idea why. Did you guys ever solve this problem?

    1. You were right, I had accidentally deleted part of the classname in my MDF. Thanks!

Comments are closed.