weblogic Provider

Anyone who has worked on OAM and OID projects knows that integrating OAM and OID requires configuring Providers in the weblogic Security Realm. So what is a Provider? In business systems, authentication and authorization have always been the most complicated part, which shows up as

  • Diverse authentication protocols, such as OAuth2 and SAML.
  • Diverse authentication methods, such as secondary (two-step) authentication and verification-code authentication.
  • Diverse authentication strategies: when there are several authentication sources, the policy can vary, for example fail if any one source rejects, or succeed as long as any one source accepts.
  • Enterprises still have many custom authentication requirements. Some systems went live before any corresponding standard existed, so their authentication is entirely home-grown.
  • Diverse password authentication strategies. Most systems store passwords irreversibly, so if the passwords were not kept in a service such as LDAP from the start, the original passwords cannot be recovered during a later migration, and a custom password-authentication strategy is needed.

In short, authentication is not as simple as verifying a username and password, so weblogic provides different providers for different authentication scenarios. As a mature commercial server, weblogic naturally covers most of them. Taking weblogic 11g as an example, it ships with the following providers

  • SAML2IdentityAsserter
  • X3gppAssertedIdentityAsserter
  • X3gppAssertedIdentityStrictAsserter
  • DBMSDigestIdentityAsserter
  • IdentityAssertionAuthenticator
  • IdentityHeaderAsserter
  • LdapDigestIdentityAsserter
  • PAssertedIdentityAsserter
  • PAssertedIdentityStrictAsserter
  • CrossTenantAuthenticator
  • TrustServiceIdentityAsserter
  • OSSOIdentityAsserter
  • OAMIdentityAsserter
  • OAMAuthenticator
  • ActiveDirectoryAuthenticator
  • CustomDBMSAuthenticator
  • DefaultAuthenticator
  • DefaultIdentityAsserter
  • IPlanetAuthenticator
  • LDAPAuthenticator
  • LDAPX509IdentityAsserter
  • NegotiateIdentityAsserter
  • NovellAuthenticator
  • OpenLDAPAuthenticator
  • OracleInternetDirectoryAuthenticator
  • OracleVirtualDirectoryAuthenticator
  • ReadOnlySQLAuthenticator
  • SQLAuthenticator
  • WindowsNTAuthenticator
  • SAMLAuthenticator
  • SAMLIdentityAsserter
  • SAMLIdentityAsserterV2

Looking at the list above, the Providers fall into two types

  • xxxAsserter
  • xxxAuthenticator

So what is the difference between the two? Understanding it matters. Think of entering a gated community: if you have a resident card you walk straight in; if not, you have to prove you are a resident, and may be asked for your ID card, phone number and so on. Similarly, if you access the system with a token or cookie, an Asserter is needed to establish your identity; if you log in with a username and password, an Authenticator is needed. In short, the Asserter looks at the token and the Authenticator looks at the password. Anyone who has configured OAM single sign-on knows that two things must be configured to make it work

  • Configure OAMIdentityAsserter
  • Configure OracleInternetDirectoryAuthenticator

The question is, why is OracleInternetDirectoryAuthenticator needed alongside OAMIdentityAsserter? After the user logs in on the login page, every subsequent request is authenticated and authorized through OAMIdentityAsserter, which parses the OAM information, so why is an Authenticator needed at all? The user information an Asserter can obtain is limited: only what can be parsed from the token, which is generally just the user ID. To check whether the user exists, or to obtain more user information, an Authenticator is required.

JAAS

JAAS (Java Authentication and Authorization Service) is the standard user authentication and authorization model built into the JDK (under the javax.security.auth package). Simply put, JAAS provides a set of interfaces; each authentication method implements them so that it can be plugged into a Java application as a plug-in (see the JAAS architecture diagram).

There are several important concepts to understand in JAAS

  • Subject

The Subject represents the requester, which may be a person or a device.

  • Principal

A Principal is associated with a Subject. As noted above, the Subject is the requester; it is easiest to think of it as the logged-in user. The Principal is then the user's account identity, which might be the mobile number or the email address used to log in. A Subject can have multiple Principals.

  • LoginContext

LoginContext is the authentication context. It provides the authentication entry points, is responsible for calling the concrete authentication implementation (LoginModule), and returns the Subject after successful authentication.

  • LoginModule

The concrete authentication implementation: its login method carries out the login logic and stores the result, and its commit method finally adds the resulting principals to the Subject.

  • CallbackHandler

When a LoginModule needs authentication information such as the username and password, it calls the CallbackHandler to obtain it. In a GUI application, the CallbackHandler might pop up a window asking the user to enter a username and password.

  • Callback

Each piece of user information the LoginModule needs is expressed as a Callback. For example, to obtain the user name from the CallbackHandler a NameCallback is created; to obtain the password a PasswordCallback is created. The CallbackHandler fills in the user information according to the type of each Callback.
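To make these concepts concrete, here is a small self-contained JAAS example (added here; it is not code from the original post and does not depend on weblogic). A CallbackHandler answers a NameCallback with an identity that was already asserted upstream, a LoginModule collects it in login() and publishes principals in commit(), and a programmatic Configuration lets a LoginContext drive the whole login/commit/abort cycle; the class, module and application names are made up for the example.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class JaasLifecycleDemo {

    /** Principal carrying one identity of the Subject (a Subject may hold several). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public String toString() { return "User(" + name + ")"; }
    }

    /** Answers a NameCallback with an identity asserted upstream, the role a header-based
     *  asserter's handler plays: nothing is typed by a user. */
    static final class AssertedNameHandler implements CallbackHandler {
        private final String user;
        AssertedNameHandler(String user) { this.user = user; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof NameCallback)) {
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
                ((NameCallback) cb).setName(user);
            }
        }
    }

    /** login() gathers the name, commit() publishes principals, abort() rolls back. */
    public static final class AssertedUserLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private final List<Principal> pending = new ArrayList<Principal>();
        private boolean succeeded, committed;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");   // create the callback before handle()
            try {
                handler.handle(new Callback[] { nc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e);
            }
            String name = nc.getName();
            if (name == null || name.trim().length() == 0) {
                throw new FailedLoginException("empty user name");   // LoginContext then calls abort()
            }
            pending.add(new UserPrincipal(name));
            succeeded = true;
            return true;
        }
        public boolean commit() {
            if (!succeeded) return false;
            subject.getPrincipals().addAll(pending);   // only now does the Subject gain its identity
            committed = true;
            return true;
        }
        public boolean abort() {
            if (committed) subject.getPrincipals().removeAll(pending);
            pending.clear();
            succeeded = committed = false;
            return true;
        }
        public boolean logout() {
            subject.getPrincipals().removeAll(pending);
            return true;
        }
    }

    /** Programmatic Configuration, so no jaas.config file is needed. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String appName) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        AssertedUserLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        new HashMap<String, Object>()) };
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        LoginContext ok = new LoginContext("demoApp", new Subject(), new AssertedNameHandler("helen"), config());
        ok.login();   // runs login() and then commit() on the module
        System.out.println("after login:  " + ok.getSubject().getPrincipals());   // [User(helen)]
        ok.logout();
        System.out.println("after logout: " + ok.getSubject().getPrincipals());   // []

        Subject rejected = new Subject();
        try {
            new LoginContext("demoApp", rejected, new AssertedNameHandler(""), config()).login();
        } catch (LoginException e) {
            // abort() ran, so the Subject stays empty
            System.out.println("rejected: " + e.getMessage() + ", principals=" + rejected.getPrincipals());
        }
    }
}
```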

Project Background

A project needed to replace OAM with another product, with the requirement that the application itself could not be modified, so the switch had to be seamless. The application is deployed on weblogic and integrates OAM and OID through OAMIdentityAsserter and OracleInternetDirectoryAuthenticator for single sign-on. The relevant application configuration is as follows

  • web.xml
   <security-constraint>
    <web-resource-collection>
        <web-resource-name>SecurePages</web-resource-name>
        <description>These pages are only accessible by authorized users.</description>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>These are the roles who have access.</description>
        <role-name>ValidUser</role-name>
    </auth-constraint>
    <user-data-constraint>
        <description>This is how the user data must be transmitted.</description>
        <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
</login-config>
<security-role>
    <description>These are the roles who have access.</description>
    <role-name>ValidUser</role-name>
</security-role>
  • weblogic.xml
  <wls:security-role-assignment>
      <wls:role-name>ValidUser</wls:role-name>
      <wls:principal-name>users</wls:principal-name>
  </wls:security-role-assignment>

Note the login-config setting <auth-method>CLIENT-CERT</auth-method>: it means the application obtains the user information from the container's security context, that is, from the getUserPrincipal method of HttpServletRequest.

Implementation plan

To switch without touching the application code, something equivalent to OAMIdentityAsserter has to be implemented, namely a custom Asserter, so that once the Asserter has authenticated the request the application can still read the user information from the context.

Develop custom Provider

Next we develop a Provider with the following requirement: if the http request carries a YUFU_REMOTE_USER header, its value is the user id and the request is treated as already authenticated, mirroring the OAM_REMOTE_USER mechanism of OAM.

You may feel that this mechanism is crude and easy to get wrong from a security standpoint. The precondition of the scheme is therefore that the authentication center's reverse proxy sits in front of weblogic and users cannot bypass it to reach weblogic directly; that request isolation can be enforced at the firewall level.

A Provider is implemented as a weblogic MBean, so the development process is essentially the same as for any MBean
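The header-trust assumption above is worth enforcing in code as well as at the firewall. The following class is an added example, not part of the original plugin: it tightens the validation that assertIdentity performs (null-safe type check, bounded length, explicit UTF-8 decoding, an allow-list for user-id characters) and, as defense in depth, honours the header only when the servlet request's TCP peer is one of the configured proxy addresses. It assumes weblogic exposes the request under the context element name com.bea.contextelement.servlet.HttpServletRequest, that the servlet API is on the build classpath, and that the proxy list is known (10.0.0.5 is a constructed value); the class name and package are hypothetical.

```java
package com.yufu.plugin.weblogic;   // hypothetical placement; any package works

import java.nio.charset.Charset;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;

/** Defensive validation for a header-carried identity (example code, not part of the plugin). */
public final class AssertedHeaderValidator {
    /** Context element under which weblogic exposes the servlet request (assumed documented name). */
    static final String REQUEST_ELEMENT = "com.bea.contextelement.servlet.HttpServletRequest";
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final int MAX_TOKEN_BYTES = 256;
    /** Conservative allow-list; adjust to the id format the authentication center actually issues. */
    private static final Pattern USER_ID = Pattern.compile("[A-Za-z0-9._@-]{1,64}");

    private final String expectedType;
    private final Set<String> trustedProxies;

    public AssertedHeaderValidator(String expectedType, Set<String> trustedProxies) {
        this.expectedType = expectedType;
        this.trustedProxies = new HashSet<String>(trustedProxies);
    }

    /** Returns the validated user id or throws; call it from assertIdentity() before building the handler. */
    public String validate(String type, Object token, ContextHandler context) throws IdentityAssertionException {
        if (!expectedType.equals(type)) {
            throw new IdentityAssertionException("unexpected token type " + type);
        }
        if (!(token instanceof byte[])) {   // instanceof is false for null, so no NPE on token.getClass()
            throw new IdentityAssertionException("token must be a byte[]");
        }
        byte[] raw = (byte[]) token;
        if (raw.length == 0 || raw.length > MAX_TOKEN_BYTES) {
            throw new IdentityAssertionException("token length out of range: " + raw.length);
        }
        String user = new String(raw, UTF8);   // explicit charset; the platform default is not portable
        if (!USER_ID.matcher(user).matches()) {
            throw new IdentityAssertionException("user id contains characters outside the allow-list");
        }
        // Defense in depth: honour the header only when the TCP peer is a trusted reverse proxy.
        // getRemoteAddr() is the socket peer, not a client-supplied header such as X-Forwarded-For.
        Object req = (context == null) ? null : context.getValue(REQUEST_ELEMENT);
        if (!(req instanceof HttpServletRequest)) {
            throw new IdentityAssertionException("no servlet request in context; refusing to assert identity");
        }
        String peer = ((HttpServletRequest) req).getRemoteAddr();
        if (!trustedProxies.contains(peer)) {
            throw new IdentityAssertionException("identity header received from untrusted peer " + peer);
        }
        return user;
    }

    /** Example wiring: 10.0.0.5 is a constructed proxy address, not a real deployment value. */
    public static AssertedHeaderValidator forYufu() {
        return new AssertedHeaderValidator("YUFU_REMOTE_USER",
                new HashSet<String>(Arrays.asList("10.0.0.5")));
    }
}
```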

  • Create MBean description file

YufuSSOIdentityAsserter.xml

<?xml version="1.0" ?>
<!DOCTYPE MBeanType SYSTEM "commo.dtd">

<MBeanType
        Name="YufuSSOIdentityAsserter"
        DisplayName="YufuSSOIdentityAsserter"
        Package="com.yufu.plugin.weblogic"
        Extends="weblogic.management.security.authentication.IdentityAsserter"
        PersistPolicy="OnUpdate"
>
    <MBeanAttribute
            Name="ProviderClassName"
            Type="java.lang.String"
            Writeable="false"
            Preprocessor="weblogic.management.configuration.LegalHelper.checkClassName(value)"
            Default="&quot;com.yufu.plugin.weblogic.YufuSSOIdentityAsserterProviderImpl&quot;"
    />

    <MBeanAttribute
            Name="Description"
            Type="java.lang.String"
            Writeable="false"
            Default="&quot;得帆云weblogic认证插件&quot;"
    />

    <MBeanAttribute
            Name="Version"
            Type="java.lang.String"
            Writeable="false"
            Default="&quot;1.0&quot;"
    />

    <MBeanAttribute
            Name="SupportedTypes"
            Type="java.lang.String[]"
            Writeable="false"
            Default="new String[] { &quot;YUFU_REMOTE_USER&quot; }"
    />

    <MBeanAttribute
            Name="ActiveTypes"
            Type="java.lang.String[]"
            Default="new String[] { &quot;YUFU_REMOTE_USER&quot; }"
    />


    <MBeanAttribute
            Name="Base64DecodingRequired"
            Type="boolean"
            Writeable="false"
            Default="false"
            Description="See MyIdentityAsserter-doc.xml."
    />

</MBeanType>

This file mainly defines the Provider's implementation class and its configuration. The attributes defined here are shown in the console when weblogic creates the Provider. SupportedTypes lists the supported token types, where the token name is the name of the http header, and ActiveTypes gives the token types selected by default.

  • Prepare the following three java files

YufuSSOIdentityAsserterProviderImpl.java

package com.yufu.plugin.weblogic;

import java.util.HashMap;

import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

import weblogic.management.security.ProviderMBean;
import weblogic.security.provider.PrincipalValidatorImpl;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.*;

public final class YufuSSOIdentityAsserterProviderImpl implements AuthenticationProviderV2, IdentityAsserterV2 {
    final static private String TOKEN_TYPE = "YUFU_REMOTE_USER";

    private String description;
    private LoginModuleControlFlag controlFlag;


    public void initialize(ProviderMBean mbean, SecurityServices services) {
        System.out.println("插件初始化");
        YufuSSOIdentityAsserterMBean asserterBean = (YufuSSOIdentityAsserterMBean) mbean;
        description = asserterBean.getDescription() + "\n" + asserterBean.getVersion();
        controlFlag = LoginModuleControlFlag.SUFFICIENT;
    }

    /**
     * Core assertion logic.
     *
     * @param type    token name (the http header name)
     * @param token   token value (byte[])
     * @param context request context supplied by weblogic
     * @return a CallbackHandler that hands the asserted user name to the LoginModule
     * @throws IdentityAssertionException if the token type or value is invalid
     */
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context) throws IdentityAssertionException {
        System.out.println("\tType\t\t= " + type);
        System.out.println("\tToken\t\t= " + token);
        this.validate(type, token);
        byte[] tokenBytes = (byte[]) token;
        if (tokenBytes.length < 1) {
            String error = "received empty token byte array";
            throw new IdentityAssertionException(error);
        }
        // The header value is taken as the user id; the reverse proxy in front is trusted to have set it.
        String userName = new String(tokenBytes);
        return new YufuSSOCallbackHandlerImpl(userName);
    }

    private void validate(String type, Object token) throws IdentityAssertionException {
        if (!(TOKEN_TYPE.equals(type))) {
            String error = "unknown token type \"" + type + "\"." + " Expected " + TOKEN_TYPE;
            throw new IdentityAssertionException(error);
        }

        // Check for null first: token.getClass() below would otherwise throw a NullPointerException.
        if (token == null) {
            throw new IdentityAssertionException("received null token. Expected a byte[].");
        }
        if (!(token instanceof byte[])) {
            String error = "received unknown token class \"" + token.getClass() + "\"." + " Expected a byte[].";
            System.out.println("\tError: " + error);
            throw new IdentityAssertionException(error);
        }
    }


    public AppConfigurationEntry getLoginModuleConfiguration() {
        HashMap options = new HashMap();
        return getConfiguration(options);
    }

    /**
     * Defines the LoginModule implementation class.
     *
     * @param options options passed to the LoginModule
     * @return the JAAS configuration entry for this provider
     */
    private AppConfigurationEntry getConfiguration(HashMap options) {
        return new
                AppConfigurationEntry(
                "com.yufu.plugin.weblogic.YufuSSOLoginModuleImpl",
                controlFlag,
                options
        );
    }

    public AppConfigurationEntry getAssertionModuleConfiguration() {
        HashMap options = new HashMap();
        options.put("IdentityAssertion", "true");
        return getConfiguration(options);
    }

    public PrincipalValidator getPrincipalValidator() {
        return new PrincipalValidatorImpl();
    }

    public String getDescription() {
        return description;
    }

    public void shutdown() {
    }

    public IdentityAsserterV2 getIdentityAsserter() {
        return this;
    }

}

YufuSSOLoginModuleImpl.java

package com.yufu.plugin.weblogic;
import java.io.IOException;
import java.util.Map;
import java.util.Vector;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.principal.WLSUserImpl;
final public class YufuSSOLoginModuleImpl implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private boolean loginSucceeded;
    private boolean principalsInSubject;
    private Vector principalsForSubject = new Vector();

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) {
        System.out.println("YufuSSOLoginModuleImpl.initialize");
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    /**
     * Login logic: obtain the asserted user name through the CallbackHandler and build the principals.
     * @return true when login succeeded
     * @throws LoginException if the user name cannot be obtained
     */
    public boolean login() throws LoginException {
        System.out.println("插件校验登录");
        Callback[] callbacks = getCallbacks();
        String userName = getUserName(callbacks);
        loginSucceeded = true;
        principalsForSubject.add(new WLSUserImpl(userName));
        addGroupsForSubject(userName);
        return loginSucceeded;
    }

    /**
     * Confirm a successful login by adding the principals to the Subject.
     *
     * @return true if the principals were added
     * @throws LoginException
     */
    public boolean commit() throws LoginException {
        if (loginSucceeded) {
            subject.getPrincipals().addAll(principalsForSubject);
            principalsInSubject = true;
            return true;
        } else {
            return false;
        }
    }
    public boolean abort() throws LoginException {
        if (principalsInSubject) {
            subject.getPrincipals().removeAll(principalsForSubject);
            principalsInSubject = false;
        }
        return true;
    }
    public boolean logout() throws LoginException {
        return true;
    }
    private void throwLoginException(String msg) throws LoginException {
        throw new LoginException(msg);
    }
    private Callback[] getCallbacks() throws LoginException {
        if (callbackHandler == null) {
            throwLoginException("缺少callback处理器");
        }
        // The array must already hold a NameCallback when handle() is called; the handler fills in the name.
        // With a null element the handler would reject the callback and login could never succeed.
        Callback[] callbacks = new Callback[1];
        callbacks[0] = new NameCallback("username: ");
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException e) {
            throw new LoginException(e.toString());
        } catch (UnsupportedCallbackException e) {
            throwLoginException(e.toString() + " " + e.getCallback().toString());
        }
        return callbacks;
    }
    private String getUserName(Callback[] callbacks) throws LoginException {
        String userName = ((NameCallback) callbacks[0]).getName();
        if (userName == null) {
            throwLoginException("Username为空.");
        }
        return userName;
    }
    private void addGroupsForSubject(String userName) {
        String groupName = "YufuPerimeterAtnUsers";
        System.out.println("\tgroupName\t= " + groupName);
        principalsForSubject.add(new WLSGroupImpl(groupName));
    }
}

YufuSSOCallbackHandlerImpl.java

package com.yufu.plugin.weblogic;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
class YufuSSOCallbackHandlerImpl implements CallbackHandler {
    private String userName;

    YufuSSOCallbackHandlerImpl(String user) {
        userName = user;
    }

    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (int i = 0; i < callbacks.length; i++) {
            Callback callback = callbacks[i];
            if (!(callback instanceof NameCallback)) {
                throw new UnsupportedCallbackException(callback, "Unrecognized Callback");
            }
            NameCallback nameCallback = (NameCallback) callback;
            nameCallback.setName(userName);
        }
    }
}
  • Prepare ant build file

build.xml

<project name="Expenselink Build" default="all" basedir=".">
<property name="fileDir" value="test" />

<target name="all" depends="build"/>

<target name="build" depends="clean,build.mdf,build.mjf"/>

<target name="clean">
<delete dir="${fileDir}" failonerror="false"/>
<delete file="YufuSSOIdentityAsserter.jar" failonerror="false"/>
<echo message="Clean finish" />
</target>

<!-- helper to build an MDF (mbean definition file) -->
<target name="build.mdf">
<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-files ${fileDir}" />
<arg value="-createStubs" />
<arg line="-MDF YufuSSOIdentityAsserter.xml" />
</java>
<echo message="Created Supporting Classes" />
</target>

<target name="build.mjf">

<copy todir="${fileDir}" flatten="true">
<fileset dir=".">
<include name="*.java" />
</fileset>
</copy>

<java dir="${basedir}" fork="false" classname="weblogic.management.commo.WebLogicMBeanMaker">
<arg line="-MJF YufuSSOIdentityAsserter.jar" />
<arg line="-files ${fileDir}" />
</java>
<echo message="Created Mbean Jar" />
</target>

</project>

Upload these files to the weblogic server

$ ll
-rw-r--r-- 1 oracle oinstall  1102 May 11 10:03 build.xml
-rw-r--r-- 1 oracle oinstall   890 May 11 09:58 YufuSSOCallbackHandlerImpl.java
-rw-r--r-- 1 oracle oinstall  3194 May 11 10:34 YufuSSOIdentityAsserterProviderImpl.java
-rw-r--r-- 1 oracle oinstall  1576 May 11 09:58 YufuSSOIdentityAsserter.xml
-rw-r--r-- 1 oracle oinstall  4585 May 11 09:58 YufuSSOLoginModuleImpl.java

Copy the $MIDDLEWARE_HOME/wlserver_10.3/server/lib/mbeantypes/commo.dtd file into the current directory.

$ ll
-rw-r--r-- 1 oracle oinstall  1102 May 11 10:03 build.xml
-rw-r--r-- 1 oracle oinstall  7993 May 11 09:58 commo.dtd
-rw-r--r-- 1 oracle oinstall   890 May 11 09:58 YufuSSOCallbackHandlerImpl.java
-rw-r--r-- 1 oracle oinstall  3194 May 11 10:34 YufuSSOIdentityAsserterProviderImpl.java
-rw-r--r-- 1 oracle oinstall  1576 May 11 09:58 YufuSSOIdentityAsserter.xml
-rw-r--r-- 1 oracle oinstall  4585 May 11 09:58 YufuSSOLoginModuleImpl.java
  • Set the weblogic context environment
cd $MIDDLEWARE_HOME/user_projects/domains/portal_domain/bin/
. ./setDomainEnv.sh

Executing setDomainEnv.sh sets up the weblogic environment so that the weblogic jar dependencies can be found when the build script runs later.

MIDDLEWARE_HOME: the middleware directory, for example /u01/Middleware.

The second command begins with a dot (.), which must not be omitted; it sources the script into the current shell.

  • Execute the ant command in the build.xml directory
$ ll
total 36
-rw-r--r-- 1 oracle oinstall 1102 May 11 10:03 build.xml
-rw-r--r-- 1 oracle oinstall 7993 May 11 09:58 commo.dtd
drwxr-xr-x 2 oracle oinstall 4096 May 11 13:00 src
-rw-r--r-- 1 oracle oinstall  890 May 11 09:58 YufuSSOCallbackHandlerImpl.java
-rw-r--r-- 1 oracle oinstall 3194 May 11 10:34 YufuSSOIdentityAsserterProviderImpl.java
-rw-r--r-- 1 oracle oinstall 1576 May 11 09:58 YufuSSOIdentityAsserter.xml
-rw-r--r-- 1 oracle oinstall 4585 May 11 09:58 YufuSSOLoginModuleImpl.java


$ ant
Buildfile: build.xml

clean:
   [delete] Deleting directory /data/Middleware/user_projects/domains/portal_domain/assert/yufu/src
     [echo] Clean finish

build.mdf:
     [java] Working directory ignored when same JVM is used.
     [java] Parsing the MBean definition file: YufuSSOIdentityAsserter.xml
     [echo] Created Supporting Classes

build.mjf:
     [copy] Copying 3 files to /data/Middleware/user_projects/domains/portal_domain/assert/yufu/src
     [java] Working directory ignored when same JVM is used.
     [java] Creating an MJF from the contents of directory src...
     [java] Compiling the files...
     [java] Creating the list.
     [java] Doing the compile.
    .....
build:

all:

BUILD SUCCESSFUL
Total time: 5 seconds

After a successful build, a jar file is generated in the current directory; copy it to the following directory

cp YufuSSOIdentityAsserter.jar $MIDDLEWARE_HOME/wlserver_10.3/server/lib/mbeantypes/
Weblogic ships with its own ant, located in $MIDDLEWARE_HOME/modules/org.apache.ant_1.7.1; add the following to the user's .bash_profile

ANT_HOME=/data/Middleware/modules/org.apache.ant_1.7.1

PATH=$ANT_HOME/bin:$PATH

so that the ant command can be used directly.

  • Restart all servers (AdminServer and Managed Servers)

Configure Provider

Log in to the console and open myrealm > Providers; the self-developed Asserter type is available there

Click Save to save, click Activate changes to apply all changes

  • Problems encountered

There may be an error during activation

The background error is as follows:

<May 10, 2021 4:54:50 PM CST> <Error> <Console> <BEA-240003> <Console encountered the following error weblogic.management.provider.UpdateException: [Management:141191]The prepare phase of the configuration update failed with an exception:
 at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.updateDeploymentContext

 ...

Caused by: java.io.IOException: [Management:141245]Schema Validation Error in config/config.xml see log for details. Schema validation can be disabled by starting the server with the command line option: -Dweblogic.configuration.schemaValidationEnabled=false
 at weblogic.management.provider.internal.EditAccessImpl.checkErrors(EditAccessImpl.java:2340)
 at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.handleConfigTreeLoad(RuntimeAccessDeploymentReceiverService.java:968)
 at weblogic.management.provider.internal.RuntimeAccessDeploymentReceiverService.updateDeploymentContext(RuntimeAccessDeploymentReceiverService.java:599)
>

The cause: after the provider is configured, weblogic writes its settings into config/config.xml, and that file then fails schema validation. This appears to be a weblogic bug. The workaround is to find the following lines in setDomainEnv.sh (around line 530)

JAVA_OPTIONS="${JAVA_OPTIONS}"
export JAVA_OPTIONS

Change it to

JAVA_OPTIONS="${JAVA_OPTIONS} -Dweblogic.configuration.schemaValidationEnabled=false"
export JAVA_OPTIONS

Then restart all servers

Verification

  • Prepare a servlet, the code is as follows
package com.demo.service;

import java.io.IOException;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecurityServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Echo what the container's security context knows about the caller
        StringBuffer str = new StringBuffer();
        str.append("remoteUser:" + req.getRemoteUser() + "\r\n<br/>");
        String name = (req.getUserPrincipal() == null) ? null : req
                .getUserPrincipal().getName();
        str.append("Principal Name: " + name + "\r\n<br/>");
        str.append("Authentication Type: " + req.getAuthType() + "\n<br/>");
        resp.setCharacterEncoding("utf-8");
        resp.setContentType("text/html; charset=UTF-8");
        resp.getOutputStream().write(str.toString().getBytes("utf-8"));
        resp.getOutputStream().flush();
    }
}
  • web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5" xmlns="http://java.sun.com/xml/ns/javaee">
    <servlet>
        <servlet-name>security</servlet-name>
        <servlet-class>com.demo.service.SecurityServlet</servlet-class>
    </servlet>
    <servlet-mapping>
        <servlet-name>security</servlet-name>
        <url-pattern>/security</url-pattern>
    </servlet-mapping>
   
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SecurePages</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>ValidUser</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>ValidUser</role-name>
    </security-role>
</web-app>
  • weblogic.xml
<?xml version='1.0' encoding='UTF-8'?>
<wls:weblogic-web-app
        xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
        http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd
        http://xmlns.oracle.com/weblogic/weblogic-web-app
        http://xmlns.oracle.com/weblogic/weblogic-web-app/1.4/weblogic-web-app.xsd">
    <wls:security-role-assignment>
        <wls:role-name>ValidUser</wls:role-name>
        <wls:principal-name>users</wls:principal-name>
    </wls:security-role-assignment>
    <wls:context-root>/definetool</wls:context-root>
</wls:weblogic-web-app>
  • deploy

Package the application and deploy it to weblogic

  • test
➜  curl -v http://192.168.1.23:7001/definetool/security

*   Trying 192.168.1.23...
* TCP_NODELAY set
* Connected to 192.168.1.23 (192.168.1.23) port 7001 (#0)
> GET /definetool/security HTTP/1.1
> Host: 192.168.1.23:7001
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 401 Unauthorized
< Date: Tue, 11 May 2021 11:57:20 GMT
< Content-Length: 1468
< Content-Type: text/html; charset=UTF-8
< 

Now add the token defined in the configuration file (the token name is YUFU_REMOTE_USER)

➜ curl -v http://192.168.1.23:7001/definetool/security -H 'YUFU_REMOTE_USER:helen'

*   Trying 192.168.1.23...
* TCP_NODELAY set
* Connected to 192.168.1.23 (192.168.1.23) port 7001 (#0)
> GET /definetool/security HTTP/1.1
> Host: 192.168.1.23:7001
> User-Agent: curl/7.54.0
> Accept: */*
> YUFU_REMOTE_USER:helen
> 
< HTTP/1.1 200 OK
< Date: Tue, 11 May 2021 11:59:31 GMT
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< X-ORACLE-DMS-ECID: c813593f0a2fd3cb:70daab41:17959480e1c:-8000-0000000000000034
< Set-Cookie: JSESSIONID=JNNbS-fvPiFe2u2upP13qyykiOvQ8IlLLLxd7m2_GSWEhlwUQlrd!686904248; path=/; HttpOnly
< 
remoteUser:helen
<br/>Principal Name: helen
<br/>Authentication Type: CLIENT_CERT
* Connection #0 to host 192.168.1.23 left intact
<br/>

Verified

Source code

All the code has been committed to gitlab; stars are welcome.
