securityweblogic12coc4j

OC4J to WebLogic 12c migration and security configuration questions


In OC4J, we were using a custom JAAS LoginModule. I've created a SqlAuthenticator that replicates that same logic, and that seems to work. For our app, when I go to the login page and enter the wrong password, it sends me to the login failed page. That part's fine.

However, when I enter the correct password, WebLogic just sends me back to the welcome page, with no message. I can't find anything in the log files to help me out. I'm guessing that it's an authorization problem, as opposed to authentication problem. I had assumed that the SqlAuthenticator would take care of that since it's able to fetch both groups and users of our app from the database.

I've never dealt with "roles" before. I'm not sure how they differ from "groups", which is all we really need. Do I need to define roles? Do they get tied to "groups" ? Is it the roles and policies that need to be configured? What am I missing?

Here's a snippet of the log file

<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Roles:Admin,Anonymous> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Resource: type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Direction: ONCE> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <  Context Handler: > 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <evaluate([Users: gkephart|Groups: Final Quality Control Release,users,EDA Failover,Enroll Administrators,Read Only,QA Documentation,Etrack2 Administrators|Roles: not null], type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET)> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluating resource weblogic.entitlement.data.EResource@3557103 with expression: {Rol(Etrack2 Administrators,Etrack2 Administrators)}> 
<SecurityEEngine> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Evaluation result: false> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <Default Authorization isAccessAllowed(): returning DENY> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AccessDecisionServiceImpl.isAccessAllowed AccessDecision returned DENY> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Results=[ DENY ]> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Resource=type=<url>, application=ifactory-security, contextPath=/ifactory-security, uri=/secure/index.jsp, httpMethod=GET> 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <DefaultAdjudicatorImpl.adjudicate results: DENY > 
<SecurityAdjudicator> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AdjudicationServiceImpl.adjudicate Adjudictor returned false, returning that value> 
<SecurityAtz> <[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1416943077504> <BEA-000000> <com.bea.common.security.internal.service.AuthorizationServiceImpl.isAccessAllowed returning adjudicated: false> 

Here's the pertinent part of the web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SecurePages</web-resource-name>
      <description>All secure pages</description>
      <url-pattern>/secure/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Etrack2 Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login_failed.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>Etrack2 Administrators</role-name>
  </security-role>

Here's my weblogic.xml. Note that I've added a group and a user as principals.

<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <description><![CDATA[Generated by XDoclet. Use weblogicwebxml's description attribute to modify this value.]]></description>
  <weblogic-version>12</weblogic-version>
  <!-- 
    If you do not define a security-role-assignment element and its sub-elements, the Web application container implicitly 
    maps the role name as a principal name and logs a warning. 
    The EJB container does not deploy the module if mappings are not defined.

    Consider the following usage scenarios for the role name is "role_xyz"
    * If you map "role_xyz" to user "joe" in weblogic.xml, role_xyz becomes a local role.
    * If you specify role_xyz as an externally defined role, it becomes global (it refers to the role defined at the realm level).
    * If you do not define a security-role-assignment element, role_xyz becomes a local role, 
      and the Web application container creates an implicit mapping to it and logs a warning.
  -->
  <security-role-assignment>
    <role-name>Etrack2 Administrators</role-name>
    <principal-name>Etrack2 Administrators</principal-name>
    <principal-name>gkephart</principal-name>
  </security-role-assignment>
  <context-root>/ifactory-security</context-root>
</weblogic-web-app>

Solution

  • With the log file and the web.xml, I can see that you do need to set up security roles that your users/groups can be a part of. Right now, your user has no associated roles, so you are denied.

    In your web.xml you need to create a security-role after </login-config> like:

    <security-role>
       <role-name>Etrack2 Administrators</role-name>
    </security-role>
    

    Then in your weblogic.xml file, you need to define who has access to that role. Based on your error message it looks like you already have an Etrack2 Administrators group set up, which gkephart is in. That group is the principal-name below. You could also specify individual user names if need be but a group should be sufficient:

    <security-role-assignment>
       <role-name>Etrack2 Administrators</role-name>
       <principal-name>Etrack2 Administrators</principal-name>
    </security-role-assignment>
    

    Have a look at the Oracle docs here for more info.

    This is a decent example as well on how to do it via the weblogic console and deployment descriptors.


    Notes on implicit role mapping taken from the Oracle docs here:

    Use implicit role assignment if you want to hard-code your role mapping at deployment time to a known principal name.

    With implicit role assignment (omitting security-role-assignment in weblogic.xml), WebLogic assigns a security-role name to a role of the exact same name. Note that implicit role mapping takes place regardless of whether the role name defined is actually available in the security realm. For example, if you use the “everyone” role in web.xml but you do not explicitly assign the role in weblogic.xml, the server displays the warning:

    <Webapp: ServletContext(id=id,name=application,context-path=/context), the 
    role: everyone defined in web.xml has not been mapped to principals in 
    security-role-assignment in weblogic.xml. Will use the rolename itself 
    as the principal-name.>
    

    You can turn that message off. See the docs here for more info