
WebLogic authentication debugging

Login information and group memberships (identity) are often centrally managed in enterprises. Many systems use this information to, for example, achieve Single Sign On (SSO) functionality. Surprisingly, access to the WebLogic Server Console and to applications is often not centrally managed. I will explain why centralizing the management of these identities, in addition to increasing security, quickly starts reducing operational cost and even increases developer productivity. During a demonstration, I will introduce several methods for debugging authentication against an external authentication provider, in order to lower the bar for applying this pattern. This technically oriented presentation is especially useful for people working in operations managing WebLogic Servers.



  1. OGh Oracle Fusion Middleware Experience 2016 at FIGI Zeist, Maarten Smeets, 16-02-2016: Debugging WebLogic authentication
  2. Introduction
     • About AMIS
       – Located in the Netherlands
       – Oracle Award winning partner
     • About me
       – Senior Oracle Integration Consultant
       – Experience with Oracle SOA Suite since 2007
       – Well certified (SOA, BPM, Java, SQL, PL/SQL among others)
       – Author of more than 100 blog articles (http://javaoraclesoa.blogspot.com)
     • @MaartenSmeetsNL, https://nl.linkedin.com/in/smeetsm
  3. Oracle Virtual Technology Summit (http://www.oracle.com/technetwork/community/developer-day/index.html), March 8, 2016, 18:30:00 CET
     • Database Application Development
     • Oracle DB12c Performance
     • MySQL
     • Java EE, Microservices and JPA
     • All about Java 8!
     • The Internet of Things
     • WebLogic 12.2.1 and Java EE
     • Operating Systems and Virtualization
     • Storage, SPARC, and Software Development
  4. Agenda
     • Oracle Identity Stores
     • Introduction Oracle Platform Security Services (OPSS)
     • What to debug
     • How to debug WebLogic authentication
     • How to debug application authentication
  5. Why use an external Identity Store?
     (Diagram: applications running on WLS SOA, WLS OSB, WLS ADF and WLS WCC)
     • An application uses company internal users
     • Often internal users are already present in an Identity Store
     • Management organization in place
     • Single environment to manage users
     • Single account per user
  6. Introduction OPSS: Oracle Identity Store solutions
     • Oracle Unified Directory
       – Embedded Berkeley Database
       – LDAP proxy
       – Much faster read/write than ODSEE
       – Provides LDAP virtualization
       – Elastic scaling
       – Strategic Directory Server product
       – Designed to address current and future on-premise, mobile, and cloud needs
     • Oracle Directory Server Enterprise Edition
       – ODSEE 5.2 and 6.3 are in Sustaining Support
       – No new fixes will be created
     • Oracle Virtual Directory
       – Provides virtualization of different sources
       – OUD does not replace OVD
     • Oracle Internet Directory
       – Uses an external Oracle DB
       – Used with Fusion Applications
     https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
  7. Agenda (repeated)
  8. Introduction OPSS
     (Diagram of the OPSS architecture: Identity Store Providers; Authentication, Authorization, Credential Store Framework and User/Role services; Service Provider Interface layer; OPSS APIs; consumers: WebLogic Server, Java EE application, Java SE application)
  9. Agenda (repeated)
  10. What to debug
     (Diagram of what sits between application and Identity Store: Identity Store, WebLogic Console, Application, Authentication API, Virtualization, Platform security, Authentication provider; configuration files jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS, Role mappings, Organizational Units)
  11. Agenda (repeated)
  12. Debug WebLogic authentication using an external client
     • Using an external client: Apache Directory Studio
  13. Debug WebLogic authentication: Embedded LDAP
  14. Debug WebLogic authentication: Embedded LDAP
     • Login using Bind DN / User: cn=Admin
     • Running by default on the AdminServer port
     • Check out cn=Config for the LDAP server properties
  15. Debug WebLogic authentication: Embedded LDAP
     • Notice the use of dynamic groups
  16. Debug WebLogic authentication: Embedded LDAP
     • Notice the use of dynamic groups
  17. Debug WebLogic authentication: Authentication provider configuration
     • Select the authentication provider (as specific as possible)
     • JAAS Control flags
     • LDAP connection details
     • LDAP search behavior
       – Users
       – Static groups
       – Dynamic groups
     • Cache settings
  18. Debug WebLogic authentication using the WebLogic Console
     • JAAS Control flags
       – SUFFICIENT: if authentication passes, no further authentication providers are evaluated. If it fails, the remaining providers are evaluated.
       – REQUIRED: the authentication provider is always called and its authentication must succeed for the login to succeed.
       – OPTIONAL: passing authentication at this provider is optional. If all providers are OPTIONAL, at least one must pass.
       – REQUISITE: authentication has to succeed on this provider; if it fails, evaluation stops. After it succeeds, the providers of lower priority are evaluated.
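To make the control-flag semantics above concrete, the following added example (not part of the presentation) simulates how WebLogic walks an ordered list of authentication providers and decides whether the login succeeds. Provider names and the per-provider outcomes are constructed for illustration.

```python
"""Simulate JAAS control-flag evaluation over a WebLogic provider chain.
Added example; provider names and outcomes are constructed, not real config."""
from typing import List, Tuple

SUFFICIENT, REQUIRED, OPTIONAL, REQUISITE = "SUFFICIENT", "REQUIRED", "OPTIONAL", "REQUISITE"


def evaluate_chain(providers: List[Tuple[str, str, bool]]) -> Tuple[bool, List[str]]:
    """providers: (name, control flag, would this provider accept the login?)
    in the order WebLogic lists them (highest priority first).
    Returns (overall login success, names of the providers actually called)."""
    called: List[str] = []
    strict_failed = False    # a REQUIRED/REQUISITE provider rejected the login
    any_strict = False       # at least one REQUIRED/REQUISITE provider is configured
    optional_passed = False  # some OPTIONAL/SUFFICIENT provider accepted the login
    for name, flag, passed in providers:
        called.append(name)
        if flag in (REQUIRED, REQUISITE):
            any_strict = True
            if not passed:
                strict_failed = True
                if flag == REQUISITE:   # REQUISITE failure ends evaluation immediately
                    break
        elif flag == SUFFICIENT:
            if passed and not strict_failed:
                return True, called     # short-circuit: lower-priority providers are skipped
            optional_passed = optional_passed or passed
        elif flag == OPTIONAL:
            optional_passed = optional_passed or passed
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if strict_failed:
        return False, called
    if any_strict:
        return True, called             # every REQUIRED/REQUISITE provider passed
    return optional_passed, called      # only OPTIONAL/SUFFICIENT: at least one must pass


if __name__ == "__main__":
    # Common setup: embedded LDAP first, external OUD second, both SUFFICIENT.
    chain = [("DefaultAuthenticator", SUFFICIENT, False), ("OUDAuthenticator", SUFFICIENT, True)]
    print(evaluate_chain(chain))
    # Typical misconfiguration: both REQUIRED, user only known to OUD -> login fails.
    chain = [("DefaultAuthenticator", REQUIRED, False), ("OUDAuthenticator", REQUIRED, True)]
    print(evaluate_chain(chain))
```

The second case in the block is the classic symptom after adding an external provider: leaving the DefaultAuthenticator on REQUIRED makes every LDAP-only user fail, even though the LDAP provider itself accepts them.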
  19. Debug WebLogic authentication: Cache settings
     • How to uniquely identify an LDAP entry: the GUID Attribute
     • The GUID Attribute is used as cache key
     • Provider specific:
       – OUD, OpenLDAP, ApacheDS: entryuuid
       – Active Directory: objectguid
       – OVD, OID: orclguid
     • Misconfiguration can lead to the first login failing and the second login succeeding (cache issues)
  20. Debug WebLogic authentication using the WebLogic Console
     • Connection to the external provider works
     • Server trust is established
     • User query works
     • Validating authentication details works
  21. Debug WebLogic authentication using the WebLogic Console
     • Dynamic group object class works
     • Group Base DN works
     • User Dynamic Group DN Attribute works
     • Dynamic Group Name Attribute works
  22. Debug WebLogic authentication using log files
     • LDAP connections
     • LDAP queries
  23. Demo
     • Embedded LDAP
     • How to create a user in an LDAP server
     • How to configure WebLogic Server to use the server
     • Debug authentication using the console
     • Debug the authentication using the log files
  24. Agenda (repeated)
  25. Debug application authentication
     (Diagram, as on slide 10: Identity Store, WebLogic Console, Application, Authentication API, Authentication provider, Virtualization, Platform security; configuration files jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS, Role mappings, Organizational Units)
  26. OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
     • Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
     • jazn-data.xml, system-jazn-data.xml: users, groups and authorization policies
     • cwallet.sso: credentials used by the application
     • adapters.os_xml: LibOVD plugin configuration
  27. Debug application authentication: LibOVD
     • Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server.
     • FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization
     • Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml
     http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
  28. Debug application authentication: LibOVD configuration
     • <DOMAINDIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers and credential stores
  29. Debug application authentication: LibOVD configuration
     • The OPSS API only queries static groups by default, not dynamic groups.
     • Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml)
     • Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs object classes
     • Only one structural class is allowed per LDAP object
     • Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
     http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2/
  30. Debug application authentication: LibOVD debugging
     • Can be used when ADFLogger is used in the application
     • Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
  31. Debug application authentication: ADF Security
     • Application configuration files
       – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
       – weblogic.xml: maps valid-users to OPSS principal users
  32. Demo
     • Use basic authentication in an ADF application
  33. Debug application authentication: ADF Security
     • Application configuration files
       – jazn-data.xml: contains development users / roles. Application roles are granted to enterprise roles / users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
       – Test with:
         Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role")
         EL: #{securityContext.userInRole['role']}
     (Diagram: users, enterprise roles, application roles, permissions, grants; weblogic.xml and jazn-data.xml)
  34. Debug application authentication: ADF Security
     • <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
       – OOTB file based policy store
       – Users, groups, authorization policies
       – CredentialAccessPermission
       – Change while WebLogic is down or from EM!
  35. Debug application authentication: JVM parameters
     • JVM parameters:
       – -Djps.auth.debug=true to get AccessControlException among other useful messages
       – -Djps.auth.debug.verbose=true to get a lot of debug messages
     http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
  36. Debug application authentication: Business Process Management
     • Authenticate with a user
     • User is member of (authentication provider) groups
     • Groups are granted (application) roles and organization units
     • Business Process Management uses application roles and organization units
  37. Debug application authentication: The Identity Service
     • Can I authenticate the user?
       – authenticateUser
     • Can I determine groups?
       – getGroups
     • Can I determine granted roles?
       – getGrantedRolesToUser
     • Can I determine organizational units?
       – use the Java API
     WSDL: http://HOST:PORT/integration/services/IdentityService/identity?WSDL
     Java API: <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
  38. Conclusion
     • Many debugging options are available
       – Looking at WebLogic Console or application behavior
       – Using an external client for your authentication provider
       – Debug logging in the WebLogic Server console
       – Log configuration in Enterprise Manager Fusion Middleware Control
       – Isolated tests such as IdentityService calls or Java APIs
     • It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong
     • The WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application side debugging is often also not very difficult.
