WebLogic 12.2.1.2 security realm authenticating but call to isUserInRole returning false.
I have a Java web application that I am working on that is authenticating by using an SSO (SPNEGO) token. The security realm and providers are set up in a Multitenancy WebLogic Server (12.2.1.2) and everything appears to be working fine except when a call to isUserInRole is made. It always returns false. The user is being authenticated, and a Subject is being created and populated with all of the correct Principals (Groups) from the AD.
I have tried mapping the Principals to a security role assignment in the weblogic.xml file and using that role assignment in the web.xml to try and map the role to a specific Principal (Group), but it is not working as I thought it would.
The application consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds. The authentication succeeds, the information is displayed, and I can see my name from the AD and all of the Principals (Groups) that I belong to.
The configuration for the weblogic.xml and the web.xml is as follows.
weblogic.xml

```xml
<security-role-assignment>
  <role-name>SITE_ADMIN</role-name>
  <principal-name>@DEV_ADMIN</principal-name>
  <principal-name>DEV_ADMIN</principal-name>
</security-role-assignment>
```
web.xml

```xml
<servlet>
  <servlet-name>AuthSimpleTestServlet</servlet-name>
  <servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>AuthSimpleTestServlet</servlet-name>
  <url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secured pages</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>SITE_ADMIN</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <description>Admin Role</description>
  <role-name>SITE_ADMIN</role-name>
</security-role>
```
When I use the browser to test the authentication I am authenticated and the servlet displays my username, all of my Principals and some other information just like it should if I have been authenticated.
```
Requested URL:
http://dev-server:7011/CHAD/SPNEGO_TEST
Request information:
Request method: GET
Request URI: /CHAD/SPNEGO_TEST
Request protocol: HTTP/1.1
Servlet path:
Path info:
Path translated:
Query string:
Content length:
Content type:
Server name: dev-server
Server port: 7011
Remote user: DCConway
Scheme: http
Authorization scheme: CLIENT_CERT
Request scheme: http
Request Principal: DCConway
Attempt to Authenticate using HttpServletRequest.authenticate: true
HttpServletRequest.isUserInRole(SITE_ADMIN): false
Weblogic Username-> weblogic.security.SubjectUtils.getUsername(Subject): DCConway
Number of Principals from the Subject: 47
Principal List: (list edited for post)
DCConway
DEV_ADMIN
@DEV_ADMIN
Request headers:
Accept: text/html, application/xhtml+xml, image/jxr, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept-Encoding: gzip, deflate, peerdist
Host: dev-server:7011
DNT: 1
Connection: Keep-Alive
Cookie: JSESSIONID=YAAx-omzQbMg4jE-bedCM-5Guwngj56xAmXVIqhcbFSJxti7Ae6J!2096529829
Authorization: Negotiate YIILJAYG.....
X-P2P-PeerDist: Version=1.1
X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0
Request Attributes:
weblogic.servlet.network_channel.port: type=java.lang.Integer str='7011'
```
In the results of being authenticated I can see that using the servlet request to get the remote user works. I can see that using the Principal to get the username works. Calling authenticate using the servlet request works and I can see all of my Principals. I'm at a loss at the moment trying to figure out why the call to isUserInRole is not returning true. I'm guessing that something in the principal-to-role mapping isn't correct, but I don't see where I messed it up yet.
I imagine that I could just use the principals to make the security work and restrict users based on those, but I would really like to know what and where I messed up the mappings, or if it's because there are no roles defined in AD, just groups. Any explanations are greatly appreciated.
java authentication java-ee weblogic jsf-2.2
asked Nov 20 '18 at 17:57
ChadNC
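As an added check, not part of the question and not WebLogic's own code: the script below parses the two descriptor fragments posted above (wrapped in constructed `<web-app>` and `<weblogic-web-app>` root elements so they are complete documents), cross-checks that every role used in `<auth-constraint>` is declared in `<security-role>` and has a `<security-role-assignment>`, and then computes which roles that mapping would grant to a Subject holding the principal names shown in the servlet output. The principal list and both descriptors are constructed sample input taken from the post.

```python
"""Cross-check the role names in web.xml against the principal mappings in
weblogic.xml, then compute which roles a given set of Subject principals
would receive under that mapping."""
import xml.etree.ElementTree as ET

# Constructed sample input: the two descriptor fragments from the question,
# wrapped in the root elements they would have in a real deployment.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secured pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SITE_ADMIN</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>Admin Role</description>
    <role-name>SITE_ADMIN</role-name>
  </security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>SITE_ADMIN</role-name>
    <principal-name>@DEV_ADMIN</principal-name>
    <principal-name>DEV_ADMIN</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Constructed: the principals the question shows in the Subject (list edited there).
SUBJECT_PRINCIPALS = ["DCConway", "DEV_ADMIN", "@DEV_ADMIN"]


def _local(tag):
    """Strip a namespace prefix: '{uri}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem with the given local name."""
    return [c for c in elem if _local(c.tag) == name]


def _descendants(elem, name):
    """All elements under elem (including elem) with the given local name."""
    return [c for c in elem.iter() if _local(c.tag) == name]


def declared_roles(web_xml):
    """Return (roles declared in <security-role>, roles used in <auth-constraint>)."""
    root = ET.fromstring(web_xml)
    declared = {rn.text.strip()
                for sr in _descendants(root, "security-role")
                for rn in _children(sr, "role-name")}
    constrained = {rn.text.strip()
                   for ac in _descendants(root, "auth-constraint")
                   for rn in _children(ac, "role-name")}
    return declared, constrained


def role_assignments(weblogic_xml):
    """Map each role in <security-role-assignment> to its set of principal names."""
    root = ET.fromstring(weblogic_xml)
    mapping = {}
    for sra in _descendants(root, "security-role-assignment"):
        role = _children(sra, "role-name")[0].text.strip()
        mapping[role] = {p.text.strip() for p in _children(sra, "principal-name")}
    return mapping


def check_descriptors(web_xml, weblogic_xml):
    """Return a list of inconsistencies between the two descriptors (empty = consistent)."""
    declared, constrained = declared_roles(web_xml)
    assigned = set(role_assignments(weblogic_xml))
    findings = []
    for role in sorted(constrained - declared):
        findings.append(f"{role}: used in <auth-constraint> but not declared in <security-role>")
    for role in sorted(declared - assigned):
        findings.append(f"{role}: declared in web.xml but has no <security-role-assignment>")
    for role in sorted(assigned - declared):
        findings.append(f"{role}: assigned in weblogic.xml but not declared in web.xml")
    return findings


def roles_for_principals(weblogic_xml, principals):
    """Roles the descriptor mapping grants to a Subject holding these principals.

    A role is granted when any of the Subject's principal names matches one of
    the role's <principal-name> entries (user and group names are both accepted)."""
    held = set(principals)
    return sorted(role for role, names in role_assignments(weblogic_xml).items()
                  if held & names)


if __name__ == "__main__":
    for finding in check_descriptors(WEB_XML, WEBLOGIC_XML) or ["descriptors are consistent"]:
        print(finding)
    print("roles granted by the mapping:", roles_for_principals(WEBLOGIC_XML, SUBJECT_PRINCIPALS))
```

For the fragments in the post the check comes back clean and the mapping grants SITE_ADMIN to the listed principals, which confirms the two files agree with each other and narrows the problem to how the mapping is applied rather than to the descriptor text. One thing this script cannot see: WebLogic decides at deployment time whether weblogic.xml role assignments are used at all. The DD-only security model honors them, while the custom-roles models take role mappings from the Administration Console instead, so the deployment's security model is the next setting to confirm once the descriptors check out.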