Weblogic 12.2.1.2 security realm authenticating but call to isUserInRole returning false.












0















I have a Java web application that I am working on that is authenticating by using SSO (SPNEGO) token. The security realm and providers are setup in a Multitenancy WebLogic Server (12.2.1.2) and everything appears to be working fine except when a call to isUserInRole is made. It always returns false. The user is being authenticated, a Subject is being created and populated with all of the correct Principals (Groups) from the AD.
I have tried mapping the Principals to a security role assignment in the weblogic.xml file and use that role assignment in the web.xml to try and map the role to a specific Principal (Group) but it is not working as I thought it would.



The application consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds. The authentication succeeds and the information is displayed and I can see my name from the AD and all of the Principals (Groups) that I belong to.



The configuration for the weblogic.xml and the web.xml are as follows.



weblogic.xml



  <security-role-assignment>
<role-name>SITE_ADMIN</role-name>
<principal-name>@DEV_ADMIN</principal-name>
<principal-name>DEV_ADMIN</principal-name>
</security-role-assignment>


web.xml



<servlet>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<servlet-class>functional.test.SimpleTestServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>AuthSimpleTestServlet</servlet-name>
<url-pattern>/*</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>secured pages</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>SITE_ADMIN</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>myrealm</realm-name>
</login-config>
<security-role>
<description>Admin Role</description>
<role-name>SITE_ADMIN</role-name>
</security-role>


When I use the browser to test the authentication I am authenticated and the servlet displays my username, all of my Principals and some other information just like it should if I have been authenticated.



Requested URL:
http://dev-server:7011/CHAD/SPNEGO_TEST



Request information:



Request method: GET



Request URI: /CHAD/SPNEGO_TEST



Request protocol: HTTP/1.1



Servlet path:



Path info:



Path translated:



Query string:



Content length:



Content type:



Server name: dev-server



Server port: 7011



Remote user: DCConway



Scheme: http



Authorization scheme: CLIENT_CERT



Request scheme: http



Request Principal: DCConway



Attempt to Authenticate using HttpServletRequest.authenticate: true



HttpServletRequest.isUserInRole(SITE_ADMIN): false



Weblogic Username-> weblogic.security.SubjectUtils.getUsername(Subject): DCConway



Number of Principals from the Subject: 47



Principal List: (list edited for post)



DCConway



DEV_ADMIN



@DEV_ADMIN



Request headers:



Accept: text/html, application/xhtml+xml, image/jxr, /



Accept-Language: en-US



User-Agent: Mozilla/5.0 (Windows NT 10.0



WOW64



Trident/7.0



rv:11.0) like Gecko



Accept-Encoding: gzip, deflate, peerdist



Host: dev-server:7011



DNT: 1



Connection: Keep-Alive



Cookie: JSESSIONID=YAAx-omzQbMg4jE-bedCM-5Guwngj56xAmXVIqhcbFSJxti7Ae6J!2096529829



Authorization: Negotiate YIILJAYG.....



X-P2P-PeerDist: Version=1.1



X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0



Request Attributes:



weblogic.servlet.network_channel.port: type=java.lang.Integer str='7011'



In the results of being authenticated I can see that using the servlet request to get the remote user works. I can see that using the Principal to get the username works. Calling authenticate using the servlet request works and I can see all of my Principals. I'm at a loss at the moment trying o figure out why the call to isUserInRole is not returning true. I'm guessing that something in the principal to role mapping isn't correct but I don't see where I messed it up yet.



I imagine that I could just use the principals to make the security work and restrict user's based on those but I would really like to know what and where I messed up the mappings or if it's because there are no roles defined in AD just groups. Any explanations are greatly appreciated.










share|improve this question



























    0















    I have a Java web application that I am working on that is authenticating by using SSO (SPNEGO) token. The security realm and providers are setup in a Multitenancy WebLogic Server (12.2.1.2) and everything appears to be working fine except when a call to isUserInRole is made. It always returns false. The user is being authenticated, a Subject is being created and populated with all of the correct Principals (Groups) from the AD.
    I have tried mapping the Principals to a security role assignment in the weblogic.xml file and use that role assignment in the web.xml to try and map the role to a specific Principal (Group) but it is not working as I thought it would.



    The application consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds. The authentication succeeds and the information is displayed and I can see my name from the AD and all of the Principals (Groups) that I belong to.



    The configuration for the weblogic.xml and the web.xml are as follows.



    weblogic.xml



      <security-role-assignment>
    <role-name>SITE_ADMIN</role-name>
    <principal-name>@DEV_ADMIN</principal-name>
    <principal-name>DEV_ADMIN</principal-name>
    </security-role-assignment>


    web.xml



    <servlet>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <servlet-class>functional.test.SimpleTestServlet</servlet-class>
    </servlet>
    <servlet-mapping>
    <servlet-name>AuthSimpleTestServlet</servlet-name>
    <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>secured pages</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
    <role-name>SITE_ADMIN</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
    <description>Admin Role</description>
    <role-name>SITE_ADMIN</role-name>
    </security-role>


    When I use the browser to test the authentication I am authenticated and the servlet displays my username, all of my Principals and some other information just like it should if I have been authenticated.



    Requested URL:
    http://dev-server:7011/CHAD/SPNEGO_TEST



    Request information:



    Request method: GET



    Request URI: /CHAD/SPNEGO_TEST



    Request protocol: HTTP/1.1



    Servlet path:



    Path info:



    Path translated:



    Query string:



    Content length:



    Content type:



    Server name: dev-server



    Server port: 7011



    Remote user: DCConway



    Scheme: http



    Authorization scheme: CLIENT_CERT



    Request scheme: http



    Request Principal: DCConway



    Attempt to Authenticate using HttpServletRequest.authenticate: true



    HttpServletRequest.isUserInRole(SITE_ADMIN): false



    Weblogic Username-> weblogic.security.SubjectUtils.getUsername(Subject): DCConway



    Number of Principals from the Subject: 47



    Principal List: (list edited for post)



    DCConway



    DEV_ADMIN



    @DEV_ADMIN



    Request headers:



    Accept: text/html, application/xhtml+xml, image/jxr, /



    Accept-Language: en-US



    User-Agent: Mozilla/5.0 (Windows NT 10.0



    WOW64



    Trident/7.0



    rv:11.0) like Gecko



    Accept-Encoding: gzip, deflate, peerdist



    Host: dev-server:7011



    DNT: 1



    Connection: Keep-Alive



    Cookie: JSESSIONID=YAAx-omzQbMg4jE-bedCM-5Guwngj56xAmXVIqhcbFSJxti7Ae6J!2096529829



    Authorization: Negotiate YIILJAYG.....



    X-P2P-PeerDist: Version=1.1



    X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0



    Request Attributes:



    weblogic.servlet.network_channel.port: type=java.lang.Integer str='7011'



    In the results of being authenticated I can see that using the servlet request to get the remote user works. I can see that using the Principal to get the username works. Calling authenticate using the servlet request works and I can see all of my Principals. I'm at a loss at the moment trying o figure out why the call to isUserInRole is not returning true. I'm guessing that something in the principal to role mapping isn't correct but I don't see where I messed it up yet.



    I imagine that I could just use the principals to make the security work and restrict user's based on those but I would really like to know what and where I messed up the mappings or if it's because there are no roles defined in AD just groups. Any explanations are greatly appreciated.










    share|improve this question

























      0












      0








      0








      I have a Java web application that I am working on that is authenticating by using SSO (SPNEGO) token. The security realm and providers are setup in a Multitenancy WebLogic Server (12.2.1.2) and everything appears to be working fine except when a call to isUserInRole is made. It always returns false. The user is being authenticated, a Subject is being created and populated with all of the correct Principals (Groups) from the AD.
      I have tried mapping the Principals to a security role assignment in the weblogic.xml file and use that role assignment in the web.xml to try and map the role to a specific Principal (Group) but it is not working as I thought it would.



      The application consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds. The authentication succeeds and the information is displayed and I can see my name from the AD and all of the Principals (Groups) that I belong to.



      The configuration for the weblogic.xml and the web.xml are as follows.



      weblogic.xml



        <security-role-assignment>
      <role-name>SITE_ADMIN</role-name>
      <principal-name>@DEV_ADMIN</principal-name>
      <principal-name>DEV_ADMIN</principal-name>
      </security-role-assignment>


      web.xml



      <servlet>
      <servlet-name>AuthSimpleTestServlet</servlet-name>
      <servlet-class>functional.test.SimpleTestServlet</servlet-class>
      </servlet>
      <servlet-mapping>
      <servlet-name>AuthSimpleTestServlet</servlet-name>
      <url-pattern>/*</url-pattern>
      </servlet-mapping>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>secured pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>SITE_ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myrealm</realm-name>
      </login-config>
      <security-role>
      <description>Admin Role</description>
      <role-name>SITE_ADMIN</role-name>
      </security-role>


      When I use the browser to test the authentication I am authenticated and the servlet displays my username, all of my Principals and some other information just like it should if I have been authenticated.



      Requested URL:
      http://dev-server:7011/CHAD/SPNEGO_TEST



      Request information:



      Request method: GET



      Request URI: /CHAD/SPNEGO_TEST



      Request protocol: HTTP/1.1



      Servlet path:



      Path info:



      Path translated:



      Query string:



      Content length:



      Content type:



      Server name: dev-server



      Server port: 7011



      Remote user: DCConway



      Scheme: http



      Authorization scheme: CLIENT_CERT



      Request scheme: http



      Request Principal: DCConway



      Attempt to Authenticate using HttpServletRequest.authenticate: true



      HttpServletRequest.isUserInRole(SITE_ADMIN): false



      Weblogic Username-> weblogic.security.SubjectUtils.getUsername(Subject): DCConway



      Number of Principals from the Subject: 47



      Principal List: (list edited for post)



      DCConway



      DEV_ADMIN



      @DEV_ADMIN



      Request headers:



      Accept: text/html, application/xhtml+xml, image/jxr, /



      Accept-Language: en-US



      User-Agent: Mozilla/5.0 (Windows NT 10.0



      WOW64



      Trident/7.0



      rv:11.0) like Gecko



      Accept-Encoding: gzip, deflate, peerdist



      Host: dev-server:7011



      DNT: 1



      Connection: Keep-Alive



      Cookie: JSESSIONID=YAAx-omzQbMg4jE-bedCM-5Guwngj56xAmXVIqhcbFSJxti7Ae6J!2096529829



      Authorization: Negotiate YIILJAYG.....



      X-P2P-PeerDist: Version=1.1



      X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0



      Request Attributes:



      weblogic.servlet.network_channel.port: type=java.lang.Integer str='7011'



      In the results of being authenticated I can see that using the servlet request to get the remote user works. I can see that using the Principal to get the username works. Calling authenticate using the servlet request works and I can see all of my Principals. I'm at a loss at the moment trying o figure out why the call to isUserInRole is not returning true. I'm guessing that something in the principal to role mapping isn't correct but I don't see where I messed it up yet.



      I imagine that I could just use the principals to make the security work and restrict user's based on those but I would really like to know what and where I messed up the mappings or if it's because there are no roles defined in AD just groups. Any explanations are greatly appreciated.










      share|improve this question














      I have a Java web application that I am working on that is authenticating by using SSO (SPNEGO) token. The security realm and providers are setup in a Multitenancy WebLogic Server (12.2.1.2) and everything appears to be working fine except when a call to isUserInRole is made. It always returns false. The user is being authenticated, a Subject is being created and populated with all of the correct Principals (Groups) from the AD.
      I have tried mapping the Principals to a security role assignment in the weblogic.xml file and use that role assignment in the web.xml to try and map the role to a specific Principal (Group) but it is not working as I thought it would.



      The application consists of one servlet in the WAR that should display login information to the screen if the authentication succeeds. The authentication succeeds and the information is displayed and I can see my name from the AD and all of the Principals (Groups) that I belong to.



      The configuration for the weblogic.xml and the web.xml are as follows.



      weblogic.xml



        <security-role-assignment>
      <role-name>SITE_ADMIN</role-name>
      <principal-name>@DEV_ADMIN</principal-name>
      <principal-name>DEV_ADMIN</principal-name>
      </security-role-assignment>


      web.xml



      <servlet>
      <servlet-name>AuthSimpleTestServlet</servlet-name>
      <servlet-class>functional.test.SimpleTestServlet</servlet-class>
      </servlet>
      <servlet-mapping>
      <servlet-name>AuthSimpleTestServlet</servlet-name>
      <url-pattern>/*</url-pattern>
      </servlet-mapping>
      <security-constraint>
      <web-resource-collection>
      <web-resource-name>secured pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
      <role-name>SITE_ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
      </security-constraint>
      <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>myrealm</realm-name>
      </login-config>
      <security-role>
      <description>Admin Role</description>
      <role-name>SITE_ADMIN</role-name>
      </security-role>


      When I use the browser to test the authentication I am authenticated and the servlet displays my username, all of my Principals and some other information just like it should if I have been authenticated.



      Requested URL:
      http://dev-server:7011/CHAD/SPNEGO_TEST



      Request information:



      Request method: GET



      Request URI: /CHAD/SPNEGO_TEST



      Request protocol: HTTP/1.1



      Servlet path:



      Path info:



      Path translated:



      Query string:



      Content length:



      Content type:



      Server name: dev-server



      Server port: 7011



      Remote user: DCConway



      Scheme: http



      Authorization scheme: CLIENT_CERT



      Request scheme: http



      Request Principal: DCConway



      Attempt to Authenticate using HttpServletRequest.authenticate: true



      HttpServletRequest.isUserInRole(SITE_ADMIN): false



      Weblogic Username-> weblogic.security.SubjectUtils.getUsername(Subject): DCConway



      Number of Principals from the Subject: 47



      Principal List: (list edited for post)



      DCConway



      DEV_ADMIN



      @DEV_ADMIN



      Request headers:



      Accept: text/html, application/xhtml+xml, image/jxr, /



      Accept-Language: en-US



      User-Agent: Mozilla/5.0 (Windows NT 10.0



      WOW64



      Trident/7.0



      rv:11.0) like Gecko



      Accept-Encoding: gzip, deflate, peerdist



      Host: dev-server:7011



      DNT: 1



      Connection: Keep-Alive



      Cookie: JSESSIONID=YAAx-omzQbMg4jE-bedCM-5Guwngj56xAmXVIqhcbFSJxti7Ae6J!2096529829



      Authorization: Negotiate YIILJAYG.....



      X-P2P-PeerDist: Version=1.1



      X-P2P-PeerDistEx: MinContentInformation=1.0, MaxContentInformation=2.0



      Request Attributes:



      weblogic.servlet.network_channel.port: type=java.lang.Integer str='7011'



      In the results of being authenticated I can see that using the servlet request to get the remote user works. I can see that using the Principal to get the username works. Calling authenticate using the servlet request works and I can see all of my Principals. I'm at a loss at the moment trying o figure out why the call to isUserInRole is not returning true. I'm guessing that something in the principal to role mapping isn't correct but I don't see where I messed it up yet.



      I imagine that I could just use the principals to make the security work and restrict user's based on those but I would really like to know what and where I messed up the mappings or if it's because there are no roles defined in AD just groups. Any explanations are greatly appreciated.







      java authentication java-ee weblogic jsf-2.2






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 20 '18 at 17:57









      ChadNCChadNC

      1,93541927




      1,93541927
























          0






          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53398838%2fweblogic-12-2-1-2-security-realm-authenticating-but-call-to-isuserinrole-returni%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          0






          active

          oldest

          votes








          0






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53398838%2fweblogic-12-2-1-2-security-realm-authenticating-but-call-to-isuserinrole-returni%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          "Incorrect syntax near the keyword 'ON'. (on update cascade, on delete cascade,)

          Alcedinidae

          RAC Tourist Trophy