Wednesday, January 2, 2013

Weblogic Custom Authentication #1

We can configure multiple WLS authentication providers (e.g. Active Directory, Sun LDAP), as shown below.



If the authentication and authorization information is stored in a custom repository that none of the providers in the list above supports, we can use the following option.



CustomDBMSAuthenticator: once it is configured as below, you can plug in any Java class as long as it implements the weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin interface.



We can see the method "lookupPassword", which is called during authentication.


package weblogic.security.providers.authentication;

public interface CustomDBMSAuthenticatorPlugin {
    // Called once when the provider starts; receives the provider's MBean configuration.
    void initialize(weblogic.management.security.ProviderMBean providerMBean);
    // Called when the provider shuts down.
    void shutdown();
    // Returns the stored password for userName; the provider compares it with the submitted one.
    java.lang.String lookupPassword(java.sql.Connection connection, java.lang.String userName);
    // Returns true if userName is known to the repository.
    boolean userExists(java.sql.Connection connection, java.lang.String userName);
    // Returns the names of the groups userName belongs to.
    java.lang.String[] lookupUserGroups(java.sql.Connection connection, java.lang.String userName);
}


We can completely ignore the connection parameter and write custom Java code that reaches out to any custom repository and returns the password. That way the plugin can be used for any custom repository, not just a custom database repository.

The major concern with this interface is that it requires you to return the password from the lookupPassword method. Most of the time an enterprise-level identity repository is not going to give you the password. Enterprise custom repositories usually have their own authenticate method, but the interface above never hands the plugin the password the user submitted, so the plugin cannot delegate authentication to the repository.
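The plugin shape described above, as an added example that is not from the original post or from Oracle: it implements the interface against a constructed in-memory stand-in for a custom repository and ignores the JDBC connection, as the post suggests. The package name, class name and sample user are assumptions; the stored credential is a placeholder in whatever form (plaintext or hashed) the provider is configured to accept, and returning null for an unknown user is this example's convention, to be checked against the WLS Javadoc.

```java
package example.security; // constructed package name, not from the page

import java.sql.Connection;
import java.util.HashMap;
import java.util.Map;
import weblogic.management.security.ProviderMBean;
import weblogic.security.providers.authentication.CustomDBMSAuthenticatorPlugin;

/**
 * Plugin backed by a custom repository instead of the provider's JDBC connection.
 * Every Connection argument is ignored, as the post describes.
 */
public class CustomRepositoryPlugin implements CustomDBMSAuthenticatorPlugin {

    // Constructed stand-in for the enterprise repository: user -> stored credential.
    private final Map<String, String> storedPasswords = new HashMap<String, String>();
    // Constructed stand-in for the repository's group memberships.
    private final Map<String, String[]> userGroups = new HashMap<String, String[]>();

    public void initialize(ProviderMBean providerMBean) {
        // A real plugin would open its repository client here, using settings
        // taken from the provider MBean. Sample data is hard-coded instead.
        storedPasswords.put("jdoe", "STORED_CREDENTIAL_PLACEHOLDER");
        userGroups.put("jdoe", new String[] { "Administrators" });
    }

    public void shutdown() {
        storedPasswords.clear();
        userGroups.clear();
    }

    public String lookupPassword(Connection connection, String userName) {
        // The plugin returns the stored credential and the provider compares it
        // with what the user submitted. The submitted password never reaches the
        // plugin, so it cannot call a repository's own authenticate() method.
        return storedPasswords.get(userName); // null when the user is unknown
    }

    public boolean userExists(Connection connection, String userName) {
        return storedPasswords.containsKey(userName);
    }

    public String[] lookupUserGroups(Connection connection, String userName) {
        String[] groups = userGroups.get(userName);
        return groups == null ? new String[0] : groups;
    }
}
```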

Another concern is that it only supports WLS authentication and authorization. It does not provide JPS authentication and authorization.

  • WLS authentication is used for all basic WLS modules (e.g. Console, EM, etc.)
  • JPS authentication is used for SOA-specific components, especially the Worklist Application.
If we implement a custom authentication provider using the approach above, it only covers WLS authentication and authorization; it would not be called during SOA module login (e.g. the Worklist App).
