Thursday, January 3, 2013

Weblogic Custom Authentication Provider #2

In a previous blog entry I described how to configure a custom authentication provider with WebLogic Server. That approach has quite a few drawbacks, so I wrote a generic custom authentication provider into which any module can be plugged.

Some of the concerns with the out-of-the-box approach:
  • You need to implement both a WLS and a JPS identity provider
  • WLS security is used by the core WebLogic modules (e.g. Console, EM, etc.)
  • The JPS identity store provider is used by the SOA modules (e.g. the Worklist application)
  • A WLS custom security provider is relatively easy to write
  • A JPS custom security provider is a lot of work, since it requires you to implement multiple interfaces (similar to the 10g custom identity service) with many methods
  • The two providers have to be registered in different places


Implemented Solution

I believe it would be much easier if all the complex details of the WebLogic and SOA (JPS) security providers were hidden, so that a client only has to implement one simple interface and put that implementation on the class path. So here it goes:

Install Java Custom Security Provider
  1. download CustomSecurityProvider.jar
  2. Copy this jar file to $wls_server_home/server/lib/mbeantypes and $domain_home/lib directories
  3. Modify file: $domain_home/config/fmwconfig/jps-config.xml (back it up first; a malformed jps-config.xml prevents the servers from starting)
    • Add the following service provider and service instance:

      <serviceProvider type="IDENTITY_STORE" name="custom.provider" class="oracle.security.jps.internal.idstore.generic.GenericIdentityStoreProvider">
          <description>Custom IdStore Provider</description>
      </serviceProvider>
      
      <serviceInstance name="idstore.custom" provider="custom.provider"  location="./">
          <description>Custom Identity Store Service Instance</description>
          <property name="idstore.type" value="CUSTOM"/>
          <property name="ADF_IM_FACTORY_CLASS" value="com.spring.security.jps.identity.CustomIdentityStoreFactory"/>
          <property name="CustomSecurityProviderPlugIn" value="com.spring.security.plugin.CustomSecurityProviderPlugin"/>
      </serviceInstance>
      
    • Replace the default jpsContext with the following (the stock idstore.ldap reference is commented out, together with trust, pdp.service and attribute, so JPS resolves identities only through idstore.custom):

      <jpsContext name="default">
          <serviceInstanceRef ref="credstore"/>
          <serviceInstanceRef ref="keystore"/> 
          <serviceInstanceRef ref="policystore.xml"/>
          <serviceInstanceRef ref="audit"/>
          <!--
              <serviceInstanceRef ref="idstore.ldap"/>
              <serviceInstanceRef ref="trust"/>
              <serviceInstanceRef ref="pdp.service"/>
              <serviceInstanceRef ref="attribute"/>
          -->
          <serviceInstanceRef ref="idstore.custom"/>
      </jpsContext>
      
  4. Restart Admin and Managed servers


Configure Java Custom Security Provider
  • Implement the custom Java security provider interface com.spring.security.plugin.ICustomSecurityProviderPlugIn
    • Note that for a given custom repository we only need to implement the following methods:

      package com.spring.security.plugin;
      
      import java.util.List;
      import java.util.Map;
      import java.util.Properties;
      
      public interface ICustomSecurityProviderPlugIn {
          
          /* WLS: called by the WebLogic authentication provider */ 
          void initialize(Properties properties);            // one-time setup with the provider's properties
          boolean login(String userName, String password);   // true only if the credentials are valid
          List<String> getUserRoles(String userName);        // roles/groups granted to the user
      
          /* JPS: called by the identity store used by the SOA modules */ 
          List<Map> searchUsers(String userNamePattern);     // users whose name matches the pattern
          List<Map> searchRoles(String roleNamePattern);     // roles whose name matches the pattern
          Map getUserDetail(String userName);                // attributes of one user
          Map getRoleDetail(String roleName);                // attributes of one role
      }
      
    • If you only need the WLS side, the JPS-related methods can be left as no-op implementations that return empty results
    • A sample implementation is provided with the jar file (com.spring.security.plugin.CustomSecurityProviderPlugIn)


  • Make your implementation (class or jar) available on the WebLogic classpath ($domain_home/lib). Anything placed there runs with the server's privileges, so keep that directory writable only by the account that runs WebLogic
  • The Custom Security Provider should then be available in the provider drop-down, as shown below


  • Modify file $domain_home/config/fmwconfig/jps-config.xml so that the CustomSecurityProviderPlugIn property names your implementation class instead of the sample:

    <serviceInstance name="idstore.custom" provider="custom.provider"  location="./">
        <description>Custom Identity Store Service Instance</description>
        <property name="idstore.type" value="CUSTOM"/>
        <property name="ADF_IM_FACTORY_CLASS" value="com.spring.security.jps.identity.CustomIdentityStoreFactory"/>
        <property name="CustomSecurityProviderPlugIn" value="com.spring.security.plugin.CustomSecurityProviderPlugin"/>
    </serviceInstance>
    


  • Restart the server
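As an added example of what an implementation of the interface above looks like (this is not the sample shipped in the jar and not code from the post), here is a complete plugin backed by an in-memory user table. The package name, the property layout, the map keys handed back to JPS and the sample users are assumptions; only the ICustomSecurityProviderPlugIn interface comes from the post. It shows the two things the interface leaves entirely to the implementer: login() receives the password as typed, so the plugin must verify it against a salted hash with a constant-time comparison and should cost the same for an unknown user, and the JPS search methods receive wildcard patterns that must be quoted before they go anywhere near a regex.

```java
package example.plugin;   // hypothetical package; the interface it implements is the post's own

import java.security.*;
import java.util.*;
import java.util.regex.Pattern;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import com.spring.security.plugin.ICustomSecurityProviderPlugIn;

/** In-memory plugin fed by the Properties passed to initialize(). No clear-text password is kept: each
 *  user has a salted PBKDF2 hash, and login() does the same work and a constant-time compare whether or
 *  not the user exists. Assumed, not from the post: the layout user.<name>=<saltHex>:<hashHex>[:<r1,r2>]
 *  and the map keys "name" and "roles" returned to the JPS side. */
public class InMemorySecurityProviderPlugIn implements ICustomSecurityProviderPlugIn {
    private static final int SALT_LEN = 16, ITERATIONS = 20000, KEY_BITS = 160; // PBKDF2WithHmacSHA1 (JDK 6+)
    private final Map<String, byte[]> saltHash = new TreeMap<String, byte[]>();  // salt || hash per user
    private final Map<String, List<String>> userRoles = new HashMap<String, List<String>>();

    /* WLS side */
    public void initialize(Properties properties) {
        for (String key : properties.stringPropertyNames()) {
            if (!key.startsWith("user.")) continue;
            String name = key.substring(5).toLowerCase(Locale.ROOT);
            String[] parts = properties.getProperty(key).split(":", 3);
            saltHash.put(name, hex(parts[0] + parts[1]));
            userRoles.put(name, parts.length > 2 ? Arrays.asList(parts[2].split(",")) : Collections.<String>emptyList());
        }
    }
    public boolean login(String userName, String password) {
        if (userName == null || password == null) return false;
        byte[] stored = saltHash.get(userName.toLowerCase(Locale.ROOT));
        // Unknown user: still run PBKDF2 against a dummy salt so the response time does not reveal existence
        byte[] candidate = pbkdf2(password.toCharArray(), stored != null ? Arrays.copyOf(stored, SALT_LEN) : new byte[SALT_LEN]);
        return stored != null && MessageDigest.isEqual(Arrays.copyOfRange(stored, SALT_LEN, stored.length), candidate);
    }
    public List<String> getUserRoles(String userName) {
        List<String> roles = userName == null ? null : userRoles.get(userName.toLowerCase(Locale.ROOT));
        return roles == null ? Collections.<String>emptyList() : new ArrayList<String>(roles);
    }

    /* JPS side: patterns are wildcard strings such as "adm*" */
    public List<Map> searchUsers(String userNamePattern) {
        List<Map> out = new ArrayList<Map>(); Pattern p = wildcard(userNamePattern);
        for (String name : saltHash.keySet()) if (p.matcher(name).matches()) out.add(getUserDetail(name));
        return out;
    }
    public List<Map> searchRoles(String roleNamePattern) {
        Set<String> all = new TreeSet<String>();
        for (List<String> r : userRoles.values()) all.addAll(r);
        List<Map> out = new ArrayList<Map>(); Pattern p = wildcard(roleNamePattern);
        for (String role : all) if (p.matcher(role).matches()) out.add(getRoleDetail(role));
        return out;
    }
    public Map getUserDetail(String userName) {
        String name = userName.toLowerCase(Locale.ROOT);
        if (!saltHash.containsKey(name)) return null;
        Map<String, Object> m = new LinkedHashMap<String, Object>();
        m.put("name", name); m.put("roles", getUserRoles(name));   // salt and hash are never handed out
        return m;
    }
    public Map getRoleDetail(String roleName) {
        for (List<String> r : userRoles.values())
            if (r.contains(roleName)) return Collections.singletonMap("name", roleName);
        return null;
    }

    /** Provisioning-side helper: yields the "saltHex:hashHex" part of a user.<name> value. */
    public static String encodePassword(String password) {
        byte[] salt = new byte[SALT_LEN];
        new SecureRandom().nextBytes(salt);
        return hex(salt) + ":" + hex(pbkdf2(password.toCharArray(), salt));
    }
    private static byte[] pbkdf2(char[] password, byte[] salt) {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                    .generateSecret(new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS)).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException("PBKDF2 unavailable", e); }
    }
    // '*' matches anything; every other character is quoted so a search string cannot inject regex syntax
    private static Pattern wildcard(String pattern) {
        StringBuilder sb = new StringBuilder();
        for (String part : (pattern == null || pattern.length() == 0 ? "*" : pattern).split("\\*", -1))
            sb.append(Pattern.quote(part)).append(".*");
        sb.setLength(sb.length() - 2);
        return Pattern.compile(sb.toString(), Pattern.CASE_INSENSITIVE);
    }
    private static String hex(byte[] b) {
        return String.format("%0" + (b.length * 2) + "x", new java.math.BigInteger(1, b));
    }
    private static byte[] hex(String s) {
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++) b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        return b;
    }

    public static void main(String[] args) {
        Properties p = new Properties();   // constructed sample data, not a real user store
        p.setProperty("user.alice", encodePassword("correct horse") + ":SOAAdmin,Users");
        p.setProperty("user.bob", encodePassword("hunter2") + ":Users");
        InMemorySecurityProviderPlugIn plugin = new InMemorySecurityProviderPlugIn(); plugin.initialize(p);
        System.out.println(plugin.login("alice", "correct horse") + " " + plugin.login("alice", "guess")
                + " " + plugin.login("nobody", "guess") + " " + plugin.getUserRoles("alice"));
        System.out.println(plugin.searchUsers("al*") + " " + plugin.searchRoles("*"));
    }
}
```

To use it with the provider described in this post you would compile it against the interface in CustomSecurityProvider.jar, drop the class into $domain_home/lib, and point the CustomSecurityProviderPlugIn property in jps-config.xml at example.plugin.InMemorySecurityProviderPlugIn. Where the Properties passed to initialize() come from is not specified in the post, so the user.<name> entries are an assumption about that input; a real deployment would read them from a database or directory instead of a Properties object, keeping the same hashing and comparison rules.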
6 comments:

    Unknown said...

    Hello Chintan!!! I've implemented the solution you proposed about a CustomProviderPlugin. You talk about a sample in a JAR file (com.spring.security.plugin.CustomSecurityProviderPlugIn) but I can't see the sample. I would like to see it, if you don't mind, because I am having trouble with the BPM roles. Your CustomProvider is working for me in the Weblogic Console, but I can't get it working in BPM Workspace. Could you give me a clue? Or any sample about searchRoles, searchUsers, etc., applied to BPM Workspace?

    Thanks in advance

    Chintan Shah said...

    I thought it was mentioned in the blog at step 1. It is available at http://www.springsoa.com/WLCustomSecurityProvider/CustomSecurityProvider.jar

    Beto Azpe said...

    Hello Chintan, I am trying to configure a SQL-based Custom Identity Store. I am following your instructions but it is not working; I can't see DB users (for example from Enterprise Manager when adding users to roles). I am working with version 11.1.1.7; I tried with version 11.1.1.4 and there I do see users from the DB. Do you know if there is something different between versions?

    Thanks in advance.

    Luis

    Chintan Shah said...

    Hello Luis,

    So it worked in 11.1.1.4, but not in 11.1.1.7? I have not tried it with 11.1.1.7, and I am not sure if there are any differences. Anything in the logs?

    Thanks

    Chintan

    Unknown said...

    Hi Chintan,

    Is it possible to get the source of this jar?

    Thanks!
    Abhijit

    Martial said...

    Hi Chintan,

    I have implemented your solution. I would like to modify the source (I would delete the System.out.println); is it possible to get the source of CustomSecurityProvider.jar?

    Thanks,
    Martial