Downloaded 55 times
![34
Debug application authentication
ADF Security
⢠Application configuration files
â jazn-data.xml
Contains development users / roles
Application roles are granted to enterprise roles / users (from the OPSS API which uses the authorization provider).
Resource permissions are granted to application roles or enterprise roles.
â Test with:
Java: ADFContext.getCurrent().getSecurityContext().isUserInRole(âroleâ)
EL: #{securityContext.userInRole[ârole']}
Users
Enterprise
roles
Application
roles
Permissions
Grants
weblogic.xml jazn-data.xml](https://image.slidesharecdn.com/weblogic-authentication-debugging-160217200351/85/WebLogic-authentication-debugging-34-320.jpg)
![34
Debug application authentication
ADF Security
⢠Application configuration files
â jazn-data.xml
Contains development users / roles
Application roles are granted to enterprise roles / users (from the OPSS API which uses the authorization provider).
Resource permissions are granted to application roles or enterprise roles.
â Test with:
Java: ADFContext.getCurrent().getSecurityContext().isUserInRole(âroleâ)
EL: #{securityContext.userInRole[ârole']}
Users
Enterprise
roles
Application
roles
Permissions
Grants
weblogic.xml jazn-data.xml](https://image.slidesharecdn.com/weblogic-authentication-debugging-160217200351/75/WebLogic-authentication-debugging-34-2048.jpg)
Uploaded byMaarten Smeets
WebLogic authentication debugging
The document discusses debugging WebLogic authentication within Oracle Fusion Middleware, focusing on Oracle Identity Store solutions and Oracle Platform Security Services (OPSS). It covers various debugging techniques such as using external clients, the WebLogic console, and specific configuration files to troubleshoot application authentication issues. The conclusion emphasizes the importance of understanding the relationships between applications and authentication providers to effectively debug problems.
TechnologyâŚ
More Related Content
Similar to WebLogic authentication debugging
WebLogic authentication debugging
- 1. OGh Oracle FusionMiddleware Experience 2016 bij FIGI Zeist Maarten Smeets, 16-02-2016 Debugging WebLogic authentication
- 3. Introduction ⢠About AMIS âLocated in the Netherlands â Oracle Award winning partner ⢠About me â Senior Oracle Integration Consultant â Experience with Oracle SOA Suite since 2007 â Well certified (SOA, BPM, Java, SQL, PL/SQL among others) â Author more than 100 blog articles (http://javaoraclesoa.blogspot.com) @MaartenSmeetsNL https://nl.linkedin.com/in/smeetsm
- 4. 4 Oracle Virtual TechnologySummit http://www.oracle.com/technetwork/community/developer-day/index.html March 8, 2016, 18:30:00 CET ⢠Database Application Development ⢠Oracle DB12c Performance ⢠MySQL ⢠Java EE, Microservices and JPA ⢠All about Java 8! ⢠The Internet of Things ⢠WebLogic 12.2.1 and Java EE ⢠Operating Systems and Virtualization ⢠Storage,SPARC, and Software Development
- 5. Agenda ⢠Oracle IdentityStores ⢠Introduction Oracle Platform Security Services (OPSS) ⢠What to debug ⢠How to debug WebLogic authentication ⢠How to debug application authentication
- 6. 6 Why use anexternal Identity Store? Application WLS SOA WLS OSB WLS ADF WLS WCC ⢠An application uses company internal users ⢠Often internal users are already present in an Identity Store ⢠Management organization in place ⢠Single environment to manage users ⢠Single account per user
- 7. 7 Introduction OPSS Oracle IdentityStore solutions ⢠Oracle Unified Directory â Embedded Berkeley Database â LDAP proxy â Much faster read/write than ODSEE â Provides LDAP virtualization â Elastic scaling â Strategic Directory Server product â Designed to address current and future on-premise, mobile, and cloud needs ⢠Oracle Directory Server Enterprise Edition â ODSEE 5.2 and 6.3 are in Sustaining Support â No new fixes will be created ⢠Oracle Virtual Directory â Provides virtualization of different sources â OUD does not replace OVD ⢠Oracle Internet Directory â Uses external Oracle DB â Used with Fusion Applications https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
- 8. Agenda ⢠Oracle IdentityStores ⢠Introduction Oracle Platform Security Services (OPSS) ⢠What to debug ⢠How to debug WebLogic authentication ⢠How to debug application authentication
- 9. Introduction OPSS Identity Store Providers Authentication Authorization CredentialStore Framework User / Role Service Provider Interface Layer OPSS APIs WebLogic Server JavaEE application Java SE application
- 10. Agenda ⢠Oracle IdentityStores ⢠Introduction Oracle Platform Security Services (OPSS) ⢠What to debug ⢠How to debug WebLogic authentication ⢠How to debug application authentication
- 11. What to debug Identity Store WebLogicConsole Application Authentication API Virtualization Platform security jps-config.xml jps-config-jse.xml system-jazn-data.xml config.xml web.xml weblogic.xml LDAP queries SSL/TLS Role mappings Organizational Units Authentication provider
- 12. Agenda ⢠Oracle IdentityStores ⢠Introduction Oracle Platform Security Services (OPSS) ⢠What to debug ⢠How to debug WebLogic authentication ⢠How to debug application authentication
- 13. 13 Debug Weblogic authentication usingan external client ⢠Using an external client Apache Directory Studio
- 14.
- 15. 15 Debug WebLogic authentication EmbeddedLDAP ⢠Login using: Bind DN / User: cn=Admin ⢠Running by default on the AdminServer port ⢠Check out cn=Config for LDAP server properties
- 16. 16 Debug WebLogic authentication EmbeddedLDAP ⢠Notice the use of dynamic groups
- 17. 17 Debug WebLogic authentication EmbeddedLDAP ⢠Notice the use of dynamic groups
- 18. 18 Debug WebLogic authentication Authenticationprovider configuration ⢠Select the authentication provider (as specific as possible) ⢠JAAS Control flags ⢠LDAP connection details ⢠LDAP search behavior â Users â Static groups â Dynamic groups ⢠Cache settings
- 19. 19 Debug WebLogic authentication usingWeblogic Console ⢠JAAS Control flags â SUFFICIENT: if authentication is passed, no other authentication providers are evaluated. If it fails, they are â REQUIRED: the authentication provider is always called and authentication must succeed â OPTIONAL: passing authentication of this provider is optional. If all providers are optional, one needs to pass â REQUISITE: authentication has to succeed on this provider. After that providers of lower priority are evaluated
- 20. 20 Debug Weblogic authentication Cachesettings ⢠How to uniquely identify an LDAP entry. The GUID Attribute ⢠The GUID Attribute is used as cache key ⢠Provider specific â OUD, OpenLDAP, ApacheDS: entryuuid â Active Directory: objectguid â OVD, OID: orclguid ⢠Misconfiguration can lead to first login fail, second login success (cache issues)
- 21. 21 Debug Weblogic authentication usingWeblogic Console ⢠Connection to external provider works ⢠Server trust is established ⢠User query works ⢠Validating authentication details works
- 22. 22 Debug Weblogic authentication usingWeblogic Console ⢠Dynamic group object class works ⢠Group Base DN works ⢠User Dynamic Group DN Attribute works ⢠Dynamic Group Name Attribute works
- 23. 23 Debug Weblogic authentication usinglog files LDAP connections LDAP queries
- 24. 24 Demo ⢠Embedded LDAP â˘How to create a user in an LDAP server ⢠How to configure WebLogic server to use the server ⢠Debug authentication using the console ⢠Debug the authentication using the log files
- 25. Agenda ⢠Oracle IdentityStores ⢠Introduction Oracle Platform Security Services (OPSS) ⢠What to debug ⢠How to debug WebLogic authentication ⢠How to debug application authentication
- 26. Debug application authentication Identity Store WebLogicConsole Application Authentication API Authentication provider Virtualization Platform security jps-config.xml jps-config-jse.xml system-jazn-data.xml config.xml web.xml weblogic.xml LDAP queries SSL/TLS Role mappings Organizational Units
- 27. 27 OPSS configuration files in$DOMAIN_HOME/config/fmwconfig ⢠Java Platform Security: jps-config.xml (Java EE), jps-config.jse.xml (Java SE) login modules, authentication providers, authorization policy providers, credential stores and auditing services ⢠jazn-data.xml, system-jazn-data.xml â users, groups and authorization policies ⢠cwallet.sso â credentials used by the application ⢠adapters.os_xml â LibOVD plugin configuration
- 28. 28 Debug application authentication LibOVD â˘Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server. ⢠FMW components which use OPSS can only use the first LDAP authentication provider LibOVD provides virtualization ⢠Configuration Edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager Plugin configuration in <DOMAINDIR>configfmwconfigovddefaultadapters.os_xml http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
- 29. 29 Debug application authentication LibOVDconfiguration ⢠<DOMAINDIR>/config/fmwconfig/jps-config.xml Provides login modules, authentication providers, credential stores
- 30. 30 Debug application authentication LibOVDconfiguration ⢠The OPSS API only queries static groups by default. Not dynamic groups. ⢠Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>configfmwconfigovddefaultadapters.os_xml) ⢠Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses ⢠Only one structural class is allowed per LDAP object ⢠Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2/
- 31. 31 Debug application authentication LibOVDdebugging ⢠Can be used when ADFLogger is used in application ⢠Can be used for specific Weblogic Server component debugging such as oracle.ods.virtualization for LibOVD
- 32. 32 Debug application authentication ADFSecurity ⢠Application configuration files â web.xml Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter) â weblogic.xml Maps valid-users to OPSS principal users
- 33. 33 Demo ⢠Use basicauthentication in an ADF application
- 34. 34 Debug application authentication ADFSecurity ⢠Application configuration files â jazn-data.xml Contains development users / roles Application roles are granted to enterprise roles / users (from the OPSS API which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles. â Test with: Java: ADFContext.getCurrent().getSecurityContext().isUserInRole(âroleâ) EL: #{securityContext.userInRole[ârole']} Users Enterprise roles Application roles Permissions Grants weblogic.xml jazn-data.xml
- 35. 35 Debug application authentication ADFSecurity ⢠<DOMAINDIR>/config/fmwconfig/ system-jazn-data.xml â OOTB file based policy store â Users, groups, authorization policies â CredentialAccessPermission â Change while WebLogic is down or from EM!
- 36. 36 Debug application authentication JVMparameters ⢠JVM parameters: â -Djps.auth.debug=true to get AccessControlException among other useful messages â -Djps.auth.debug.verbose=true to get a lot of debug messages http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
- 37. 37 Debug application authentication BusinessProcess Management ⢠Authenticate with a user ⢠User is member of (authentication provider) groups ⢠Groups are granted (application) roles and organization units ⢠Business Process Management uses application roles and organization units
- 38. 38 Debug application authentication TheIdentity Service ⢠Can I authenticate the user? â authenticateUser ⢠Can I determine groups? â getGroups http://HOST:PORT/integration/services/IdentityService/identity?WSDL <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar ⢠Can I determine granted roles? â getGrantedRolesToUser ⢠Can I determine organizational units? â use the Java API
- 39. 39 Conclusion ⢠Many debuggingoptions available â Looking at WebLogic Console or application behavior â Using an external client for your authentication provider â Debug logging in WebLogic Server console â Log configuration in Enterprise Manager Fusion Middleware Control â Isolated tests such as IdentityService calls or Java APIâs ⢠It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong ⢠WebLogic Console is relatively easy to debug compared to for example LibOVD. Application side debugging is often also not very difficult.
Editor's Notes
- #4Â Recent awards: Oracle EMEA Middleware Partner of the Year, 3 times Oracle Netherlands Middleware partner of the year. One of the rare moments in the Netherlands when it isnât raining.
- #6Â What to debug; understand the configuration required
- #8Â https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
- #9Â What to debug; understand the configuration required
- #10Â OPSS provides an abstraction layer application programming interfaces (APIs) that insulate developers from security and identity management implementation details (a developer does need to know and implement LDAP to use users and groups in his application)
- #11Â What to debug; understand the configuration required
- #12Â First part of the presentation is about the WebLogic Console to LDAP. Second part of about API to application. JPS, Java Platform Security and LibOVD virtualization. More specific what the configuration files do.
- #13Â What to debug; understand the configuration required
- #14Â Creating LDAP queries is errorprone and after most changes in authentication provider configuration, the server needs a restart
- #15Â Set the password of the Embedded LDAP in order to allow connecting to it. Great source of inspiration for configuring your own LDAP.
- #17Â Recommend using an external LDAP client. WebLogic Server requires restarts after changing authentication provider configuration. External client can be used to easily test queries. Apache Directory Studio is nice. Replace image
- #18Â Recommend using an external LDAP client. WebLogic Server requires restarts after changing authentication provider configuration. External client can be used to easily test queries. Apache Directory Studio is nice. Replace image
- #19Â A specific authentication provider because the generic LDAPAuthenticationProvider has some limitations. Cannot be the first authentication provider. Not supported in LibOVD. Changing configuration (such as LDAP queries) requires restart of the server -> config.xml. Testing the LDAP Connection During Configuration (12.2.1!) Similar to the JDBC connection testing, WebLogic Server tests the connection between the Authentication provider and the LDAP server. On the Provider Specific page, after you configure a new LDAP Authentication provider or make changes to an existing one, when you save your configuration changes, WebLogic Server tests the connection between this provider and the corresponding LDAP server. If the test succeeds, the configuration settings are saved and you may activate them. If the test fails, an error message is displayed indicating a problem. No configuration settings are saved.
- #20Â JAAS control flags. See http://docs.oracle.com/cd/E17904_01/web.1111/e13707/atn.htm#SECMG171. It is usual to have weblogic in the embedded LDAP, control flag set to sufficient and an external LDAP also set to sufficient. Components using the OPSS API without LibOVD only look at the first LDAP server (and only at static groups) so order is also important. When the user is not found, check if authentication provider containing the user is queried in the log. The order matters!
- #21Â Can be confirmed that the GUID Attribute is the cache key? Weblogic LDAPAuthenticator configuration; the GUID Attribute: http://javaoraclesoa.blogspot.nl/2014/12/weblogic-ldapauthenticator.html.
- #22Â Just by clicking around in the Weblogic Console, you can already detect several problems if present.
- #23Â If you canât see users/groups, maybe the current user is not an Administrator but Monitor. Working does not mean it performs!
- #24Â You can see the LDAP server connection
- #26Â What to debug; understand the configuration required
- #27Â First LibOVD, then application security for ADF and BPM
- #31Â http://docs.oracle.com/cd/E25178_01/core.1111/e10043/idstoreadm.htm#JISEC9360 specifies LDAP idstore params. Not all work (JarScan + JD-GUI on WlsLdapIdStoreConfigProvider). Edit adapters.os_xml while WebLogic is down! OPSS APIâs do not query dynamic groups by default: http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-2-of-2/. You can virtualize using LibOVD or OVD.
- #35Â Image from http://www.oracle.com/technetwork/issue-archive/2012/12-jan/o12adf-1364748.html. Application roles are granted to users or enterprise roles. Resource permissions are granted to application roles. Take care jazn-data.xml is merged into system-jazn-data.xml (but not testusers/roles) by ojdeploy. Ojdeploy can be called from Ant, Maven
- #36Â Also credential store access. This is the runtime policy store. http://secureandgo.blogspot.nl/2010/09/opss-artifacts-life-cycle-in-adf.html. If you want to use DB policy store instead of system-jazn-data.xml; https://redstack.wordpress.com/2011/10/29/soa11g-database-as-a-policy-store/
- #37Â http://www.redheap.com/2013/06/secure-credentials-in-adf-application.html
- #38Â Usually ADF and SOA/BPM run on individual servers. A good usecase to use the same authentication provider. SalesRep and BusinessPractices are
- #39Â Several other interesting APIâs under soa-infra application. IdentityService (or FMW apps such as WCC)