Ahsan Mahboob Shah

Reputation: 4029

Double authentication issue for REST web service deployed in WebLogic

I have a restful web service which is protected using HTTP Basic authentication with LDAP provider.

After deploying the application to WebLogic, it prompts for authentication twice upon invocation.

First by Spring Security, then by WebLogic Server.

Further investigation on the subject reveals that client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource.

As an option (provided in the answer), WebLogic's authentication can be disabled through the following configuration in config.xml:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

But it will affect all the other applications deployed in the same domain. And I want this for a specific app only.

Appreciate any suggestions.

Upvotes: 2

Views: 2944

Answers (3)

Soapr

Reputation: 91

Workaround, add another auth-method in the web.xml:

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

Weblogic's basic-auth prompt won't show, only yours.

source: http://forum.spring.io/forum/spring-projects/security/35977-weblogic-9x-10x-double-prompt-for-login-basic-auth-simple

Upvotes: 3

rsh

Reputation: 79

It started working after adding the configuration below, but a new user has to be added in the WebLogic console (or the default user can be used).

Added the configuration below to the WEB-INF\web.xml file:

<security-constraint>
    <display-name>Secure REST Area</display-name>
    <web-resource-collection>
        <web-resource-name>Secure REST</web-resource-name>
        <url-pattern>/api/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>

<security-role>
    <role-name>Admin</role-name>
</security-role>

Created a WebLogic descriptor file at WEB-INF\weblogic.xml and added the configuration below:

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Map the Admin role from web.xml to principals maintained in the WebLogic security realm -->
    <security-role-assignment>
        <role-name>Admin</role-name>
        <!-- <principal-name>Administrators</principal-name>-->
        <externally-defined/>
    </security-role-assignment>
</weblogic-web-app>

Upvotes: 1
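The setup above only works when the role named in the auth-constraint is both declared in web.xml and mapped in weblogic.xml, and the container prompt exists because login-config selects BASIC. The following descriptor lint is an added example, not code from the answer or from WebLogic: it parses a web.xml/weblogic.xml pair (constructed samples modelled on the answer) and reports the auth-method the container will use plus any constrained role that is undeclared or unmapped; the function and sample names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the descriptors in the answer above
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure REST</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method><realm-name>default</realm-name></login-config>
  <security-role><role-name>Admin</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>Admin</role-name>
    <externally-defined/>
  </security-role-assignment>
</weblogic-web-app>"""


def _parse(text):
    """Parse a descriptor and strip namespaces so plain tag names match."""
    root = ET.fromstring(text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root


def lint_descriptors(web_xml, weblogic_xml):
    """Report the container auth-method and whether every role referenced by an
    auth-constraint is declared in web.xml and mapped in weblogic.xml."""
    web, wl = _parse(web_xml), _parse(weblogic_xml)
    method = (web.findtext("login-config/auth-method") or "").strip().upper()
    constrained = {r.text.strip() for r in web.findall("security-constraint/auth-constraint/role-name")}
    declared = {r.text.strip() for r in web.findall("security-role/role-name")}
    mapped = {r.text.strip() for r in wl.findall("security-role-assignment/role-name")}
    return {
        "auth_method": method,
        "container_auth_engaged": bool(constrained),         # container challenges on constrained URLs
        "undeclared_roles": sorted(constrained - declared),  # missing <security-role> in web.xml
        "unmapped_roles": sorted(constrained - mapped),      # missing <security-role-assignment>
    }


if __name__ == "__main__":
    print(lint_descriptors(WEB_XML, WEBLOGIC_XML))
```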

user41871

Try disabling WebLogic's authentication in config.xml:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

See e.g.

So you can turn this on or off on a per-domain basis. If you need to target a specific app, consider placing that app in a dedicated domain.

Upvotes: 4