Reputation: 1449
How do you pass user credentials to a WebLogic 11g Authentication Provider?
I think I've got a high level understanding of WebLogic's AuthenticationProviders, but I can't get my head around how to pass user credentials to a provider.
My Understanding
When reading up on JAAS, I think I've got a grasp of how to use a LoginContext to perform a login. The LoginContext picks up on the LoginModule and JAAS options from the JAAS config file. By defining an instance of some CallbackHandler, you can pass along user credentials. After calling LoginContext.login(), the login is performed using the associated LoginModule.
After going through Oracle's documentation on AuthorizationProviders, most of it seems pretty straightforward. An AuthenticationProvider utilizes JAAS to perform a login. It seems like an AuthenticationProvider manages a LoginContext internally.
What I'm having a hard time grasping/finding is how WebLogic manages the LoginContext and the CallbackHandler that eventually get passed to the LoginModule.initialize method.
The Situation
The app:
- Java web application running on WebLogic 11g (10.3.6).
- Attempting to authenticate with a username and password, without a form login.
Currently, the application uses a form login and submits with a "j_security_check" action. There's a custom AuthenticationProvider and LoginModule that handles the login and processes the username and password submitted in the form.
I'm assuming WebLogic can handle the "j_security_check" action internally and knows how to map the form input fields to a CallbackHandler that's passed to the custom LoginModule.
My Goal
I'm attempting to create a second login process that involves extracting credentials (username/password) from HTTP request headers. The credentials are currently extracted with a servlet filter. One way or another, I'd like to pass these credentials to the LoginModule that's already in place for the form login.
I would like to do one of the following:
- Take the credentials straight from the headers and pass them to the
AuthenticationProvider(through some customAuthenticationProviderimplementation and/or configuration) - Extract the header credentials with a servlet filter and manually pass them to the
AuthenticationProvider.
My Question
What can I do to pass the header credentials to the LoginModule?
- Is there a predefined
AuthenticationProviderthat can pull a username and password from a header? Can you describe the flow from the request to the login? - Is there some way to get access to the
CallbackHandlerorLoginContextused by anAuthenticationProvider? This way I can pass the credentials to theAuthenticationProvidermyself. - How does WebLogic know where to obtain user credentials and how to tie them to a particular
AuthenticationProvider?
It's very possible I'm missing some key concepts along the way, so feel free to put me on the right track with anything I've mentioned.
Thanks!
Upvotes: 2
Views: 2765
Answers (2)
Reputation: 224
It's an old thread but I felt that it might be worth adding that a container agnostic option would be to call httpRequest.login(username,password) method.
Upvotes: 1
Reputation: 1449
My biggest hangup with understanding WebLogic's AuthenticationProviders was in understanding how to pass the credentials. It seemed like too many things were "automagically" happening behind-the-scenes. I felt like I had to somehow get access to a LoginContext and/or CallbackHandler that WebLogic manipulated in the background. I was on the right track, but missed something important about JAAS authentication...
Authentication Providers - How JAAS Works With the WebLogic Security Framework
Steps 3 and 4 of a JAAS authentication are listed as:
The WebLogic Server container calls into the WebLogic Security Framework. If there is a client-side CallbackHandler containing authentication information, this is passed into the WebLogic Security Framework.
For each of the configured Authentication providers, the WebLogic Security Framework creates a CallbackHandler using the authentication information that was passed in. (These are internal CallbackHandlers created on the server-side by the WebLogic Security Framework, and are not related to the client's CallbackHandler.)
This is the part that threw me off. My mind was tunneled in on a CallbackHandler passing WebLogic the authentication information. I failed to pick up on the note shown at the end of the steps:
Note:
For authentication performed entirely on the server-side, the process would begin at step 3, and the WebLogic Server container would call the weblogic.security.services.authentication.login method prior to step 4.
Authentication - Method Summary
And wouldn't you know it... Authenticationhas four login methods, each of which accepts a CallbackHandler!
For my situation, I can use the servlet filter to pick out the credentials from a request header, pass them to a CallbackHandler, then call Authentication.login(CallbackHandler callbackHandler) to successfully log in with a custom LoginModule.
Upvotes: 2
Related Questions
- User failed to be authenticated in WebLogic
- Double authentication issue for REST web service deployed in WebLogic
- Creating WebLogic users programmatically from a standalone Java client
- Setting AuthenticatedSubject for all ressources
- Weblogic 12c encryption algorithme for credentials
- how to do weblogic authentication for a web application
- Creating a Custom Authentication Provider in Oracle WebLogic Server 12.1.2.0.0
- weblogic 12c basic authentication not prompting for userid
- Programmatic login (authentication) in WebLogic (JAAS)
- Weblogic 11g Create new User exception