Cheese

Reputation: 1449

How do you pass user credentials to a WebLogic 11g Authentication Provider?

I think I've got a high level understanding of WebLogic's AuthenticationProviders, but I can't get my head around how to pass user credentials to a provider.


My Understanding

When reading up on JAAS, I think I've got a grasp of how to use a LoginContext to perform a login. The LoginContext picks up on the LoginModule and JAAS options from the JAAS config file. By defining an instance of some CallbackHandler, you can pass along user credentials. After calling LoginContext.login(), the login is performed using the associated LoginModule.

After going through Oracle's documentation on AuthorizationProviders, most of it seems pretty straightforward. An AuthenticationProvider utilizes JAAS to perform a login. It seems like an AuthenticationProvider manages a LoginContext internally.

What I'm having a hard time grasping/finding is how WebLogic manages the LoginContext and the CallbackHandler that eventually get passed to the LoginModule.initialize method.


The Situation

The app:

Currently, the application uses a form login and submits with a "j_security_check" action. There's a custom AuthenticationProvider and LoginModule that handles the login and processes the username and password submitted in the form.

I'm assuming WebLogic can handle the "j_security_check" action internally and knows how to map the form input fields to a CallbackHandler that's passed to the custom LoginModule.


My Goal

I'm attempting to create a second login process that involves extracting credentials (username/password) from HTTP request headers. The credentials are currently extracted with a servlet filter. One way or another, I'd like to pass these credentials to the LoginModule that's already in place for the form login.

I would like to do one of the following:

  1. Take the credentials straight from the headers and pass them to the AuthenticationProvider (through some custom AuthenticationProvider implementation and/or configuration)
  2. Extract the header credentials with a servlet filter and manually pass them to the AuthenticationProvider.

My Question

What can I do to pass the header credentials to the LoginModule?

  1. Is there a predefined AuthenticationProvider that can pull a username and password from a header? Can you describe the flow from the request to the login?
  2. Is there some way to get access to the CallbackHandler or LoginContext used by an AuthenticationProvider? This way I can pass the credentials to the AuthenticationProvider myself.
  3. How does WebLogic know where to obtain user credentials and how to tie them to a particular AuthenticationProvider?

It's very possible I'm missing some key concepts along the way, so feel free to put me on the right track with anything I've mentioned.

Thanks!

Upvotes: 2

Views: 2765

Answers (2)

Ravi Gupta

Reputation: 224

It's an old thread but I felt that it might be worth adding that a container agnostic option would be to call httpRequest.login(username,password) method.

Upvotes: 1

Cheese

Reputation: 1449

My biggest hangup with understanding WebLogic's AuthenticationProviders was in understanding how to pass the credentials. It seemed like too many things were "automagically" happening behind-the-scenes. I felt like I had to somehow get access to a LoginContext and/or CallbackHandler that WebLogic manipulated in the background. I was on the right track, but missed something important about JAAS authentication...

Authentication Providers - How JAAS Works With the WebLogic Security Framework

Steps 3 and 4 of a JAAS authentication are listed as:

  3. The WebLogic Server container calls into the WebLogic Security Framework. If there is a client-side CallbackHandler containing authentication information, this is passed into the WebLogic Security Framework.

  4. For each of the configured Authentication providers, the WebLogic Security Framework creates a CallbackHandler using the authentication information that was passed in. (These are internal CallbackHandlers created on the server-side by the WebLogic Security Framework, and are not related to the client's CallbackHandler.)

This is the part that threw me off. My mind was tunneled in on a CallbackHandler passing WebLogic the authentication information. I failed to pick up on the note shown at the end of the steps:

Note:

For authentication performed entirely on the server-side, the process would begin at step 3, and the WebLogic Server container would call the weblogic.security.services.authentication.login method prior to step 4.

Authentication - Method Summary

And wouldn't you know it... Authentication has four login methods, each of which accepts a CallbackHandler!

For my situation, I can use the servlet filter to pick out the credentials from a request header, pass them to a CallbackHandler, then call Authentication.login(CallbackHandler callbackHandler) to successfully log in with a custom LoginModule.

Upvotes: 2
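What the two answers describe, put together in one servlet filter, as an added example that is not code from the original thread. It takes the username and password from an `Authorization: Basic` header, answers the `NameCallback`/`PasswordCallback` that the framework's LoginModule asks for, and calls `weblogic.security.services.Authentication.login(CallbackHandler)` as the accepted answer suggests; the assumed signature is that it returns the authenticated `Subject` and throws `LoginException` on rejection. The rest of the chain is then run under that Subject with `weblogic.security.Security.runAs`. The class name, the realm string `"app"`, and the use of `javax.xml.bind.DatatypeConverter` for Base64 (present in the JDK 6/7 that WebLogic 11g runs on, removed from the JDK in 11) are choices made for this example. Ravi Gupta's container-agnostic `HttpServletRequest.login(username, password)` would replace the `Authentication.login` call, but it is a Servlet 3.0 API; WebLogic 11g (10.3.x) implements Servlet 2.5, so it only becomes available on 12c.

```java
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.xml.bind.DatatypeConverter;
import weblogic.security.Security;
import weblogic.security.services.Authentication;

// Example only (not from the thread): reads "Authorization: Basic ..." and hands the
// credentials to the WebLogic Security Framework via Authentication.login(CallbackHandler).
public class HeaderLoginFilter implements Filter {
    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String[] creds = parseBasic(request.getHeader("Authorization"));
        if (creds == null) {
            chain.doFilter(req, res);   // no usable header: leave it to the existing form login
            return;
        }
        char[] password = creds[1].toCharArray();
        Subject subject;
        try {
            // Assumed signature, as the accepted answer describes it: login(CallbackHandler)
            // returns the authenticated Subject and throws LoginException on rejection.
            subject = Authentication.login(new HeaderCallbackHandler(creds[0], password));
        } catch (LoginException e) {
            response.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        } finally {
            Arrays.fill(password, '\0');   // don't keep the secret around after the attempt
        }
        try {
            // Run the rest of the chain with the authenticated Subject bound to this thread.
            Security.runAs(subject, new PrivilegedExceptionAction<Void>() {
                public Void run() throws IOException, ServletException {
                    chain.doFilter(req, res);
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IOException) throw (IOException) cause;
            if (cause instanceof ServletException) throw (ServletException) cause;
            throw new ServletException(cause);
        }
    }

    // Parses "Basic base64(user:password)"; returns {user, password}, or null when the header
    // is absent or malformed. An empty user is malformed; an empty password is passed through.
    static String[] parseBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        byte[] raw = DatatypeConverter.parseBase64Binary(header.substring(6).trim());
        String pair = new String(raw, Charset.forName("UTF-8"));
        int colon = pair.indexOf(':');
        if (colon < 1) return null;
        return new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
    }

    // Answers the NameCallback/PasswordCallback that the LoginModule asks for through the
    // framework's internal callback handler; anything else is refused, per the JAAS contract.
    static final class HeaderCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        HeaderCallbackHandler(String user, char[] password) { this.user = user; this.password = password; }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);   // the callback copies the array
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password supported");
                }
            }
        }
    }
}
```

WebLogic ships `weblogic.security.SimpleCallbackHandler(String, char[])`, which does what `HeaderCallbackHandler` does here; the hand-written version is kept so the callbacks the LoginModule actually issues are visible. `Security.runAs` scopes the Subject to the current request only; if the header login should also establish the HTTP session the way `j_security_check` does, `weblogic.servlet.security.ServletAuthentication` is the API to look at for that, which is not shown here.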
