Using UNT Authentication with WebLogic Portal
To implement single sign-on (SSO) with WebLogic Portal
using UNT (User Name Token) authentication, you must configure the
WSRP Producer.
UNT authentication can be used with IIS (Windows) authentication
or ASP.NET Forms Authentication. The steps below cover both options.
Caution: Using UNT in the manner described below results in passwords
being sent between the WSRP Consumer and the WSRP Producer in plain
text. Ensure that the Consumer-Producer channel is secured by https
before using this approach for transmitting a security token.
- Enable authentication for your remote ASP.NET
portlet. For more information on configuring ASP.NET authentication,
consult MSDN and the following resources: http://msdn2.microsoft.com/en-us/library/eeyk640h%28VS.80%29.aspx, http://msdn2.microsoft.com/en-us/library/ms978378.aspx, http://support.microsoft.com/kb/324274.
- Add the UNT security policy declaration to the WSRPService.wsdl
and wsrp_v1_bindings.wsdl files.
- Open the wsdl file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\WSRPService.wsdl.
- If it is not already present, add the following policy
declaration to the WSRPService.wsdl file as a child of the root element
(<wsdl:definitions>) and before the <wsdl:service> element. (The WSRPService.wsdl file installed
with the WSRP Producer includes the UNT policy by default.)
<wsp:Policy s1:Id="UNTAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy">
    <wssp:SupportedTokens>
      <wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
        <wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
      </wssp:SecurityToken>
    </wssp:SupportedTokens>
  </wssp:Identity>
</wsp:Policy>
- Open the wsdl bindings file for the WSRP Producer: \wsrpproducer\1.1\webapp\wsrpproducer\1.0\wsrp_v1_bindings.wsdl.
- Find the <wsdl:input> elements
named “getMarkup” and “performBlockingInteraction”. If it is not
already present, add the <wsp:Policy> element shown
below to each of them. (The bindings file installed with the WSRP Producer includes
this code within comments; to enable the code, remove the comment
tags.) The complete XML should look as follows:
<wsdl:input name="getMarkup">
  <soap:body use="literal"/>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:PolicyReference URI="#UNTAuth.xml"/>
  </wsp:Policy>
</wsdl:input>
<wsdl:input name="performBlockingInteraction">
  <soap:body use="literal"/>
  <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
    <wsp:PolicyReference URI="#UNTAuth.xml"/>
  </wsp:Policy>
</wsdl:input>
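To verify this step without reading both WSDL files by hand, the following Python check (added here; it is not part of the WebLogic Portal documentation or product) parses WSRPService.wsdl and wsrp_v1_bindings.wsdl and confirms that the UNTAuth.xml policy declares a UsernameToken carrying PasswordText and that both the getMarkup and performBlockingInteraction inputs reference it. It also reports a name attribute padded with whitespace, which would not match the operation. The standard WSDL namespace URI and the two sample fragments are my own assumptions, constructed for the example.

```python
import xml.etree.ElementTree as ET
# Namespaces used in the two Producer WSDL files (wsdl is the standard WSDL 1.1 namespace).
NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "wssp": "http://www.bea.com/wls90/security/policy",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
UNT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"

def check_unt_policy(service_wsdl, bindings_wsdl):
    """Return a list of problems; an empty list means the UNT policy is declared and referenced."""
    problems = []
    # WSRPService.wsdl: wsp:Policy wsu:Id="UNTAuth.xml" directly under the root, UsernameToken/PasswordText.
    svc = ET.fromstring(service_wsdl)
    pol = [p for p in svc.findall("wsp:Policy", NS) if p.get("{%s}Id" % NS["wsu"]) == "UNTAuth.xml"]
    tok = pol[0].find("wssp:Identity/wssp:SupportedTokens/wssp:SecurityToken", NS) if pol else None
    if tok is None or tok.get("TokenType") != UNT + "#UsernameToken":
        problems.append("WSRPService.wsdl: no UNTAuth.xml policy declaring a UsernameToken")
    else:
        pw = tok.find("wssp:UsePassword", NS)
        if pw is None or pw.get("Type") != UNT + "#PasswordText":
            problems.append("WSRPService.wsdl: UsernameToken does not use PasswordText")
    # wsrp_v1_bindings.wsdl: both secured operations must reference the policy; a padded name is reported.
    inputs = {}
    for inp in ET.fromstring(bindings_wsdl).iter("{%s}input" % NS["wsdl"]):
        name = inp.get("name", "")
        if name != name.strip():
            problems.append("bindings: input name %r has stray whitespace" % name)
        inputs[name.strip()] = inp
    for op in ("getMarkup", "performBlockingInteraction"):
        ref = inputs[op].find("wsp:Policy/wsp:PolicyReference", NS) if op in inputs else None
        if ref is None or ref.get("URI") != "#UNTAuth.xml":
            problems.append("bindings: %s has no PolicyReference to #UNTAuth.xml" % op)
    return problems

# Constructed sample fragments (not real Producer files): a correct service policy, and a bindings
# file with the padded-name defect on one operation and the PolicyReference missing on the other.
SERVICE_OK = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">
<wsp:Policy s1:Id="UNTAuth.xml" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:s1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wssp:Identity xmlns:wssp="http://www.bea.com/wls90/security/policy"><wssp:SupportedTokens>
<wssp:SecurityToken TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken">
<wssp:UsePassword Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"/>
</wssp:SecurityToken></wssp:SupportedTokens></wssp:Identity></wsp:Policy></wsdl:definitions>"""
BINDINGS_BAD = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsdl:binding name="b">
<wsdl:operation name="getMarkup"><wsdl:input name="getMarkup"/></wsdl:operation>
<wsdl:operation name="performBlockingInteraction"><wsdl:input name=" performBlockingInteraction ">
<wsp:Policy><wsp:PolicyReference URI="#UNTAuth.xml"/></wsp:Policy></wsdl:input></wsdl:operation>
</wsdl:binding></wsdl:definitions>"""
```

Run it against the real files by reading them into the two arguments; any non-empty result names the file and operation to fix.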
- Map each WLP user to a user that can access the ASP.NET
portlet application. For instructions, see Configuring User Name Token Security: Configuring
the Consumer in the WLP Federated Portals guide.
- If you are using ASP.NET Forms Authentication, you must
provide information about the login form to the WSRP Producer. In
wsrp-producer.xml, add a <forms-authentication> entry as the last child element of the <portlet> element for each portlet that uses ASP.NET Forms Authentication.
Each entry should include the following elements, as shown in the
example that follows. For a full list of portlet configuration elements,
see WSRP Producer Configuration Elements (wsrp-producer.xml).
Note: If you omit the <forms-authentication> element, the WSRP Producer will still try to authenticate to one
of the IIS forms of authentication (Basic, Windows Integrated, or
even Digest) if the ASP.NET application is using one of those and a UNT is provided,
but it will be unable to authenticate to ASP.NET Forms.
Element | Description
<IsSSOConfigured> | Whether SSO through ASP.NET Forms Authentication is enabled (true or false).
<loginpage> | The name of the login page configured for ASP.NET Forms Authentication in the remote portlet application.
<username-field-name> | The name of the login form field that holds the user name.
<password-field-name> | The name of the login form field that holds the password.
<login-button-name> | The name of the submit button in the login form.
<login-button-value> | The value of the submit button in the login form.
<always-use-anonymous-login> | Whether to use anonymous login (true or false). If true, you must also provide <anonymous-username> and <anonymous-password> elements.
<portlet>
  ...
  <forms-authentication>
    <IsSSOConfigured>true</IsSSOConfigured>
    <loginpage>login.aspx</loginpage>
    <username-field-name>txtUserName</username-field-name>
    <password-field-name>txtPassword</password-field-name>
    <login-button-name>cmdSubmit</login-button-name>
    <login-button-value>Submit</login-button-value>
    <always-use-anonymous-login>true</always-use-anonymous-login>
    <anonymous-username>userid</anonymous-username>
    <anonymous-password>pwd</anonymous-password>
  </forms-authentication>
</portlet>
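The rules in the table above (required elements, boolean values, the anonymous-login pair, and the entry being the last child of <portlet>) can be checked mechanically before the Producer is restarted. The following Python validator is added here and is not part of the WebLogic Portal product or its documentation; it assumes wsrp-producer.xml is parsed without an XML namespace, as in the fragment above, and the sample file with its <other-setting/> placeholder child is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Elements every <forms-authentication> entry must carry, per the table above; two are booleans.
REQUIRED = ("IsSSOConfigured", "loginpage", "username-field-name", "password-field-name",
            "login-button-name", "login-button-value", "always-use-anonymous-login")
BOOLEAN = ("IsSSOConfigured", "always-use-anonymous-login")

def check_forms_authentication(portlet):
    """Return problems for one <portlet>; an empty list means its entry is complete and consistent."""
    fa = portlet.find("forms-authentication")
    if fa is None:
        return []  # portlet relies on IIS authentication; nothing to validate here
    problems = []
    if list(portlet)[-1].tag != "forms-authentication":
        problems.append("forms-authentication must be the last child of <portlet>")
    for tag in REQUIRED:
        value = (fa.findtext(tag) or "").strip()
        if not value:
            problems.append("missing or empty <%s>" % tag)
        elif tag in BOOLEAN and value not in ("true", "false"):
            problems.append("<%s> must be true or false, got %r" % (tag, value))
    # The table requires both anonymous credentials whenever anonymous login is switched on.
    if (fa.findtext("always-use-anonymous-login") or "").strip() == "true":
        for tag in ("anonymous-username", "anonymous-password"):
            if not (fa.findtext(tag) or "").strip():
                problems.append("always-use-anonymous-login is true but <%s> is missing" % tag)
    return problems

def check_producer_config(xml_text):
    """Problems per <portlet>, in document order, for a whole wsrp-producer.xml."""
    return [check_forms_authentication(p) for p in ET.fromstring(xml_text).iter("portlet")]

# Constructed sample (not a real configuration): the first portlet is valid, the second has a
# non-boolean IsSSOConfigured, no anonymous-password, and a placeholder child after the entry.
SAMPLE = """<wsrp-producer>
 <portlet><forms-authentication>
  <IsSSOConfigured>true</IsSSOConfigured><loginpage>login.aspx</loginpage>
  <username-field-name>txtUserName</username-field-name><password-field-name>txtPassword</password-field-name>
  <login-button-name>cmdSubmit</login-button-name><login-button-value>Submit</login-button-value>
  <always-use-anonymous-login>false</always-use-anonymous-login>
 </forms-authentication></portlet>
 <portlet><forms-authentication>
  <IsSSOConfigured>yes</IsSSOConfigured><loginpage>login.aspx</loginpage>
  <username-field-name>txtUserName</username-field-name><password-field-name>txtPassword</password-field-name>
  <login-button-name>cmdSubmit</login-button-name><login-button-value>Submit</login-button-value>
  <always-use-anonymous-login>true</always-use-anonymous-login><anonymous-username>userid</anonymous-username>
 </forms-authentication><other-setting/></portlet>
</wsrp-producer>"""
```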
Note: The WSRP specification treats external resources used
by a portlet application differently from the portlet markup. An external
resource is anything that is referenced by the portlet markup but
not contained in the markup, such as externally referenced JavaScript
files, images, or CSS style sheets. Portlet markup is retrieved from
and proxied by the WSRP Producer; in the process the Producer can
negotiate the authentication requirements of portlet applications.
However, WSRP resources are retrieved directly by the WSRP Consumer
without assistance from the WSRP Producer. As a result, external resources
generally should not require authentication when using the WSRP Producer
unless you can configure your WSRP Consumer to authenticate directly.
If you are using Windows (IIS) authentication, you must move all external
resources to a virtual directory or separate server that is configured
in IIS to not require authentication. Note that many ASP.NET
controls and components use the WebResources feature to dynamically
emit external JavaScript and image references in your markup. To make
sure that WebResources references do not require authentication, ensure
that any virtual paths from which these references originate do not
require authentication.