44 Configuring JASPIC Security
Read the JASPIC specification at http://www.jcp.org/en/jsr/detail?id=196.
This section assumes that you are familiar with a basic overview of JASPIC, as described in JASPIC Security in Understanding Security for Oracle WebLogic Server.
JASPIC Mechanisms Override WebLogic Server Defaults
If you configure an Authentication Configuration Provider for a Web application, it is used instead of the WebLogic Server authentication mechanism for that Web Application. The JASPIC authentication provider assumes responsibility for authenticating the user credentials and returning a Subject.
You should therefore exercise care when you specify an Authentication Configuration Provider to make sure that it satisfies your security authentication needs.
Prerequisites for Configuring JASPIC
There are certain prerequisites for configuring JASPIC in your environment, including how to make your own or a third-party server authentication module (SAM) or Authentication Configuration Provider available to WebLogic Server.
The JASPIC programming model is described in the Java Authentication Service Provider Interface for Containers (JASPIC) specification (http://www.jcp.org/en/jsr/detail?id=196).
A sample SAM implementation is described in Adding Authentication Mechanisms to the Servlet Container in the GlassFish Server Open Source Edition Application Development Guide. Although written from the GlassFish Server perspective, the tips for writing a SAM, and the sample SAM itself, are instructive.
Server Authentication Module Must Be in Classpath
If you plan to configure a WebLogic Server Authentication Configuration Provider, you must add the jar for your SAM to the system classpath via the startup scripts or the command line used to start the WebLogic Server instance. If you do not do this, WebLogic Server is not able to find the appropriate classes.
Custom Authentication Configuration Providers Must Be in Classpath
If you plan to configure a custom Authentication Configuration Provider, you must add the jar for your custom Authentication Configuration Provider to the system classpath via the startup scripts or the command line used to start the WebLogic Server instance. If you do not do this, WebLogic Server is not able to find the appropriate classes.
Location of Configuration Data
You can use either the WebLogic Server Administration Console or the WebLogic Scripting Tool (WLST) to configure JASPIC and the Authentication Configuration Providers. After you configure JASPIC and the Authentication Configuration Providers, the domain-wide Authentication Configuration Provider configuration data is kept in the domain config.xml file in the <jaspic> element.
For example:
<jaspic>
  <auth-config-provider xsi:type="wls-auth-config-providerType">
    <name>WLSAuthConfigProvider-0</name>
  </auth-config-provider>
</jaspic>
When you configure an Authentication Configuration Provider for a deployed Web application, the WebLogic Server Administration Console (or WLST) updates the deployment plan (plan.xml) for the Web application with the application-specific Authentication Configuration Provider configuration. For example:
<variable>
  <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
  <value>WLSAuthConfigProvider-0</value>
</variable>
:
<variable-assignment>
  <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
  <xpath>/weblogic-web-app/jaspic-provider/auth-config-provider-name</xpath>
</variable-assignment>
If you do not use a deployment plan for your application, you can instead add the jaspic-provider deployment descriptor element to weblogic.xml.
jaspic-provider specifies the authConfigProvider to be registered for use during authentication. For example, <wls:jaspic-provider>my-acp</wls:jaspic-provider>.
Configuring JASPIC for a Domain
You can configure JASPIC for a domain using the Oracle WebLogic Server Administration Console.
By default, JASPIC is enabled for a domain. This means that you can configure JASPIC properties for the domain, and JASPIC is available for any Web applications for which you have specified an Authentication Configuration Provider.
See Configure Web applications for JASPIC in Oracle WebLogic Server Administration Console Online Help for the specific steps to follow to configure JASPIC in the WebLogic Server Administration Console.
If you disable JASPIC for a domain, JASPIC is then disabled for all Web applications in that domain, regardless of their configuration.
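The wiring described in Location of Configuration Data (the domain-wide <jaspic> element in config.xml and the application-specific deployment plan variable) and the rule just stated (disabling JASPIC for the domain silently overrides every Web application's provider setting) can be checked mechanically before a restart. The following Python script is an added example, not Oracle code or a WebLogic tool. It parses constructed config.xml and plan.xml fragments built from the patterns shown on this page and reports a provider that an application references but that is not configured in the domain, or one that is configured while JASPIC is disabled domain-wide. It assumes that the JASPICMBean Enabled attribute is persisted as an <enabled> child of <jaspic>; the page shows only the <auth-config-provider> child.

```python
"""Cross-check a WebLogic domain's <jaspic> configuration against a Web
application's deployment plan (added example, not Oracle code)."""
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. <enabled> is an ASSUMED element name for
# the JASPICMBean Enabled attribute; the page only shows <auth-config-provider>.
CONFIG_XML = """<?xml version="1.0"?>
<domain xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <name>mydomain</name>
  <security-configuration>
    <jaspic>
      <enabled>true</enabled>
      <auth-config-provider xsi:type="wls-auth-config-providerType">
        <name>WLSAuthConfigProvider-0</name>
      </auth-config-provider>
    </jaspic>
  </security-configuration>
</domain>
"""

# Constructed deployment plan fragment using the variable/xpath pattern from the page.
PLAN_XML = """<?xml version="1.0"?>
<deployment-plan>
  <variable-definition>
    <variable>
      <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
      <value>WLSAuthConfigProvider-0</value>
    </variable>
  </variable-definition>
  <module-override>
    <module-descriptor>
      <variable-assignment>
        <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
        <xpath>/weblogic-web-app/jaspic-provider/auth-config-provider-name</xpath>
      </variable-assignment>
    </module-descriptor>
  </module-override>
</deployment-plan>
"""


def _local(tag):
    """Strip an XML namespace ({uri}name -> name) so real files with xmlns also work."""
    return tag.rsplit('}', 1)[-1]


def _find_all(root, name):
    """Return every descendant whose local tag name matches."""
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or '').strip()
    return None


def domain_jaspic(config_xml):
    """Return (enabled, set of provider names) from the <jaspic> element."""
    root = ET.fromstring(config_xml)
    jaspic = _find_all(root, 'jaspic')
    if not jaspic:
        return True, set()  # no element: defaults apply (enabled, no providers)
    j = jaspic[0]
    enabled_text = _child_text(j, 'enabled')
    enabled = True if enabled_text is None else enabled_text.lower() == 'true'
    names = {_child_text(p, 'name') for p in _find_all(j, 'auth-config-provider')}
    return enabled, names - {None}


def plan_providers(plan_xml):
    """Provider names the plan assigns to jaspic-provider/auth-config-provider-name."""
    root = ET.fromstring(plan_xml)
    values = {_child_text(v, 'name'): _child_text(v, 'value')
              for v in _find_all(root, 'variable')}
    referenced = []
    for a in _find_all(root, 'variable-assignment'):
        xpath = _child_text(a, 'xpath') or ''
        if xpath.endswith('/jaspic-provider/auth-config-provider-name'):
            referenced.append(values.get(_child_text(a, 'name')))
    return referenced


def check(config_xml, plan_xml):
    """Return a list of findings; an empty list means the wiring is consistent."""
    enabled, defined = domain_jaspic(config_xml)
    findings = []
    for name in plan_providers(plan_xml):
        if name is None:
            findings.append('plan assigns jaspic-provider with an unresolved variable')
        elif name not in defined:
            findings.append(f'provider {name!r} referenced by plan is not configured in the domain')
        elif not enabled:
            findings.append(f'provider {name!r} is configured but JASPIC is disabled domain-wide')
    return findings


if __name__ == '__main__':
    for line in check(CONFIG_XML, PLAN_XML) or ['OK: plan provider is defined and JASPIC is enabled']:
        print(line)
```

Run it against a real domain by reading config.xml and the application's plan.xml into the two arguments of check(); because the tag matching ignores namespaces, the xmlns declarations WebLogic writes do not need to be stripped first.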
To configure JASPIC for a domain:
Displaying Authentication Configuration Providers
You can view the Authentication Configuration Providers for a domain by using the Oracle WebLogic Server Administration Console.
To display the Authentication Configuration Providers for a domain:
Configuring JASPIC for a Web Application
You can specify which, if any, Authentication Configuration Provider is to apply to a specific Web application by using the WebLogic Server Administration Console.
Before you can do this, you must first perform the following steps, as described in Configuring JASPIC for a Domain.
- Enable JASPIC in the domain.
- Configure a WebLogic Server Authentication Configuration Provider, or
- Configure a Custom Authentication Configuration Provider.
To configure JASPIC properties for this Web application:
Configuring JASPIC Using WLST
You can use WLST to configure JASPIC for a domain and perform tasks such as creating a WLS Authentication Configuration Provider or a custom Authentication Configuration Provider, listing all WLS and custom Authentication Configuration Providers, and enabling or disabling JASPIC for a domain.
For information about using WLST, see Understanding the WebLogic Scripting Tool.
This section requires you to configure the following MBeans via WLST:
See MBean Reference for Oracle WebLogic Server for additional MBean information.
Creating a WLS Authentication Configuration Provider
Example 44-1 creates a WLS Authentication Configuration Provider, sets the class name of the SAM, and sets a configuration property.
After you run this example, restart WebLogic Server.
Example 44-1 Create a WLS Authentication Configuration Provider
from java.util import Properties   # explicit import; harmless if WLST already provides it
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
# Create the WLS Authentication Configuration Provider and point it at the SAM class
wacp = jaspic.createWLSAuthConfigProvider('wacp')
am = wacp.getAuthModule()
am.setClassName('com.my.auth.module.Classname')
# Optional configuration properties passed to the SAM
props = Properties()
props.setProperty('property', 'value')
am.setProperties(props)
save()
activate()
Creating a Custom Authentication Configuration Provider
Example 44-2 creates a custom Authentication Configuration Provider, sets the class name of this Authentication Configuration Provider, and sets a configuration property.
After you run this example, restart WebLogic Server.
Example 44-2 Create a Custom Authentication Configuration Provider
from java.util import Properties   # explicit import; harmless if WLST already provides it
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
# Create the custom Authentication Configuration Provider and set its class
acp = jaspic.createCustomAuthConfigProvider('cacp')
acp.setClassName('com.my.acp.Classname')
# Optional configuration properties passed to the provider
props = Properties()
props.setProperty('property', 'value')
acp.setProperties(props)
save()
activate()
Listing All WLS and Custom Authentication Configuration Providers
Example 44-3 shows how to list all Authentication Configuration Providers for a domain.
Example 44-3 List All Authentication Configuration Providers
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
# Returns both WLS and custom Authentication Configuration Providers
jaspic.getAuthConfigProviders()
Enabling JASPIC for a Domain
Example 44-4 shows how to enable JASPIC for a domain.
After you run this example, restart WebLogic Server.
Example 44-4 Enable JASPIC for a Domain
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
# Enable JASPIC for the domain
jaspic.setEnabled(true)
save()
activate()
Disabling JASPIC for a Domain
Example 44-5 shows how to disable JASPIC for a domain.
After you run this example, restart WebLogic Server.
Example 44-5 Disable JASPIC for a Domain
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
# Disable JASPIC for the domain; this disables it for every Web application in the domain
jaspic.setEnabled(false)
save()
activate()