42 Configuring Jakarta Authentication Security
Read the Jakarta Authentication specification at https://jakarta.ee/specifications/authentication/.
This chapter includes the following sections:
This section assumes that you are familiar with a basic overview of Jakarta Authentication, as described in Jakarta Authentication Security in Understanding Security for Oracle WebLogic Server.
Jakarta Authentication Mechanisms Override WebLogic Server Defaults
If you configure an Authentication Configuration Provider for a Web application, it is used instead of the WebLogic Server authentication mechanism for that Web Application. The authentication provider from Jakarta Authentication assumes responsibility for authenticating the user credentials and returning a Subject.
You should therefore exercise care when you specify an Authentication Configuration Provider to make sure that it satisfies your security authentication needs.
Prerequisites for Configuring Jakarta Authentication
Before you configure Jakarta Authentication in your environment, you must satisfy certain prerequisites, including making your own or a third-party server authentication module (SAM) or Authentication Configuration Provider available to WebLogic Server.
The Jakarta Authentication programming model is described in the Jakarta Authentication specification (https://jakarta.ee/specifications/authentication/).
A sample SAM implementation is described in Adding Authentication Mechanisms to the Servlet Container in the GlassFish Server Open Source Edition Application Development Guide. Although written from the GlassFish Server perspective, the tips for writing a SAM, and the sample SAM itself, are instructive.
This section includes the following topics:
Server Authentication Module Must Be in Classpath
If you plan to configure a WebLogic Server Authentication Configuration Provider, you must add the jar for your SAM to the system classpath via the startup scripts or the command line used to start the WebLogic Server instance. If you do not do this, WebLogic Server is not able to find the appropriate classes.
Custom Authentication Configuration Providers Must Be in Classpath
If you plan to configure a custom Authentication Configuration Provider, you must add the jar for your custom Authentication Configuration Provider to the system classpath via the startup scripts or the command line used to start the WebLogic Server instance. If you do not do this, WebLogic Server is not able to find the appropriate classes.
Location of Configuration Data
You can use the WebLogic Scripting Tool (WLST) to configure Jakarta Authentication and the Authentication Configuration Providers. After you configure Jakarta Authentication and the Authentication Configuration Providers, the domain-wide Authentication Configuration Provider configuration data is kept in the domain config.xml file in the <jaspic> element.
For example:
<jaspic>
  <auth-config-provider xsi:type="wls-auth-config-providerType">
    <name>WLSAuthConfigProvider-0</name>
  </auth-config-provider>
</jaspic>
When you configure an Authentication Configuration Provider for a deployed Web application, WLST updates the deployment plan (plan.xml) for the Web application with the application-specific Authentication Configuration Provider configuration. For example:
<variable>
  <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
  <value>WLSAuthConfigProvider-0</value>
</variable>
:
<variable-assignment>
  <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
  <xpath>/weblogic-web-app/jaspic-provider/auth-config-provider-name</xpath>
</variable-assignment>
If you do not use a deployment plan for your application, you can instead add the jaspic-provider deployment descriptor element to weblogic.xml. jaspic-provider specifies the authConfigProvider to be registered for use during authentication. For example, <wls:jaspic-provider>my-acp</wls:jaspic-provider>.
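The three locations above (the domain <jaspic> element, the plan.xml variable assignment, and the weblogic.xml jaspic-provider element) together decide which provider, if any, authenticates requests to a given Web application. The following Python script is an added example, not Oracle code and not part of this chapter: it reads each location and reports, per application, whether the WebLogic default mechanism or a named Authentication Configuration Provider is in effect, and flags an application that names a provider the domain never created. It also applies the rule from the domain configuration section that a domain-level disable overrides every application's setting. The XML documents are constructed for the example; the placement of <jaspic> under <security-configuration> and its <enabled> child are assumptions about config.xml, as are the application names and the acceptance of the provider name either as element text or inside <auth-config-provider-name>.

```python
"""Audit which Authentication Configuration Provider is in effect per Web app.
Added example (not Oracle code); all XML is constructed for the example."""
import xml.etree.ElementTree as ET

# xpath that WLST writes into plan.xml for the application-level provider
JASPIC_XPATH = "/weblogic-web-app/jaspic-provider/auth-config-provider-name"

# Constructed config.xml; <security-configuration> nesting and <enabled> are assumptions.
CONFIG_XML = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <security-configuration><jaspic>
    <enabled>true</enabled>
    <auth-config-provider xsi:type="wls-auth-config-providerType">
      <name>WLSAuthConfigProvider-0</name>
    </auth-config-provider>
  </jaspic></security-configuration>
</domain>"""

# Constructed plan.xml for a hypothetical app "planned-app.war".
PLAN_XML = """<deployment-plan xmlns="http://xmlns.oracle.com/weblogic/deployment-plan">
  <variable-definition><variable>
    <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
    <value>WLSAuthConfigProvider-0</value>
  </variable></variable-definition>
  <module-override><module-name>planned-app.war</module-name>
    <module-descriptor external="false"><root-element>weblogic-web-app</root-element>
      <uri>WEB-INF/weblogic.xml</uri>
      <variable-assignment>
        <name>JASPICProvider_AuthConfigProviderName_13210476440805</name>
        <xpath>/weblogic-web-app/jaspic-provider/auth-config-provider-name</xpath>
      </variable-assignment>
    </module-descriptor></module-override>
</deployment-plan>"""

# Constructed weblogic.xml naming a provider ("my-acp") that the domain never created.
WEBLOGIC_XML = """<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <wls:jaspic-provider>my-acp</wls:jaspic-provider>
</wls:weblogic-web-app>"""


def _parse(xml_text):
    """Parse and strip namespaces so elements can be matched by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def domain_jaspic(config_xml):
    """Return (enabled, set of provider names) from the domain <jaspic> element.
    Enabled by default; only an explicit <enabled>false</enabled> turns it off."""
    jaspic = _parse(config_xml).find(".//jaspic")
    if jaspic is None:
        return True, set()
    enabled = (jaspic.findtext("enabled") or "true").strip().lower() != "false"
    names = {(n.text or "").strip() for n in jaspic.findall("auth-config-provider/name")}
    return enabled, names - {""}


def provider_from_plan(plan_xml):
    """Resolve the provider assigned to the jaspic-provider xpath via the plan's variables."""
    root = _parse(plan_xml)
    variables = {(v.findtext("name") or "").strip(): (v.findtext("value") or "").strip()
                 for v in root.findall(".//variable")}
    for va in root.findall(".//variable-assignment"):
        if (va.findtext("xpath") or "").strip() == JASPIC_XPATH:
            return variables.get((va.findtext("name") or "").strip()) or None
    return None


def provider_from_descriptor(weblogic_xml):
    """Read jaspic-provider from weblogic.xml: name as element text, or (assumed
    alternative form, matching the plan xpath) inside <auth-config-provider-name>."""
    jp = _parse(weblogic_xml).find("jaspic-provider")
    if jp is None:
        return None
    return (jp.findtext("auth-config-provider-name") or jp.text or "").strip() or None


def audit(config_xml, apps):
    """apps: {name: {"plan": xml, "weblogic_xml": xml}} -> {name: (status, provider)}.
    A plan assignment takes precedence over weblogic.xml when both name a provider."""
    enabled, providers = domain_jaspic(config_xml)
    report = {}
    for app, src in apps.items():
        name = provider_from_plan(src["plan"]) if src.get("plan") else None
        if name is None and src.get("weblogic_xml"):
            name = provider_from_descriptor(src["weblogic_xml"])
        if name is None:
            status = "wls-default"        # WebLogic's own mechanism authenticates
        elif not enabled:
            status = "domain-disabled"    # app setting ignored: domain switch is off
        elif name not in providers:
            status = "missing-provider"   # app names a provider the domain never created
        else:
            status = "jaspic"             # the configured SAM authenticates
        report[app] = (status, name)
    return report


def run_sample():
    """Run the audit over the constructed documents above."""
    return audit(CONFIG_XML, {
        "planned-app": {"plan": PLAN_XML},
        "descriptor-app": {"weblogic_xml": WEBLOGIC_XML},
        "plain-app": {},
    })
```

Against a real domain, read config.xml and each application's plan.xml and weblogic.xml from disk and pass their text to audit(). A "missing-provider" or "domain-disabled" result means the application is being authenticated by the WebLogic default mechanism even though its descriptor or plan says otherwise, which is exactly the situation the warning at the top of this chapter is about.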
Configuring Jakarta Authentication for a Domain
You can configure Jakarta Authentication (formerly JASPIC) for a domain using WebLogic Remote Console and WLST.
By default, Jakarta Authentication is enabled for a domain.
If you disable Jakarta Authentication for a domain, then Jakarta Authentication is disabled for all Web applications in that domain, regardless of their configuration.
To configure Jakarta Authentication for a domain:
- In WebLogic Remote Console, open the Edit Tree and go to Environment, then Domain.
- On the Security tab, click Show Advanced Fields.
- Turn on the JASPIC Enabled option.
- Click Save and commit your changes.
- Using WLST, configure Authentication Configuration providers. See Configuring Jakarta Authentication Using WLST.
After you configure Jakarta Authentication properties for the domain, you can specify which Authentication Configuration provider applies to a specific Web application. See Configure Web Applications for JASPIC in Oracle WebLogic Remote Console Online Help.
Configuring Jakarta Authentication Using WLST
You can use WLST to configure Jakarta Authentication for a domain and to perform tasks such as creating a WebLogic Server Authentication Configuration Provider or a custom Authentication Configuration Provider, listing all WebLogic Server and custom Authentication Configuration Providers, and enabling or disabling Jakarta Authentication for the domain.
For information about using WLST, see Understanding the WebLogic Scripting Tool.
This section requires you to configure the following MBeans using WLST:
See MBean Reference for Oracle WebLogic Server for additional MBean information.
Creating a WLS Authentication Configuration Provider
Example 42-1 creates a WLS Authentication Configuration Provider, sets the class name of the SAM, and sets a configuration property.
After you run this example, restart WebLogic Server.
Example 42-1 Create a WLS Authentication Configuration Provider
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
# java.util.Properties holds the SAM's configuration properties
from java.util import Properties
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
wacp = jaspic.createWLSAuthConfigProvider('wacp')
am = wacp.getAuthModule()
am.setClassName('com.my.auth.module.Classname')
props = Properties()
props.setProperty('property', 'value')
am.setProperties(props)
save()
activate()
Creating a Custom Authentication Configuration Provider
Example 42-2 creates a custom Authentication Configuration Provider, sets the class name of this Authentication Configuration Provider, and sets a configuration property.
After you run this example, restart WebLogic Server.
Example 42-2 Create a Custom Authentication Configuration Provider
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
# java.util.Properties holds the provider's configuration properties
from java.util import Properties
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
acp = jaspic.createCustomAuthConfigProvider('cacp')
acp.setClassName('com.my.acp.Classname')
props = Properties()
props.setProperty('property', 'value')
acp.setProperties(props)
save()
activate()
Listing All WLS and Custom Authentication Configuration Providers
Example 42-3 shows how to list all Authentication Configuration Providers for a domain.
Example 42-3 List All Authentication Configuration Providers
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
jaspic.getAuthConfigProviders()
Enabling Jakarta Authentication for a Domain
Example 42-4 shows how to enable Jakarta Authentication for a domain.
After you run this example, restart WebLogic Server.
Example 42-4 Enable Jakarta Authentication for a Domain
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
jaspic.setEnabled(true)
save()
activate()
Disabling Jakarta Authentication for a Domain
Example 42-5 shows how to disable Jakarta Authentication for a domain.
After you run this example, restart WebLogic Server.
Example 42-5 Disable Jakarta Authentication for a Domain
connect('','','t3://host:port')
Please enter your username :
Please enter your password :
...
edit()
startEdit()
cd('SecurityConfiguration')
cd('mydomain')
jaspic = cmo.getJASPIC()
jaspic.setEnabled(false)
save()
activate()