Saturday, February 14, 2015

WebLogic Identity Asserter and Authorization Provider in one!

When trying to create a Custom Identity Asserter AND Authorization Provider MBean for WebLogic, I ran into some trouble. After following all of the examples, I was unable to get my MBean to behave as both!

While trying to find solutions, my googleFu turned up a few leads that left me feeling like it could not be done.

http://www.ateam-oracle.com/why-do-i-need-an-authenticator-when-i-have-an-identity-asserter/

https://community.oracle.com/thread/796040


The problem I had was that if my MDF file extended IdentityAsserter, it would not contain a 'getControlFlag' method whose value I could pass to the LoginModule.

I found this great example at http://danielveselka.blogspot.com/2011/10/weblogic-custom-identity-asserter.html. The only problem?  He skirts around the same issue by manually assigning a constant value to the controlFlag that gets passed to the AppConfigurationEntry in the getConfiguration() method.  

    public void initialize(ProviderMBean mbean, SecurityServices services)
    {
      System.out.println("SimpleSampleIdentityAsserterProviderImpl.initialize");
      SimpleSampleIdentityAsserterMBean myMBean = (SimpleSampleIdentityAsserterMBean)mbean;
      description = myMBean.getDescription() + "\n" + myMBean.getVersion();

      controlFlag = LoginModuleControlFlag.SUFFICIENT;
      ...
    }

    private AppConfigurationEntry getConfiguration(HashMap options)
    {
      System.out.println("SimpleSampleIdentityAsserterProviderImpl: getConfiguration");
      // make sure to specify the simple sample authenticator's login module
      // and to use the control flag from the simple sample authenticator's mbean.
      return new
        AppConfigurationEntry(
          "examples.security.providers.authentication.simple.SimpleSampleLoginModuleImpl",
          controlFlag,
          options
        );
    }



In that example, he has the following in the MDF. If I had this, my MBean would not build with the getControlFlag() method.
 Extends       = "weblogic.management.security.authentication.IdentityAsserter"

If I extended the Authenticator, my assertIdentity() methods from the IdentityAsserter would never get called, but I WOULD have the getControlFlag() method.
 Extends       = "weblogic.management.security.authentication.Authenticator"

Turns out this is an easy fix.  There is an attribute value for Implements in the MDF Element Syntax. Having an MBeanType similar to the following solved my problem!

<MBeanType
 Name          = "SimpleSampleIdentityAsserter"
 DisplayName   = "SimpleSampleIdentityAsserter"
 Package       = "examples.security.providers.identityassertion.simple"
 Extends       = "weblogic.management.security.authentication.IdentityAsserter"
 Implements    = "weblogic.management.security.authentication.Authenticator"
 PersistPolicy = "OnUpdate"
>


This allows it to implement all the features of both, but be a single entry that you can add to your weblogic security realm.
