April 1, 2015

How to implement Web Application Basic Authentication in Weblogic

This post shows how to set up HTTP Basic Authentication in WebLogic. It assumes basic knowledge of JEE. You only need to configure a group and a user in the WebLogic Admin console, then modify the web.xml and weblogic.xml files in the WEB-INF folder. That's it: the application resources matched by your URL pattern are then protected by Basic authentication.

Let's perform the two activities: WebLogic configuration and web application configuration.

Weblogic Configuration
(You may use existing users and groups and skip to the next activity.)
Use the following steps:
    1. Log in to the WebLogic Admin console and go to Security Realms > [myrealm] > Users and Groups (tab)
    2. Select the Groups tab in the second tab row
    3. Click the New button
    4. Fill in the required fields (Name: testGroup, etc.) and click OK to create the group. (Keep DefaultAuthenticator as the provider)
    5. Similarly, create the user test by clicking the New button on the Users tab. (Keep DefaultAuthenticator as the provider)
    6. Now associate the user test with the newly created group testGroup. Go to the user list on the Users tab.
    7. Click the newly created user test
    8. Click the Groups tab
    9. Select testGroup, move it to the Chosen list and click Save to complete the steps.
Web Application Configuration
    • In web.xml

<security-constraint>
   <web-resource-collection>
      <web-resource-name>Secure Page</web-resource-name>
      <url-pattern>/securepages/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>xAdmin</role-name>
   </auth-constraint>
</security-constraint>
 
<login-config>
   <auth-method>BASIC</auth-method>
   <realm-name>default</realm-name>
</login-config>
 
<security-role>
    <role-name>xAdmin</role-name>
</security-role>

    
      • The security-constraint tag names the resources (web-resource-name and one or more url-pattern elements) and, through auth-constraint, the role allowed to reach them. Here the constraint is named Secure Page and covers every page under the /securepages path of the context. The role name is arbitrary: it is only an identifier inside the application and has nothing to do with the WebLogic group created above. The mapping to an actual WebLogic group or user is done later, in weblogic.xml.
      • The login-config tag selects the authentication method, i.e. how the login prompt appears. Here it is BASIC; for a custom login page you would use FORM instead. Note that realm-name does not select a WebLogic security realm: for BASIC it is only the label the server sends in its WWW-Authenticate challenge and that the browser shows in the login dialog. WebLogic always authenticates against the domain's active security realm (myrealm by default), which you select in the Admin console, whatever value you put here.
      • The role used in auth-constraint must also be declared in web.xml. That is what the security-role tag is for.
    • In weblogic.xml

<security-role-assignment>
   <role-name>xAdmin</role-name>
   <principal-name>testGroup</principal-name>
</security-role-assignment>



      • weblogic.xml also lives in the WEB-INF directory. We have defined the resources to be secured, the role that can access them, the BASIC authentication method and the role declaration; the only part left is to map the declared role to a WebLogic group or individual user. That is done with security-role-assignment: the declared role goes in role-name and the WebLogic group (or user) name in principal-name. A principal-name that matches no group or user in the realm means nobody satisfies the role and every request is rejected, so check the spelling against the Admin console.
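The three pieces above (auth-constraint role, security-role declaration, security-role-assignment mapping) must agree by exact name, and nothing in the post forces TLS for the Basic credentials. The following Python script is an added example, not code from the original post: it parses a web.xml and weblogic.xml pair (the post's own snippets are embedded as constructed sample input, plus a hardened variant that adds a transport-guarantee) and reports undeclared roles, unmapped roles, stale mappings, constraints without auth-constraint, and constraints that do not require CONFIDENTIAL transport. The finding codes and the HARDENED_WEB_XML name are this example's own.

```python
"""Consistency check for the web.xml / weblogic.xml pair described above.

Added example (not from the original post): parses both descriptors and
reports the mistakes that leave an application "secured" on paper only.
Works on namespaced descriptors too, since it matches on local tag names.
"""
import xml.etree.ElementTree as ET

# Constructed sample input: the two snippets shown in the post, as complete files.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Page</web-resource-name>
      <url-pattern>/securepages/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>xAdmin</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>
  <security-role>
    <role-name>xAdmin</role-name>
  </security-role>
</web-app>
"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>xAdmin</role-name>
    <principal-name>testGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""

# Hardened variant (assumption of this example): same constraint plus a
# transport guarantee, so the Basic credentials can only travel over TLS.
HARDENED_WEB_XML = WEB_XML.replace(
    "  </security-constraint>",
    "    <user-data-constraint>\n"
    "      <transport-guarantee>CONFIDENTIAL</transport-guarantee>\n"
    "    </user-data-constraint>\n"
    "  </security-constraint>")


def _local(tag):
    """Strip a namespace prefix such as {http://...}role-name."""
    return tag.rsplit("}", 1)[-1]


def _find_all(element, name):
    return [e for e in element.iter() if _local(e.tag) == name]


def _texts(element, name):
    return [e.text.strip() for e in _find_all(element, name) if e.text]


def check_descriptors(web_xml, weblogic_xml):
    """Return a list of (code, message) findings; an empty list means consistent."""
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)
    findings = []

    declared = set()
    for sr in _find_all(web, "security-role"):
        declared.update(_texts(sr, "role-name"))

    mapped = {}  # role -> principal names assigned in weblogic.xml
    for sra in _find_all(wl, "security-role-assignment"):
        for role in _texts(sra, "role-name"):
            mapped.setdefault(role, []).extend(_texts(sra, "principal-name"))

    for sc in _find_all(web, "security-constraint"):
        where = ", ".join(_texts(sc, "url-pattern"))
        auth = _find_all(sc, "auth-constraint")
        if not auth:  # no auth-constraint at all means no login is required
            findings.append(("NO_AUTH_CONSTRAINT",
                             f"{where}: no auth-constraint, so the constraint requires no login"))
        for role in (r for a in auth for r in _texts(a, "role-name")):
            if role not in declared:
                findings.append(("UNDECLARED_ROLE",
                                 f"{where}: role '{role}' used in auth-constraint is not declared in security-role"))
        if "CONFIDENTIAL" not in _texts(sc, "transport-guarantee"):
            findings.append(("NO_TLS",
                             f"{where}: no transport-guarantee CONFIDENTIAL; BASIC only base64-encodes the password"))

    for role in sorted(declared):
        if not mapped.get(role):
            findings.append(("UNMAPPED_ROLE",
                             f"role '{role}' has no security-role-assignment in weblogic.xml"))
    for role in sorted(mapped):
        if role not in declared:
            findings.append(("STALE_MAPPING",
                             f"weblogic.xml maps role '{role}' to {mapped[role]} but web.xml never declares it"))
    return findings


if __name__ == "__main__":
    for label, wx in (("as posted", WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label)
        for code, msg in check_descriptors(wx, WEBLOGIC_XML) or [("OK", "consistent")]:
            print(f"  [{code}] {msg}")
```

Run it against the descriptors extracted from a WAR before deploying; the "as posted" pair yields only the NO_TLS finding, and a role name that differs by case between the two files shows up as one UNMAPPED_ROLE plus one STALE_MAPPING.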

Now, after performing all the above activities, Basic authentication is up and running. You can test it by opening the secure page in a browser: the first request gets a 401 response carrying a WWW-Authenticate: Basic challenge, the browser prompts for the credentials of the test user, and every following request to the protected path carries them in the Authorization header.

Note: The above steps set up Basic authentication; the browser provides the login window, and that window cannot be customized. If you want a custom login page, refer to Form Authentication. Also keep in mind that BASIC only base64-encodes the username and password, and sends them with every request, so expose the application over HTTPS only (a user-data-constraint with transport-guarantee CONFIDENTIAL inside the security-constraint forces this); over plain HTTP anyone on the network path can read the credentials.
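To see what the browser prompt actually does on the wire, here is an added example (not from the original post) in Python. It spins up a constructed stand-in for the protected /securepages/ resource, not WebLogic, that answers a 401 with the WWW-Authenticate challenge and then checks the Authorization header; the client side plays the anonymous, wrong-password and valid requests a tester would make, and decode_authorization() shows that the header is recoverable by anyone who can read the traffic. The password "welcome1" and the function names are this example's own assumptions; once the descriptors are deployed, point fetch() at the real host and port.

```python
"""The HTTP Basic exchange behind the browser prompt, played against a local stand-in.

Added example, not from the post: a minimal HTTP server that behaves like a
BASIC-protected /securepages/ resource (401 plus WWW-Authenticate challenge,
then checks the Authorization header). It is a constructed stand-in, not
WebLogic; once the descriptors are deployed, point fetch() at the real host.
"""
import base64
import hmac
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "default"                    # realm-name from login-config, echoed in the challenge
VALID_USERS = {"test": "welcome1"}   # constructed: the post's test user; the password is an assumption


class BasicAuthHandler(BaseHTTPRequestHandler):
    """Serves /securepages/* only to requests carrying valid Basic credentials."""

    def do_GET(self):
        if not self.path.startswith("/securepages/"):
            self._reply(200, b"public page")
        elif self._credentials_ok(self.headers.get("Authorization", "")):
            self._reply(200, b"secure page")
        else:
            # challenge: this is what makes the browser show its login window
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def _credentials_ok(self, header):
        scheme, _, token = header.partition(" ")
        if scheme.lower() != "basic" or not token:
            return False
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return False
        user, _, password = decoded.partition(":")
        expected = VALID_USERS.get(user, "")
        # constant-time compare so a wrong password is not distinguishable by timing
        return user in VALID_USERS and hmac.compare_digest(expected.encode(), password.encode())

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the stand-in quiet
        pass


def start_stub():
    """Bind the stand-in to a free loopback port and serve it on a background thread."""
    server = HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def basic_authorization(user, password):
    """Build the header value a browser sends after the prompt: base64, not encryption."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def decode_authorization(header):
    """Recover user:password from a Basic header, as anyone sniffing plain HTTP could."""
    return base64.b64decode(header.split(" ", 1)[1]).decode("utf-8")


def fetch(host, port, path, authorization=None):
    """GET path; return (status, WWW-Authenticate header or None)."""
    headers = {"Authorization": authorization} if authorization else {}
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()


def run_exchange():
    """Play the requests a tester would make; return their results keyed by case."""
    server = start_stub()
    host, port = server.server_address
    try:
        return {
            "anonymous": fetch(host, port, "/securepages/index.html"),
            "wrong_password": fetch(host, port, "/securepages/index.html",
                                    basic_authorization("test", "wrong")),
            "valid": fetch(host, port, "/securepages/index.html",
                           basic_authorization("test", "welcome1")),
            "public": fetch(host, port, "/index.html"),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for case, (status, challenge) in run_exchange().items():
        print(f"{case:15} HTTP {status}  challenge={challenge}")
    print("sniffed header decodes to:", decode_authorization(basic_authorization("test", "welcome1")))
```

The same four requests against the real deployment (with curl -u or a browser) should behave identically: 401 with the challenge for anonymous and wrong-password requests, 200 for the test user, and no challenge on paths outside the url-pattern.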


Script to automate the updates of web.xml and weblogic.xml

Use this script to automate the update of web.xml and weblogic.xml inside any WAR file. Note what it hard-codes: it protects every URL of the application (url-pattern /*), it sets the context-root to BanksESB_<name>, and it maps the role to a WebLogic group with the same name as the role, so that group must exist in the realm. It relies on GNU sed (-i) and the JDK jar tool, and keeps a copy of the original WAR as <war>.original.
#!/bin/bash
# Add a BASIC-auth security-constraint to WEB-INF/web.xml and write a
# WEB-INF/weblogic.xml that maps the role to a WebLogic group of the same name.
# Usage: ./secure-war.sh -f app.war -n <ws_name> -r <role_name>
set -euo pipefail

usage() { echo "usage: $0 -f war_file -n ws_name -r role_name" >&2; exit 1; }

war_file=
ws_name=
ROLE_NAME=

while getopts f:n:r: option
do
  case "${option}" in
    f) war_file=${OPTARG};;
    n) ws_name=${OPTARG};;
    r) ROLE_NAME=${OPTARG};;
    *) usage;;
  esac
done
[ -n "$war_file" ] && [ -n "$ws_name" ] && [ -n "$ROLE_NAME" ] || usage

# The role name is spliced into XML; refuse anything that could break the markup.
case "$ROLE_NAME" in
  *[!A-Za-z0-9_.-]*) echo "role name may only contain letters, digits, '_', '.' or '-'" >&2; exit 1;;
esac

# jar runs from the scratch directory, so it needs an absolute path to the WAR.
case "$war_file" in /*) war_path=$war_file;; *) war_path=$PWD/$war_file;; esac
cp "$war_path" "$war_path.original"

# Unpack only the descriptor into a scratch directory; nothing else in the WAR is touched.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
(cd "$work" && jar xf "$war_path" WEB-INF/web.xml)
[ -f "$work/WEB-INF/web.xml" ] || { echo "no WEB-INF/web.xml in $war_file" >&2; exit 1; }

# Drop the closing tag, append the security blocks, then close the document again.
sed -i 's#</web-app>##' "$work/WEB-INF/web.xml"
cat >> "$work/WEB-INF/web.xml" <<EOF
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured-Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>$ROLE_NAME</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
  </login-config>

  <security-role>
    <role-name>$ROLE_NAME</role-name>
  </security-role>
</web-app>
EOF

# Replace weblogic.xml: context root plus the role-to-group mapping.
cat > "$work/WEB-INF/weblogic.xml" <<EOF
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/weblogic-web-app">
  <context-root>BanksESB_$ws_name</context-root>
  <security-role-assignment>
    <role-name>$ROLE_NAME</role-name>
    <principal-name>$ROLE_NAME</principal-name>
  </security-role-assignment>
</weblogic-web-app>
EOF

# Update just the two descriptors in place; every other entry of the WAR is preserved.
jar uf "$war_path" -C "$work" WEB-INF/web.xml -C "$work" WEB-INF/weblogic.xml
echo "updated $war_file (original kept as $war_file.original)"
