Security

WebLogic SQLAuthenticator Demo With FormBased Authentication

Hi,

Jay SenSharma

Thanks to Sanjay for asking a very good query. This post is in response to Sanjay’s comment on the SQLAuthenticator article (http://middlewaremagic.com/weblogic/?p=2034#comment-2838) about using it with Form Based Authentication.

Here we are going to see a very simple example of Form Based Authentication. In this case we will not use WebLogic’s default Authenticator provider; instead we will create a separate SQL Authenticator provider inside the Security Realm and insert some user information into the database, so that we can validate database users with our Form Based Authentication technique.

Step1). Create the following tables “USERS”, “GROUPS” and “GROUPMEMBERS” with exactly the data definition given below:

CREATE TABLE USERS (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000));

ALTER TABLE USERS
   ADD CONSTRAINT PK_USERS
   PRIMARY KEY (U_NAME);

CREATE TABLE GROUPS (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000) NULL);

ALTER TABLE GROUPS
   ADD CONSTRAINT PK_GROUPS
   PRIMARY KEY (G_NAME);

CREATE TABLE GROUPMEMBERS (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL);

ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT PK_GROUPMEMS
   PRIMARY KEY (
      G_NAME,
      G_MEMBER
   );

ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT FK1_GROUPMEMBERS
   FOREIGN KEY ( G_NAME )
   REFERENCES GROUPS (G_NAME)
   ON DELETE CASCADE;

Step2). Insert the following records in the Above Tables.


insert into USERS  values('weblogic','weblogic','This is an Admin User with username weblogic, password weblogic');

insert into GROUPS values('Administrators','This is an Administrators Group');

insert into GROUPMEMBERS values('Administrators','weblogic');

Step3). Create a DataSource pointing at whichever database you want to use. I created a simple DataSource like the following (“$DOMAIN_HOME/config/jdbc/SQLAuthDS-8981-jdbc.xml”):

<?xml version='1.0' encoding='UTF-8'?>
<jdbc-data-source xmlns="http://www.bea.com/ns/weblogic/jdbc-data-source" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/jdbc-data-source http://www.bea.com/ns/weblogic/jdbc-data-source/1.0/jdbc-data-source.xsd">
  <name>SQLAuthDS</name>
  <jdbc-driver-params>
    <url>jdbc:oracle:thin:@10.65.209.158:1521:xe</url>
    <driver-name>oracle.jdbc.OracleDriver</driver-name>
    <properties>
      <property>
        <name>user</name>
        <value>SYSTEM</value>
      </property>
    </properties>
    <password-encrypted>{3DES}sUnlI08xXhw=</password-encrypted>
  </jdbc-driver-params>
  <jdbc-connection-pool-params>
    <test-table-name>SQL SELECT 1 FROM DUAL</test-table-name>
  </jdbc-connection-pool-params>
  <jdbc-data-source-params>
    <jndi-name>SQLAuthDS_Jndi</jndi-name>
    <global-transactions-protocol>OnePhaseCommit</global-transactions-protocol>
  </jdbc-data-source-params>
</jdbc-data-source>

And inside your “config.xml” file you will see a DataSource file entry like the following:

  <jdbc-system-resource>
    <name>SQLAuthDS</name>
    <target>AdminServer</target>
    <descriptor-file-name>jdbc/SQLAuthDS-8981-jdbc.xml</descriptor-file-name>
  </jdbc-system-resource>

Step4). Now log in to the Admin Console and create the SQL Authenticator provider like the following:

Home -> Summary of Security Realms -> myrealm -> Providers (Tab) -> click the “New” button
Provider Name: MySQLAuthenticatorProvider
Provider Type: SQL Authenticator

[Screenshot: SQL_Auth_Provider_One]

Now click on your provider name “MySQLAuthenticatorProvider”, go to the “Provider Specific” tab and set the following values:
Plaintext Passwords Enabled (check this check box; it tells the provider that the U_PASSWORD column holds plaintext values, which is how the records above were inserted)
Data Source Name: SQLAuthDS
Group Membership Searching: unlimited

Leave the rest of the settings at their defaults.

[Screenshot: SQL_Auth_Provider_Second]

Step5). Now go to the Security Realm and do the following:
Home -> Summary of Security Realms -> myrealm -> Providers -> DefaultAuthenticator (click), then change its “Control Flag” to “OPTIONAL”.
Save the above changes.

Step6). Now again go to the Security Realm and do the following:
Home -> Summary of Security Realms -> myrealm -> Providers -> MySQLAuthenticatorProvider (click), then change its “Control Flag” to “REQUIRED”.
Save the above changes.

Step7). Now restart your server so that the changes take effect (make sure that the database is running).

====================Form Based Authentication Below======================

Step8). Now insert some more records into the database:

insert into USERS  values('testuser','testpassword','This is an testuser User with username testuser, password testpassword');

insert into GROUPS values('testgroup','This is an test Group');

insert into GROUPMEMBERS values('testgroup','testuser');

Step9). Now take the Form Based Authentication application from the following post to deploy on the WebLogic Server: http://middlewaremagic.com/weblogic/?p=2034

Step10). Deploy the above application on the server and test it with:
username: testuser
password: testpassword

Thanks
Jay SenSharma


Security Breach And Attack For Java Based Application Servers

Hi,

Jay SenSharma

DISCLAIMER:

In this article we may see some abnormal behaviors of WebLogic. They are not necessarily bugs, but it is always good to be aware of such behavior while using WebLogic. The idea behind this page is simply to make WebLogic admins aware and alert, especially when some of these behaviors are related to WebLogic security.

Some of these behaviors may be due to an inappropriate security implementation in WebLogic’s security system. Even where they work as designed, it is still worth keeping an eye on them and trying to get those features enhanced. Some of them have now been fixed by the application server vendor, but some still need to be fixed or enhanced. The intention here is not to point at the weak points of any application server but solely to make people aware of such strange or uncommon behaviors.

==========================================================================
Any web server or application server running on one of the JVMs listed below is affected by this issue. For example, to hang such a server it is enough to send the following request using any HTTP client, such as JMeter or any other utility that lets you send an HTTP header of your choice.

Once the following HTTP request header reaches a Java based application or web server, the server tries to parse the header and hangs while processing the request:

“GET”,”/”,headers={“Accept-Language”: “en-us;q=2.2250738585072012e-308”}

As a simple demonstration, run the following Java program, which only tries to parse the double value 2.2250738585072012e-308. As soon as you run it you will see the JVM hang, with CPU utilization around 100%. 😉

class HangJVM
{
  public static void main(String[] args)
  {
    System.out.println("Test:");
    // On the affected JVMs listed below this call never returns: the
    // decimal-to-binary conversion loops forever and pins a CPU core.
    double d = Double.parseDouble("2.2250738585072012e-308");
    System.out.println("Value: " + d);
  }
}
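As an added example that is not part of the original post, the following Python validator takes the defender’s side of the same problem: it checks every q-value in an Accept-Language header against the RFC 2616 qvalue grammar (at most three decimals, no exponent, never above 1), so a request filter enforcing it never hands a form like the one above to a float parser. The header values are constructed samples and the function names are the author’s own.

```python
import re

# RFC 2616 qvalue grammar: ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] ).
# Exponents, more than three decimals, or values above 1 are malformed.
QVALUE_RE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")


def parse_accept_language(header):
    """Split an Accept-Language value into (language-range, q-value string) pairs.

    A missing q parameter defaults to "1", as the RFC specifies. The q-value is
    kept as a string on purpose: nothing here converts it to a float.
    """
    entries = []
    for element in header.split(","):
        element = element.strip()
        if not element:
            continue
        lang_range, _, params = element.partition(";")
        qvalue = "1"
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                qvalue = value.strip()
        entries.append((lang_range.strip(), qvalue))
    return entries


def malformed_qvalues(header):
    """Return the q-values in the header that violate the RFC grammar."""
    return [q for _, q in parse_accept_language(header) if not QVALUE_RE.match(q)]


# Constructed sample header values: two well-formed, one carrying the
# exponent form shown in the post.
SAMPLE_HEADERS = [
    "en-US,en;q=0.8,fr;q=0.5",
    "de",
    "en-us;q=2.2250738585072012e-308",
]


def flag_requests(headers):
    """Return the indices of headers a filter should reject before any parsing."""
    return [i for i, h in enumerate(headers) if malformed_qvalues(h)]


if __name__ == "__main__":
    for i in flag_requests(SAMPLE_HEADERS):
        print("reject:", SAMPLE_HEADERS[i], "->", malformed_qvalues(SAMPLE_HEADERS[i]))
```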

The affected JVMs are as follows:
Java SE
JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
JDK 5.0 Update 27 and earlier for Solaris 9
SDK 1.4.2_29 and earlier for Solaris 8

Java for Business
JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux

Save your JVM and your application server from this attack, or contact your support. 😉

Alternatively, get a fix from Support which updates the “rt.jar” of the JVM. The fix details are available at the following link: http://middlewaremagic.com/weblogic/?p=5393#comment-2821

Also, regarding the “Oracle Security Alert for CVE-2010-4476”, you can get the temporary security patches for this issue from the following link: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Thanks
Jay SenSharma


Deleting Users And Groups Using WLST NonStop

Ravish Mody

Here is a simple example of a WLST script which allows us to delete users and groups. It is similar to the WLST script which Jay had created for Creating Users And Groups Using WLST NonStop, however here we are just deleting the same users and groups. Doing the same thing from the Admin Console is very time consuming; the following WLST script is just an example, but it does the same work in one go.

The best thing here is that the administrator only needs to edit the properties file with the user and group details; the rest is taken care of by the WLST script. The administrator only has to change the iteration counts of the “while” loops in the WLST script according to the number of WebLogic users and WebLogic groups.

Steps to Deleting Users And Groups Using WLST

Step1). Create a directory somewhere in your file system, for example “C:\WLST_MultiDomain_DS”.

Step2). Write a properties file “details.properties” inside “C:\WLST_MultiDomain_DS” like the following:

domain.name=Domain_8001
admin.url=t3://localhost:8001
admin.userName=weblogic
admin.password=weblogic
security.realmName=myrealm

total.groups=2
total.username=3

delete.group.name.1=GroupOne
delete.group.name.2=GroupTwo

delete.user.name.1=TestUserOne
delete.user.name.2=TestUserTwo
delete.user.name.3=TestUserThree

NOTE: The “delete.group.name.1.members” Entries must end with a COMMA (,)

Step3). Write the WLST script “delete_users_groups.py” inside the “C:\WLST_MultiDomain_DS” directory.

#############################################################################
#
# @author Copyright (c) 2010 - 2011 by Middleware Magic, All Rights Reserved.
#
#############################################################################

from java.io import FileInputStream
from java.util import Properties

# Read the connection details and the names to delete from the properties file
propInputStream = FileInputStream("details.properties")
configProps = Properties()
configProps.load(propInputStream)
propInputStream.close()

domainName=configProps.get("domain.name")
adminURL=configProps.get("admin.url")
adminUserName=configProps.get("admin.userName")
adminPassword=configProps.get("admin.password")
realmName=configProps.get("security.realmName")

totalGroups_to_Delete=configProps.get("total.groups")
totalUsers_to_Delete=configProps.get("total.username")

connect(adminUserName, adminPassword, adminURL)
serverConfig()
# Users and groups are managed through the realm's DefaultAuthenticator MBean
authenticatorPath= '/SecurityConfiguration/' + domainName + '/Realms/' + realmName + '/AuthenticationProviders/DefaultAuthenticator'
print authenticatorPath
cd(authenticatorPath)

print 'Deleting Groups . . .'

i=1
while (i <= int(totalGroups_to_Delete)) :
    groupName = configProps.get("delete.group.name."+ str(i))
    try:
        cmo.removeGroup(groupName)
        print '-----------Group Deleted With Name : ' , groupName
    except:
        # removeGroup raises an exception when no group of that name exists
        print '*************** CANNOT DELETE !!! Check If The Group With the Name : ' , groupName ,' Exists or NOT...'
    i = i + 1
print ' '
print ' '

print 'Deleting Users . . .'
x=1
while (x <= int(totalUsers_to_Delete)):
    userName = configProps.get("delete.user.name."+ str(x))
    try:
        cmo.removeUser(userName)
        print '-----------User Deleted With Name : ' , userName
    except:
        # removeUser raises an exception when no user of that name exists
        print '*************** CANNOT DELETE !!! Check If the User With the Name : ' , userName ,' Exists or NOT...'
    x = x + 1
print ' '
print ' '

Step4). Set the WebLogic environment by sourcing “setWLSEnv.sh” with two DOTs separated by a single space before the script name (use the ‘cd’ command to move inside <BEA_HOME>/wlserver_10.3/server/bin, then run the following command):
.  ./setWLSEnv.sh

Note: the first DOT means that the environment is set in the current shell, and the second “./” means execute the script from the current directory.

Step5). Now run the WLST script like the following:

java weblogic.WLST delete_users_groups.py

Following would be the output:

C:\WLST_MultiDomain_DS>java weblogic.WLST delete_users_groups.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:8001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_8001'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

Already in Config Runtime

/SecurityConfiguration/Domain_8001/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator
Deleting Groups . . .
-----------Group Deleted With Name :  GroupOne
-----------Group Deleted With Name :  GroupTwo

Deleting Users . . .
-----------User Deleted With Name :  TestUserOne
-----------User Deleted With Name :  TestUserTwo
-----------User Deleted With Name :  TestUserThree

If the groups or users do not exist, the following output is seen:

java weblogic.WLST delete_users_groups.py

Initializing WebLogic Scripting Tool (WLST) ...

Welcome to WebLogic Server Administration Scripting Shell

Type help() for help on available commands

Connecting to t3://localhost:8001 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'Domain_8001'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

Already in Config Runtime

/SecurityConfiguration/Domain_8001/Realms/myrealm/AuthenticationProviders/DefaultAuthenticator
Deleting Groups . . .
*************** CANNOT DELETE !!! Check If The Group With the Name :  GroupOne  Exists or NOT...
*************** CANNOT DELETE !!! Check If The Group With the Name :  GroupTwo  Exists or NOT...

Deleting Users . . .
*************** CANNOT DELETE !!! Check If the User With the Name :  TestUserOne  Exists or NOT...
*************** CANNOT DELETE !!! Check If the User With the Name :  TestUserTwo  Exists or NOT...
*************** CANNOT DELETE !!! Check If the User With the Name :  TestUserThree  Exists or NOT...
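Because the script above deletes whatever the properties file names, a pre-flight check of “details.properties” is worth running before connecting. The following is an added example (plain Python 3, not WLST, and not part of the original post): it reads the key names used above, verifies that every index the loops will read is present, and refuses a file that would delete the connecting admin user or one of WebLogic’s built-in groups. The properties text is a constructed copy of the sample above and the function names are hypothetical.

```python
# Constructed copy of the details.properties shown in the post.
SAMPLE_PROPERTIES = """\
domain.name=Domain_8001
admin.url=t3://localhost:8001
admin.userName=weblogic
admin.password=weblogic
security.realmName=myrealm
total.groups=2
total.username=3
delete.group.name.1=GroupOne
delete.group.name.2=GroupTwo
delete.user.name.1=TestUserOne
delete.user.name.2=TestUserTwo
delete.user.name.3=TestUserThree
"""

# Built-in WebLogic groups whose removal would lock administrators out.
PROTECTED_GROUPS = {"Administrators", "Deployers", "Operators", "Monitors"}


def load_properties(text):
    """Minimal java.util.Properties reader: key=value lines, # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def preflight(props):
    """Return a list of problems; an empty list means the file is safe to run."""
    problems = []
    for prefix, total_key in (("delete.group.name.", "total.groups"),
                              ("delete.user.name.", "total.username")):
        try:
            total = int(props.get(total_key, ""))
        except ValueError:
            problems.append("%s missing or not an integer" % total_key)
            continue
        for i in range(1, total + 1):  # every index the WLST loop will read
            if not props.get(prefix + str(i)):
                problems.append("missing %s%d" % (prefix, i))
    users = {v for k, v in props.items() if k.startswith("delete.user.name.")}
    groups = {v for k, v in props.items() if k.startswith("delete.group.name.")}
    if props.get("admin.userName") in users:
        problems.append("refusing to delete the connecting admin user")
    for g in sorted(groups & PROTECTED_GROUPS):
        problems.append("refusing to delete built-in group %s" % g)
    return problems
```

Run `preflight(load_properties(open("details.properties").read()))` and only start the WLST script when it returns an empty list.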


Regards,

Ravish Mody


Copyright © 2010-2012 Middleware Magic. All rights reserved.