Tag: Security

WebLogic FormBased Authentication

Hi,

Jay SenSharma

Here is a simple demonstration of using Form Based Authentication to protect some resources that are part of our application. In this demonstration we have a folder with some name like “protected” inside our application, and we want everything in that directory to be accessible to authenticated users only. In that case we can follow the sample below.

Step1). Start WebLogic Server and create a user with name “testuser” and password “testpassword” in the security realm of the server:
Home—> Security Realms–> myrealm –> Users and Groups(Tab) –> Users (Sub tab)

The username can be “testuser”, but that user must belong to the “admin” group. So in the Admin Console first create a group with name “admin” and then add “testuser” to it.

This demo can be found at:
https://github.com/jaysensharma/MiddlewareMagicDemos/tree/master/WebLogic/Security/FormBasedAuthDemo.war

Step2). We are going to develop a simple web application with security constraints. So first of all create a directory somewhere in your file system.
Example: C:\FormBasedApp

Step3). Now provide a “welcome.jsp” page inside “C:\FormBasedApp”:

<html>
<body>
<center>
<h1> Welcome Page </h1>
<h3><font color=maroon><a href="protected/protected.jsp">Access Protected Resource</a></font></h3>
</center>
</body>
</html>

Step4). Provide a “login.jsp” page inside “C:\FormBasedApp” like the following:

<html>
  <head>
    <title>FormBased Authentication Demo in WebLogic Sample</title>
  </head>
<body bgcolor=maroon text=white>
  <center>
  <h2>Please Enter Your UserName &amp; Password (FormBased Auth Example)</h2>
    <!-- POST keeps j_username/j_password out of the URL, browser history and server access logs -->
    <form method="POST" action="j_security_check">
       <table border="1">
        <tr>
         <td>Username:</td>
         <td><input type="text" name="j_username"></td>
        </tr>

        <tr>
         <td>Password:</td>
         <td><input type="password" name="j_password"></td>
        </tr>

        <tr>
         <td colspan=2 align=right><input type=submit value="Submit"></td>
        </tr>
      </table>
    </form>
</center>
</body>
</html>

Step5). Provide the “failedlogin.html” page inside “C:\FormBasedApp” like the following:

<html>
  <body>
    <center>
      <h1><font color=red>SORRY!!!</font> You are not authorized to access the resources.
      <BR>Please login with valid credentials.</h1>
    </center>
  </body>
</html>

Step6). Create a directory “protected” inside “C:\FormBasedApp” and then develop a secured JSP page inside “C:\FormBasedApp\protected” with some name like “protected.jsp”, as follows:

<html>
  <head></head>
  <body>
   <center>
     <h1> Protected Page </h1>
     <b><font color=maroon>Congratulations!!! Your login is successful... You are able to access the secure page.</font></b><BR>
        __________________________***_________________________
   </center>
  </body>
</html>

Step7). Create a “WEB-INF” directory inside “C:\FormBasedApp” and then provide the “web.xml” file inside “C:\FormBasedApp\WEB-INF” as follows:

<?xml version="1.0"?>
<web-app version="2.5"
         xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

	<welcome-file-list>
		<welcome-file>welcome.jsp</welcome-file>
	</welcome-file-list>

	<security-constraint>
		<display-name>Constraint-0</display-name>
		<web-resource-collection>
			<web-resource-name>Constraint-0</web-resource-name>
			<url-pattern>/protected/*</url-pattern>
		</web-resource-collection>
		<auth-constraint>
			<role-name>admin</role-name>
		</auth-constraint>
		<user-data-constraint>
			<transport-guarantee>NONE</transport-guarantee>
		</user-data-constraint>
	</security-constraint>

	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>myrealm</realm-name>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/failedlogin.html</form-error-page>
		</form-login-config>
	</login-config>

	<security-role>
		<role-name>admin</role-name>
	</security-role>
</web-app>

Step8). Now provide the “weblogic.xml” file inside “C:\FormBasedApp\WEB-INF” as follows:

<?xml version='1.0' encoding='UTF-8'?>
<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <security-role-assignment>
     <role-name>admin</role-name>
     <principal-name>testuser</principal-name>
   </security-role-assignment>
</weblogic-web-app>

Step9). Deploy the “C:\FormBasedApp” application on the server, then hit the URL http://localhost:7001/FormBasedApp/
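Before deploying, a few consistency checks on the two descriptors catch the mistakes that bite in this kind of setup. The following is an added example, not part of the original post or the demo archive: it lints constructed copies of the web.xml and weblogic.xml above against a constructed list of the files in C:\FormBasedApp, verifying that the FORM login and error pages exist, that every role in an auth-constraint is declared and mapped to a principal, and that a constraint that requires login also requires HTTPS (transport-guarantee CONFIDENTIAL) so the credentials and session cookie are not sent in the clear.

```python
import xml.etree.ElementTree as ET
# Constructed descriptors mirroring the demo above. The error page is deliberately
# wrong: Step 5 creates failedlogin.html but this descriptor names failedlogin.jsp.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection><url-pattern>/protected/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method><form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/failedlogin.jsp</form-error-page>
  </form-login-config></login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90">
  <security-role-assignment>
    <role-name>admin</role-name><principal-name>testuser</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""
# Files present in the exploded application directory (constructed list).
APP_FILES = {"welcome.jsp", "login.jsp", "failedlogin.html", "protected/protected.jsp"}

def parse(xml):
    root = ET.fromstring(xml)
    for el in root.iter():  # drop namespaces so elements can be matched by local name
        el.tag = el.tag.split("}")[-1]
    return root

def lint(web_xml, weblogic_xml, app_files):
    """Return a list of findings; an empty list means the descriptors are consistent."""
    web, wl = parse(web_xml), parse(weblogic_xml)
    findings = []
    for tag in ("form-login-page", "form-error-page"):  # FORM pages must exist
        page = web.findtext(f".//{tag}") or ""
        if page.lstrip("/") not in app_files:
            findings.append(f"{tag} {page} is not in the archive")
    declared = {r.text for r in web.findall("security-role/role-name")}
    mapped = {r.text for r in wl.findall("security-role-assignment/role-name")}
    for sc in web.findall("security-constraint"):
        pattern = sc.findtext(".//url-pattern")
        roles = {r.text for r in sc.findall("auth-constraint/role-name")}
        for role in roles - declared:
            findings.append(f"{pattern}: role {role} has no <security-role> in web.xml")
        for role in roles - mapped:
            findings.append(f"{pattern}: role {role} is not mapped to a principal in weblogic.xml")
        if roles and sc.findtext(".//transport-guarantee") != "CONFIDENTIAL":
            findings.append(f"{pattern}: login required but plain HTTP allowed (use CONFIDENTIAL)")
    return findings
```

Run against the constructed input it reports the missing error page and the NONE transport guarantee; with those two corrected it returns an empty list.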

NOTE: Please do not try this sample in Internet Explorer 7; it is better to use Firefox to test this application, because if you enter a wrong username and password, IE7 displays its own 403 error page rather than “failedlogin.html”. The same program works fine in Firefox, so this looks like an IE7 issue.

If you want to work in IE7 only, open IE7 and do the following:

Tools –> Internet Options –> Advanced (Tab). On this page, uncheck the “Show Friendly HTTP Error Messages” checkbox.

Thanks
Jay SenSharma


Securing EJB2.x Stateless Using RunAs

Hi,

Jay SenSharma

Here is a simple demonstration of securing an EJB 2.x stateless session bean using the following tags in “weblogic-ejb-jar.xml”.

The identity under which ejbCreate() runs is resolved in this order:

1. If create-as-principal-name is set, use that principal.
2. Else, if a run-as role has been specified for the bean in ejb-jar.xml, use a principal according to the rules for setting the run-as-role-assignment.
3. Else, run ejbCreate as an anonymous principal.

The create-as-principal-name element only needs to be specified if operations within ejbCreate require more permissions than the anonymous principal would have. This element affects the ejbCreate methods of stateless session beans and message-driven beans.

<security-role-assignment>
<role-name>runAs_role_X</role-name>
<principal-name>jack</principal-name>
</security-role-assignment>
<run-as-role-assignment>
<role-name>runAs_role_X</role-name>
<run-as-principal-name>jack</run-as-principal-name>
</run-as-role-assignment>

Step1). Login to the Admin Console and go to “Security Realms” –> myrealm –> Users and Groups.

Here create a user with name = “jack” and password =”password”

Step2). Develop the Home interface of our EJB, “IRemoteHome.java”:


package runassample;
import java.rmi.RemoteException;
import javax.ejb.CreateException;
import javax.ejb.EJBHome;
public interface IRemoteHome extends EJBHome {
public ITestRemote create() throws CreateException, RemoteException;
}

Step3). Now develop the Remote interface, “ITestRemote.java”:


package runassample;
import java.rmi.Remote;
import java.rmi.RemoteException;
import javax.ejb.EJBObject;
public interface ITestRemote extends EJBObject{
public String display(String name,String password) throws RemoteException;
public String SayHello(String hell) throws RemoteException;
}

Step4). Now develop the stateless bean class, “TestRun.java”:

package runassample;
import javax.ejb.SessionBean;
import weblogic.ejb.GenericSessionBean;
public class TestRun extends GenericSessionBean implements SessionBean {
  private static final long serialVersionUID = 1L;

  // Runs as the principal resolved from create-as-principal-name / the run-as role (see above).
  public void ejbCreate() {
    System.out.println("\n\n\t ejbCreate() called on EJB TestRun.");
  }

  // Callable only by runAs_role_X, per the method-permission in ejb-jar.xml.
  // The password is echoed back only so the demo output is visible.
  public String display(String name, String password) {
    System.out.println("\n\t executing display(String name, String password) of TestRun SessionBean");
    return "Hello Mr. " + name + "\t your Password is : " + password;
  }

  // Not listed in any method-permission, so it is not restricted to a role.
  public String SayHello(String hell) {
    return hell;
  }
}

Step5). Provide the “ejb-jar.xml” inside the “META-INF” directory:

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar id="ejb-jar_ID" version="2.1" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd">
<display-name>Test</display-name>

<enterprise-beans>
<session>
<ejb-name>TestRun</ejb-name>
<home>runassample.IRemoteHome</home>
<remote>runassample.ITestRemote</remote>
<ejb-class>runassample.TestRun</ejb-class>
<session-type>Stateless</session-type>
<transaction-type>Container</transaction-type>
<security-identity>
<run-as>
<role-name>runAs_role_X</role-name>
</run-as>
</security-identity>
</session>
</enterprise-beans>

<assembly-descriptor>
<security-role>
<role-name>runAs_role_X</role-name>
</security-role>
<method-permission>
<role-name>runAs_role_X</role-name>
<method>
<ejb-name>TestRun</ejb-name>
<method-name>display</method-name>
<method-params>
<method-param>java.lang.String</method-param>
<method-param>java.lang.String</method-param>
</method-params>
</method>
</method-permission>
</assembly-descriptor>
</ejb-jar>

Step6). Now develop “weblogic-ejb-jar.xml” inside the “META-INF” directory:

<?xml version="1.0" encoding="UTF-8"?>
<weblogic-ejb-jar xmlns="http://www.bea.com/ns/weblogic/90"
xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-ejb-jar.xsd">

<weblogic-enterprise-bean>
<ejb-name>TestRun</ejb-name>
<stateless-session-descriptor>
<pool></pool>
<stateless-clustering></stateless-clustering>
</stateless-session-descriptor>
<transaction-descriptor></transaction-descriptor>
<jndi-name>TestRun</jndi-name>
<remote-client-timeout>0</remote-client-timeout>
</weblogic-enterprise-bean>
<security-role-assignment>
<role-name>runAs_role_X</role-name>
<principal-name>jack</principal-name>
</security-role-assignment>

<run-as-role-assignment>
<role-name>runAs_role_X</role-name>
<run-as-principal-name>jack</run-as-principal-name>
</run-as-role-assignment>
</weblogic-ejb-jar>

Step7). Compile and deploy the EJB on the server.

Step8). Write the EJB Client to access the EJB…

import java.util.Hashtable;
import javax.naming.*;
import runassample.*;
public class RunAsEjbClient
{
  // Usage: java RunAsEjbClient <username> <password>
  public static void main(String ar[]) throws Exception
  {
    Hashtable<String,String> ht = new Hashtable<String,String>();
    ht.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
    ht.put(Context.PROVIDER_URL, "t3://localhost:7001");
    // The client authenticates to the server as this user; creating the JNDI
    // context fails with an AuthenticationException if the credentials are wrong.
    ht.put(Context.SECURITY_PRINCIPAL, ar[0]);
    ht.put(Context.SECURITY_CREDENTIALS, ar[1]);

    Context ctx = new InitialContext(ht);
    IRemoteHome home = (IRemoteHome) ctx.lookup("TestRun");
    ITestRemote remote = home.create();
    System.out.println("\n\tremote.display(\"TestUser\",\"password\")" + remote.display(ar[0], ar[1]));
  }
}

OUTPUT:

Run the client like:


C:\DELETE\RUN_AS_EJB>java RunAsEjbClient jack password

remote.display("TestUser","password")Hello Mr. jack      your Password is : password

C:\DELETE\RUN_AS_EJB>java RunAsEjbClient jack Wrongpassword
Exception in thread "main" javax.naming.AuthenticationException [Root exception is java.lang.SecurityException: User: jack, failed to be  authenticated.]
at weblogic.jndi.internal.ExceptionTranslator.toNamingException(ExceptionTranslator.java:42)
at weblogic.jndi.WLInitialContextFactoryDelegate.toNamingException(WLInitialContextFactoryDelegate.java:783)
at weblogic.jndi.WLInitialContextFactoryDelegate.pushSubject(WLInitialContextFactoryDelegate.java:677)
at weblogic.jndi.WLInitialContextFactoryDelegate.newContext(WLInitialContextFactoryDelegate.java:468)
at weblogic.jndi.WLInitialContextFactoryDelegate.getInitialContext(WLInitialContextFactoryDelegate.java:375)
at weblogic.jndi.Environment.getContext(Environment.java:315)
at weblogic.jndi.Environment.getContext(Environment.java:285)
at weblogic.jndi.WLInitialContextFactory.getInitialContext(WLInitialContextFactory.java:117)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at RunAsEjbClient.main(RunAsEjbClient.java:16)
Caused by: java.lang.SecurityException: User: jack, failed to be authenticated.
at weblogic.common.internal.RMIBootServiceImpl.authenticate(RMIBootServiceImpl.java:116)
at weblogic.common.internal.RMIBootServiceImpl_WLSkel.invoke(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:589)
at weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:477)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:363)
at weblogic.security.service.SecurityManager.runAs(Unknown Source)
at weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:473)
at weblogic.rmi.internal.wls.WLSExecuteRequest.run(WLSExecuteRequest.java:118)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
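The precedence rule at the top of this post, applied to the descriptors above, as an added example that is not part of the original post: the function resolves which principal ejbCreate() runs as for each bean in constructed copies of ejb-jar.xml and weblogic-ejb-jar.xml (TestRun as on this page, plus two hypothetical beans named Overridden and Plain that exercise the other branches). The fallback to the first principal-name of the role's security-role-assignment when no run-as-role-assignment exists is assumed here from the WebLogic descriptor documentation.

```python
import xml.etree.ElementTree as ET
ANONYMOUS = "<anonymous>"
# Constructed descriptors: TestRun as on this page, plus two hypothetical beans
# (Overridden, Plain) that exercise the other branches of the precedence rule.
EJB_JAR_XML = """<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1"><enterprise-beans>
  <session><ejb-name>TestRun</ejb-name><session-type>Stateless</session-type>
    <security-identity><run-as><role-name>runAs_role_X</role-name></run-as></security-identity></session>
  <session><ejb-name>Overridden</ejb-name><session-type>Stateless</session-type>
    <security-identity><run-as><role-name>runAs_role_X</role-name></run-as></security-identity></session>
  <session><ejb-name>Plain</ejb-name><session-type>Stateless</session-type></session>
</enterprise-beans></ejb-jar>"""
WEBLOGIC_EJB_JAR_XML = """<weblogic-ejb-jar xmlns="http://www.bea.com/ns/weblogic/90">
  <weblogic-enterprise-bean><ejb-name>TestRun</ejb-name><jndi-name>TestRun</jndi-name></weblogic-enterprise-bean>
  <weblogic-enterprise-bean><ejb-name>Overridden</ejb-name>
    <create-as-principal-name>creator</create-as-principal-name></weblogic-enterprise-bean>
  <security-role-assignment><role-name>runAs_role_X</role-name>
    <principal-name>jack</principal-name></security-role-assignment>
  <run-as-role-assignment><role-name>runAs_role_X</role-name>
    <run-as-principal-name>jack</run-as-principal-name></run-as-role-assignment>
</weblogic-ejb-jar>"""

def parse(xml):
    root = ET.fromstring(xml)
    for el in root.iter():  # strip namespaces so tags can be matched by local name
        el.tag = el.tag.split("}")[-1]
    return root

def ejb_create_identity(ejb_jar_xml, weblogic_ejb_jar_xml):
    """Map each bean to the principal its ejbCreate() runs as."""
    ejb, wl = parse(ejb_jar_xml), parse(weblogic_ejb_jar_xml)
    create_as = {b.findtext("ejb-name"): b.findtext("create-as-principal-name")
                 for b in wl.findall("weblogic-enterprise-bean")}
    run_as = {r.findtext("role-name"): r.findtext("run-as-principal-name")
              for r in wl.findall("run-as-role-assignment")}
    members = {r.findtext("role-name"): [p.text for p in r.findall("principal-name")]
               for r in wl.findall("security-role-assignment")}
    identity = {}
    for bean in list(ejb.iter("session")) + list(ejb.iter("message-driven")):
        name = bean.findtext("ejb-name")
        role = bean.findtext("security-identity/run-as/role-name")
        if create_as.get(name):            # 1. explicit create-as-principal-name wins
            identity[name] = create_as[name]
        elif role in run_as:               # 2. run-as role mapped in weblogic-ejb-jar.xml
            identity[name] = run_as[role]
        elif members.get(role):            # assumed fallback: first principal mapped to the role
            identity[name] = members[role][0]
        else:                              # 3. no usable role: anonymous principal
            identity[name] = ANONYMOUS
    return identity
```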

Thanks

Jay SenSharma


Copyright © 2010-2012 Middleware Magic. All rights reserved.