Oracle Weblogic SAML2 Authorization

Grammatically the title does not make much sense, but those were the keywords I used to type a couple of years ago, when I started working on the integration of our JEE applications into our SSO system.

Oracle WebLogic ships a module that supports the SAML 2.0 protocol. SAML (Security Assertion Markup Language) is an XML-based standard that lets the parties of a system exchange authentication and authorization information. It is also one of the protocols supported by Microsoft Active Directory Federation Services (AD FS), the central component of the CERN SSO. If you are interested in integrating these two products there is plenty of material, both in the official documentation and in other blog entries. What is not so well documented is how to authorize your users in WebLogic once they have been authenticated.

The key point is how to build the java.security.Principal objects from the SSO response. Below is part of the user information embedded in one SSO response:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
    <!-- Issuer, Signature and Conditions elements omitted -->
    <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
        <Subject>
            <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">luis.rodriguez.fernandez@cern.ch</NameID>
            <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData InResponseTo="_0x17f877e0ae82fefaf4020518518bb4cf"
                                         NotOnOrAfter="2015-02-24T17:45:00.552Z"
                                         Recipient="https://e-groups.cern.ch/prodAIS23_A_Cluster/saml2/sp/acs/post"
                                         />
            </SubjectConfirmation>
        </Subject>
        <AttributeStatement>
            <Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
                <AttributeValue>lurodrig</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/claims/Group">
                <AttributeValue>Admin Users</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/claims/DisplayName">
                <AttributeValue>Luis Rodriguez Fernandez</AttributeValue>
            </Attribute>
            <Attribute Name="http://schemas.xmlsoap.org/claims/PhoneNumber">
                <AttributeValue>+41227673542</AttributeValue>
            </Attribute>
        </AttributeStatement>
    </Assertion>
</samlp:Response>

In Firefox you can use the SAML tracer add-on to see the complete response.

To extract the above information I have implemented a few classes:

  • A mapper class that reads the AttributeValue elements: CernWlsPrincipalMapper
  • An enum that represents each Attribute
  • A set of classes that represent the user and the groups it belongs to: CernWlsPrincipal, CernWlsUserPrincipal, CernWlsGroupPrincipal

The CernWlsPrincipalMapper is executed just after WebLogic has received and validated the SSO response. You declare it in the User Name Mapper Class Name field of your SAML2 Identity Asserter (see Configure a custom user name mapper in the Oracle documentation). Remember that your classes must be on the system classpath of WebLogic Server, not only inside the application. The easiest way is to add the path to the library to the EXT_PRE_CLASSPATH or EXT_POST_CLASSPATH variable read by the WebLogic start scripts. I usually do it in $DOMAIN_HOME/bin/setDomainEnv.sh.
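As an added example (not the CernWlsPrincipalMapper from this post, whose code is linked at the end), here is what such a mapper looks like against the WebLogic SAML2 SPI. It implements both the name mapper and the attribute mapper interface: the Subject NameID becomes the WebLogic user name, and every value of the Group attribute becomes a weblogic.security.principal.WLSGroupImpl, while group names that collide with WebLogic's built-in groups are refused. Unlike the post's classes it does not build a user principal itself; WebLogic uses the name returned by mapNameInfo for that. The class name and package are mine; the com.bea.security.saml2.providers interface signatures are written from the 12c Javadoc as I remember them, and the reserved group list is the default realm's, so check both against your WebLogic version before building.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Set;

import com.bea.security.saml2.providers.SAML2AttributeInfo;
import com.bea.security.saml2.providers.SAML2AttributeStatementInfo;
import com.bea.security.saml2.providers.SAML2IdentityAsserterAttributeMapper;
import com.bea.security.saml2.providers.SAML2IdentityAsserterNameMapperPlugin;
import com.bea.security.saml2.providers.SAML2NameMapperInfo;
import weblogic.security.principal.WLSGroupImpl;
import weblogic.security.service.ContextHandler;

/**
 * Example name + attribute mapper for the WebLogic SAML2 Identity Asserter
 * (added illustration, not the post's CernWlsPrincipalMapper).
 * WebLogic invokes it only after it has checked the assertion's signature,
 * audience and validity window, so the values seen here come from the trusted
 * IdP and never from the raw HTTP POST body; the mapper must not re-parse XML.
 */
public class ExampleSaml2PrincipalMapper
        implements SAML2IdentityAsserterNameMapperPlugin, SAML2IdentityAsserterAttributeMapper {

    /** Only this claim carries group membership; CommonName, DisplayName and
     *  PhoneNumber are user data and must never become principals. */
    static final String GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group";

    /** Default WebLogic group names (assumed from the default realm; check yours).
     *  An IdP attribute spelling one of these would make the user a member of a
     *  built-in group that already carries global roles, so they are refused. */
    static final Set<String> RESERVED_GROUPS = new HashSet<>(Arrays.asList(
            "Administrators", "Deployers", "Operators", "Monitors",
            "AppTesters", "CrossDomainConnectors", "AdminChannelUsers"));

    /** The Subject NameID (an e-mail address in the response above) becomes the
     *  WebLogic user name. Returning null makes the asserter reject the assertion. */
    @Override
    public String mapNameInfo(SAML2NameMapperInfo info, ContextHandler handler) {
        String name = info.getName();
        if (name == null || name.trim().isEmpty()) {
            return null;
        }
        return name.trim();
    }

    /** One WLSGroup principal per accepted value of the Group attribute. The
     *  group name is what <wls:principal-name> in weblogic.xml is matched against. */
    @Override
    public Collection<Object> mapAttributeInfo(Collection<SAML2AttributeStatementInfo> statements,
                                               ContextHandler handler) {
        Set<String> rawGroups = new LinkedHashSet<>();
        if (statements != null) {
            for (SAML2AttributeStatementInfo statement : statements) {
                for (SAML2AttributeInfo attribute : statement.getAttributeInfo()) {
                    if (GROUP_CLAIM.equals(attribute.getAttributeName())) {
                        rawGroups.addAll(attribute.getAttributeValues());
                    }
                }
            }
        }
        Collection<Object> principals = new ArrayList<>();
        for (String group : acceptedGroups(rawGroups)) {
            principals.add(new WLSGroupImpl(group));
        }
        return principals;
    }

    /** Pure policy step, kept separate so it can be unit-tested without
     *  weblogic.jar on the classpath: trims, de-duplicates and drops reserved names. */
    static Collection<String> acceptedGroups(Collection<String> rawGroups) {
        Set<String> accepted = new LinkedHashSet<>();
        for (String g : rawGroups) {
            if (g == null) {
                continue;
            }
            String name = g.trim();
            if (name.isEmpty() || RESERVED_GROUPS.contains(name)) {
                continue;
            }
            accepted.add(name); // e.g. "Admin Users" from the response above
        }
        return accepted;
    }
}
```

Compile it against the weblogic.jar of your installation, put the resulting jar on EXT_PRE_CLASSPATH in setDomainEnv.sh, and set the class name in the Identity Asserter. The filtering is the security-relevant part: every WLSGroup the mapper emits is exactly what a <wls:principal-name> can match, so a group the IdP sends that you did not expect should be dropped, not mapped, and the mapper should never derive a group from any claim other than the one agreed with the IdP.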

After the mapper runs, one instance of CernWlsUserPrincipal is created, plus one instance of CernWlsGroupPrincipal per value of the Group attribute. From then on you can use the standard deployment descriptors (web.xml and weblogic.xml) to restrict access to your applications. Imagine that you have an admin area that must be accessible only to users who belong to the Admin Users group. First we declare the security-constraint in our web.xml:

    <security-constraint>
        <display-name>Administration area</display-name>
        <web-resource-collection>
            <web-resource-name>AdminArea</web-resource-name>
            <description>Administrator privileges</description>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description>Only administrators</description>
            <role-name>Administrators</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>Administrators</role-name>
    </security-role>

And finally, in weblogic.xml, we map that role to the group. The principal-name must match the group name produced by the mapper character for character:

    <wls:security-role-assignment>
        <wls:role-name>Administrators</wls:role-name>
        <wls:principal-name>Admin Users</wls:principal-name>
    </wls:security-role-assignment>

One last hint: to grant access to any authenticated user, put the built-in WebLogic group users in the <wls:principal-name> element instead of a group name coming from the SSO response.

You can find all the code here. Have a nice coding day!
