SSO for Oracle REST Data Services

Submitted by lurodrig on

Hello there,

Recently I've started to dig into ORDS authentication, and more specifically into how to make it work against my Oracle WebLogic Server authenticators.

ORDS Service Definition

The first step is to create or define a REST service in our Oracle database. The oracle-base.com guys have a fantastic how-to here. In summary, you have to perform two operations:

  1. Enable the schema for REST

DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN

    ORDS.ENABLE_SCHEMA(p_enabled => TRUE,
                       p_schema => 'CERNDB_MWCTL_A_01_DEV',
                       p_url_mapping_type => 'BASE_PATH',
                       p_url_mapping_pattern => 'cerndb_mwctl_a_01_dev',
                       p_auto_rest_auth => FALSE);
    
    commit;

END;

  2. Define the service

DECLARE
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN

    ORDS.ENABLE_OBJECT(p_enabled => TRUE,
                       p_schema => 'CERNDB_MWCTL_A_01_DEV',
                       p_object => 'DEPLOYMENT',
                       p_object_type => 'TABLE',
                       p_object_alias => 'deployment',
                       p_auto_rest_auth => FALSE);
    
    commit;

END;

In the above snippet we are exposing the table DEPLOYMENT for READ, UPDATE, INSERT and DELETE operations. For this example we are using the AutoREST feature of ORDS. Because p_auto_rest_auth is FALSE, ORDS does not yet require any authorization for this endpoint; that is added in the section on protecting the service.

On the WebLogic side I have the ORDS listener application deployed against the /ords-sso context, and my Oracle Database is mapped against /devdb11. This means that I can access my service through: https://my.domain/ords-sso/devdb11/cerndb_mwctl_a_01_dev/deployment

ORDS configuration at a glance

Although the aim of this post is not to show you how to set up your ORDS installation (for this you have great posts like this one from the smartdogservices.com people, thanks!), just have a quick look at the configuration files:

[Image: ORDS configuration at a glance]

Protecting the ORDS Service

Now we want to protect our service. For this we need to:

  1. Define WHO can access:

BEGIN
  ORDS.CREATE_ROLE('crud-deployments');

  ORDS.CREATE_PRIVILEGE(
      p_name => 'crud-operations-on-deployment-table',
      p_role_name => 'crud-deployments',
      p_label => 'Deployment Data',
      p_description => 'CRUD operations on deployment table');
  COMMIT;
END;

  2. Map the service URL:

BEGIN
  ORDS.CREATE_PRIVILEGE_MAPPING(
      p_privilege_name => 'crud-operations-on-deployment-table',
      p_pattern => '/deployment/*');
  COMMIT;
END;

If we now try to access our service we will get a "401 Unauthorized" and a link to the ORDS default sign-in form.

WebLogic and ORDS war SSO configuration

OK, we have everything set up and ready, so now let's get to the real meat of this article, the SSO integration:

  1. Configure your managed server as a service provider. If the official documentation is not enough you can always have a look at Puneeth's blog entry here (thanks!)
  2. Configure your ords-sso.war. We want to protect access to the /ords-sso application: when an unauthenticated request arrives, WebLogic redirects it to our Identity Provider. As the authorization will be done by ORDS, we allow all users to access it:
    1. web.xml

<security-constraint>
  <web-resource-collection>
    <web-resource-name>principals</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>AllUsers</role-name>
  </auth-constraint>
</security-constraint>

<security-role>
  <role-name>AllUsers</role-name>
</security-role>

    2. weblogic.xml:

<security-role-assignment>
  <role-name>AllUsers</role-name>
  <principal-name>users</principal-name>
</security-role-assignment>

  3. Install a credential mapper for your SAML2 Identity Asserter. This is needed by WebLogic in order to create the user Java Principals.
  4. Deploy your ords-sso war

You are done!
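
A check for the two descriptors from step 2, as an added example that is not part of the original post: it verifies that /* is constrained for every HTTP method and that each role in the auth-constraint is declared and mapped to a principal. The audit function, the wrapping root elements and the GET-only variant are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _root(xml_text):
    """Parse a descriptor and drop XML namespaces so lookups work for any schema version."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def _texts(parent, path):
    return [(e.text or "").strip() for e in parent.iterfind(path)]

def audit(web_xml, weblogic_xml):
    """Return findings for a web.xml / weblogic.xml pair; an empty list means the checks passed."""
    web, wls = _root(web_xml), _root(weblogic_xml)
    declared = set(_texts(web, "security-role/role-name"))
    assigned = {r for a in wls.iter("security-role-assignment")
                if _texts(a, "principal-name") for r in _texts(a, "role-name")}
    findings, covers_all = [], False
    for sc in web.iter("security-constraint"):
        patterns = _texts(sc, "web-resource-collection/url-pattern")
        methods = _texts(sc, "web-resource-collection/http-method")
        if sc.find("auth-constraint") is None:
            findings.append(f"{patterns}: no auth-constraint, so no login is required")
            continue
        if methods:
            findings.append(f"{patterns}: only {methods} constrained, other HTTP methods stay open")
        elif "/*" in patterns:
            covers_all = True
        for role in _texts(sc, "auth-constraint/role-name"):
            if role not in declared:
                findings.append(f"role {role!r} is not declared in <security-role>")
            if role not in assigned:
                findings.append(f"role {role!r} has no principal in weblogic.xml")
    if not covers_all:
        findings.append("no constraint covers /* for every HTTP method")
    return findings

# Constructed samples: the post's fragments wrapped in root elements, plus a GET-only variant.
CONSTRAINT = ("<security-constraint><web-resource-collection>"
              "<web-resource-name>principals</web-resource-name><url-pattern>/*</url-pattern>{m}"
              "</web-resource-collection><auth-constraint><role-name>AllUsers</role-name>"
              "</auth-constraint></security-constraint>"
              "<security-role><role-name>AllUsers</role-name></security-role>")
PAGE_WEB = "<web-app>" + CONSTRAINT.format(m="") + "</web-app>"
WEAK_WEB = "<web-app>" + CONSTRAINT.format(m="<http-method>GET</http-method>") + "</web-app>"
PAGE_WLS = ("<weblogic-web-app><security-role-assignment><role-name>AllUsers</role-name>"
            "<principal-name>users</principal-name></security-role-assignment></weblogic-web-app>")
print(audit(PAGE_WEB, PAGE_WLS), audit(WEAK_WEB, PAGE_WLS), sep="\n")
```

The descriptors from this post produce no findings; the GET-only variant is reported because a constraint that names HTTP methods leaves the unnamed ones outside the login requirement.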

If you now try to access your service endpoint, instead of being redirected to the default ORDS sign-in form you will be redirected to your IdP's one. If you are curious about how WebLogic manages this authentication, you can enable these debug flags:

-Dweblogic.DebugSecurityAtz=true  -Dweblogic.DebugSecurityAtn=true -Dweblogic.log.StdoutSeverity=Debug  -Dweblogic.log.RedirectStdoutToServerLogEnabled=true  -Dweblogic.log.RedirectStderrToServerLogEnabled=true -Dweblogic.security.saml2.atn.DebugSecuritySAML2Atn=true -Dweblogic.debug.DebugSecuritySAML2CredMap=true -Dweblogic.debug.DebugSecuritySAML2Lib=true -Dweblogic.debug.DebugSecuritySAML2Service=true -Dweblogic.debug.DebugSecurityRoleMap=true

Hope it helps and have a nice coding day!

Luis
