3 votes

I'm attempting to implement an authentication mechanism in a web app, which I'm deploying on a WebLogic 12c instance. I want to restrict access to certain pages to only authenticated users.

My problem is in figuring out how to define the auth-constraint of my security portion to do this. This is the security portion of my web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>Any User</description>
    <role-name>user</role-name>
</security-role>


<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myrealm</realm-name>
    <form-login-config>
        <form-login-page>/login.html</form-login-page>
        <form-error-page>/auth_error.html</form-error-page>
    </form-login-config>
</login-config>

Right now, authentication works properly, but I get a 403 - Forbidden when I try to access any of the secure pages, and I'm fairly certain that this is because I don't have any users mapped to the "user" role. I've already tried specifying the wildcard (*) for role names, and that didn't work.

I'd prefer to not have to configure any mappings on the WebLogic side. WebLogic documentation specifies that there is a special "Authenticated Role" that is automatically given to any user who authenticates (see http://docs.oracle.com/cd/E14571_01/core.1111/e10043/introroles.htm#CJAGGDCA).

That documentation is for 11g - is the same role available in 12c? If so, can I reference it in my web.xml to grant access to any authenticated user? What would its role-name be?


1 Answer

9 votes

I believe I've found the solution.

I didn't determine the name of a default authenticated role, but there seems to be an implicit group in WebLogic called "users", which all users belong to by default. It doesn't seem that this group shows up anywhere in the Admin Console, but all users seem to belong to it by default.

In my web.xml, I define an "authenticated-users" role (the name isn't important). Then, in weblogic.xml, I map that role to the "users" group. This allows any page protected by the "authenticated-users" constraint to be accessed by any user who is authenticated.

I've only tested this using FORM authentication, but I don't see any reason why it wouldn't also work for other methods.

web.xml:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated-users</role-name>
    </auth-constraint>
</security-constraint>

<security-role>
    <description>Any User</description>
    <role-name>authenticated-users</role-name>
</security-role>


<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>myrealm</realm-name>
    <form-login-config>
        <form-login-page>/login_form.html</form-login-page>
        <form-error-page>/login_error.html</form-error-page>
    </form-login-config>
</login-config>

weblogic.xml:

<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:wls="http://www.bea.com/ns/weblogic/90"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">

    <!-- Map the web.xml role to the implicit WebLogic "users" group, so every authenticated user holds it -->
    <wls:security-role-assignment>
        <wls:role-name>authenticated-users</wls:role-name>
        <wls:principal-name>users</wls:principal-name>
    </wls:security-role-assignment>
</wls:weblogic-web-app>
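An added consistency check for this role wiring (example code written for this page; it is not part of the question or the answer and not a WebLogic tool): it parses a web.xml and a weblogic.xml with the standard library and reports roles referenced in an auth-constraint that are never declared in a security-role or never mapped to a principal in a security-role-assignment, which is the state the question describes when every login ends in a 403. The two descriptors are constructed here from the answer's snippets; a second /admin/* constraint is deliberately left undeclared and unmapped so that the check has something to find.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml modelled on the answer above (not the poster's real file).
# The /admin/* constraint is intentionally misconfigured: 'admin' is used but never declared or mapped.
WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>secure</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>authenticated-users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>authenticated-users</role-name></security-role>
  <login-config><auth-method>FORM</auth-method></login-config>
</web-app>
"""

# Constructed sample weblogic.xml: only 'authenticated-users' is mapped, to the implicit 'users' group.
WEBLOGIC_XML = """
<wls:weblogic-web-app xmlns:wls="http://www.bea.com/ns/weblogic/90">
  <wls:security-role-assignment>
    <wls:role-name>authenticated-users</wls:role-name>
    <wls:principal-name>users</wls:principal-name>
  </wls:security-role-assignment>
</wls:weblogic-web-app>
"""


def _local(tag):
    """Drop the namespace part of a tag ('{uri}role-name' -> 'role-name') so default and wls: forms compare alike."""
    return tag.rsplit("}", 1)[-1]


def _names(elem, child_name):
    """Text of every descendant of elem whose local tag name is child_name."""
    return {e.text.strip() for e in elem.iter() if _local(e.tag) == child_name and e.text}


def declared_roles(web_xml):
    """Role names declared with <security-role> in web.xml."""
    root = ET.fromstring(web_xml)
    return set().union(*(_names(e, "role-name") for e in root.iter() if _local(e.tag) == "security-role"))


def constraints(web_xml):
    """One (url-patterns, has_auth_constraint, roles) tuple per <security-constraint>."""
    root = ET.fromstring(web_xml)
    out = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        auth = [e for e in sc.iter() if _local(e.tag) == "auth-constraint"]
        roles = set().union(*(_names(a, "role-name") for a in auth))
        out.append((tuple(sorted(_names(sc, "url-pattern"))), bool(auth), roles))
    return out


def mapped_roles(weblogic_xml):
    """role-name -> set of principal-names taken from <security-role-assignment> in weblogic.xml."""
    root = ET.fromstring(weblogic_xml)
    mapping = {}
    for sra in root.iter():
        if _local(sra.tag) == "security-role-assignment":
            for role in _names(sra, "role-name"):
                mapping.setdefault(role, set()).update(_names(sra, "principal-name"))
    return mapping


def audit(web_xml, weblogic_xml):
    """Return human-readable findings about role wiring between the two descriptors."""
    declared = declared_roles(web_xml)
    mapped = mapped_roles(weblogic_xml)
    findings = []
    for patterns, has_auth, roles in constraints(web_xml):
        where = ", ".join(patterns)
        if not has_auth:
            findings.append(f"{where}: no <auth-constraint>, resource is reachable without authentication")
        elif not roles:
            findings.append(f"{where}: empty <auth-constraint>, resource is denied to everyone")
        for role in sorted(r for r in roles if r != "*"):   # '*' expands to the declared roles, checked separately
            if role not in declared:
                findings.append(f"{where}: role '{role}' used in auth-constraint but not declared in <security-role>")
            if role not in mapped:
                findings.append(f"{where}: role '{role}' has no <security-role-assignment> in weblogic.xml")
    for role in sorted(set(mapped) - declared):
        findings.append(f"weblogic.xml maps role '{role}' that web.xml never declares")
    return findings


if __name__ == "__main__":
    for finding in audit(WEB_XML, WEBLOGIC_XML):
        print(finding)
```

Run against the constructed pair it reports the two gaps for the admin role and nothing for authenticated-users; point it at a real deployment's descriptors by reading the two files into strings before calling audit().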