2 votes

I think I might be missing something obvious here, but I have a WebLogic server set up to host my J2EE web application. As well as this I have Enterprise Manager set up, which allows the mapping of an LDAP server to security roles; for example the AD group:

g-uk-user

Might be mapped to the security role:

UKUser

I am then trying to authenticate my web application using these security roles; however, I can only seem to find the mapping between WebLogic groups or users and roles within my application, for example:

To associate a user or group with the TaskAdmins role, edit the <wls:principal-name> entry that is associated with the <wls:role-name>TaskAdmins</wls:role-name> entry. For example:

 <wls:security-role-assignment>
  <wls:role-name>TaskAdmins</wls:role-name>
  <wls:principal-name>User_or_group</wls:principal-name>
 </wls:security-role-assignment>

Important: You must create a new stanza for each user or group that you want to associate with the TaskAdmins role.

This concept works absolutely fine when using groups within WebLogic, but I don't want to map to groups; I want to be able to map to security roles, which I can't seem to do.

web.xml

<security-constraint>
      <display-name>MySecurityConstraint</display-name>
       <web-resource-collection>
        <web-resource-name>SecureContent</web-resource-name>
        <url-pattern>/*</url-pattern>
       </web-resource-collection>
       <auth-constraint>
        <role-name>PORTAL_USER</role-name>
       </auth-constraint>
       <user-data-constraint>
        <transport-guarantee>NONE</transport-guarantee>
       </user-data-constraint>
 </security-constraint>

 <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>myrealm</realm-name>
      <form-login-config>
           <form-login-page>/login</form-login-page>
           <form-error-page>/login?error</form-error-page>
      </form-login-config>
 </login-config>


 <security-role>
     <role-name>PORTAL_USER</role-name>
 </security-role>
 <security-role>
    <role-name>ACT_AS</role-name>
 </security-role>
 <security-role>
     <role-name>ADMIN</role-name>
 </security-role>

weblogic.xml

 <wls:security-role-assignment>
  <wls:role-name>PORTAL_USER</wls:role-name>
  <wls:principal-name>Admin</wls:principal-name>
 </wls:security-role-assignment>

 <wls:security-role-assignment>
  <wls:role-name>ACT_AS</wls:role-name>
  <wls:principal-name>ACT_AS</wls:principal-name>
 </wls:security-role-assignment>

I'm not sure I understand, but have you mapped out security-role assignments in your web.xml as well? See stackoverflow.com/questions/11903739/… and stackoverflow.com/questions/23480900/… If that doesn't help, another option is to create a new group that encompasses all users that have that security role; it's not ideal, but it should work.

Added the relevant files that I have. Basically anyone in the role PORTAL_USER in my app will have access to it. I want to map this role to a security role in WebLogic, but it seems I can only map it to groups or users. The reason I need to do this is because we have mapped AD groups from an LDAP server to security roles within Enterprise Manager. - Simon Nicholls

Thanks for the links. I think in both examples they are actually using groups and NOT security roles. I think the method to do this would be to authenticate using the 'users' group in WebLogic and then authorise using the security roles. I need to understand how to get a user's security roles, however. In this link blog.whitehorses.nl/2010/01/29/… he refers to security roles, but I actually think he means groups, as can be seen in his code where he adds roles in the app based on groups: if ( principal instanceof WLSGroupImpl) - Simon Nicholls

Glad you were able to find a solution - thanks for sharing your answer.

1 Answer

2 votes

Answered this in Get Security Roles From Weblogic for Spring Security

I was basically very confused with the mapping. If the roles are created in WebLogic, NO mapping should be done within the application itself, as this is what WebLogic is effectively doing for you. I couldn't find a way for my app to be able to get these roles, however (or understand how it would do it!), and I was also deploying directly from Eclipse, which meant that you can only use mapping to roles defined in the application itself.

Building and deploying the application and selecting Custom Roles under the security settings in WebLogic will allow the creation of security roles for that application and will also allow the app to use security roles from WebLogic. These roles should still be defined in web.xml, and WebLogic will take care of the rest!
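The accepted answer switches the whole deployment to the "Custom Roles" security model, under which WebLogic ignores every role-to-principal mapping in weblogic.xml and takes the role definitions (including the LDAP group conditions configured in Enterprise Manager) from the security realm. There is also a per-role form of the same idea that works under the default "DD Only" model: a security-role-assignment may carry <wls:externally-defined/> instead of a <wls:principal-name>, which tells the container that the application only names the role and that the set of principals holding it is defined in the console/realm. The weblogic.xml below is an added example written for this page, not the original poster's file or Oracle's own sample; it assumes the web.xml shown in the question (PORTAL_USER, ACT_AS and ADMIN declared as security-role entries) and keeps one hard-wired group mapping for ADMIN purely to show the two styles side by side. The group name Administrators is an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- weblogic.xml: added example, not the original poster's file.
     Assumes the question's web.xml declares PORTAL_USER, ACT_AS and ADMIN
     as <security-role> entries; nothing below creates a role that web.xml
     does not already declare. -->
<wls:weblogic-web-app
    xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app">

  <!-- Style 1: mapping hard-wired in the descriptor.
       Every member of the WebLogic GROUP named Administrators (assumed
       name) holds ADMIN, regardless of what Enterprise Manager says. This
       is what the question's file does for PORTAL_USER and is the behaviour
       the poster wanted to avoid. -->
  <wls:security-role-assignment>
    <wls:role-name>ADMIN</wls:role-name>
    <wls:principal-name>Administrators</wls:principal-name>
  </wls:security-role-assignment>

  <!-- Style 2: externally defined.
       The application names the role only. Who holds PORTAL_USER is taken
       from the role definition stored in the security realm, i.e. the
       place where the AD group g-uk-user was mapped in Enterprise Manager.
       No group or user name lives in the application any more. -->
  <wls:security-role-assignment>
    <wls:role-name>PORTAL_USER</wls:role-name>
    <wls:externally-defined/>
  </wls:security-role-assignment>

  <wls:security-role-assignment>
    <wls:role-name>ACT_AS</wls:role-name>
    <wls:externally-defined/>
  </wls:security-role-assignment>

</wls:weblogic-web-app>
```

Two checks are worth doing after deploying. First, confirm which security model the deployment actually has (Deployments > your app > Security > Roles shows the model and the effective role definitions): under "DD Only" the principal-name mappings above are authoritative and only the externally-defined roles consult the realm, while under "Custom Roles" all of them do and the principal-name entry for ADMIN is silently ignored. Second, log in with a test account that is in g-uk-user and one that is not, and verify that /* is reachable only from the first; do not infer the mapping from the descriptor alone, because a role whose realm definition is missing or misspelled grants access to no one. Separately, the posted web.xml uses transport-guarantee NONE with FORM login, which posts the password in clear text unless TLS is terminated in front of WebLogic; CONFIDENTIAL makes the container redirect to HTTPS before serving the login page.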