Protecting WebLogic Server application using Oracle Entitlement Server
This post talks about protecting a WebLogic server application using Oracle Entitlement Server. This means coarse grained access which is page level access based on user user roles. Though OES is meant for fine grained access, we will discuss how a basic WL app can be protected at first. Later if you want to provide ATN using OAM and ATZ using OES, you can follow this.
I will talk about installing a WebLogic SSM, configuring the SSM and protecting sample WL app using SSM.
Install WebLogic SSM: WL SSM is used only to protect weblogic apps.
Run the installer and provide the following details.
- Select BEA Home (You can install SSM either in the same Admin home or in a different location)
- Select only OES SM For WLS [Notice OES SM Common is also selected ]
- Enter the SCM name if you want to associate the WL SSM to an SCM (optional)
- Enter the administration url eg., https://admin_host_name:port/
- Select the JDK (select latest version available in WebLogic server installation)
After the installation is finished, click the Finish.
Applying Patch:The latest SSM patch available is CP3.
Extract the patch file and copy the patches folder to the $BEA_HOME/ales32-ssm
Edit the ApplySsmPatch.sh and provide jdk and ssm directory locations.
Run the patch as shown below. All OES servers has to be stopped before applying patch.
To check status: ./ApplySsmPatch.sh status
To upgrade SSM to CP3
We will proceed to next step assuming the WebLogic domain is already created.
Configure SSM: This step involves creating an WL SSM instance
Edit the file myssm_config.properties for the following params.
wls.domain.dir = weblogic_domain_directory
ssm.conf.id = wlsapp (you will see )
db.password = abcd1234 (oes database user password used while running DBConfigTool)
ales.admin.password = abcd1234 (OES admin password)
ssm.admin.name = weblogic (Weblogic domain username)
ssm.admin.password = abcd1234
arme.port = 8000
ales.organization.scope = wlsapp_org (since CP3, Application scope is replaced with Organizational scope )
ales.identity.dir =wlsapp_dir (identity directory where users for this application in OES are stored)
db.jdbc.url = jdbc:oracle:thin:@db_server:1521:db_sid
db.jdbc.driver = oracle.jdbc.driver.OracleDriver (uncomment this line)
scm.name = adminconfig
Run the ConfigTool as shown below.
To check everything works: ./ConfigTool.sh -check myssm_config.properties (Advisory to run this command as it checks if there are any conflicts). The WebLogic server should be stopped before running this command.
To process : ./ConfigTool.sh -process myssm_config.properties
This will create the the WL SSM instance, organization with wlsapp in OES and policies.
Open the OES EUI console and access the Resources. Traverse to the organization wlsapp->shared->server and create New AdminServer and map it as Resource. Distribute the policies. Policy distributed is crucial and missing this will not allow weblogic server to start (will throw Authentication failed at booting stage) .
Start the WebLogic server.
Access the WLS console and see the new realm created and marked as true (default realm). Check the providers, Database Authenticator where the OES will authenticate users against the DB using this Authenticator.
Deploy WebLogic Application:
Now deploy the weblogic application and test the application.
Lets assume the app simply consists of welcome.jsp with ales tags as mentioned below.
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”
“http://www.w3.org/TR/html4/loose.dtd”>
<%@ taglib prefix=”ales” uri=”http://www.bea.com/ales/tags”%>
<%@ page language=”java” contentType=”text/html; charset=ISO-8859-1″
pageEncoding=”ISO-8859-1″%>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=windows-1252″/>
<title>welcome OES user</title>
</head>
<ales:setSecurityContext value=”/check”>
<ales:attribute name=”foo” value=”1″/>
</ales:setSecurityContext>
<body>
<ales:isAccessAllowed resource=”/isAllowed” action=”view”>
<ales:then>You are allowed to see the secret text</ales:then>
<ales:else>DenyReason: You are not valid user </ales:else>
</ales:isAccessAllowed>
</body>
</html>
Discovery Mode:
The application has to be accessed by enabling discovery mode in weblogic server.
Discovery mode will disable all the securities applied for the application. That is authentication, authorization based on groups/roles etc., Hence the user will not be challenged with any authentication when he access the application.
To do so, stop the weblogic server and add/uncomment the following lines in set-wls-env.bat/sh
com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true
Then start the weblogic server and access the application once again.
About the Author Mahendra
I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com