Covering J2EE Security and WebLogic Topics

WebLogic 9.1 Authorization Gotcha

The Problem

I have a web application prototype that I’m developing on WebLogic 8.1.4 that uses simple container-managed authorization. I thought I’d play around with WebLogic 9.1 a bit so I deployed my app there fully expecting it to work just fine. I set up my users and groups in the 9.1 domain and then tried to access it.

The login screen came up but I couldn’t see the protected page after entering my username and password. Instead, I was rewarded with the login screen again. I checked and double-checked my users and groups. Everything seemed OK. I enabled auditing and saw that authentication succeeded but authorization failed.

I was stumped and outraged that BEA released 9.1 without testing container-managed security! 😉

The Solution

As it turns out, I must admit to an expedient approach I take for prototypes that saves me some typing. I usually just create several groups, throw some users in the groups, and then protect resources based on the group names. By doing this, I don’t have to mess with the weblogic.xml deployment descriptor.

I know that this descriptor can map roles to principals, but I never needed it for my simple group-based authorization cheat. The reason is that WebLogic 8.x would automatically map role names defined in web.xml to principals of the same name. Here’s the output from the server stating this:

<Jan 6, 2006 9:14:36 PM EST> <Warning> <HTTP> <BEA-101304> <Webapp: ServletContext(id=5449525,name=FancyApp,context-path=/FancyApp), the role: Administrators defined in web.xml has not been mapped to principals in security-role-assignment in weblogic.xml. Will use the rolename itself as the principal-name.>

Now, I always knew that it was doing that for me so it never occured to me that 9.1 would behave differently. It was only out of desperation that I tried doing the mapping myself in weblogic.xml as shown below:



The externally-defined element indicates that the realm determines what the role name maps to. I also modified web.xml to use the role name instead of the group name. With these changes in place my application worked fine.

UPDATE: I should have pointed out in the original article that the externally-defined element allowed me to use the WebLogic Console to map the Admin role to groups. I could have "hard-coded" the mapping by replacing <externally-defined/> with <principal-name>Administrators</principal-name>, for example. This would map the Admin role to the Administrators group.

I can only conclude that the default mapping does not occur in 9.1 and there’s nothing to warn cheaters like me of the situation.

I guess WebLogic 9.1 is trying to protect lazy programmers from themselves…