I’d be happy to assist if I can. Please post the stack trace and we’ll take it from there.

Mike

I try to setup WebLogic 8.1sp5 for handling Soap Messages with a signed Header. Much of your description was very usefull for me. But I configure d a web-servies.xml file, all according to the Bea documentation. However my webservice answers with: ‘{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}InvalidSecurityToken’
May I ask your help for this ?

kind regards,

Harry van Rijn

If I understand you correctly, your users have certificates but you don’t have (and don’t want) a list of users in a data store such as an LDAP server or database.

That scenario is possible but you’ll have to write a custom authentication security provider. The default identity asserter maps the certificate to a username. Part of that work is done by a username mapper class which can pull the value of certain attributes. You could also write your own username mapper if your needs are more elaborate.

Regardless of the username mapper, though, you still have to deal with authentication. If the username mapper returns the CN from the certificate, for example, that CN needs to “exist” in the realm. As a result, your authentication provider will need to say that this CN does indeed represent a valid user even though he doesn’t really exist anywhere.

You can find more information at http://e-docs.bea.com/wls/docs81/dvspisec/ia.html. Note that my description above takes the approach of a separate authentication provider but you could wrap the assertion and authentication into the identity asserter.

Another issue to think about is authorization. I get the feeling that you don’t care about roles but just want the user to be authenticated before accessing your system. If that’s the case, implicit groups might do the trick.

Hope this helps!

but, Can be avoied the creation of each user in weblogic security realm?
I must give the acces to many user …
thanks

You’re right — I hosed that up big time.

I’ve made the corrections in the post.

Thanks!

Here’s the pertinent snippet from web.xml:

- m

Thanks!
-kevin

The default identity asserter will try to extract a known user from the certificate. It does this by pulling something (which is definable by the username mapper) out of the certificate and passing that along as the username. Then, an authenticator will check to see if that user exists. The authenticator might check a database or LDAP server, for example.

The LDAP x509 Identity Asserter differs from the default one in that the certificate presented by the user is the same one that’s stored in LDAP as an attribute of that user. That is, the user’s certificate is stored in LDAP and compared to the certificate that WebLogic received from the user. Furthermore, the username has to be from one of the attributes of the DN such as the CN.

Hope this helps,

Mike

As you suspected, the username mapping has already occurred by the time role mapping happens. You might still be able to get the DN, though.

The RoleMapper interface is

getRoles(javax.security.auth.Subject subject, Resource resource, ContextHandler handler)

The Subject will contain the WL username. However, the ContextHandler contains extra information that a security provider can use. This object is simply a group of name/value pairs. If one of them is the HttpServletRequest, you’re in business. Have a look at http://monduke.com/2006/03/01/reversed-dn-in-weblogic-814/ for how to pull the DN from this object.

I’ve never examined the context data for a role mapper so I can’t tell you what’s in it. It’s also not documented. You’ll just need to loop through the data from your custom role mapper to see what’s inside.

Let me know how it goes.

HTH,

Mike

Thanks!