Comments on: Implicit Groups in WebLogic

By: Mike Fleming

Mike Fleming — Wed, 17 Oct 2007 23:56:51 +0000

Chetan,

The message you emailed me contained the following event which didn’t come out in your comment above:

#### Audit Record Begin


   <<>> 

   [Security:090304]Authentication Failed: User crc javax.security.auth.login.FailedLoginException:

[Security:090302]Authentication Failed: User crc denied> Audit Record End ####

I’m just re-posting this here to see why some comments have trouble with code-like things and to potentially help future readers.

Anyway, my email response was this:

“That message is very helpful.

Assuming you only have one authenticator and that the user “crc”
exists, the only possibility is that the password is wrong.
Double-check your code.”

By: Chetan

Chetan — Wed, 17 Oct 2007 13:10:57 +0000

hi
i tried the weblogic auditing. In the auditor log when my created user is going to login that time in audit log the entry is like follows :

#### Audit Record Begin
>>
Audit Record End ####

I couldn’t understood from this exactly where is the problem . Help me .

By: Mike Fleming

Mike Fleming — Tue, 09 Oct 2007 01:01:19 +0000

Chetan,

Have you tried the advice given in Troubleshooting Authentication Issues with Audit Logs? You really need to know if this is an authentication failure or an authorization failure. The audit log will tell you.

Also, you can send me your code at mike @ monduke dot com and I’ll have a look at it if you’d like.

Mike

By: Chetan

Chetan — Mon, 08 Oct 2007 09:44:16 +0000

hi
Still i am stucked with the same problem . I have one other application which is having clustered environment and they have used the MBeanHome deprecated APIs to create user their code is running fine and there created user can also log in through application . but in my code i have used MBeanServerConnection to create user but it is not able to log in . Help me .

By: Chetan

Chetan — Thu, 27 Sep 2007 04:43:44 +0000

Mike ,

thx a lot for ur response .

yes it works when i create user manually through weblogic console. then why the programatically created user is not able to get connection ?

By: Mike Fleming

Mike Fleming — Thu, 27 Sep 2007 00:50:41 +0000

Chetan,

Unfortunately, your code didn’t come through. However, I saw your posts on the BEA forums indicating that you are doing EJB lookups.

Does your client work with a user you manually created in WebLogic console?

Mike

By: Chetan

Chetan — Wed, 26 Sep 2007 08:41:39 +0000

In the last post i have sent the code i used to create user in realm . Please suggest me why my created user is not getting authenticated I am not using Role Policy i mean to say i am not using authorization part of weblogic only i am using authentication part . Help me .

By: Mike Fleming

Mike Fleming — Tue, 25 Sep 2007 01:58:23 +0000

Chetan,

The implicit groups don’t need to be created (or have users added to them) because they already exist and users are “in” the groups under certain conditions which are handled automatically by the server. For example, a user is automatically in the “users” group after a successful authentication.

As mentioned in the post, if you want to use one of these groups, just create a role for your application that maps to the implicit group you want.

Since your user is probably not authorized to access your application, check the security constraints to make sure the role you used maps to the appropriate group.

You might find Troubleshooting Authentication Issues with Audit Logs useful…

By: Chetan

Chetan — Mon, 24 Sep 2007 11:26:22 +0000

I am creating user in realm through API using MBeanServerConnection object and invoking createUser method . But that created user is not getting authenticated to weblogic it is giving AuthenticationException . Where this user created by createUser API is created means in which group or in implicit group coz it is shown in user list of realm and there is no group as such for that user created through API .

By: Mike Fleming

Mike Fleming — Sat, 31 Mar 2007 12:26:12 +0000

Good point.

The solution to that might be to add a configuration setting and change the link condition to something like:

(isUserInRole(â€AuthorRoleâ€) || isFreeForAll())

By: Niels Harremoes

Niels Harremoes — Sat, 31 Mar 2007 08:40:18 +0000

You are right. I hadn’t thought about the everyone group requiring login.
But just removing security constraints and role mappings will probably not work, since the application is likely to use isUserInRole(“AuthorRole”) to determine whether to show the “Add new post” link.

By: Mike Fleming

Mike Fleming — Sat, 31 Mar 2007 01:06:31 +0000

Niels,

Thanks for the comment.

If I understand your scenario correctly, you’re mapping AuthorRole to the AuthorGroup for the first instance so that you can identify the specific users you mentioned. Correct me if I made a bad assumption especially since I read in some extra detail.

For the second instance you’re mapping AuthorRole to the everyone group in the hopes of allowing anonymous users to have the AuthorRole.

But from what I’ve seen, any security constraint in web.xml requires authentication even if the role ultimately maps to the everyone group. In that case, your second instance would still require authentication but the user would be otherwise unprivileged.

To answer your question, I would implement the free-for-all instance by removing the security constraints.

Here’s the sample app I used when writing the post. Perhaps if I’m configuring it incorrectly it will jump out at you.

Do you have a working example?

Thanks again.

By: Niels Harremoes

Niels Harremoes — Fri, 30 Mar 2007 07:40:51 +0000

Assume you have a discussion forum application which defines an AuthorRole. Now, you want to deploy two instances of the application, one where only specific authenticated users are authors and one free-for-all, which doesn’t require authentication. How would you set up the latter without the everyone group?