Package examples.security.jaas

This package demonstrates how to access a WebLogic Server resource (in this case, an RMI object) through the use of JAAS authentication.

See:
Description

Interface Summary

Frobable

A remote interface that illustrates access control on an RMI object.

Class Summary

CertLoginModule	Sample login module for certificate based mutual authentication.
ConfigParser
FrobImpl	Illustrates how to use an ACL to protect the methods of an RMI object's.
MyCallbackHandler	Implementation of the CallbackHandler Interface
SampleAction
SampleClient	Sample client for JAAS user authentication
SampleConfig	Sample configuration class for JAAS user authentication.
SampleLoginModule	Sample login module that performs password authentication.

Package examples.security.jaas Description

This package demonstrates how to access a WebLogic Server resource (in this case, an RMI object) through the use of JAAS authentication. JAAS authentication replaces a JNDI Environment object as the way to pass authentication data from a client to WebLogic Server. Two JAAS login modules are supplied in the package:

• SampleLoginModule.java authenticates principals using a username and password. The user is prompted for a username and password which is then passed through the JAAS authenticated interface. If authentication is successful the client will attempt to execute the RMI object method using the JAAS authorization doAs interface. The SampleClient.java class connects to WebLogic Server using a username and password defined through the Administration Console.

• CertLoginModule.java authenticates principals using a digital certificate. The user is prompted for the name of a digital certificate, private key file, and a digital certificate for a certificate authority. This information is passed through the JAAS authenticated interface. If authentication is successful the client will attempt to execute the RMI object method using the JAAS authorization doAs interface.

Perform the following steps in order to build, compile and run the example:

1. Build the example
2. Configure the WebLogic server for username/password authentication or certificate authentication
3. Run the example

Build the Example

1. Set up your development shell as described in Setting up your environment.

2. Compile the example by executing an ant build script or by executing a set of commands.
   • An ant build script is available in the samples/examples/security/jaas directory. Enter the following command to execute the build script:

     ant

   • Enter the following commands to compile the example:
     1. Compile the Frobable interface and implementation class in the samples/examples/security/jaas directory:

         javac -d  %SERVER_CLASSES% Frobable.java FrobImpl.java

     2. Run the WebLogic RMI compiler to generate a client stub and skeleton for the FrobImpl interface:

         java weblogic.rmic -d %SERVER_CLASSES% examples.security.acl.FrobImpl

     3. Compile the example classes:

         javac -d %CLIENT_CLASSES% SampleAction.java

         javac -d %CLIENT_CLASSES% SampleClient.java

         javac -d %CLIENT_CLASSES% SampleConfig.java

         javac -d %CLIENT_CLASSES% SampleLoginModule.java

         javac -d %CLIENT_CLASSES% CertLoginModule.java

         javac -d %CLIENT_CLASSES% ConfigParser.java

Configure the Server for Username/Password Authentication

1. Bring up the Administration Console in a browser.

2. Register the FrobImpl instance as a RMI startup class:
   1. Click to expand the Deployments node in the left pane.
   2. Click to expand the Startup & Shutdown node in the left pane.
   3. Select the frob node.
   4. Verify that the ClassName is examples.security.jaas.FrobImpl.
   5. Deploy the frob startup class on the examplesServer.

3. If not already defined, define joeuser as a User in the File realm:
   1. Click to expand the Security node in the left pane.
   2. Select the Users node.
   3. Click the Create a New User link.
   4. Add a User named joeuser with the password joepass.

   Note: The Examples WebLogic Server comes pre-configured with users and groups; the preceding procedure is provided mostly for informational purposes.

4. If not already added, add joeuser to the Everyone Group.
   1. Click to expand the Group node in the left pane.
   2. Enter everyone in the Name attribute.
   3. Click on the Users attribute and select joeuser
   4. Click on the Apply button.

5. Create an ACL called aclexample that grants the permission frob for User joeuser:
   1. Select the Access Control Lists node in the left pane.
   2. Create a new ACL with the name aclexample.
   3. In the Permission field, enter frob.
   4. In the Grant to User field, enter joeuser.

Configure the Server for Certificate Authentication

1. Copy the demonstration digital certificate and private key for WebLogic Server and the digital certificate for the certificate authority from the \wlserver6.1\config\examples directory to the directory in which you are running the JAAS code example.
   • The name of the digital certificate is democert.pem.
   • The name of the digital certificate for the certificate authority is ca.pem.
   • The name of the private key file is demokey.pem.

   You can also use digital certificate and private key you obtain with the JAAS code example. Copy the digital certificates and the private key file into the directory in which you are running the JAAS code example.

2. Copy the Sample.policy file from the \wlserver6.1\samples\examples\security\jaas directory to the \wlserver61.\config\examples directory.

3. Bring up the Administration Console in a browser.

4. Register the FrobImpl instance as a RMI startup class:
   1. Click to expand the Deployments node in the left pane.
   2. Click to expand the Startup & Shutdown node in the left pane.
   3. Select the frob node.
   4. Verify that the ClassName is examples.security.jaas.FrobImpl.
   5. Deploy the frob startup class on the examplesServer.

5. Run the CertAuthenticator code example. This code example installs the SimpleCertAuthenticator which is used for certificate authentication. In order for the JAAS code example to work with the demonstration digital certificate, a user named support must be defined through the Administration Console.

Run the Example

1. Restart the Server. When starting WebLogic Server, use the following command line argument to specify the location of policy file that is used with the JAAS code example.

     -Djava.security.auth.policy=%WL_HOME%\config\examples\Sample.policy

2. You can use either username/password authentication or certificate authentication with SampleClient.
   • Use the following command to run SampleClient with username/password authentication:

     java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.jaas.SampleClient url

     url specifies the T3 or HTTP protocol and the default port on which WebLogic Server listens for communications. SampleClient does support access using the HTTPS protocol.

     For example:

     java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.jaas.SampleClient t3://localhost:7001

   • Use the following command to run SampleClient with certificate authentication:

     java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.jaas.SampleClient url cert

     cert tells the SampleClient to use the configured CertLoginModule.

     For example:

     java -Dweblogic.security.SSL.ignoreHostnameVerification=true examples.security.jaas.SampleClient t3s://localhost:7002 cert 

     You are prompted for the name of the digital certificate for the private key for WebLogic Server, and the name of the digital certificate for the certificate authority. If you use your own digital certificate and its private key is encrypted, enter the password for the private key.

   • To use the HTTP protocol in the SampleClient, you must configure the server for tunneling. To configure WebLogic Server for tunneling, perform these steps:

     1. Bring up the Administration Console in a browser.

     2. Click to expand the Servers node in the left pane of the Administration Console.

     3. Select the exampleServer node in the left pane of the Administration Console.

     4. Select the Tuning tab in the Server Configuration window and check the Tunneling Enable check box. The server does not have to be restarted to enable the tunneling option.

     5. To run the SampleClient, enter the commands listed above, but specify http instead of t3.

There's more...

Read more about using the JAAS API to authenticate clients in Programming WebLogic Security .