weblogic authentication debugging

OGh Oracle Fusion Middleware Experience 2016 at FIGI Zeist. Maarten Smeets, 16-02-2016. Debugging WebLogic authentication.

Upload: maarten-smeets

Post on 12-Apr-2017


WebLogic authentication debugging

OGh Oracle Fusion Middleware Experience 2016 at FIGI Zeist

Maarten Smeets, 16-02-2016

Introduction

• About AMIS
  – Located in the Netherlands
  – Oracle Award winning partner

• About me
  – Senior Oracle Integration Consultant
  – Experience with Oracle SOA Suite since 2007
  – Well certified (SOA, BPM, Java, SQL, PL/SQL among others)
  – Author of more than 100 blog articles (http://javaoraclesoa.blogspot.com)
  – MaartenSmeetsNL
  – https://nl.linkedin.com/in/smeetsm

Oracle Virtual Technology Summit

http://www.oracle.com/technetwork/community/developer-day/index.html

March 8, 2016, 18:30 CET

• Database Application Development
• Oracle DB 12c Performance
• MySQL
• Java EE, Microservices and JPA
• All about Java 8
• The Internet of Things
• WebLogic 12.2.1 and Java EE
• Operating Systems and Virtualization
• Storage, SPARC and Software Development

Agenda

• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication

Why use an external Identity Store

(diagram: one Identity Store shared by the applications running on WLS SOA, WLS OSB, WLS ADF and WLS WCC)

• An application uses company internal users
• Often internal users are already present in an Identity Store
• A management organization is already in place
• Single environment to manage users
• Single account per user

Introduction OPSS: Oracle Identity Store solutions

• Oracle Unified Directory (OUD)
  – Embedded Berkeley Database
  – LDAP proxy
  – Much faster read/write than ODSEE
  – Provides LDAP virtualization
  – Elastic scaling
  – Strategic Directory Server product
  – Designed to address current and future on-premise, mobile and cloud needs

• Oracle Directory Server Enterprise Edition (ODSEE)
  – ODSEE 5.2 and 6.3 are in Sustaining Support
  – No new fixes will be created

• Oracle Virtual Directory (OVD)
  – Provides virtualization of different sources
  – OUD does not replace OVD

• Oracle Internet Directory (OID)
  – Uses an external Oracle DB
  – Used with Fusion Applications

https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory


Introduction OPSS

(architecture diagram: Java EE applications, Java SE applications and WebLogic Server call the OPSS APIs; the Service Provider Interface layer underneath dispatches to the providers for Authentication, Authorization, the Credential Store Framework and User/Role; the providers are backed by the Identity Store)


What to debug

(diagram of the layers between the identity store and the application, with what to check at each layer)

• Identity Store: LDAP queries, SSL/TLS, role mappings, organizational units
• Authentication provider (WebLogic Console): config.xml
• Virtualization / platform security (OPSS): jps-config.xml, jps-config-jse.xml, system-jazn-data.xml
• Application / authentication API: web.xml, weblogic.xml


Debug WebLogic authentication: using an external client

• Use an external LDAP client, for example Apache Directory Studio. Bind with the principal and base DNs the authentication provider is configured with and repeat its user and group searches, so that a failure can be reproduced (or ruled out) outside WebLogic.

Debug WebLogic authentication: Embedded LDAP

• Log in using Bind DN / User cn=Admin (the password is the embedded LDAP credential, set in the console under the domain's Security > Embedded LDAP page)
• Reachable on the normal server listen port; by default connect to the AdminServer port, which holds the master copy (managed servers keep replicas)
• Check out cn=Config for the LDAP server properties
• Notice the use of dynamic groups

Debug WebLogic authentication: authentication provider configuration

• Select the authentication provider type as specific as possible (for example the Active Directory authenticator instead of the generic LDAPAuthenticator), so that the default filters and attribute names match the directory
• JAAS control flags
• LDAP connection details
• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups
• Cache settings

Debug WebLogic authentication: using WebLogic Console

• JAAS control flags
  – REQUIRED: the provider is always called and must succeed; whatever the result, the remaining providers are still evaluated
  – REQUISITE: the provider must succeed; if it does, the providers further down the list are evaluated, if it fails, evaluation stops immediately
  – SUFFICIENT: if authentication passes (and no earlier REQUIRED or REQUISITE provider failed), no other providers are evaluated; if it fails, they are
  – OPTIONAL: passing authentication on this provider is optional; if all providers are OPTIONAL, at least one must pass
• The DefaultAuthenticator (embedded LDAP) is REQUIRED by default. Leaving it that way after adding an LDAP authenticator means every user must exist in both stores; the usual setup is SUFFICIENT on both providers
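The flag semantics above are easy to get wrong when several providers are stacked, so here is an added example (not from the slides) that evaluates a provider list under the JAAS rules. The provider names, accounts and passwords are constructed for the demo and stand in for the DefaultAuthenticator and an external LDAP authenticator; a provider's login() only checks a dictionary instead of binding to a directory.

```python
"""Evaluate a WebLogic security realm's authentication provider stack under the
JAAS control-flag rules. Providers, accounts and passwords are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: str
    accounts: Dict[str, str]   # user -> password known to this store (stand-in for an LDAP bind)

    def login(self, user: str, password: str) -> bool:
        return self.accounts.get(user) == password


def authenticate(stack: List[Provider], user: str, password: str) -> Tuple[bool, List[str]]:
    """Return (overall result, names of the providers consulted, in order).

    JAAS LoginContext rules, which WebLogic applies to its provider list:
    - REQUIRED:   must succeed; the remaining providers are still called.
    - REQUISITE:  must succeed; on failure evaluation stops at once.
    - SUFFICIENT: on success stop at once (unless an earlier REQUIRED/REQUISITE
                  provider failed); on failure carry on down the list.
    - OPTIONAL:   ignored, except that when no provider is REQUIRED/REQUISITE
                  at least one SUFFICIENT or OPTIONAL provider must succeed.
    """
    consulted: List[str] = []
    has_mandatory = mandatory_failed = optional_ok = False
    for p in stack:
        consulted.append(p.name)
        ok = p.login(user, password)
        if p.flag in (REQUIRED, REQUISITE):
            has_mandatory = True
            if not ok:
                mandatory_failed = True
                if p.flag == REQUISITE:
                    return False, consulted
        elif p.flag == SUFFICIENT:
            if ok and not mandatory_failed:
                return True, consulted
        elif p.flag == OPTIONAL:
            optional_ok = optional_ok or ok
        else:
            raise ValueError(f"unknown control flag {p.flag!r} on {p.name}")
    if has_mandatory:
        return not mandatory_failed, consulted
    return optional_ok, consulted


def demo_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    embedded = {"weblogic": "demo-admin-pw"}   # constructed embedded LDAP account
    corp_ldap = {"jdoe": "demo-user-pw"}       # constructed external LDAP account
    # As shipped: DefaultAuthenticator is REQUIRED; the added LDAP provider is SUFFICIENT.
    as_shipped = [Provider("DefaultAuthenticator", REQUIRED, embedded),
                  Provider("CorpLDAPAuthenticator", SUFFICIENT, corp_ldap)]
    # Usual fix: both SUFFICIENT, external provider first.
    fixed = [Provider("CorpLDAPAuthenticator", SUFFICIENT, corp_ldap),
             Provider("DefaultAuthenticator", SUFFICIENT, embedded)]
    return {
        "ldap user, as shipped": authenticate(as_shipped, "jdoe", "demo-user-pw"),
        "ldap user, fixed": authenticate(fixed, "jdoe", "demo-user-pw"),
        "embedded user, fixed": authenticate(fixed, "weblogic", "demo-admin-pw"),
        "wrong password, fixed": authenticate(fixed, "jdoe", "wrong"),
    }


if __name__ == "__main__":
    for label, (ok, consulted) in demo_scenarios().items():
        print(f"{label:24s} -> {'OK  ' if ok else 'FAIL'} via {' > '.join(consulted)}")
```

The first scenario is the classic symptom: the LDAP provider accepts the password, yet the login fails because the REQUIRED DefaultAuthenticator did not know the user. The consulted list also tells you which providers' debug output to expect in the server log.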

Debug WebLogic authentication: cache settings

• How to uniquely identify an LDAP entry: the GUID attribute
• The GUID attribute is used as the cache key
• It is provider specific
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• A misconfigured GUID attribute (one the directory does not have, or one that is not unique per entry) can lead to first login fails, second login succeeds (cache issues)

Debug WebLogic authentication: using WebLogic Console

Check, in this order, that:

• The connection to the external provider works
• Server trust is established (for LDAPS, the directory's certificate chain is in the WebLogic trust store)
• The user query works
• Validating the authentication details works (the bind with the user's own credentials)

• The dynamic group object class works
• The Group Base DN works
• The User Dynamic Group DN Attribute works
• The Dynamic Group Name Attribute works

Security Realms > myrealm > Users and Groups shows whether the user and group lookups succeed; a user that is listed there but cannot log in points at the credential validation step rather than at the searches.
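To repeat the provider's searches in an external client you need the exact filter it sends. The following added example (not from the slides) renders the filter templates of the generic LDAPAuthenticator and the ActiveDirectoryAuthenticator with the user or group name filled in, escaped per RFC 4515, and builds the equivalent ldapsearch command line. The templates are the shipped defaults; the host, port, bind DN and base DNs are constructed for the demo, and you should read the real values from the Provider Specific tab of your own provider.

```python
"""Render the LDAP searches a WebLogic LDAP authenticator performs, so they can be
repeated with ldapsearch or Apache Directory Studio. Values are constructed."""
import shlex
from typing import Dict, Iterable, Tuple

# Default filter templates as shipped (%u = user name, %g = group name).
DEFAULT_TEMPLATES: Dict[str, Dict[str, str]] = {
    "LDAPAuthenticator": {
        "user_from_name": "(&(uid=%u)(objectclass=person))",
        "static_group_from_name": "(&(cn=%g)(objectclass=groupofuniquenames))",
        "dynamic_group_from_name": "(&(cn=%g)(objectclass=groupofURLs))",
    },
    "ActiveDirectoryAuthenticator": {
        "user_from_name": "(&(cn=%u)(objectclass=user))",
        "static_group_from_name": "(&(cn=%g)(objectclass=group))",
    },
}

# RFC 4515 escaping of assertion values; without it a user name such as
# "*)(uid=*" would change the meaning of the filter.
_RFC4515 = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def render_filter(template: str, **names: str) -> str:
    """Fill %u / %g with escaped values (keyword u for user name, g for group name)."""
    out = template
    for key, placeholder in (("u", "%u"), ("g", "%g")):
        if key in names:
            out = out.replace(placeholder, escape_filter_value(names[key]))
    return out


def ldapsearch_command(host: str, port: int, bind_dn: str, base_dn: str, ldap_filter: str,
                       attrs: Iterable[str] = (), ldaps: bool = False) -> str:
    """Equivalent OpenLDAP ldapsearch invocation (-W prompts for the bind password)."""
    scheme = "ldaps" if ldaps else "ldap"
    parts = ["ldapsearch", "-H", f"{scheme}://{host}:{port}", "-D", bind_dn, "-W",
             "-b", base_dn, "-s", "sub", ldap_filter, *attrs]
    return " ".join(shlex.quote(p) for p in parts)


def user_lookup(provider_type: str, user: str, user_base_dn: str, host: str, port: int,
                bind_dn: str, ldaps: bool = True) -> Tuple[str, str]:
    """Return (filter, ldapsearch command) for the provider's user-from-name search."""
    flt = render_filter(DEFAULT_TEMPLATES[provider_type]["user_from_name"], u=user)
    return flt, ldapsearch_command(host, port, bind_dn, user_base_dn, flt, ldaps=ldaps)


if __name__ == "__main__":
    # Constructed connection details.
    flt, cmd = user_lookup("LDAPAuthenticator", "jdoe", "ou=people,dc=example,dc=com",
                           "ldap.example.com", 636, "cn=svc-wls,ou=svc,dc=example,dc=com")
    print(flt)
    print(cmd)
    print(render_filter(DEFAULT_TEMPLATES["LDAPAuthenticator"]["user_from_name"], u="*)(uid=*"))
```

If the rendered search returns the entry in an external client but WebLogic still cannot find the user, the difference is in the provider's base DN, scope or principal, not in the directory.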

Debug WebLogic authentication: using log files

• Enable the DebugSecurityAtn flag on the server (Console: server > Debug > weblogic > security > atn) and set the server log severity to Debug; the server log then records the LDAP connections and the LDAP queries the provider performs, which is where a wrong filter, base DN or group attribute shows up

Demo

• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug authentication using the log files


Debug application authentication

(the same layer diagram as in "What to debug": Identity Store, authentication provider in the WebLogic Console, virtualization / platform security (OPSS), and the application's authentication API; the following slides cover the last two layers)

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml: users, groups and authorization policies
• cwallet.sso: credentials used by the application
• adapters.os_xml: LibOVD plugin configuration

Debug application authentication: LibOVD

• Present since 11.1.1.4 and has seen several patches since then. A lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider in the realm; LibOVD provides virtualization, so that several providers can be queried as one identity store
• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually (the virtualize=true property on the identity store service instance) or from Enterprise Manager. Plugin configuration is in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

Debug application authentication: LibOVD configuration

• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml provides the login modules, authentication providers and credential stores

Debug application authentication: LibOVD configuration

• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the groupOfUniqueNames and the groupOfURLs object classes
• Only one structural object class (chain) is allowed per LDAP entry, and both classes are structural, so the directory's schema check rejects an entry that carries both
• Fix by setting the superclass (SUP) of groupOfURLs to groupOfUniqueNames in the directory schema, so the two classes form a single chain

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
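The schema rule behind the rejection is worth seeing in code. This added example (not from the slides or the article they cite) models a few object classes, checks an entry's objectClass values against the one-structural-chain rule of RFC 4512, and shows that the same dynamic-group entry is rejected under the shipped schema and accepted once groupOfURLs inherits from groupOfUniqueNames. The schema fragments, the auxiliary class demoAuxGroup and the entries are constructed for the demo; only the two group class names come from the slides.

```python
"""Check an LDAP entry's object classes against the one-structural-chain rule.
Schema fragments and entries are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                   # "STRUCTURAL", "AUXILIARY" or "ABSTRACT"
    sup: Optional[str] = None   # superior class; single inheritance is enough here


def base_schema() -> Dict[str, ObjectClass]:
    """Schema as commonly shipped: groupOfURLs is a structural class of its own."""
    classes = [
        ObjectClass("top", "ABSTRACT"),
        ObjectClass("groupOfUniqueNames", "STRUCTURAL", "top"),
        ObjectClass("groupOfURLs", "STRUCTURAL", "top"),
        ObjectClass("demoAuxGroup", "AUXILIARY", "top"),   # constructed, for contrast
    ]
    return {c.name.lower(): c for c in classes}


def fixed_schema() -> Dict[str, ObjectClass]:
    """The fix from the slides: groupOfURLs SUP groupOfUniqueNames."""
    schema = dict(base_schema())
    schema["groupofurls"] = ObjectClass("groupOfURLs", "STRUCTURAL", "groupOfUniqueNames")
    return schema


def ancestors(schema: Dict[str, ObjectClass], name: str) -> List[str]:
    """[name, its superior, that one's superior, ...], lowercased."""
    chain: List[str] = []
    cur: Optional[str] = name.lower()
    while cur is not None:
        if cur in chain:
            raise ValueError(f"cycle in schema at {cur}")
        oc = schema.get(cur)
        if oc is None:
            raise ValueError(f"unknown object class {cur}")
        chain.append(cur)
        cur = oc.sup.lower() if oc.sup else None
    return chain


def check_entry(schema: Dict[str, ObjectClass],
                object_classes: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (accepted, structural classes the entry resolves to).

    RFC 4512 section 2.4.2: an entry has exactly one structural object class
    chain, so every structural class in the entry (inherited ones included)
    must be an ancestor of one most-specific structural class.
    """
    structural: Set[str] = set()
    for oc in object_classes:
        structural.update(a for a in ancestors(schema, oc) if schema[a].kind == "STRUCTURAL")
    if not structural:
        return False, []          # an entry without a structural class is invalid
    one_chain = any(structural <= set(ancestors(schema, c)) for c in structural)
    return one_chain, sorted(structural)


# objectClass values of the entry the LibOVD dynamic group plugin needs (constructed).
DYNAMIC_GROUP_OBJECT_CLASSES = ["top", "groupOfUniqueNames", "groupOfURLs"]

if __name__ == "__main__":
    for label, schema in (("shipped schema", base_schema()),
                          ("groupOfURLs SUP groupOfUniqueNames", fixed_schema())):
        accepted, classes = check_entry(schema, DYNAMIC_GROUP_OBJECT_CLASSES)
        print(f"{label}: {'accepted' if accepted else 'rejected'} structural={classes}")
```

Directories that enforce this rule (OUD does by default) return an object class violation on the add; the check above reproduces that decision offline so you can tell a schema problem from a plugin configuration problem.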

Debug application authentication: LibOVD debugging

• The log configuration in Enterprise Manager Fusion Middleware Control (WebLogic Domain > Logs > Log Configuration) can be used when ADFLogger is used in the application
• It can also be used for specific WebLogic Server component debugging, such as the oracle.ods.virtualization logger for LibOVD

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines the security constraints and the valid-users security role, and sets up the OPSS policy provider (the JpsFilter servlet filter)
  – weblogic.xml: maps the valid-users role to the OPSS principal "users" (every authenticated user)

Demo

• Use basic authentication in an ADF application

Debug application authentication: ADF Security

• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); with EL: #{securityContext.userInRole['role']}

(diagram: users → enterprise roles (role assignment in weblogic.xml) → application roles → permissions, via the grants in jazn-data.xml)

Debug application authentication: ADF Security

• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
  – Out-of-the-box file based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change it while WebLogic is down, or from EM; the running server keeps its own copy and manual edits made while it is up are lost

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException details, among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

Debug application authentication: Business Process Management

• Authenticate with a user
• The user is a member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses the application roles and organization units

Debug application authentication: the Identity Service

• Can I authenticate the user? authenticateUser
• Can I determine groups? getGroups
• Can I determine granted roles? getGrantedRolesToUser
• Can I determine organizational units? Use the Java API

WSDL: http://HOST:PORT/integration/services/IdentityService/identity?WSDL
Java API: <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

Conclusion

• Many debugging options are available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 2: WebLogic authentication debugging

Introduction

bull About AMISndash Located in the Netherlandsndash Oracle Award winning partner

bull About mendash Senior Oracle Integration Consultantndash Experience with Oracle SOA Suite since 2007ndash Well certified (SOA BPM Java SQL

PLSQL among others)ndash Author more than 100 blog articles (

httpjavaoraclesoablogspotcom)

MaartenSmeetsNL

httpsnllinkedincominsmeetsm

4

Oracle Virtual Technology Summit

httpwwworaclecomtechnetworkcommunitydeveloper-dayindexhtml

March 8 2016 183000 CET

bull Database Application Developmentbull Oracle DB12c Performancebull MySQLbull Java EE Microservices and JPAbull All about Java 8 bull The Internet of Thingsbull WebLogic 1221 and Java EEbull Operating Systems and Virtualizationbull StorageSPARC and Software

Development

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

6

Why use an external Identity Store

Application

WLS SOA

WLS OSB

WLS ADF

WLS WCC

bull An application uses company internal users

bull Often internal users are already present in an Identity Store

bull Management organization in place

bull Single environment to manage users

bull Single account per user

7

Introduction OPSSOracle Identity Store solutions

bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future

on-premise mobile and cloud needs

bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created

bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD

bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications

httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 3: WebLogic authentication debugging

4

Oracle Virtual Technology Summit

httpwwworaclecomtechnetworkcommunitydeveloper-dayindexhtml

March 8 2016 183000 CET

bull Database Application Developmentbull Oracle DB12c Performancebull MySQLbull Java EE Microservices and JPAbull All about Java 8 bull The Internet of Thingsbull WebLogic 1221 and Java EEbull Operating Systems and Virtualizationbull StorageSPARC and Software

Development

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

6

Why use an external Identity Store

Application

WLS SOA

WLS OSB

WLS ADF

WLS WCC

bull An application uses company internal users

bull Often internal users are already present in an Identity Store

bull Management organization in place

bull Single environment to manage users

bull Single account per user

7

Introduction OPSSOracle Identity Store solutions

bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future

on-premise mobile and cloud needs

bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created

bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD

bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications

httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authentication: LibOVD

• Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server

• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization

• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

29

Debug application authentication: LibOVD configuration

• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml – provides login modules, authentication providers, credential stores

30

Debug application authentication: LibOVD configuration

• The OPSS API only queries static groups by default, not dynamic groups

• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)

• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs objectclasses

• Only one structural class is allowed per LDAP object

• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authentication: LibOVD debugging

• Can be used when the ADFLogger is used in the application

• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD

32

Debug application authentication: ADF Security

• Application configuration files

– web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)

– weblogic.xml: maps valid-users to the OPSS principal users
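As an added example (not from the presentation), the web.xml and weblogic.xml fragments that implement the two bullets above for an ADF application using BASIC authentication, as in the demo; the role, filter and servlet names follow the JDeveloper defaults, and MyAdfApp and myrealm are placeholders.

```xml
<!-- web.xml (added example): JpsFilter plus the valid-users authorization constraint -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- OPSS filter: establishes the JPS subject and policy context for every request -->
  <filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
    <init-param>
      <param-name>enable.anonymous</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <param-name>remove.anonymous.role</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>application.name</param-name>
      <!-- placeholder; must match the application stripe used in jazn-data.xml -->
      <param-value>MyAdfApp</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>JpsFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
  </filter-mapping>

  <!-- Authorization constraint: everything under /faces requires an authenticated user -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allPages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>valid-users</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Basic authentication against the WebLogic security realm (the demo scenario) -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>

  <security-role>
    <role-name>valid-users</role-name>
  </security-role>
</web-app>

<!-- weblogic.xml (added example): maps the Java EE role valid-users to the WebLogic
     built-in group "users", i.e. every principal that any authentication provider
     in the realm has authenticated -->
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>
```

If the browser is prompted for credentials but every valid login is answered with 403, check this mapping first: a valid-users role that is not assigned to a principal (or is assigned to a group the user is not in) fails at the container, before OPSS and the application are involved.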

33

Demo

• Use basic authentication in an ADF application

34

Debug application authentication: ADF Security

• Application configuration files

– jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles

– Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']

[Diagram: Users → Enterprise roles → Application roles → Permissions, with the grants defined in weblogic.xml and jazn-data.xml]
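As an added example (not from the presentation), a jazn-data.xml that spells out the chain above: a development user in an enterprise role (group), an application role granted to that group, and a page permission granted to the application role. All names (testuser, testgroup, approle1, MyAdfApp, mainPageDef) are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jazn-data.xml (added example, not from the presentation); all names are placeholders -->
<jazn-data xmlns="http://xmlns.oracle.com/oracleas/schema/jazn-data-11.xsd">

  <!-- Development-time identity store, used only by the integrated WebLogic server.
       On a real domain the user and the group must exist in the authentication
       provider (for example the LDAP server), not here. -->
  <jazn-realm default="jazn.com">
    <realm>
      <name>jazn.com</name>
      <users>
        <user>
          <name>testuser</name>
          <!-- JDeveloper writes an obfuscated password here; placeholder value -->
          <credentials>PLACEHOLDER_CREDENTIAL</credentials>
        </user>
      </users>
      <roles>
        <!-- Enterprise role (WebLogic group) with testuser as a member -->
        <role>
          <name>testgroup</name>
          <members>
            <member>
              <type>user</type>
              <name>testuser</name>
            </member>
          </members>
        </role>
      </roles>
    </realm>
  </jazn-realm>

  <!-- Policy store: on deployment this part is migrated to the domain policy store
       (out of the box the file system-jazn-data.xml) -->
  <policy-store>
    <applications>
      <application>
        <!-- application stripe; must match the application.name given to the JpsFilter -->
        <name>MyAdfApp</name>
        <app-roles>
          <!-- Application role granted to the enterprise role (group) testgroup -->
          <app-role>
            <name>approle1</name>
            <class>oracle.security.jps.service.policystore.ApplicationRole</class>
            <members>
              <member>
                <class>weblogic.security.principal.WLSGroupImpl</class>
                <name>testgroup</name>
              </member>
            </members>
          </app-role>
        </app-roles>
        <jazn-policy>
          <!-- Resource permission (view on a page definition) granted to the application role -->
          <grant>
            <grantee>
              <principals>
                <principal>
                  <class>oracle.security.jps.service.policystore.ApplicationRole</class>
                  <name>approle1</name>
                </principal>
              </principals>
            </grantee>
            <permissions>
              <permission>
                <class>oracle.adf.share.security.authorization.RegionPermission</class>
                <name>view.pageDefs.mainPageDef</name>
                <actions>view</actions>
              </permission>
            </permissions>
          </grant>
        </jazn-policy>
      </application>
    </applications>
  </policy-store>
</jazn-data>
```

To confirm the chain end to end, log in as testuser and evaluate the check from the slide, isUserInRole("approle1"), which should return true; false after a successful login usually means the group is missing from the authentication provider (or not found, see the LibOVD notes on dynamic groups) or the stripe name does not match.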

35

Debug application authentication: ADF Security

• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml

– OOTB file-based policy store

– Users, groups, authorization policies

– CredentialAccessPermission

– Change while WebLogic is down, or from EM

36

Debug application authentication: JVM parameters

• JVM parameters

– -Djps.auth.debug=true to get AccessControlException among other useful messages

– -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

37

Debug application authentication: Business Process Management

• Authenticate with a user

• The user is a member of (authentication provider) groups

• Groups are granted (application) roles and organization units

• Business Process Management uses application roles and organization units

38

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

39

Conclusion

• Many debugging options available

– Looking at WebLogic Console or application behavior

– Using an external client for your authentication provider

– Debug logging in the WebLogic Server console

– Log configuration in Enterprise Manager Fusion Middleware Control

– Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong

• The WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 4: WebLogic authentication debugging

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

6

Why use an external Identity Store

Application

WLS SOA

WLS OSB

WLS ADF

WLS WCC

bull An application uses company internal users

bull Often internal users are already present in an Identity Store

bull Management organization in place

bull Single environment to manage users

bull Single account per user

7

Introduction OPSSOracle Identity Store solutions

bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future

on-premise mobile and cloud needs

bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created

bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD

bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications

httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 5: WebLogic authentication debugging

6

Why use an external Identity Store

Application

WLS SOA

WLS OSB

WLS ADF

WLS WCC

bull An application uses company internal users

bull Often internal users are already present in an Identity Store

bull Management organization in place

bull Single environment to manage users

bull Single account per user

7

Introduction OPSSOracle Identity Store solutions

bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future

on-premise mobile and cloud needs

bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created

bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD

bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications

httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 6: WebLogic authentication debugging

7

Introduction OPSSOracle Identity Store solutions

bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future

on-premise mobile and cloud needs

bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created

bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD

bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications

httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug WebLogic authentication: Cache settings

• How to uniquely identify an LDAP entry? The GUID Attribute.
• The GUID Attribute is used as the cache key.
• Provider specific:
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• Misconfiguration can lead to: first login fails, second login succeeds (cache issues).

Debug WebLogic authentication using WebLogic Console

• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works

Debug WebLogic authentication using WebLogic Console (2)

• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works

Debug WebLogic authentication using log files

• LDAP connections
• LDAP queries

Demo

• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug the authentication using the log files

Agenda

• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication

Debug application authentication

(Slide diagram: the same layers as "What to debug", now seen from the application side)
• Identity Store – LDAP queries, SSL/TLS
• Authentication provider (WebLogic Console) – config.xml
• Virtualization / Platform security (OPSS) – jps-config.xml, jps-config-jse.xml, system-jazn-data.xml
• Application / Authentication API – web.xml, weblogic.xml, role mappings, organizational units

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE) – login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies
• cwallet.sso – credentials used by the application
• adapters.os_xml – LibOVD plugin configuration

Debug application authentication: LibOVD

• Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server.
• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization.
• Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml.

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

Debug application authentication: LibOVD configuration

• <DOMAINDIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers, credential stores

Debug application authentication: LibOVD configuration (2)

• The OPSS API only queries static groups by default, not dynamic groups.
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml).
• Requires that the dynamic group has both the groupOfUniqueNames and groupOfURLs object classes.
• Only one structural class is allowed per LDAP object.
• Fix by setting the superclass of groupOfURLs to groupOfUniqueNames.

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

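As an added example (not from the slides or from Oracle), the following Python audits a constructed LDIF export for the two conditions above: whether each dynamic group carries both object classes the LibOVD plugin needs, and whether the directory schema lets those two structural classes coexist on one entry, before and after groupOfURLs is re-parented under groupOfUniqueNames. The LDIF, the DNs and the toy schema tables are constructed; the parser handles only plain one-line attributes.

```python
"""Audit dynamic groups for the LibOVD dynamic-group plugin prerequisites.

Constructed example: a minimal LDIF parser, toy schema tables giving the
superclass of each structural group class before and after the fix from the
slide, and a check that shows why two unrelated structural classes fail.
"""
from typing import Dict, List, Set

# Constructed LDIF export (plain one-line attributes, no base64 or folding).
SAMPLE_LDIF = """\
dn: cn=sales-static,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: sales-static
uniqueMember: uid=alice,ou=people,dc=example,dc=com

dn: cn=sales-dynamic,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: sales-dynamic
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=sales)

dn: cn=eng-dynamic,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: eng-dynamic
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=eng)
"""

# Toy schema: lower-cased structural class -> its superclass; "top" is the
# abstract root. Default: both group classes derive directly from top.
SCHEMA_DEFAULT = {"groupofuniquenames": "top", "groupofurls": "top"}
# After the slide's fix: groupOfURLs is a subclass of groupOfUniqueNames.
SCHEMA_FIXED = {"groupofuniquenames": "top", "groupofurls": "groupofuniquenames"}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split simple LDIF into entries mapping lower-cased attr -> values."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry: Dict[str, List[str]] = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def ancestors(cls: str, schema: Dict[str, str]) -> Set[str]:
    """Superclasses of cls (excluding cls itself) according to the toy schema."""
    seen: Set[str] = set()
    while cls in schema:
        cls = schema[cls]
        seen.add(cls)
    return seen


def structural_chain_ok(object_classes: List[str], schema: Dict[str, str]) -> bool:
    """True if the entry's structural classes form one inheritance chain.

    An LDAP entry may have only one structural class; a class together with
    its own superclasses counts as one, two unrelated structural classes do not.
    """
    structural = {oc.lower() for oc in object_classes if oc.lower() in schema}
    leaves = {oc for oc in structural
              if not any(oc in ancestors(other, schema)
                         for other in structural if other != oc)}
    return len(leaves) <= 1


def plugin_ready(entry: Dict[str, List[str]]) -> bool:
    """The plugin needs both object classes and a memberURL on the group."""
    ocs = {oc.lower() for oc in entry.get("objectclass", [])}
    return {"groupofuniquenames", "groupofurls"} <= ocs and "memberurl" in entry


def audit(ldif_text: str, schema: Dict[str, str]) -> Dict[str, str]:
    """Return dn -> verdict for every entry that carries a memberURL."""
    verdicts: Dict[str, str] = {}
    for entry in parse_ldif(ldif_text):
        if "memberurl" not in entry:
            continue  # static group: OPSS already sees it without the plugin
        dn = entry["dn"][0]
        if not plugin_ready(entry):
            verdicts[dn] = "missing groupOfUniqueNames: plugin will not present it"
        elif not structural_chain_ok(entry["objectclass"], schema):
            verdicts[dn] = "two structural classes: directory rejects the entry"
        else:
            verdicts[dn] = "ok"
    return verdicts


if __name__ == "__main__":
    for label, schema in (("default", SCHEMA_DEFAULT), ("fixed", SCHEMA_FIXED)):
        for dn, verdict in audit(SAMPLE_LDIF, schema).items():
            print(f"[{label} schema] {dn}: {verdict}")
```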
Debug application authentication: LibOVD debugging

• Can be used when ADFLogger is used in the application
• Can be used for debugging specific WebLogic Server components, such as oracle.ods.virtualization for LibOVD

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to the OPSS principal "users"

Demo

• Use basic authentication in an ADF application

Debug application authentication: ADF Security (2)

• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles / users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']

(Slide diagram: Users, Enterprise roles, Application roles, Permissions, linked by Grants; labelled weblogic.xml and jazn-data.xml)

Debug application authentication: ADF Security (3)

• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

Debug application authentication: Business Process Management

• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

Conclusion

• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong.
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult.

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 7: WebLogic authentication debugging

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 8: WebLogic authentication debugging

Introduction OPSS

Identity Store

Providers

Authentication Authorization Credential Store Framework User Role

Service Provider Interface Layer

OPSS APIs

WebLogic Server

JavaEE application Java SE application

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 9: WebLogic authentication debugging

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

[Diagram of the layers between the identity store and the application: Identity Store, Authentication provider, Virtualization / Platform security, Application / Authentication API; WebLogic Console; configuration files jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; Role mappings, Organizational Units]

27

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services

• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies

• cwallet.sso – credentials used by the application

• adapters.os_xml – LibOVD plugin configuration

28

Debug application authentication: LibOVD

• Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server

• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization

• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

29

Debug application authentication: LibOVD configuration

• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml: provides login modules, authentication providers, credential stores

30

Debug application authentication: LibOVD configuration

• The OPSS API only queries static groups by default, not dynamic groups

• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)

• Requires that the dynamic group has both the groupOfUniqueNames and groupOfURLs object classes

• Only one structural class is allowed per LDAP object

• Fix by setting the superclass of groupOfURLs to groupOfUniqueNames

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
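Why an entry with both group classes violates the one-structural-chain rule, and why the superclass change resolves it, as an added Python check (not code from the talk or from LibOVD); the schema model and the LDIF entry are constructed and deliberately simplified.

```python
"""Check the LDAP rule that an entry may carry only one chain of STRUCTURAL
object classes (RFC 4512, section 2.4.2), which is what breaks a dynamic
group that is both groupOfUniqueNames and groupOfURLs.

Added illustration, not code from the talk or from LibOVD: the schema model is
reduced to the two properties the rule depends on (kind and superior class);
OIDs and MUST/MAY attributes are deliberately left out. The LDIF entry is
constructed sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str               # "ABSTRACT", "STRUCTURAL" or "AUXILIARY"
    sup: Optional[str]      # superior object class, None for the root 'top'


def make_schema(*classes: ObjectClass) -> Dict[str, ObjectClass]:
    """Index object classes by lower-cased name (LDAP names are case-insensitive)."""
    return {oc.name.lower(): oc for oc in classes}


# Schema as shipped: both group classes are STRUCTURAL and derive from 'top'
SCHEMA_BEFORE = make_schema(
    ObjectClass("top", "ABSTRACT", None),
    ObjectClass("groupOfUniqueNames", "STRUCTURAL", "top"),
    ObjectClass("groupOfURLs", "STRUCTURAL", "top"),
)

# Schema after the fix from the slide: groupOfURLs derives from groupOfUniqueNames
SCHEMA_AFTER = make_schema(
    ObjectClass("top", "ABSTRACT", None),
    ObjectClass("groupOfUniqueNames", "STRUCTURAL", "top"),
    ObjectClass("groupOfURLs", "STRUCTURAL", "groupOfUniqueNames"),
)

# Constructed dynamic group entry of the shape the LibOVD plugin expects
DYNAMIC_GROUP_LDIF = """\
dn: cn=soa-operators,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: soa-operators
uniqueMember: cn=placeholder,ou=people,dc=example,dc=com
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=ops)
"""


def object_classes_from_ldif(ldif_text: str) -> List[str]:
    """Collect the objectClass values of a single LDIF entry."""
    values = []
    for line in ldif_text.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "objectclass":
            values.append(value.strip())
    return values


def superior_chain(schema: Dict[str, ObjectClass], name: str) -> List[str]:
    """Return [name, its superior, ..., 'top'] in lower case."""
    chain: List[str] = []
    current: Optional[str] = name
    while current is not None:
        oc = schema[current.lower()]
        chain.append(oc.name.lower())
        current = oc.sup
    return chain


def structural_chain_ok(schema: Dict[str, ObjectClass], object_classes: List[str]) -> bool:
    """True when the STRUCTURAL classes of an entry form a single superior chain:
    one of them is the most specific class and every other one is its ancestor."""
    structural = [schema[n.lower()] for n in object_classes
                  if schema[n.lower()].kind == "STRUCTURAL"]
    if not structural:
        return False        # every entry needs exactly one structural chain
    for candidate in structural:
        ancestors = set(superior_chain(schema, candidate.name))
        if all(oc.name.lower() in ancestors for oc in structural):
            return True
    return False


def dynamic_group_valid(schema: Dict[str, ObjectClass], ldif_text: str) -> bool:
    """Apply the structural-chain check to an LDIF entry."""
    return structural_chain_ok(schema, object_classes_from_ldif(ldif_text))


if __name__ == "__main__":
    print("before fix:", dynamic_group_valid(SCHEMA_BEFORE, DYNAMIC_GROUP_LDIF))
    print("after fix: ", dynamic_group_valid(SCHEMA_AFTER, DYNAMIC_GROUP_LDIF))
```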

31

Debug application authentication: LibOVD debugging

• Can be used when ADFLogger is used in the application

• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD

32

Debug application authentication: ADF Security

• Application configuration files
– web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
– weblogic.xml: maps valid-users to the OPSS principal users

33

Demo

• Use basic authentication in an ADF application

34

Debug application authentication: ADF Security

• Application configuration files
– jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles / users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
– Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']

[Diagram: Users, Enterprise roles, Application roles, Permissions, Grants; weblogic.xml, jazn-data.xml]

35

Debug application authentication: ADF Security

• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
– OOTB file-based policy store
– Users, groups, authorization policies
– CredentialAccessPermission
– Change while WebLogic is down, or from EM

36

Debug application authentication: JVM parameters

• JVM parameters
– -Djps.auth.debug=true to get AccessControlException, among other useful messages
– -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

37

Debug application authentication: Business Process Management

• Authenticate with a user

• User is member of (authentication provider) groups

• Groups are granted (application) roles and organization units

• Business Process Management uses application roles and organization units

38

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

39

Conclusion

• Many debugging options available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in the WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong.

• The WebLogic Console is relatively easy to debug, compared to for example LibOVD. Application-side debugging is often also not very difficult.

Page 10: WebLogic authentication debugging

What to debug

Identity Store

WebLogic Console

ApplicationAuthentication API

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

Authentication provider

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 11: WebLogic authentication debugging

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 12: WebLogic authentication debugging

13

Debug Weblogic authenticationusing an external client

bull Using an external client

Apache Directory Studio

14

Debug WebLogic authenticationEmbedded LDAP

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authentication: LibOVD debugging

• Can be used when ADFLogger is used in the application.

• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD.

32

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter).
  – weblogic.xml: maps valid-users to OPSS principal users.

33

Demo

• Use basic authentication in an ADF application.

34

Debug application authentication: ADF Security

• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: #{securityContext.userInRole['role']}

(Diagram: Users, Enterprise roles, Application roles and Permissions, connected by grants; weblogic.xml and jazn-data.xml are the files in which these mappings live.)

35

Debug application authentication: ADF Security

• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM

36

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

37

Debug application authentication: Business Process Management

• Authenticate with a user

• User is member of (authentication provider) groups

• Groups are granted (application) roles and organization units

• Business Process Management uses application roles and organization units

38

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

39

Conclusion

• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, so that you can structure your debugging efforts and trace at which layer things go wrong.

• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult.

14

Debug WebLogic authentication: Embedded LDAP

15

Debug WebLogic authentication: Embedded LDAP

• Login using Bind DN / User cn=Admin

• Running by default on the AdminServer port

• Check out cn=Config for LDAP server properties

16

Debug WebLogic authentication: Embedded LDAP

• Notice the use of dynamic groups

17

Debug WebLogic authentication: Embedded LDAP

• Notice the use of dynamic groups

18

Debug WebLogic authentication: Authentication provider configuration

• Select the authentication provider (as specific as possible)

• JAAS Control flags

• LDAP connection details

• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups

• Cache settings

19

Debug WebLogic authentication: using WebLogic Console

• JAAS Control flags
  – SUFFICIENT: if authentication passes, no other authentication providers are evaluated. If it fails, they are.
  – REQUIRED: the authentication provider is always called and authentication must succeed.
  – OPTIONAL: passing authentication of this provider is optional. If all providers are optional, one needs to pass.
  – REQUISITE: authentication has to succeed on this provider. After that, providers of lower priority are evaluated.
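The four control flags interact, and the order of the providers matters as much as the flags themselves. The simulator below is an added example (not WebLogic or Oracle code) that walks a provider chain under the JAAS rules the slide lists and reports both the outcome and which providers were actually consulted; the chains, the "ExternalLDAP" provider name and the per-provider results are constructed test data (DefaultAuthenticator is the real name of the embedded LDAP provider).

```python
# Added illustration (not WebLogic or Oracle code): a small simulator of how a
# chain of WebLogic authentication providers is evaluated under the JAAS control
# flags from the slide. Provider names and outcomes are constructed test data.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


@dataclass
class Provider:
    name: str
    flag: Flag
    succeeds: bool  # constructed: would this provider accept the user's credentials?


@dataclass
class Outcome:
    authenticated: bool
    consulted: List[str] = field(default_factory=list)  # providers actually called, in order
    reason: str = ""


def evaluate_chain(providers: List[Provider]) -> Outcome:
    """Apply the JAAS rules to the providers in their configured order.

    REQUIRED   - always called; a failure makes the login fail, but the chain continues.
    REQUISITE  - must succeed; a failure stops the chain immediately.
    SUFFICIENT - a success ends the chain with a successful login, unless an earlier
                 REQUIRED/REQUISITE provider already failed; a failure continues the chain.
    OPTIONAL   - never decides on its own; if nothing REQUIRED/REQUISITE is configured,
                 at least one OPTIONAL or SUFFICIENT provider must succeed.
    """
    consulted: List[str] = []
    required_failed = False
    any_success = False
    for p in providers:
        consulted.append(p.name)
        if p.succeeds:
            any_success = True
        if p.flag is Flag.REQUIRED and not p.succeeds:
            required_failed = True
        elif p.flag is Flag.REQUISITE and not p.succeeds:
            return Outcome(False, consulted, f"{p.name} (REQUISITE) failed; chain aborted")
        elif p.flag is Flag.SUFFICIENT and p.succeeds and not required_failed:
            return Outcome(True, consulted, f"{p.name} (SUFFICIENT) succeeded; remaining providers skipped")
    if required_failed:
        return Outcome(False, consulted, "a REQUIRED provider failed")
    if any_success:
        return Outcome(True, consulted, "every REQUIRED/REQUISITE provider succeeded")
    return Outcome(False, consulted, "no provider accepted the credentials")


def scenarios() -> Dict[str, Outcome]:
    """Constructed chains. 'ExternalLDAP' stands for an external LDAP authenticator; the
    user exists only there, so DefaultAuthenticator (embedded LDAP) cannot authenticate them."""
    ext_ok = Provider("ExternalLDAP", Flag.SUFFICIENT, True)
    return {
        # Classic mistake: the embedded LDAP provider is left REQUIRED, so an external
        # user fails even though the external provider accepts the credentials.
        "default_required": evaluate_chain([
            Provider("DefaultAuthenticator", Flag.REQUIRED, False), ext_ok]),
        # Both SUFFICIENT, external provider first: login succeeds and the embedded
        # LDAP is never consulted (visible in the debug log as a missing lookup).
        "both_sufficient": evaluate_chain([
            ext_ok, Provider("DefaultAuthenticator", Flag.SUFFICIENT, False)]),
        # REQUISITE failure aborts the chain before the external provider runs.
        "requisite_first": evaluate_chain([
            Provider("DefaultAuthenticator", Flag.REQUISITE, False), ext_ok]),
        # All OPTIONAL and nothing succeeds: login fails.
        "all_optional_fail": evaluate_chain([
            Provider("DefaultAuthenticator", Flag.OPTIONAL, False),
            Provider("ExternalLDAP", Flag.OPTIONAL, False)]),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:18} authenticated={outcome.authenticated} "
              f"consulted={outcome.consulted} ({outcome.reason})")
```

Comparing the "consulted" list with the providers that actually show up in the WebLogic debug log is a quick way to confirm that the flags in the console match what the login is really doing.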

20

Debug WebLogic authentication: Cache settings

• How to uniquely identify an LDAP entry? The GUID Attribute.

• The GUID Attribute is used as cache key.

• Provider specific:
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid

• Misconfiguration can lead to "first login fails, second login succeeds" (cache issues).

21

Debug WebLogic authentication: using WebLogic Console

• Connection to external provider works

• Server trust is established

• User query works

• Validating authentication details works

22

Debug WebLogic authentication: using WebLogic Console

• Dynamic group object class works

• Group Base DN works

• User Dynamic Group DN Attribute works

• Dynamic Group Name Attribute works

23

Debug WebLogic authentication: using log files

• LDAP connections
• LDAP queries

24

Demo

• Embedded LDAP

• How to create a user in an LDAP server

• How to configure WebLogic Server to use the server

• Debug authentication using the console

• Debug the authentication using the log files

Agenda

• Oracle Identity Stores

• Introduction Oracle Platform Security Services (OPSS)

• What to debug

• How to debug WebLogic authentication

• How to debug application authentication

Debug application authentication

(Diagram of the layers between the application and the identity store: Identity Store, WebLogic Console, Application / Authentication API, Authentication provider, Virtualization / Platform security; labels: jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, config.xml, web.xml, weblogic.xml, LDAP queries, SSL/TLS, Role mappings, Organizational Units.)

27

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services

• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies

• cwallet.sso – credentials used by the application

• adapters.os_xml – LibOVD plugin configuration

28

Debug application authentication: LibOVD

• Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server.

• FMW components which use OPSS can only use the first LDAP authentication provider. LibOVD provides virtualization.

• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml.

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 14: WebLogic authentication debugging

15

Debug WebLogic authenticationEmbedded LDAP

bull Login usingBind DN User cn=Admin

bull Running by default on the AdminServer port

bull Check out cn=Config for LDAP server properties

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 15: WebLogic authentication debugging

16

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 16: WebLogic authentication debugging

17

Debug WebLogic authenticationEmbedded LDAP

bull Notice the use of dynamic groups

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

Debug WebLogic authentication: Cache settings

• How to uniquely identify an LDAP entry? The GUID attribute.

• The GUID attribute is used as the cache key.

• Provider specific:
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid

• Misconfiguration can lead to "first login fails, second login succeeds" (cache issues).

Debug WebLogic authentication: using the WebLogic Console

• Connection to the external provider works

• Server trust is established

• User query works

• Validating authentication details works

Debug WebLogic authentication: using the WebLogic Console

• Dynamic group object class works

• Group Base DN works

• User Dynamic Group DN Attribute works

• Dynamic Group Name Attribute works

Debug WebLogic authentication: using log files

• LDAP connections
• LDAP queries

Demo

• Embedded LDAP

• How to create a user in an LDAP server

• How to configure WebLogic Server to use that server

• Debug authentication using the console

• Debug authentication using the log files

Agenda

• Oracle Identity Stores

• Introduction Oracle Platform Security Services (OPSS)

• What to debug

• How to debug WebLogic authentication

• How to debug application authentication

Debug application authentication

[Diagram: the layers between the identity store and the application. Layers: Identity Store; Authentication provider; Virtualization / Platform security; Application / Authentication API. Labels shown: WebLogic Console; jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; Role mappings, Organizational Units.]

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services

• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies

• cwallet.sso – credentials used by the application

• adapters.os_xml – LibOVD plugin configuration

Debug application authentication: LibOVD

• Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server.

• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization.

• Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml.

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

Debug application authentication: LibOVD configuration

• <DOMAINDIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers, credential stores

Debug application authentication: LibOVD configuration

• The OPSS API only queries static groups by default, not dynamic groups.

• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml).

• Requires that the dynamic group has both the groupOfUniqueNames and groupOfURLs object classes.

• Only one structural class is allowed per LDAP object.

• Fix by setting the superclass of groupOfURLs to groupOfUniqueNames.

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
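The "one structural class per entry" rule and the schema fix on this slide can be checked mechanically. The following is an added example, not code from the slides or from the linked article: it encodes a minimal constructed schema, evaluates the structural-class rule of RFC 4512 section 2.4.2 (all structural classes of an entry must lie on a single superclass chain) against a constructed dynamic-group entry, and shows that the entry only becomes valid once groupOfURLs derives from groupOfUniqueNames.

```python
"""Added example (not from the slides): check the LDAP 'one structural
object class' rule for a dynamic group entry and show why making
groupOfURLs a subclass of groupOfUniqueNames lets one entry carry both.

Rule (RFC 4512 section 2.4.2): every structural class listed in an entry
must lie on one superclass chain; the most specific one is the entry's
structural class. The schema below is a constructed minimal subset."""

# objectclass name -> (kind, superior); constructed minimal schema
BROKEN_SCHEMA = {
    "top": ("ABSTRACT", None),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "groupOfURLs": ("STRUCTURAL", "top"),   # two independent structural chains
}

# The fix from the slides: groupOfURLs now derives from groupOfUniqueNames
FIXED_SCHEMA = dict(BROKEN_SCHEMA)
FIXED_SCHEMA["groupOfURLs"] = ("STRUCTURAL", "groupOfUniqueNames")

# Constructed dynamic-group entry (attribute -> values)
DYNAMIC_GROUP = {
    "dn": "cn=allEngineers,ou=groups,dc=example,dc=com",
    "objectClass": ["top", "groupOfUniqueNames", "groupOfURLs"],
    "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(department=eng)"],
}


def superclass_chain(schema, name):
    """Return [name, its superior, the superior's superior, ...]."""
    chain = []
    while name is not None:
        chain.append(name)
        name = schema[name][1]
    return chain


def structural_class(schema, entry):
    """Return the entry's effective structural class, or raise ValueError
    when the objectClass values span more than one structural chain (what a
    directory server reports as an object class violation)."""
    structural = [oc for oc in entry["objectClass"] if schema[oc][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("entry has no structural object class")
    # The most specific structural class has every other one as an ancestor.
    for candidate in structural:
        ancestors = set(superclass_chain(schema, candidate))
        if all(oc in ancestors for oc in structural):
            return candidate
    raise ValueError("object class violation: %s are not on one chain"
                     % ", ".join(sorted(structural)))


def check(schema, entry):
    """(ok, structural class or error message) for the demo and tests."""
    try:
        return True, structural_class(schema, entry)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("broken schema:", check(BROKEN_SCHEMA, DYNAMIC_GROUP))
    print("fixed schema: ", check(FIXED_SCHEMA, DYNAMIC_GROUP))
```

With the broken schema the entry is rejected; with the fixed schema its structural class resolves to groupOfURLs, whose chain contains groupOfUniqueNames, so the plugin can read the static member list and the dynamic memberURL from the same object.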

Debug application authentication: LibOVD debugging

• Can be used when ADFLogger is used in the application

• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to the OPSS principal "users"
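A frequent application-side failure is a role that is constrained in web.xml but never declared or mapped in weblogic.xml, which shows up as a 403 after authentication itself succeeded. The following consistency check is an added example, not code from the slides: it parses two constructed descriptors (the JpsFilter class name oracle.security.jps.ee.http.JpsFilter and the valid-users to users mapping are the real ones, the admin role and URL patterns are invented) and reports unmapped roles and a missing JpsFilter.

```python
"""Added example (not from the slides): consistency check over web.xml and
weblogic.xml. Every role used in an <auth-constraint> must be declared as
a <security-role> and mapped to a principal in a weblogic.xml
<security-role-assignment>. The descriptors are constructed samples."""
import xml.etree.ElementTree as ET

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>JpsFilter</filter-name>
    <servlet-name>Faces Servlet</servlet-name>
  </filter-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>allPages</web-resource-name>
      <url-pattern>/faces/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminPages</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>valid-users</role-name></security-role>
</web-app>
"""

WEBLOGIC_XML = """<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>
"""


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _texts(root, path_tags):
    """Text of all elements reached by the given local-name path below root."""
    found = []

    def walk(elem, i):
        if i == len(path_tags):
            found.append((elem.text or "").strip())
            return
        for child in elem:
            if _local(child.tag) == path_tags[i]:
                walk(child, i + 1)

    walk(root, 0)
    return found


def check_role_mappings(web_xml, weblogic_xml):
    """Return the constrained roles, declared roles, weblogic.xml principal
    mapping and a list of problems found."""
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)
    constrained = set(_texts(web, ["security-constraint", "auth-constraint", "role-name"]))
    declared = set(_texts(web, ["security-role", "role-name"]))
    mapping = {}
    for sra in wl:
        if _local(sra.tag) == "security-role-assignment":
            mapping[_texts(sra, ["role-name"])[0]] = _texts(sra, ["principal-name"])
    has_jpsfilter = "oracle.security.jps.ee.http.JpsFilter" in _texts(web, ["filter", "filter-class"])
    problems = []
    if not has_jpsfilter:
        problems.append("JpsFilter not configured: OPSS policy provider inactive")
    for role in sorted(constrained - declared):
        problems.append("role '%s' used in auth-constraint but not declared as security-role" % role)
    for role in sorted(constrained - set(mapping)):
        problems.append("role '%s' has no security-role-assignment in weblogic.xml" % role)
    return {"constrained": constrained, "declared": declared,
            "mapping": mapping, "problems": problems}


if __name__ == "__main__":
    for line in check_role_mappings(WEB_XML, WEBLOGIC_XML)["problems"]:
        print(line)
```

Run against the samples it reports the invented admin role twice (undeclared and unmapped) while valid-users passes because of the users principal mapping, which is exactly the mapping this slide describes.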

Demo

• Use basic authentication in an ADF application

Debug application authentication: ADF Security

• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"), or EL: #{securityContext.userInRole['role']}

[Diagram: Users, Enterprise roles, Application roles, Permissions, Grants; files shown: weblogic.xml, jazn-data.xml]

Debug application authentication: ADF Security

• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException, among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

Debug application authentication: Business Process Management

• Authenticate with a user

• User is a member of (authentication provider) groups

• Groups are granted (application) roles and organization units

• Business Process Management uses application roles and organization units
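Both the ADF Security slide (jazn-data.xml grants, isUserInRole) and the BPM slide above describe the same chain: user, enterprise roles (groups from the authentication provider), application roles, permissions. The resolver below is an added example, not code from the slides or from OPSS: it walks that chain over constructed data so an isUserInRole answer or a missing permission can be traced to the grant that does or does not produce it. The users, roles and resource names are invented; the two permission class names are the real OPSS/ADF ones.

```python
"""Added example (not from the slides): resolve the grant chain
user -> enterprise roles -> application roles -> permissions, the way
jazn-data.xml grants and the authentication provider's groups combine.
All data below is constructed."""

# user -> enterprise roles (groups), as the authentication provider returns them
ENTERPRISE_ROLES = {
    "jsmith": {"employees", "finance"},
    "bjones": {"employees"},
    "contractor1": set(),
}

# application role -> members; members can be users, enterprise roles or
# other application roles (nesting is allowed in jazn-data.xml)
APP_ROLE_MEMBERS = {
    "authenticated-role": {("enterprise-role", "employees")},
    "viewer": {("app-role", "authenticated-role")},
    "approver": {("enterprise-role", "finance"), ("user", "bjones")},
    "admin": {("user", "admin")},
}

# grantee (application role or enterprise role) -> permissions (class, target, actions)
GRANTS = {
    "viewer": {("oracle.adf.share.security.authorization.RegionPermission",
                "view.MainPage", "view")},
    "approver": {("oracle.adf.share.security.authorization.RegionPermission",
                  "view.ApprovePage", "view")},
    "finance": {("oracle.security.jps.service.credstore.CredentialAccessPermission",
                 "context=SYSTEM,mapName=fin,keyName=*", "read")},
}


def app_roles_for(user, enterprise_roles=ENTERPRISE_ROLES, members=APP_ROLE_MEMBERS):
    """Transitive closure of application roles held by a user."""
    groups = enterprise_roles.get(user, set())
    roles = set()
    changed = True
    while changed:            # fixed-point iteration handles nested app roles
        changed = False
        for role, mems in members.items():
            if role in roles:
                continue
            for kind, name in mems:
                if (kind == "user" and name == user) or \
                   (kind == "enterprise-role" and name in groups) or \
                   (kind == "app-role" and name in roles):
                    roles.add(role)
                    changed = True
                    break
    return roles


def is_user_in_role(user, role):
    """The question the slide's isUserInRole("role") answers at runtime."""
    return role in app_roles_for(user)


def effective_permissions(user, grants=GRANTS):
    """Union of grants to the user's enterprise roles and application roles."""
    grantees = ENTERPRISE_ROLES.get(user, set()) | app_roles_for(user)
    perms = set()
    for g in grantees:
        perms |= grants.get(g, set())
    return perms


if __name__ == "__main__":
    for u in ENTERPRISE_ROLES:
        print(u, sorted(app_roles_for(u)), len(effective_permissions(u)))
```

When a user "can log in but sees nothing", comparing the output of `app_roles_for` with the groups the authentication provider actually returns (slide on the Identity Service: getGroups) shows whether the gap is in the provider, in the enterprise-role to application-role grant, or in the permission grant.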

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

Conclusion

• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong.

• The WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult.

Page 17: WebLogic authentication debugging

18

Debug WebLogic authenticationAuthentication provider configuration

bull Select the authentication provider (as specific as possible)

bull JAAS Control flags

bull LDAP connection details

bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups

bull Cache settings

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 18: WebLogic authentication debugging

19

Debug WebLogic authenticationusing Weblogic Console

bull JAAS Control flags

ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are

ndash REQUIRED the authentication provider is always called and authentication must succeed

ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass

ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 19: WebLogic authentication debugging

20

Debug Weblogic authenticationCache settings

bull How to uniquely identify an LDAP entry The GUID Attribute

bull The GUID Attribute is used as cache key

bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid

bull Misconfiguration can lead to first login fail second login success (cache issues)

21

Debug Weblogic authenticationusing Weblogic Console

bull Connection to external provider works

bull Server trust is established

bull User query works

bull Validating authentication details works

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult


21

Debug WebLogic authentication: using WebLogic Console

• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works

22

Debug WebLogic authentication: using WebLogic Console

• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works

23

Debug WebLogic authentication: using log files

LDAP connections / LDAP queries

24

Demo

• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug the authentication using the log files

Agenda

• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication

Debug application authentication

[Diagram of the layers between application and identity store. Labels: Identity Store; WebLogic Console; Application / Authentication API; Authentication provider; Virtualization / Platform security; jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; Role mappings, Organizational Units]

27

OPSS configuration files in $DOMAIN_HOME/config/fmwconfig

• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE) – login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies
• cwallet.sso – credentials used by the application
• adapters.os_xml – LibOVD plugin configuration

28

Debug application authentication: LibOVD

• Present since 11.1.1.4; has seen several patches since then. A lightweight OVD alternative supplied with WebLogic Server.
• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization.
• Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration is in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml

http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html

29

Debug application authentication: LibOVD configuration

• <DOMAINDIR>/config/fmwconfig/jps-config.xml – provides login modules, authentication providers, credential stores

30

Debug application authentication: LibOVD configuration

• The OPSS API only queries static groups by default, not dynamic groups.
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml).
• This requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs object classes.
• Only one structural class is allowed per LDAP object.
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames.

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
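The two problems on this slide, the structural-class conflict and the static-only group lookup, modelled as an added Python example (not LibOVD or OPSS code): the schema fragment, the directory entries and the memberURL value are constructed, and the filter parser covers only the &, |, !, equality and presence forms.

```python
"""Model of the two LibOVD dynamic-group issues on the slides: (1) an entry may carry only
one structural object-class chain, so groupOfUniqueNames + groupOfURLs is rejected until
groupOfURLs is re-parented; (2) a static lookup misses members defined by memberURL.
Added illustration, not LibOVD/OPSS code; schema fragment and directory are constructed."""
from urllib.parse import unquote

# Constructed schema fragment, class -> (kind, superior); groupOfURLs as shipped: its own chain
DEFAULT_SCHEMA = {"top": ("ABSTRACT", None), "groupOfUniqueNames": ("STRUCTURAL", "top"),
                  "groupOfURLs": ("STRUCTURAL", "top")}
# The fix from the slide: make groupOfURLs a subclass of groupOfUniqueNames
FIXED_SCHEMA = dict(DEFAULT_SCHEMA, groupOfURLs=("STRUCTURAL", "groupOfUniqueNames"))

def structural_leaves(object_classes, schema):
    """Most-subordinate structural classes of an entry. A server accepts the entry only
    when exactly one remains, i.e. every structural class is an ancestor of one leaf."""
    structural = {c for c in object_classes if schema.get(c, ("", None))[0] == "STRUCTURAL"}
    def ancestors(cls):
        seen = set()
        while schema.get(cls, (None, None))[1] is not None:
            cls = schema[cls][1]
            seen.add(cls)
        return seen
    return sorted(c for c in structural
                  if not any(c in ancestors(o) for o in structural - {c}))

# Constructed directory: DN -> attributes (multi-valued)
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "departmentNumber": ["sales"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "departmentNumber": ["it"]},
    # in sales, but outside the memberURL base DN, so not a dynamic member
    "uid=carol,ou=contractors,dc=example,dc=com": {"uid": ["carol"], "departmentNumber": ["sales"]},
    "cn=sales,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames", "groupOfURLs"],
        "uniqueMember": ["uid=bob,ou=people,dc=example,dc=com"],   # static member
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=sales)"]},
}

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL (memberURL syntax) into base DN, scope and filter."""
    assert url.lower().startswith("ldap://"), "memberURL must be an ldap:// URL"
    _host, _, rest = url[len("ldap://"):].partition("/")
    fields = rest.split("?") + ["", "", ""]
    base, _attrs, scope, flt = (unquote(f) for f in fields[:4])
    return base, (scope or "base").lower(), flt or "(objectClass=*)"

def parse_filter(text):
    """Parse the RFC 4515 subset seen in memberURLs: &, |, !, equality and presence."""
    def parse(i):
        assert text[i] == "(", "filter component must start with '('"
        i += 1
        if text[i] in "&|!":
            op, i, parts = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                parts.append(node)
            assert text[i] == ")"
            return (op, parts), i + 1
        end = text.index(")", i)
        attr, _, value = text[i:end].partition("=")
        return ("=", attr.lower(), value), end + 1
    node, consumed = parse(0)
    assert consumed == len(text), "trailing characters in filter"
    return node

def matches(entry, node):
    """Evaluate a parsed filter against one entry (attribute names case-insensitive)."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(entry, n) for n in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
    return bool(values) if value == "*" else value.lower() in values

def in_scope(dn, base, scope):
    """Whether dn lies within base for scope 'base' or 'sub' ('one' is not modelled)."""
    assert scope in ("base", "sub"), "unsupported scope: " + scope
    dn, base = dn.lower(), base.lower()
    return dn == base or (scope == "sub" and dn.endswith("," + base))

def static_members(group):   # what a static-only lookup (the OPSS default) returns
    return sorted(group.get("uniqueMember", []))

def dynamic_members(group, directory):
    """What the dynamic-group plugin has to add by resolving each memberURL."""
    found = set()
    for url in group.get("memberURL", []):
        base, scope, flt = parse_member_url(url)
        node = parse_filter(flt)
        found.update(dn for dn, entry in directory.items()
                     if in_scope(dn, base, scope) and matches(entry, node))
    return sorted(found)

def effective_members(group, directory):   # membership as the plugin presents it to OPSS
    return sorted(set(static_members(group)) | set(dynamic_members(group, directory)))
```

With the shipped schema the sales group carries two structural leaves and a strict server rejects it; with the re-parented schema one leaf remains, and resolving memberURL adds alice (in scope) but not carol (outside the URL's base DN).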

31

Debug application authentication: LibOVD debugging

• Can be used when ADFLogger is used in the application
• Can be used for debugging specific WebLogic Server components, such as oracle.ods.virtualization for LibOVD

32

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to OPSS principal users

33

Demo

• Use basic authentication in an ADF application

34

Debug application authentication: ADF Security

• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']

[Diagram of the ADF security model. Labels: Users; Enterprise roles; Application roles; Permissions; Grants; weblogic.xml; jazn-data.xml]

35

Debug application authentication: ADF Security

• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM

36

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 21: WebLogic authentication debugging

22

Debug Weblogic authenticationusing Weblogic Console

bull Dynamic group object class works

bull Group Base DN works

bull User Dynamic Group DN Attribute works

bull Dynamic Group Name Attribute works

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 22: WebLogic authentication debugging

23

Debug Weblogic authenticationusing log files

LDAP connectionsLDAP queries

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 23: WebLogic authentication debugging

24

Demo

bull Embedded LDAP

bull How to create a user in an LDAP server

bull How to configure WebLogic server to use the server

bull Debug authentication using the console

bull Debug the authentication using the log files

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 24: WebLogic authentication debugging

Agenda

bull Oracle Identity Stores

bull Introduction Oracle Platform Security Services (OPSS)

bull What to debug

bull How to debug WebLogic authentication

bull How to debug application authentication

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authentication: LibOVD configuration

• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers and credential stores
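The two LibOVD slides above say where virtualization is switched on but not how to verify it. The following is an added example (not code from the deck or from Oracle) that reads a jps-config.xml, follows the default jpsContext to its identity store service instance and reports whether the virtualize property is set, and that can add the property when it is missing. The sample document is constructed for this example; the element names (jpsConfig, serviceInstance, jpsContext, serviceInstanceRef, property) and the virtualize property are the ones the real file uses, the namespace URI is the one found in 11g/12c domains.

```python
"""Check (and enable) LibOVD virtualization in an OPSS jps-config.xml.

Added example, not from the original deck. Without virtualize=true on the
LDAP identity store instance, OPSS consumers only see the first LDAP
authenticator of the WebLogic realm.
"""
import xml.etree.ElementTree as ET

NS = {"jps": "http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd"}
JPS = "{%s}" % NS["jps"]

# Constructed sample: an idstore.ldap instance without the virtualize property.
SAMPLE_JPS_CONFIG = """<jpsConfig xmlns="http://xmlns.oracle.com/oracleas/schema/11/jps-config-11_1.xsd">
  <serviceInstances>
    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
      <property name="idstore.config.provider"
                value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
      <property name="CONNECTION_POOL_CLASS"
                value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>
    <serviceInstance name="credstore" provider="credstoressp" location="./"/>
  </serviceInstances>
  <jpsContexts default="default">
    <jpsContext name="default">
      <serviceInstanceRef ref="credstore"/>
      <serviceInstanceRef ref="idstore.ldap"/>
    </jpsContext>
  </jpsContexts>
</jpsConfig>
"""


def _default_idstore(root):
    """Return the idstore serviceInstance referenced by the default jpsContext."""
    contexts = root.find("jps:jpsContexts", NS)
    if contexts is None:
        raise LookupError("no jpsContexts element")
    ctx = contexts.find("jps:jpsContext[@name='%s']" % contexts.get("default"), NS)
    refs = {r.get("ref") for r in ctx.findall("jps:serviceInstanceRef", NS)}
    for inst in root.find("jps:serviceInstances", NS).findall("jps:serviceInstance", NS):
        # Identity store providers are named idstore.* (idstore.ldap.provider, ...).
        if inst.get("name") in refs and inst.get("provider", "").startswith("idstore"):
            return inst
    raise LookupError("default jpsContext references no identity store instance")


def virtualize_enabled(xml_text):
    """True only if the default identity store carries <property name="virtualize" value="true"/>."""
    inst = _default_idstore(ET.fromstring(xml_text))
    prop = inst.find("jps:property[@name='virtualize']", NS)
    return prop is not None and prop.get("value", "").lower() == "true"


def enable_virtualize(xml_text):
    """Return the document with virtualization switched on for the default identity store."""
    root = ET.fromstring(xml_text)
    inst = _default_idstore(root)
    prop = inst.find("jps:property[@name='virtualize']", NS)
    if prop is None:
        prop = ET.SubElement(inst, JPS + "property", name="virtualize")
    prop.set("value", "true")
    ET.register_namespace("", NS["jps"])  # keep the file's default namespace on output
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("virtualize enabled:", virtualize_enabled(SAMPLE_JPS_CONFIG))
    fixed = enable_virtualize(SAMPLE_JPS_CONFIG)
    print("after edit        :", virtualize_enabled(fixed))
```

Run it against `$DOMAIN_HOME/config/fmwconfig/jps-config.xml` (read the file into a string first) on a stopped Admin Server, and keep a copy of the original file; the same edit can be made from Enterprise Manager, as the slide says.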

Debug application authentication: LibOVD configuration (2)

• The OPSS API only queries static groups by default, not dynamic groups (groups whose membership is an LDAP URL in memberURL instead of a list of member DNs)

• Use the LibOVD dynamic group plugin to present dynamic groups as if they were static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)

• The plugin requires that the dynamic group entry has both the groupOfUniqueNames and groupOfURLs object classes

• Problem: an LDAP entry may have only one structural object class, and in the default schema both of these are structural

• Fix: change the schema so that groupOfURLs has groupOfUniqueNames as its superclass; the entry can then carry both

http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
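To see why a static-only consumer misses dynamic groups, and what the plugin has to do for it, here is an added example that is not from the deck or from LibOVD: a small resolver that takes a groupOfURLs entry, parses its memberURL (an LDAP URL: base, attributes, scope, filter) and evaluates the filter against a constructed in-memory directory, producing the uniqueMember list a static consumer would have needed. It also checks the object-class requirement from the slide. The directory, DNs and group name are constructed; the filter evaluator covers only equality, presence, &, | and !, which is enough for typical memberURL values.

```python
"""Expand an LDAP dynamic group (groupOfURLs / memberURL) into static members.

Added example, not from the original deck or from LibOVD. Shows what a
static-group-only consumer (the OPSS API by default) sees versus what the
LibOVD dynamic group plugin presents after resolving memberURL.
"""
from urllib.parse import unquote

# Constructed directory: DN -> attributes, values lower-cased for matching.
DIRECTORY = {
    "cn=jdoe,ou=people,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["jdoe"], "departmentnumber": ["finance"]},
    "cn=asmith,ou=people,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["asmith"], "departmentnumber": ["finance"]},
    "cn=bjones,ou=people,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["bjones"], "departmentnumber": ["hr"]},
    "cn=svc-soa,ou=services,dc=example,dc=com": {
        "objectclass": ["inetorgperson"], "uid": ["svc-soa"], "departmentnumber": ["finance"]},
    # Dynamic group: no uniqueMember values at all, only a memberURL. It has only
    # groupOfURLs, so the plugin would not pick it up until the schema fix allows
    # adding groupOfUniqueNames as well.
    "cn=finance,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofurls"],
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?"
                      "(&(objectClass=inetOrgPerson)(departmentNumber=finance))"]},
}

REQUIRED_CLASSES = {"groupofuniquenames", "groupofurls"}


def has_required_classes(group_dn, directory):
    """The LibOVD dynamic group plugin needs both object classes on the entry."""
    return REQUIRED_CLASSES <= {c.lower() for c in directory[group_dn]["objectclass"]}


def parse_ldap_url(url):
    """Split ldap:///<base>?<attrs>?<scope>?<filter> (RFC 4516) into (base, scope, filter)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("only ldap:/// URLs are handled here: %r" % url)
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = parts[:4]
    return unquote(base).lower(), (scope or "base").lower(), unquote(filt) or "(objectClass=*)"


def _split_filter_list(s):
    """Split '(a)(b)(c)' into ['(a)', '(b)', '(c)'], respecting nesting."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i + 1])
    return items


def match_filter(filt, attrs):
    """Evaluate a simple RFC 4515 filter (=, *, &, |, !) against an entry's attributes."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("malformed filter: %r" % filt)
    body = filt[1:-1]
    if body[0] == "&":
        return all(match_filter(f, attrs) for f in _split_filter_list(body[1:]))
    if body[0] == "|":
        return any(match_filter(f, attrs) for f in _split_filter_list(body[1:]))
    if body[0] == "!":
        return not match_filter(_split_filter_list(body[1:])[0], attrs)
    attr, _, value = body.partition("=")
    values = attrs.get(attr.strip().lower(), [])
    return bool(values) if value == "*" else value.lower() in values


def _in_scope(dn, base, scope):
    """Scope test on string DNs; sufficient for the flat constructed directory."""
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn != base and dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)


def static_members(group_dn, directory):
    """What a static-group-only consumer sees: the uniqueMember values, nothing else."""
    return sorted(directory[group_dn].get("uniquemember", []))


def expand_dynamic_group(group_dn, directory):
    """What the dynamic group plugin presents: uniqueMember plus resolved memberURL hits."""
    members = set(directory[group_dn].get("uniquemember", []))
    for url in directory[group_dn].get("memberurl", []):
        base, scope, filt = parse_ldap_url(url)
        for dn, attrs in directory.items():
            if _in_scope(dn, base, scope) and match_filter(filt, attrs):
                members.add(dn)
    return sorted(members)


if __name__ == "__main__":
    grp = "cn=finance,ou=groups,dc=example,dc=com"
    print("plugin eligible:", has_required_classes(grp, DIRECTORY))
    print("static view    :", static_members(grp, DIRECTORY))
    print("expanded       :", expand_dynamic_group(grp, DIRECTORY))
```

Note that the service account in ou=services shares departmentNumber=finance but is outside the URL's search base, so it is correctly left out; when debugging a real directory, copy the memberURL from the group entry and compare what an `ldapsearch` with that base, scope and filter returns against what the application reports.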

Debug application authentication: LibOVD debugging

• Logger configuration (for example in Enterprise Manager Fusion Middleware Control) can be used when the application itself logs through ADFLogger

• It can also be used to enable debug logging for specific WebLogic Server components, such as the oracle.ods.virtualization logger for LibOVD

Debug application authentication: ADF Security

• Application configuration files
  – web.xml: defines the security constraints (auth-constraint on the valid-users role) and sets up the OPSS servlet filter (JpsFilter)
  – weblogic.xml: maps the valid-users role to the OPSS principal users (security-role-assignment)

Demo

• Use basic authentication in an ADF application

Debug application authentication: ADF Security (2)

• Application configuration files
  – jazn-data.xml: contains the development users and roles. Application roles are granted to enterprise roles (groups) or users, which come from the identity store through the OPSS API; resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"), or with EL: #{securityContext.userInRole['role']}

[Figure: the grant chain] Users → Enterprise roles (mapped in weblogic.xml) → Application roles → Permissions (grants in jazn-data.xml)

Debug application authentication: ADF Security (3)

• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
  – Out-of-the-box file-based policy store
  – Users, groups and authorization policies
  – CredentialAccessPermission
  – Change it while WebLogic is down, or from Enterprise Manager
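The grant chain on the two ADF Security slides above (user → enterprise role → application role → permission) is where most "isUserInRole returns false" investigations end up. The following added example (not code from the deck or from Oracle) walks that chain offline: it parses a jazn-data.xml policy store, resolves which application roles a user holds given the groups the authentication provider reports for them (including application roles that are members of other application roles) and lists the permissions those roles are granted. The jazn-data.xml below is constructed; the application name HRApp, the groups Employees/Managers and the role and page names are made up, while the principal and permission class names are the ones OPSS and WebLogic really use.

```python
"""Resolve the OPSS grant chain from a jazn-data.xml policy store.

Added example, not from the original deck. Given a user and the groups the
authentication provider returns for that user, compute the application
roles and permissions the policy store grants, the same question that
ADFContext.getCurrent().getSecurityContext().isUserInRole("role") answers
at runtime.
"""
import xml.etree.ElementTree as ET

APP_ROLE_CLASS = "oracle.security.jps.service.policystore.ApplicationRole"
GROUP_CLASS = "weblogic.security.principal.WLSGroupImpl"
USER_CLASS = "weblogic.security.principal.WLSUserImpl"
REGION_PERM = "oracle.adf.share.security.authorization.RegionPermission"

# Constructed policy store: three application roles, one nested, two grants.
SAMPLE_JAZN_DATA = """<jazn-data>
 <policy-store><applications><application><name>HRApp</name>
  <app-roles>
   <app-role><name>employee</name><class>%(role)s</class>
    <members><member><class>%(group)s</class><name>Employees</name></member></members></app-role>
   <app-role><name>manager</name><class>%(role)s</class>
    <members><member><class>%(group)s</class><name>Managers</name></member></members></app-role>
   <app-role><name>approver</name><class>%(role)s</class>
    <members><member><class>%(role)s</class><name>manager</name></member>
             <member><class>%(user)s</class><name>auditor1</name></member></members></app-role>
  </app-roles>
  <jazn-policy>
   <grant><grantee><principals><principal><class>%(role)s</class><name>employee</name></principal></principals></grantee>
    <permissions><permission><class>%(perm)s</class><name>view.pageDefs.HomePageDef</name><actions>view</actions></permission></permissions></grant>
   <grant><grantee><principals><principal><class>%(role)s</class><name>approver</name></principal></principals></grantee>
    <permissions><permission><class>%(perm)s</class><name>view.pageDefs.ApprovalsPageDef</name><actions>view</actions></permission></permissions></grant>
  </jazn-policy>
 </application></applications></policy-store>
</jazn-data>""" % {"role": APP_ROLE_CLASS, "group": GROUP_CLASS, "user": USER_CLASS, "perm": REGION_PERM}


def load_policy(xml_text, app_name):
    """Return ({app_role: [(member_class, member_name)]}, [([principals], [permissions])])."""
    root = ET.fromstring(xml_text)
    app = next(a for a in root.iter("application") if a.findtext("name") == app_name)
    roles = {role.findtext("name"): [(m.findtext("class"), m.findtext("name"))
                                     for m in role.iter("member")]
             for role in app.iter("app-role")}
    grants = []
    for grant in app.iter("grant"):
        principals = [(p.findtext("class"), p.findtext("name")) for p in grant.iter("principal")]
        perms = [(p.findtext("class"), p.findtext("name"), p.findtext("actions") or "")
                 for p in grant.iter("permission")]
        grants.append((principals, perms))
    return roles, grants


def _principal_matches(cls, name, user, groups, app_roles):
    return ((cls == USER_CLASS and name == user)
            or (cls == GROUP_CLASS and name in groups)
            or (cls == APP_ROLE_CLASS and name in app_roles))


def resolve_app_roles(user, groups, roles):
    """Transitive closure: roles granted to the user, to their groups, or to roles already held."""
    granted, changed = set(), True
    while changed:  # iterate until nested role membership adds nothing new
        changed = False
        for role, members in roles.items():
            if role not in granted and any(
                    _principal_matches(c, n, user, groups, granted) for c, n in members):
                granted.add(role)
                changed = True
    return granted


def user_in_role(user, groups, roles, role):
    """Offline counterpart of isUserInRole(role) / securityContext.userInRole[role]."""
    return role in resolve_app_roles(user, groups, roles)


def permissions_for(user, groups, roles, grants):
    """All (class, name, actions) permissions reachable through the user's principals."""
    app_roles = resolve_app_roles(user, groups, roles)
    perms = set()
    for principals, plist in grants:
        if any(_principal_matches(c, n, user, groups, app_roles) for c, n in principals):
            perms.update(plist)
    return sorted(perms)


if __name__ == "__main__":
    ROLES, GRANTS = load_policy(SAMPLE_JAZN_DATA, "HRApp")
    for who, grps in (("jdoe", {"Employees"}), ("msmith", {"Employees", "Managers"})):
        print(who, sorted(resolve_app_roles(who, grps, ROLES)), permissions_for(who, grps, ROLES, GRANTS))
```

Feed it the groups you get from an external LDAP client or from the Identity Service getGroups call for the same user: if the resolver grants the role but the application denies it, the problem is between the authentication provider and OPSS (for example the valid-users mapping in weblogic.xml or a group that LibOVD does not return); if the resolver also denies it, the policy store itself is wrong.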

Debug application authentication: JVM parameters

• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException details, among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

Debug application authentication: Business Process Management

• Authenticate with a user

• The user is a member of groups (from the authentication provider)

• Groups are granted application roles and organization units

• Business Process Management uses application roles and organization units

Debug application authentication: the Identity Service

Isolated tests against the SOA/BPM Identity Service answer one question at a time:

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

WSDL: http://HOST:PORT/integration/services/IdentityService/identity?WSDL
Java API: <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

Conclusion

• Many debugging options are available
  – Looking at WebLogic Console or application behavior
  – Using an external client against your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong

• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 25: WebLogic authentication debugging

Debug application authentication

Identity Store

WebLogic Console

ApplicationAuthentication API

Authentication provider

VirtualizationPlatform security

jps-configxmljps-config-jsexmlsystem-jazn-dataxml

configxml webxmlweblogicxml

LDAP queriesSSLTLS

Role mappingsOrganizational Units

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 26: WebLogic authentication debugging

27

OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig

bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services

bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies

bull cwalletssondash credentials used by the application

bull adaptersos_xmlndash LibOVD plugin configuration

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 27: WebLogic authentication debugging

28

Debug application authenticationLibOVD

bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server

bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization

bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml

httpfusionsecurityblogspotnl201206libovd-when-and-howhtml

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 28: WebLogic authentication debugging

29

Debug application authenticationLibOVD configuration

bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authenticationJVM parameters

bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages

httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229

37

Debug application authenticationBusiness Process Management

bull Authenticate with a user

bull User is member of (authentication provider) groups

bull Groups are granted (application) roles and organization units

bull Business Process Management uses application roles and organization units

38

Debug application authenticationThe Identity Service

bull Can I authenticate the userndash authenticateUser

bull Can I determine groupsndash getGroups

httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar

bull Can I determine granted rolesndash getGrantedRolesToUser

bull Can I determine organizational unitsndash use the Java API

39

Conclusion

bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos

bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong

bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult

  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 29: WebLogic authentication debugging

30

Debug application authenticationLibOVD configuration

bull The OPSS API only queries static groups by default Not dynamic groups

bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)

bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses

bull Only one structural class is allowed per LDAP object

bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames

httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2

31

Debug application authenticationLibOVD debugging

bull Can be used when ADFLogger is used in application

bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD

32

Debug application authenticationADF Security

bull Application configuration filesndash webxml

Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)

ndash weblogicxmlMaps valid-users to OPSS principal users

33

Demo

bull Use basic authentication in an ADF application

34

Debug application authenticationADF Security

bull Application configuration filesndash jazn-dataxml

Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles

ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]

Users

Enterprise roles

Application

roles

Perm

issions

Grants

weblogicxml jazn-dataxml

35

Debug application authenticationADF Security

bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or

from EM

36

Debug application authentication: JVM parameters

• JVM parameters
– -Djps.auth.debug=true to get AccessControlException among other useful messages
– -Djps.auth.debug.verbose=true to get a lot of debug messages

http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229

37

Debug application authentication: Business Process Management

• Authenticate with a user

• User is member of (authentication provider) groups

• Groups are granted (application) roles and organization units

• Business Process Management uses application roles and organization units

38

Debug application authentication: The Identity Service

• Can I authenticate the user? – authenticateUser

• Can I determine groups? – getGroups

http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar

• Can I determine granted roles? – getGrantedRolesToUser

• Can I determine organizational units? – use the Java API

39

Conclusion

• Many debugging options available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs

• It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong

• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult

  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40
Page 39: WebLogic authentication debugging
  • Debugging WebLogic authentication
  • Slide 2
  • Introduction
  • Oracle Virtual Technology Summit
  • Agenda
  • Why use an external Identity Store
  • Introduction OPSS Oracle Identity Store solutions
  • Agenda (2)
  • Introduction OPSS
  • Agenda (3)
  • What to debug
  • Agenda (4)
  • Debug Weblogic authentication using an external client
  • Debug WebLogic authentication Embedded LDAP
  • Debug WebLogic authentication Embedded LDAP (2)
  • Debug WebLogic authentication Embedded LDAP (3)
  • Debug WebLogic authentication Embedded LDAP (4)
  • Debug WebLogic authentication Authentication provider configura
  • Debug WebLogic authentication using Weblogic Console
  • Debug Weblogic authentication Cache settings
  • Debug Weblogic authentication using Weblogic Console
  • Debug Weblogic authentication using Weblogic Console (2)
  • Debug Weblogic authentication using log files
  • Demo
  • Agenda (5)
  • Debug application authentication
  • OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
  • Debug application authentication LibOVD
  • Debug application authentication LibOVD configuration
  • Debug application authentication LibOVD configuration (2)
  • Debug application authentication LibOVD debugging
  • Debug application authentication ADF Security
  • Demo (2)
  • Debug application authentication ADF Security (2)
  • Debug application authentication ADF Security (3)
  • Debug application authentication JVM parameters
  • Debug application authentication Business Process Management
  • Debug application authentication The Identity Service
  • Conclusion
  • Slide 40