weblogic authentication debugging
TRANSCRIPT
OGh Oracle Fusion Middleware Experience 2016 at FIGI Zeist
Maarten Smeets, 16-02-2016
Debugging WebLogic authentication
Introduction
• About AMIS
  – Located in the Netherlands
  – Oracle Award winning partner
• About me
  – Senior Oracle Integration Consultant
  – Experience with Oracle SOA Suite since 2007
  – Well certified (SOA, BPM, Java, SQL, PL/SQL among others)
  – Author of more than 100 blog articles (http://javaoraclesoa.blogspot.com)
MaartenSmeetsNL
https://nl.linkedin.com/in/smeetsm
Oracle Virtual Technology Summit
http://www.oracle.com/technetwork/community/developer-day/index.html
March 8, 2016, 18:30:00 CET
• Database Application Development
• Oracle DB12c Performance
• MySQL
• Java EE, Microservices and JPA
• All about Java 8
• The Internet of Things
• WebLogic 12.2.1 and Java EE
• Operating Systems and Virtualization
• Storage/SPARC and Software Development
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Why use an external Identity Store
[Diagram labels: Application; WLS SOA; WLS OSB; WLS ADF; WLS WCC]
• An application uses company internal users
• Often internal users are already present in an Identity Store
• Management organization in place
• Single environment to manage users
• Single account per user
Introduction OPSS: Oracle Identity Store solutions
• Oracle Unified Directory
  – Embedded Berkeley Database
  – LDAP proxy
  – Much faster read/write than ODSEE
  – Provides LDAP virtualization
  – Elastic scaling
  – Strategic Directory Server product
  – Designed to address current and future on-premise, mobile and cloud needs
• Oracle Directory Server Enterprise Edition
  – ODSEE 5.2 and 6.3 are in Sustaining Support
  – No new fixes will be created
• Oracle Virtual Directory
  – Provides virtualization of different sources
  – OUD does not replace OVD
• Oracle Internet Directory
  – Uses external Oracle DB
  – Used with Fusion Applications
https://blogs.oracle.com/OracleIDM/entry/why_customers_should_upgrade_directory
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Introduction OPSS
[Diagram labels: Identity Store; Providers; Authentication, Authorization, Credential Store Framework, User/Role; Service Provider Interface Layer; OPSS APIs; WebLogic Server; Java EE application, Java SE application]
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
What to debug
[Diagram labels: Identity Store; WebLogic Console; Application / Authentication API; Virtualization / Platform security; jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; Role mappings, Organizational Units; Authentication provider]
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug WebLogic authentication: using an external client
• Using an external client: Apache Directory Studio
Debug WebLogic authentication: Embedded LDAP
Debug WebLogic authentication: Embedded LDAP
• Login using Bind DN User cn=Admin
• Running by default on the AdminServer port
• Check out cn=Config for LDAP server properties
Debug WebLogic authentication: Embedded LDAP
• Notice the use of dynamic groups
Debug WebLogic authentication: Embedded LDAP
• Notice the use of dynamic groups
Debug WebLogic authentication: Authentication provider configuration
• Select the authentication provider (as specific as possible)
• JAAS Control flags
• LDAP connection details
• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups
• Cache settings
Debug WebLogic authentication: using WebLogic Console
• JAAS Control flags
  – SUFFICIENT: if authentication passes, no other authentication providers are evaluated. If it fails, they are.
  – REQUIRED: the authentication provider is always called and authentication must succeed.
  – OPTIONAL: passing authentication of this provider is optional. If all providers are optional, one needs to pass.
  – REQUISITE: authentication has to succeed on this provider. After that, providers of lower priority are evaluated.
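The four control flags above combine according to the standard JAAS LoginContext rules, and the outcome of a login depends on the whole stack, not on one provider. The following Python simulator is an added example, not part of the presentation: it takes a constructed provider stack in priority order, with each provider's pass/fail result supplied as a boolean, and reports whether the overall login succeeds and how many providers were actually called. The assumption is that WebLogic's flags follow the JAAS semantics exactly.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags as configured per WebLogic authentication provider."""
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


def evaluate_login_stack(stack):
    """Walk an ordered stack of (Flag, succeeded) pairs and apply standard JAAS
    LoginContext semantics (assumption: WebLogic's flags follow these rules).

    Returns (overall_success, providers_evaluated) so short-circuits are visible.
    """
    required_failed = False    # a REQUIRED or REQUISITE provider failed
    saw_required = False       # the stack contains at least one REQUIRED/REQUISITE
    optional_success = False   # some OPTIONAL provider succeeded
    evaluated = 0

    for flag, succeeded in stack:
        evaluated += 1
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            saw_required = True
            if not succeeded:
                required_failed = True
                if flag is Flag.REQUISITE:
                    # A REQUISITE failure stops evaluation immediately
                    return False, evaluated
            # REQUIRED: always continue down the stack, even after a failure
        elif flag is Flag.SUFFICIENT:
            # Success ends evaluation unless an earlier REQUIRED/REQUISITE failed
            if succeeded and not required_failed:
                return True, evaluated
        elif flag is Flag.OPTIONAL:
            if succeeded:
                optional_success = True

    if saw_required:
        return not required_failed, evaluated
    # No REQUIRED/REQUISITE providers: at least one OPTIONAL (or SUFFICIENT) must pass
    return optional_success, evaluated


if __name__ == "__main__":
    # Constructed stacks: an external LDAP provider in front of the DefaultAuthenticator
    cases = {
        "LDAP SUFFICIENT, Default REQUIRED, LDAP passes": [(Flag.SUFFICIENT, True), (Flag.REQUIRED, False)],
        "LDAP SUFFICIENT, Default REQUIRED, LDAP fails": [(Flag.SUFFICIENT, False), (Flag.REQUIRED, True)],
        "LDAP REQUIRED, Default SUFFICIENT, LDAP fails": [(Flag.REQUIRED, False), (Flag.SUFFICIENT, True)],
        "LDAP REQUISITE, Default OPTIONAL, LDAP fails": [(Flag.REQUISITE, False), (Flag.OPTIONAL, True)],
    }
    for name, stack in cases.items():
        ok, n = evaluate_login_stack(stack)
        print(f"{name}: success={ok}, providers evaluated={n}")
```

Running a stack where both the external provider and the DefaultAuthenticator are left at REQUIRED shows why a user that exists in only one of the two stores cannot log in: both providers are called, but one of them fails and the overall result is a failure. Setting the external provider to SUFFICIENT stops evaluation on success, which is also why the "no other providers are evaluated" behaviour matters when you are reading the debug log and wondering why a provider is never contacted.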
Debug WebLogic authentication: Cache settings
• How to uniquely identify an LDAP entry: the GUID Attribute
• The GUID Attribute is used as cache key
• Provider specific
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• Misconfiguration can lead to first login fail, second login success (cache issues)
Debug WebLogic authentication: using WebLogic Console
• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works
Debug WebLogic authentication: using WebLogic Console
• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works
Debug WebLogic authentication: using log files
[Screenshot labels: LDAP connections; LDAP queries]
Demo
• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug the authentication using the log files
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug application authentication
[Diagram labels: Identity Store; WebLogic Console; Application / Authentication API; Authentication provider; Virtualization / Platform security; jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; Role mappings, Organizational Units]
OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies
• cwallet.sso – credentials used by the application
• adapters.os_xml – LibOVD plugin configuration
Debug application authentication: LibOVD
• Present since 11.1.1.4. Seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider. LibOVD provides virtualization
• Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
Debug application authentication: LibOVD configuration
• <DOMAINDIR>/config/fmwconfig/jps-config.xml: provides login modules, authentication providers, credential stores
Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs objectclasses
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
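The difference between a static group (members listed in uniqueMember) and a dynamic group (members defined by an LDAP URL in memberURL), which the embedded LDAP slides point at and which explains why a consumer that only reads static groups misses dynamic memberships, is easiest to see by resolving both kinds against a small directory. The code below is an added example and not from the presentation or from Oracle; it works on a constructed in-memory directory, parses the RFC 4516 LDAP URL of a groupOfURLs entry (base, scope and filter), evaluates a subset of the search filter syntax (equality, presence, and, or, not), and lists the groups a user belongs to with and without dynamic resolution.

```python
import re

# Constructed sample directory (not from the presentation). Attribute names are
# stored lowercase; DNs are compared case-insensitively.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["alice"], "departmentnumber": ["sales"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["bob"], "departmentnumber": ["engineering"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {
        "objectclass": ["inetOrgPerson"], "uid": ["carol"], "departmentnumber": ["sales"]},
    # Static group: members are listed explicitly
    "cn=admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfUniqueNames"], "cn": ["admins"],
        "uniquemember": ["uid=bob,ou=people,dc=example,dc=com"]},
    # Dynamic group: members are whoever matches the LDAP URL in memberURL
    "cn=sales,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfURLs"], "cn": ["sales"],
        "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(departmentnumber=sales)"]},
}


def parse_ldap_url(url):
    """Split an RFC 4516 URL 'ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    m = re.match(r"ldap:///([^?]*)\?([^?]*)\?([^?]*)\?(.*)$", url)
    if not m:
        raise ValueError("unsupported LDAP URL: " + url)
    base, _attrs, scope, filt = m.groups()
    return base.lower(), (scope or "base").lower(), filt or "(objectclass=*)"


def in_scope(dn, base, scope):
    """Does dn fall under base for the given search scope (base, one, sub)?"""
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if dn == base:
        return scope == "sub"
    if not dn.endswith("," + base):
        return False
    rdns_below_base = dn[: -len(base) - 1]
    return scope == "sub" or "," not in rdns_below_base   # 'one' = direct children only


def _split_filters(s):
    """Split '(a=1)(b=2)' into its top-level components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def match_filter(entry, filt):
    """Evaluate a search filter supporting &, |, !, equality and presence (attr=*)."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("unsupported filter: " + filt)
    body = filt[1:-1]
    if body[:1] in ("&", "|", "!"):
        results = [match_filter(entry, p) for p in _split_filters(body[1:])]
        if body[0] == "&":
            return all(results)
        if body[0] == "|":
            return any(results)
        return not results[0]
    attr, _, value = body.partition("=")
    values = [v.lower() for v in entry.get(attr.strip().lower(), [])]
    if value == "*":
        return bool(values)
    return value.lower() in values


def group_members(group, directory, include_dynamic):
    """DNs in a group. uniqueMember values are always read; memberURL is only
    resolved when include_dynamic is True (the default OPSS query does not)."""
    classes = {c.lower() for c in group.get("objectclass", [])}
    members = {dn.lower() for dn in group.get("uniquemember", [])}
    if include_dynamic and "groupofurls" in classes:
        for url in group.get("memberurl", []):
            base, scope, filt = parse_ldap_url(url)
            members |= {dn.lower() for dn, e in directory.items()
                        if in_scope(dn, base, scope) and match_filter(e, filt)}
    return members


def groups_for_user(user_dn, directory, include_dynamic):
    """Sorted cn values of the groups that contain user_dn."""
    user_dn = user_dn.lower()
    found = []
    for entry in directory.values():
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if not classes & {"groupofuniquenames", "groupofurls"}:
            continue
        if user_dn in group_members(entry, directory, include_dynamic):
            found.append(entry["cn"][0])
    return sorted(found)
```

With include_dynamic=False alice is in no group at all, although the directory clearly intends her to be in "sales"; with include_dynamic=True she is. That is the gap the LibOVD dynamic group plugin closes by presenting memberURL results as if they were uniqueMember values, which in turn is why the group entry needs both object classes. Note also that carol, who matches the filter but sits outside the URL's base DN, is correctly excluded in both cases, so a wrong base or scope in the memberURL is one of the first things to check when a dynamic group looks empty.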
Debug application authentication: LibOVD debugging
• Can be used when ADFLogger is used in the application
• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
Debug application authentication: ADF Security
• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to OPSS principal users
Demo
• Use basic authentication in an ADF application
Debug application authentication: ADF Security
• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles/users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']
[Diagram labels: Users; Enterprise roles; Application roles; Permissions; Grants; weblogic.xml, jazn-data.xml]
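The grant chain in the diagram (users, enterprise roles from the identity store, application roles from jazn-data.xml, permissions) is what isUserInRole ultimately resolves, and when a role check fails unexpectedly it helps to walk that chain by hand. The following is an added example, not the presentation's code and not OPSS's implementation: it models a constructed grant set with the same three layers, resolves application roles transitively (app roles can be granted to other app roles), and derives the effective permissions, including a permission granted directly to an enterprise role.

```python
# Constructed grant model (not a real jazn-data.xml or weblogic.xml). The layers
# follow the diagram: users -> enterprise roles (identity store groups, mapped in
# weblogic.xml) -> application roles -> permissions (granted in jazn-data.xml).
USER_ENTERPRISE_ROLES = {
    "alice": {"sales_staff"},
    "bob": {"it_admins"},
    "carol": set(),            # no group membership at all
}

# application role -> set of (principal_type, principal_name) it is granted to
APP_ROLE_GRANTS = {
    "viewer": {("enterprise-role", "sales_staff"), ("app-role", "editor")},
    "editor": {("app-role", "admin")},
    "admin": {("enterprise-role", "it_admins"), ("user", "carol")},
}

# permission -> set of (principal_type, principal_name); app roles or enterprise roles
PERMISSION_GRANTS = {
    "report:view": {("app-role", "viewer")},
    "report:edit": {("app-role", "editor")},
    "report:delete": {("app-role", "admin")},
    "report:export": {("enterprise-role", "sales_staff")},   # granted to an enterprise role directly
}


def _base_principals(user):
    """The user principal plus the enterprise-role principals the identity store gives it."""
    return {("user", user)} | {("enterprise-role", r) for r in USER_ENTERPRISE_ROLES.get(user, set())}


def application_roles_for(user):
    """Application roles a user holds: grants to the user, to the user's enterprise
    roles, and transitively through app-role-to-app-role grants (fixpoint)."""
    principals = _base_principals(user)
    roles = set()
    changed = True
    while changed:
        changed = False
        held = principals | {("app-role", r) for r in roles}
        for role, grantees in APP_ROLE_GRANTS.items():
            if role not in roles and grantees & held:
                roles.add(role)
                changed = True
    return roles


def is_user_in_role(user, role):
    """Models the question ADF's securityContext.isUserInRole(role) answers."""
    return role in application_roles_for(user)


def permissions_for(user):
    """Effective permissions: anything granted to the user, its enterprise roles or its app roles."""
    holders = _base_principals(user) | {("app-role", r) for r in application_roles_for(user)}
    return {perm for perm, grantees in PERMISSION_GRANTS.items() if grantees & holders}


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, sorted(application_roles_for(user)), sorted(permissions_for(user)))
```

Two things worth noticing while debugging with this model in mind: carol has no enterprise role at all yet ends up with the full admin chain because of a direct user grant in jazn-data.xml, which is exactly the kind of development-time grant that should not survive into system-jazn-data.xml; and alice gets report:export without holding any application role that carries it, because the permission is granted to her enterprise role, so a role check and a permission check can legitimately disagree.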
Debug application authentication: ADF Security
• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down or from EM
Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
Debug application authentication: Business Process Management
• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application side debugging is often also not very difficult
Introduction
bull About AMISndash Located in the Netherlandsndash Oracle Award winning partner
bull About mendash Senior Oracle Integration Consultantndash Experience with Oracle SOA Suite since 2007ndash Well certified (SOA BPM Java SQL
PLSQL among others)ndash Author more than 100 blog articles (
httpjavaoraclesoablogspotcom)
MaartenSmeetsNL
httpsnllinkedincominsmeetsm
4
Oracle Virtual Technology Summit
httpwwworaclecomtechnetworkcommunitydeveloper-dayindexhtml
March 8 2016 183000 CET
bull Database Application Developmentbull Oracle DB12c Performancebull MySQLbull Java EE Microservices and JPAbull All about Java 8 bull The Internet of Thingsbull WebLogic 1221 and Java EEbull Operating Systems and Virtualizationbull StorageSPARC and Software
Development
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
6
Why use an external Identity Store
Application
WLS SOA
WLS OSB
WLS ADF
WLS WCC
bull An application uses company internal users
bull Often internal users are already present in an Identity Store
bull Management organization in place
bull Single environment to manage users
bull Single account per user
7
Introduction OPSSOracle Identity Store solutions
bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future
on-premise mobile and cloud needs
bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created
bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD
bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications
httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
4
Oracle Virtual Technology Summit
httpwwworaclecomtechnetworkcommunitydeveloper-dayindexhtml
March 8 2016 183000 CET
bull Database Application Developmentbull Oracle DB12c Performancebull MySQLbull Java EE Microservices and JPAbull All about Java 8 bull The Internet of Thingsbull WebLogic 1221 and Java EEbull Operating Systems and Virtualizationbull StorageSPARC and Software
Development
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
6
Why use an external Identity Store
Application
WLS SOA
WLS OSB
WLS ADF
WLS WCC
bull An application uses company internal users
bull Often internal users are already present in an Identity Store
bull Management organization in place
bull Single environment to manage users
bull Single account per user
7
Introduction OPSSOracle Identity Store solutions
bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future
on-premise mobile and cloud needs
bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created
bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD
bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications
httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authentication: ADF Security
• Application configuration files
– web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
– weblogic.xml: maps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authentication: ADF Security
• Application configuration files
– jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles.
– Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: #{securityContext.userInRole['role']}
[Diagram: Users → Enterprise roles (weblogic.xml) → Application roles → Permissions, linked by Grants (jazn-data.xml)]
35
Debug application authentication: ADF Security
• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
– OOTB file-based policy store
– Users, groups, authorization policies
– CredentialAccessPermission
– Change while WebLogic is down, or from EM
36
Debug application authentication: JVM parameters
• JVM parameters
– -Djps.auth.debug=true to get AccessControlException among other useful messages
– -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37
Debug application authentication: Business Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
39
Conclusion
• Many debugging options available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in the WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult.
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
6
Why use an external Identity Store
Application
WLS SOA
WLS OSB
WLS ADF
WLS WCC
bull An application uses company internal users
bull Often internal users are already present in an Identity Store
bull Management organization in place
bull Single environment to manage users
bull Single account per user
7
Introduction OPSSOracle Identity Store solutions
bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future
on-premise mobile and cloud needs
bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created
bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD
bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications
httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
6
Why use an external Identity Store
Application
WLS SOA
WLS OSB
WLS ADF
WLS WCC
bull An application uses company internal users
bull Often internal users are already present in an Identity Store
bull Management organization in place
bull Single environment to manage users
bull Single account per user
7
Introduction OPSSOracle Identity Store solutions
bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future
on-premise mobile and cloud needs
bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created
bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD
bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications
httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
7
Introduction OPSSOracle Identity Store solutions
bull Oracle Unified Directoryndash Embedded Berkeley Databasendash LDAP proxyndash Much faster readwrite than ODSEEndash Provides LDAP virtualizationndash Elastic scalingndash Strategic Directory Server productndash Designed to address current and future
on-premise mobile and cloud needs
bull Oracle Directory Server Enterprise Editionndash ODSEE 52 and 63 are in Sustaining Supportndash No new fixes will be created
bull Oracle Virtual Directoryndash Provides virtualization of different sourcesndash OUD does not replace OVD
bull Oracle Internet Directoryndash Uses external Oracle DBndash Used with Fusion Applications
httpsblogsoraclecomOracleIDMentrywhy_customers_should_upgrade_directory
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authentication: LibOVD
• Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider. LibOVD provides virtualization
• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
Debug application authentication: LibOVD configuration
• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers, credential stores
Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs objectclasses
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
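The structural-class conflict and its fix, as an added Python example (not LibOVD, OPSS or directory-server code): a hand-written schema model of the two group object classes and a constructed dynamic-group LDIF entry, checked against the LDAP rule that an entry's structural object classes must form a single superclass chain.

```python
"""
Schema check for the LibOVD dynamic-group requirement above: an entry may carry
only one structural object class (RFC 4512, 2.4.2), so a group that is both
groupOfUniqueNames and groupOfURLs is rejected unless groupOfURLs inherits from
groupOfUniqueNames. Added example with a hand-written schema model; not OPSS,
LibOVD or directory-server code.
"""
from typing import Dict, List, Optional, Sequence


class SchemaViolation(Exception):
    """Raised when an entry's objectClass values break the structural-class rule."""


class ObjectClass:
    def __init__(self, name: str, kind: str, sup: Optional[str]):
        self.name = name
        self.kind = kind  # ABSTRACT, STRUCTURAL or AUXILIARY
        self.sup = sup    # superclass name; None only for 'top'


def build_schema(group_of_urls_sup: str) -> Dict[str, ObjectClass]:
    """Approximation of the standard group classes (constructed for this example).

    group_of_urls_sup is the SUP of groupOfURLs: 'top' as shipped by most
    directory servers, 'groupOfUniqueNames' after the fix described on the slide.
    Keys are lower-cased because LDAP object class names are case-insensitive.
    """
    classes = [
        ObjectClass("top", "ABSTRACT", None),
        ObjectClass("groupOfUniqueNames", "STRUCTURAL", "top"),
        ObjectClass("groupOfURLs", "STRUCTURAL", group_of_urls_sup),
    ]
    return {c.name.lower(): c for c in classes}


def ancestors(schema: Dict[str, ObjectClass], name: str) -> List[str]:
    """Canonical names of `name` and all its superclasses, most specific first."""
    cur = schema.get(name.lower())
    if cur is None:
        raise SchemaViolation(f"unknown object class: {name}")
    chain: List[str] = []
    while cur is not None:
        chain.append(cur.name)
        cur = schema[cur.sup.lower()] if cur.sup else None
    return chain


def structural_class(schema: Dict[str, ObjectClass], object_classes: Sequence[str]) -> str:
    """Return the entry's single structural object class, or raise SchemaViolation.

    Every structural class reachable from the listed classes must lie on the
    superclass chain of one most-specific structural class.
    """
    structural = set()
    for oc in object_classes:
        for anc in ancestors(schema, oc):
            if schema[anc.lower()].kind == "STRUCTURAL":
                structural.add(anc)
    if not structural:
        raise SchemaViolation("entry has no structural object class")
    for cand in structural:
        if structural.issubset(ancestors(schema, cand)):
            return cand
    raise SchemaViolation(
        "unrelated structural object classes on one entry: " + ", ".join(sorted(structural)))


def object_classes_from_ldif(ldif: str) -> List[str]:
    """Collect the objectClass values of a single LDIF entry."""
    values = []
    for line in ldif.splitlines():
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() == "objectclass":
            values.append(value.strip())
    return values


# Constructed dynamic group of the shape the LibOVD plugin expects: a static
# uniqueMember list plus a memberURL that selects members dynamically.
DYNAMIC_GROUP_LDIF = """\
dn: cn=Developers,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: Developers
uniqueMember: cn=placeholder,ou=people,dc=example,dc=com
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=dev)
"""


def check_dynamic_group(group_of_urls_sup: str) -> str:
    """Structural class of the constructed group under a schema where groupOfURLs
    has the given superclass: raises with 'top', returns 'groupOfURLs' with
    'groupOfUniqueNames'."""
    schema = build_schema(group_of_urls_sup)
    return structural_class(schema, object_classes_from_ldif(DYNAMIC_GROUP_LDIF))


if __name__ == "__main__":
    for sup in ("top", "groupOfUniqueNames"):
        try:
            print(f"groupOfURLs SUP {sup}: structural class {check_dynamic_group(sup)}")
        except SchemaViolation as exc:
            print(f"groupOfURLs SUP {sup}: rejected ({exc})")
```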
Debug application authentication: LibOVD debugging
• Can be used when ADFLogger is used in the application
• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
Debug application authentication: ADF Security
• Application configuration files
– web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
– weblogic.xml: maps valid-users to the OPSS principal "users"
Demo
• Use basic authentication in an ADF application
Debug application authentication: ADF Security
• Application configuration files
– jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles or users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
– Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: #{securityContext.userInRole['role']}
[Diagram: Users → Enterprise roles → Application roles → Permissions, with grants; mappings in weblogic.xml and jazn-data.xml]
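The grant chain on this slide (user, enterprise roles from the authentication provider, application roles, permissions) as an added Python model; this is not ADF, OPSS or WebLogic code, all users, groups, roles and resources are constructed, and `why()` is a hypothetical helper that reports each layer so an unexpected false from isUserInRole can be placed at the groups, the app-role grants or the policy.

```python
"""
Role-resolution chain from the slide above: the authentication provider yields a
user's enterprise roles (groups), jazn-data.xml grants application roles to
enterprise roles, users or other application roles, and resource permissions
are granted to application or enterprise roles. Added example modelled in plain
Python; not ADF, OPSS or WebLogic code. All users, groups, roles and resources
below are constructed.
"""
from typing import Dict, List, Set, Tuple

# What the authentication provider would return per user. WebLogic's built-in
# "users" group (every authenticated user) is what weblogic.xml maps the
# valid-users role to.
ENTERPRISE_ROLES: Dict[str, Set[str]] = {
    "alice": {"users", "finance_dept"},
    "bob": {"users", "it_ops"},
    "mallory": {"users"},
}

# Application-role members in the shape of jazn-data.xml <app-role><members>:
# (member type, member name) pairs granted to each application role.
APP_ROLE_GRANTS: Dict[str, List[Tuple[str, str]]] = {
    "authenticated-role": [("enterprise-role", "users")],
    "approver": [("enterprise-role", "finance_dept"), ("user", "bob")],
    "admin": [("enterprise-role", "it_ops")],
    "auditor": [("app-role", "admin")],  # nested application role
}

# Resource permissions (jazn-policy grants) keyed by resource, valued by the
# application or enterprise roles that hold them.
PERMISSION_GRANTS: Dict[str, Set[str]] = {
    "view:InvoicePage": {"authenticated-role"},
    "view:ApprovalPage": {"approver"},
    "view:AuditLog": {"auditor"},
    "view:OpsDashboard": {"it_ops"},  # granted straight to an enterprise role
}


def enterprise_roles_for(user: str) -> Set[str]:
    """Groups the authentication provider reports; empty for unknown users."""
    return set(ENTERPRISE_ROLES.get(user, set()))


def app_roles_for(user: str) -> Set[str]:
    """Application roles the user holds, following nested app-role grants to a fixed point."""
    groups = enterprise_roles_for(user)
    roles: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for role, members in APP_ROLE_GRANTS.items():
            if role in roles:
                continue
            for kind, name in members:
                held = (
                    (kind == "user" and name == user)
                    or (kind == "enterprise-role" and name in groups)
                    or (kind == "app-role" and name in roles)
                )
                if held:
                    roles.add(role)
                    changed = True
                    break
    return roles


def is_user_in_role(user: str, role: str) -> bool:
    """Mirror of SecurityContext.isUserInRole: true for application or enterprise roles."""
    return role in app_roles_for(user) or role in enterprise_roles_for(user)


def has_permission(user: str, resource: str) -> bool:
    """True if any role granted the resource is held by the user."""
    return any(is_user_in_role(user, r) for r in PERMISSION_GRANTS.get(resource, set()))


def why(user: str, resource: str) -> List[str]:
    """Hypothetical debugging helper: one line per layer, so a failed check
    shows whether the gap is in the groups, the app-role grants or the policy."""
    lines = [f"enterprise roles: {sorted(enterprise_roles_for(user))}",
             f"application roles: {sorted(app_roles_for(user))}"]
    for r in sorted(PERMISSION_GRANTS.get(resource, set())):
        lines.append(f"{resource} granted to {r}: held={is_user_in_role(user, r)}")
    return lines


if __name__ == "__main__":
    for user, resource in (("alice", "view:ApprovalPage"), ("mallory", "view:ApprovalPage")):
        print(f"{user} -> {resource}: {has_permission(user, resource)}")
        for line in why(user, resource):
            print("   ", line)
```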
Debug application authentication: ADF Security
• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
– OOTB file based policy store
– Users, groups, authorization policies
– CredentialAccessPermission
– Change while WebLogic is down, or from EM
Debug application authentication: JVM parameters
• JVM parameters
– -Djps.auth.debug=true to get AccessControlException among other useful messages
– -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
Debug application authentication: Business Process Management
• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
Conclusion
• Many debugging options available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
Introduction OPSS
Identity Store
Providers
Authentication Authorization Credential Store Framework User Role
Service Provider Interface Layer
OPSS APIs
WebLogic Server
JavaEE application Java SE application
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
What to debug
Identity Store
WebLogic Console
ApplicationAuthentication API
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
Authentication provider
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34. Debug application authentication: ADF Security (2)
• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); with EL: #{securityContext.userInRole['role']}
[Diagram: Users -> Enterprise roles -> Application roles -> Permissions; the grants are configured in weblogic.xml and jazn-data.xml]
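The grant chain on this slide (users, enterprise roles from the identity store, application roles and resource permissions from jazn-data.xml) is what isUserInRole ultimately walks. The following is an added example, not code from the presentation or from Oracle's ADF/OPSS libraries: it models the chain with plain Python data so the resolution order can be followed and a denied permission can be traced to the layer where the chain breaks. All users, roles and resource names are constructed sample data; enterprise-role membership stands in for what the authentication provider returns, and the two grant tables stand in for jazn-data.xml grants.

```python
"""Resolve the ADF Security grant chain: Users -> Enterprise roles -> Application roles -> Permissions.

Added example with constructed data; not the presentation's or Oracle's code.
"""
from typing import Dict, FrozenSet, Set

# Constructed: group (enterprise role) membership as the identity store would report it.
ENTERPRISE_ROLES: Dict[str, Set[str]] = {
    "alice": {"hr_staff"},
    "bob": {"hr_staff", "hr_managers"},
    "carol": set(),
}

# Constructed stand-in for jazn-data.xml application-role grants. Grantees may be
# enterprise roles, individual users, or other application roles (nesting).
APP_ROLE_GRANTS: Dict[str, Set[str]] = {
    "hr-viewer": {"hr_staff"},
    "hr-editor": {"hr_managers", "carol"},
    "hr-auditor": {"hr-editor"},  # application role granted to an application role
}

# Constructed stand-in for jazn-data.xml resource permission grants; grantees are
# application roles or enterprise roles, never users directly.
PERMISSION_GRANTS: Dict[str, Set[str]] = {
    "view:EmployeePage": {"hr-viewer", "hr-editor"},
    "edit:EmployeePage": {"hr-editor"},
    "view:AuditReport": {"hr-auditor"},
}


def enterprise_roles_of(user: str) -> FrozenSet[str]:
    """Enterprise roles come from the authentication provider, not from jazn-data.xml."""
    return frozenset(ENTERPRISE_ROLES.get(user, set()))


def application_roles_of(user: str) -> FrozenSet[str]:
    """Expand application-role grants transitively from the user's principals.

    A role is held when the user, one of the user's enterprise roles, or an already
    held application role is among its grantees. Iterate to a fixed point so nested
    application roles resolve whatever order the grants are listed in.
    """
    principals: Set[str] = {user} | set(enterprise_roles_of(user))
    granted: Set[str] = set()
    changed = True
    while changed:
        changed = False
        for role, grantees in APP_ROLE_GRANTS.items():
            if role not in granted and grantees & (principals | granted):
                granted.add(role)
                changed = True
    return frozenset(granted)


def is_user_in_role(user: str, role: str) -> bool:
    """Same question as isUserInRole / securityContext.userInRole on the slide:
    true for an enterprise role or an application role held by the user."""
    return role in enterprise_roles_of(user) or role in application_roles_of(user)


def permissions_of(user: str) -> FrozenSet[str]:
    """Resource permissions reachable through the user's enterprise and application roles."""
    roles = enterprise_roles_of(user) | application_roles_of(user)
    return frozenset(p for p, grantees in PERMISSION_GRANTS.items() if grantees & roles)


def _all_app_role_grantees() -> Set[str]:
    out: Set[str] = set()
    for grantees in APP_ROLE_GRANTS.values():
        out |= grantees
    return out


def explain_denial(user: str, permission: str) -> str:
    """Debugging aid: say at which layer of the chain a permission is lost."""
    if permission not in PERMISSION_GRANTS:
        return f"{permission}: no grant for this resource in the policy store"
    if not enterprise_roles_of(user) and user not in _all_app_role_grantees():
        return f"{user}: identity store returned no groups and there is no direct grant"
    needed = PERMISSION_GRANTS[permission]
    held = enterprise_roles_of(user) | application_roles_of(user)
    if needed & held:
        return f"{user} holds {sorted(needed & held)}; permission granted"
    return f"{user} holds {sorted(held)} but {permission} is granted only to {sorted(needed)}"


if __name__ == "__main__":
    for u in ENTERPRISE_ROLES:
        print(u, sorted(application_roles_of(u)), sorted(permissions_of(u)))
    print(explain_denial("alice", "edit:EmployeePage"))
```

When a user is denied, explain_denial tells you whether to look at the identity store (no groups came back), at the application-role grants, or at the permission grants, which is the layered approach the talk argues for.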
35. Debug application authentication: ADF Security (3)
• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM
36. Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37. Debug application authentication: Business Process Management
• Authenticate with a user
• The user is a member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38. Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
39. Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
What to debug
[Diagram of the layers between the application and the Identity Store: Identity Store (LDAP queries, SSL/TLS); Authentication provider (WebLogic Console, config.xml); Virtualization / Platform security (jps-config.xml, jps-config-jse.xml, system-jazn-data.xml); Application / Authentication API (web.xml, weblogic.xml, role mappings, organizational units)]
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
13. Debug WebLogic authentication: using an external client
• Using an external client: Apache Directory Studio
14. Debug WebLogic authentication: Embedded LDAP
15. Debug WebLogic authentication: Embedded LDAP (2)
• Login using Bind DN / User: cn=Admin
• Running by default on the AdminServer port
• Check out cn=Config for LDAP server properties
16. Debug WebLogic authentication: Embedded LDAP (3)
• Notice the use of dynamic groups
17. Debug WebLogic authentication: Embedded LDAP (4)
• Notice the use of dynamic groups
18. Debug WebLogic authentication: Authentication provider configuration
• Select the authentication provider (as specific as possible)
• JAAS Control flags
• LDAP connection details
• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups
• Cache settings
19. Debug WebLogic authentication: using WebLogic Console
• JAAS Control flags
  – SUFFICIENT: if authentication passes, no other authentication providers are evaluated. If it fails, they are
  – REQUIRED: the authentication provider is always called and authentication must succeed
  – OPTIONAL: passing authentication of this provider is optional. If all providers are optional, one needs to pass
  – REQUISITE: authentication has to succeed on this provider. After that, providers of lower priority are evaluated
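The four flag rules above decide which providers in the stack are called and whether the login succeeds, and a stack that looks reasonable in the console can still reject users that exist in only one provider. The following is an added example, not code from the presentation or from WebLogic/JAAS itself: it applies the rules to an ordered provider list whose individual pass/fail outcomes are given as constructed data, and returns both the overall result and the providers that were actually consulted. Provider names such as "LDAPAuthenticator" are labels for the scenario, not configuration taken from the slides.

```python
"""Evaluate an ordered WebLogic authentication provider stack by JAAS control flag.

Added example with constructed scenarios; not the presentation's or WebLogic's code.
"""
from dataclasses import dataclass
from typing import List, Tuple

SUFFICIENT, REQUIRED, OPTIONAL, REQUISITE = "SUFFICIENT", "REQUIRED", "OPTIONAL", "REQUISITE"


@dataclass(frozen=True)
class Provider:
    name: str
    flag: str
    authenticates: bool  # constructed: does this provider accept the user and password?


def evaluate(stack: List[Provider]) -> Tuple[bool, List[str]]:
    """Return (overall success, names of providers that were called), first provider first.

    REQUIRED:   always called; a failure makes the overall result fail, but the
                rest of the stack is still evaluated.
    REQUISITE:  must succeed; on failure evaluation stops right there.
    SUFFICIENT: on success, stop with success unless a REQUIRED/REQUISITE provider
                earlier in the stack already failed; on failure, continue.
    OPTIONAL:   never decisive unless every provider is OPTIONAL, in which case at
                least one of them has to pass.
    """
    called: List[str] = []
    required_failed = False
    saw_required = False
    optional_passed = False
    for p in stack:
        called.append(p.name)
        if p.flag in (REQUIRED, REQUISITE):
            saw_required = True
            if not p.authenticates:
                required_failed = True
                if p.flag == REQUISITE:
                    return False, called
        elif p.flag == SUFFICIENT:
            if p.authenticates and not required_failed:
                return True, called
        elif p.flag == OPTIONAL:
            optional_passed = optional_passed or p.authenticates
        else:
            raise ValueError(f"unknown control flag {p.flag!r} on provider {p.name}")
    if saw_required:
        return not required_failed, called
    return optional_passed, called


# Constructed scenario: a user that exists only in the external LDAP server, so the
# embedded-LDAP provider (DefaultAuthenticator) rejects it and the LDAP one accepts it.
LDAP_ONLY_USER_BOTH_REQUIRED = [
    Provider("DefaultAuthenticator", REQUIRED, False),
    Provider("LDAPAuthenticator", REQUIRED, True),
]
LDAP_ONLY_USER_BOTH_SUFFICIENT = [
    Provider("DefaultAuthenticator", SUFFICIENT, False),
    Provider("LDAPAuthenticator", SUFFICIENT, True),
]

if __name__ == "__main__":
    for stack in (LDAP_ONLY_USER_BOTH_REQUIRED, LDAP_ONLY_USER_BOTH_SUFFICIENT):
        ok, called = evaluate(stack)
        print([f"{p.name}:{p.flag}" for p in stack], "->", ok, "called:", called)
```

The two constructed stacks show the practical consequence of the rules: with both providers REQUIRED, a user known to only one of them can never log in, whereas with both SUFFICIENT the first provider that accepts the user ends the evaluation.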
20. Debug WebLogic authentication: Cache settings
• How to uniquely identify an LDAP entry? The GUID Attribute
• The GUID Attribute is used as cache key
• Provider specific
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• Misconfiguration can lead to: first login fails, second login succeeds (cache issues)
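Two of the LDAP-side checks on this page can be done offline against exported entries before anything is changed in the console: whether the configured GUID attribute is the right one for the server type, present on every entry and unique (this slide), and whether a dynamic group that carries both GroupOfUniqueNames and GroupOfURLs violates the one-structural-class rule until GroupOfURLs is made a subclass of GroupOfUniqueNames (the LibOVD configuration slide earlier on this page). The following is an added example, not code from the presentation or from any Oracle product; the entries, the UUID values and the schema subset are constructed sample data, and the schema kinds and superiors mirror a stock directory schema only for the classes listed.

```python
"""Offline sanity checks for LDAP data behind a WebLogic authentication provider.

Added example with constructed data; not the presentation's or Oracle's code.
Covers the GUID cache-key attribute and the structural object class rule.
"""
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]                   # attribute name -> values; "dn" holds one value
Schema = Dict[str, Tuple[str, Optional[str]]]  # object class -> (kind, superior class)

# Constructed schema subset. In a stock schema groupOfUniqueNames and groupOfURLs are
# both STRUCTURAL subclasses of top, which is the conflict the LibOVD slide describes.
SCHEMA_STOCK: Schema = {
    "top": ("ABSTRACT", None),
    "groupOfUniqueNames": ("STRUCTURAL", "top"),
    "groupOfURLs": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
}
# The fix from the slide: groupOfURLs gets groupOfUniqueNames as its superclass.
SCHEMA_FIXED: Schema = dict(SCHEMA_STOCK, groupOfURLs=("STRUCTURAL", "groupOfUniqueNames"))

# GUID attribute per server type, as listed on the cache-settings slide.
GUID_ATTRIBUTE_BY_SERVER = {
    "OUD": "entryuuid", "OpenLDAP": "entryuuid", "ApacheDS": "entryuuid",
    "Active Directory": "objectguid",
    "OVD": "orclguid", "OID": "orclguid",
}


def superior_chain(schema: Schema, oc: str) -> List[str]:
    """All ancestors of an object class, nearest first."""
    chain: List[str] = []
    cur = schema.get(oc)
    while cur is not None and cur[1] is not None:
        chain.append(cur[1])
        cur = schema.get(cur[1])
    return chain


def structural_chain_violation(schema: Schema, object_classes: List[str]) -> Optional[str]:
    """None if the entry's STRUCTURAL classes lie on one inheritance chain, else a message.

    Two structural classes may coexist on one entry only when one derives from the
    other; checking pairs is enough because object class inheritance forms a tree.
    """
    structural = [oc for oc in object_classes if schema.get(oc, ("", None))[0] == "STRUCTURAL"]
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            if a not in superior_chain(schema, b) and b not in superior_chain(schema, a):
                return f"{a} and {b} are both STRUCTURAL and neither derives from the other"
    return None


def check_guid_attribute(server_type: str, configured: str, entries: List[Entry]) -> List[str]:
    """Problems that make the configured GUID attribute unusable as a cache key."""
    problems: List[str] = []
    expected = GUID_ATTRIBUTE_BY_SERVER.get(server_type)
    if expected is not None and configured.lower() != expected:
        problems.append(f"{server_type} uses {expected}; configured GUID attribute is {configured}")
    first_seen: Dict[str, str] = {}
    for entry in entries:
        dn = entry["dn"][0]
        # LDAP attribute names are case-insensitive, so compare lower-cased.
        values = {k.lower(): v for k, v in entry.items()}.get(configured.lower(), [])
        if not values:
            problems.append(f"{dn} has no {configured} attribute, so it cannot be cached by GUID")
            continue
        value = values[0].lower()
        if value in first_seen:
            problems.append(f"{configured} value {value} is not unique: {first_seen[value]} and {dn}")
        else:
            first_seen[value] = dn
    return problems


# Constructed sample entries; the UUIDs are placeholders, not from any real directory.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "entryUUID": ["00000000-0000-4000-8000-000000000001"]},
    {"dn": ["uid=bob,ou=people,dc=example,dc=com"], "entryUUID": ["00000000-0000-4000-8000-000000000002"]},
]
DUPLICATE_ENTRIES: List[Entry] = [
    {"dn": ["uid=alice,ou=people,dc=example,dc=com"], "entryUUID": ["00000000-0000-4000-8000-000000000001"]},
    {"dn": ["uid=alice2,ou=people,dc=example,dc=com"], "entryUUID": ["00000000-0000-4000-8000-000000000001"]},
]
DYNAMIC_GROUP_CLASSES = ["top", "groupOfUniqueNames", "groupOfURLs"]

if __name__ == "__main__":
    print(structural_chain_violation(SCHEMA_STOCK, DYNAMIC_GROUP_CLASSES))
    print(structural_chain_violation(SCHEMA_FIXED, DYNAMIC_GROUP_CLASSES))
    print(check_guid_attribute("OUD", "orclguid", SAMPLE_ENTRIES))
```

Running check_guid_attribute with an OID attribute name against OUD entries reports both the wrong name and every entry lacking it, which is the kind of configuration behind the "first login fails, second succeeds" symptom; structural_chain_violation shows the dynamic group entry passing only with the fixed schema.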
21. Debug WebLogic authentication: using WebLogic Console
• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works
22. Debug WebLogic authentication: using WebLogic Console (2)
• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works
23. Debug WebLogic authentication: using log files
• LDAP connections
• LDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug application authentication
[Diagram of the layers between the application and the Identity Store: Identity Store (LDAP queries, SSL/TLS); Authentication provider (WebLogic Console, config.xml); Virtualization / Platform security (jps-config.xml, jps-config-jse.xml, system-jazn-data.xml); Application / Authentication API (web.xml, weblogic.xml, role mappings, organizational units)]
27. OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml: users, groups and authorization policies
• cwallet.sso: credentials used by the application
• adapters.os_xml: LibOVD plugin configuration
28. Debug application authentication: LibOVD
• Present since 11.1.1.4 and has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider. LibOVD provides virtualization
• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
13
Debug Weblogic authenticationusing an external client
bull Using an external client
Apache Directory Studio
14
Debug WebLogic authenticationEmbedded LDAP
15
Debug WebLogic authenticationEmbedded LDAP
bull Login usingBind DN User cn=Admin
bull Running by default on the AdminServer port
bull Check out cn=Config for LDAP server properties
16
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
17
Debug WebLogic authenticationEmbedded LDAP
bull Notice the use of dynamic groups
18
Debug WebLogic authenticationAuthentication provider configuration
bull Select the authentication provider (as specific as possible)
bull JAAS Control flags
bull LDAP connection details
bull LDAP search behaviorndash Usersndash Static groupsndash Dynamic groups
bull Cache settings
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
14
Debug WebLogic authentication: Embedded LDAP
15
Debug WebLogic authentication: Embedded LDAP
• Login using Bind DN / User: cn=Admin
• Running by default on the AdminServer port
• Check out cn=Config for LDAP server properties
16
Debug WebLogic authentication: Embedded LDAP
• Notice the use of dynamic groups
17
Debug WebLogic authentication: Embedded LDAP
• Notice the use of dynamic groups
18
Debug WebLogic authentication: Authentication provider configuration
• Select the authentication provider (as specific as possible)
• JAAS Control flags
• LDAP connection details
• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups
• Cache settings
19
Debug WebLogic authentication: using WebLogic Console
• JAAS Control flags
  – SUFFICIENT: if authentication passes, no other authentication providers are evaluated; if it fails, they are.
  – REQUIRED: the authentication provider is always called and authentication must succeed.
  – OPTIONAL: passing authentication on this provider is optional; if all providers are optional, at least one needs to pass.
  – REQUISITE: authentication has to succeed on this provider; after that, providers of lower priority are evaluated.
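The flag semantics above decide which providers get consulted and whether a user is accepted; the small simulator below (an added example, not code from the presentation) walks a provider chain the way JAAS does and reproduces the classic symptom of an embedded LDAP provider left on REQUIRED next to an external LDAP provider set to SUFFICIENT. Provider names and per-provider outcomes are constructed inputs; the list order stands in for the configured provider order.

```python
"""Simulation of how a JAAS login chain combines the control flags of the
authentication providers in it (the semantics listed on the slide).

Added example, not code from the presentation. Provider names and the
per-provider outcomes are constructed inputs; the list order mirrors the
configured order in which WebLogic consults the providers of a realm.
"""
from enum import Enum


class Flag(Enum):
    REQUIRED = "REQUIRED"
    REQUISITE = "REQUISITE"
    SUFFICIENT = "SUFFICIENT"
    OPTIONAL = "OPTIONAL"


def evaluate_chain(chain, outcomes):
    """Walk the provider chain the way JAAS does.

    chain:    list of (provider_name, Flag) in evaluation order
    outcomes: dict provider_name -> bool, whether that provider on its own
              would accept the presented credentials
    Returns (authenticated, names_of_providers_that_were_consulted).
    """
    consulted = []
    required_failed = False   # a REQUIRED/REQUISITE provider rejected the user
    any_success = False
    for name, flag in chain:
        accepted = outcomes.get(name, False)
        consulted.append(name)
        if accepted:
            any_success = True
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not accepted:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break          # REQUISITE failure: stop evaluating at once
        elif flag is Flag.SUFFICIENT and accepted and not required_failed:
            break                  # SUFFICIENT success: skip the rest of the chain
        # OPTIONAL (and a failed SUFFICIENT) never stops the walk
    if required_failed:
        return False, consulted
    return any_success, consulted  # only OPTIONAL/SUFFICIENT left: one must have passed


def explain(chain, outcomes):
    """Human-readable verdict for a troubleshooting session."""
    ok, consulted = evaluate_chain(chain, outcomes)
    verdict = "AUTHENTICATED" if ok else "REJECTED"
    return f"{verdict} after consulting {', '.join(consulted)}"


# Constructed scenario: the embedded LDAP provider (DefaultAuthenticator) left on
# REQUIRED next to an external LDAP provider set to SUFFICIENT. A user that only
# exists in the external directory is rejected even though that provider accepts
# the credentials, because the REQUIRED provider cannot find the user.
MISCONFIGURED = [("DefaultAuthenticator", Flag.REQUIRED),
                 ("ExternalLDAP", Flag.SUFFICIENT)]
# Corrected chain: both providers SUFFICIENT, so either directory can vouch for a user.
CORRECTED = [("DefaultAuthenticator", Flag.SUFFICIENT),
             ("ExternalLDAP", Flag.SUFFICIENT)]

LDAP_ONLY_USER = {"DefaultAuthenticator": False, "ExternalLDAP": True}
EMBEDDED_USER = {"DefaultAuthenticator": True, "ExternalLDAP": False}

if __name__ == "__main__":
    for label, chain in (("misconfigured", MISCONFIGURED), ("corrected", CORRECTED)):
        print(f"{label:14} ldap-only user: {explain(chain, LDAP_ONLY_USER)}")
        print(f"{label:14} embedded user:  {explain(chain, EMBEDDED_USER)}")
```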
20
Debug WebLogic authentication: Cache settings
• How to uniquely identify an LDAP entry? The GUID Attribute
• The GUID Attribute is used as cache key
• Provider specific:
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• Misconfiguration can lead to: first login fails, second login succeeds (cache issues)
21
Debug WebLogic authentication: using WebLogic Console
• Connection to external provider works
• Server trust is established
• User query works
• Validating authentication details works
22
Debug WebLogic authentication: using WebLogic Console
• Dynamic group object class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works
23
Debug WebLogic authentication: using log files
• LDAP connections
• LDAP queries
24
Demo
• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug the authentication using the log files
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug application authentication
[Diagram: the layers between the application and the identity store. Application (Authentication API); Platform security (jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml); Virtualization; Authentication provider (WebLogic Console; LDAP queries, SSL/TLS; Role mappings, Organizational Units); Identity Store]
27
OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies
• cwallet.sso – credentials used by the application
• adapters.os_xml – LibOVD plugin configuration
28
Debug application authentication: LibOVD
• Present since 11.1.1.4; has seen several patches since then. Lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization
• Configuration: edit <DOMAINDIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
29
Debug application authentication: LibOVD configuration
• <DOMAINDIR>/config/fmwconfig/jps-config.xml: provides login modules, authentication providers, credential stores
30
Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs objectclasses
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
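Why the plugin's requirement collides with the one-structural-class rule, and why re-parenting groupOfURLs resolves it, is easiest to see with a small schema checker; the code below is an added example, not part of the presentation or of LibOVD. The miniature schema is constructed (a real directory schema has many more classes); only the class names and the fix come from the slide, and objectClass names are compared case-insensitively as LDAP does.

```python
"""Check an LDAP entry's objectClass set against the rule that an entry may
carry only one chain of structural object classes, the rule the LibOVD
dynamic-group plugin runs into when a group must have both groupOfUniqueNames
and groupOfURLs, and show why making groupOfUniqueNames the superior of
groupOfURLs resolves it.

Added example, not from the presentation. The miniature schema is constructed;
class names and the fix are the slide's. Names are compared case-insensitively.
"""

# objectClass name (lower-cased) -> (kind, superior class or None)
STOCK_SCHEMA = {
    "top": ("ABSTRACT", None),
    "groupofuniquenames": ("STRUCTURAL", "top"),
    "groupofurls": ("STRUCTURAL", "top"),   # as shipped: a second structural root
}

# The slide's fix: groupOfURLs now inherits from groupOfUniqueNames, so the two
# classes form a single structural chain instead of two competing ones.
FIXED_SCHEMA = dict(STOCK_SCHEMA)
FIXED_SCHEMA["groupofurls"] = ("STRUCTURAL", "groupofuniquenames")


def ancestors(schema, cls):
    """Inheritance chain from cls up to the root, cls included."""
    out = []
    cls = cls.lower()
    while cls is not None:
        if cls not in schema:
            raise KeyError(f"objectClass {cls!r} is not defined in the schema")
        out.append(cls)
        cls = schema[cls][1]
    return out


def most_specific_structural(schema, object_classes):
    """Structural classes of the entry that no other listed structural class
    inherits from. A well-formed entry has exactly one of these."""
    structural = [c.lower() for c in object_classes
                  if schema[c.lower()][0] == "STRUCTURAL"]
    leaves = set()
    for cls in structural:
        inherited_by_other = any(cls in ancestors(schema, other)
                                 for other in structural if other != cls)
        if not inherited_by_other:
            leaves.add(cls)
    return leaves


def check_entry(schema, object_classes):
    """Return (ok, message) for the entry's objectClass values."""
    leaves = most_specific_structural(schema, object_classes)
    if len(leaves) == 0:
        return False, "entry has no structural objectClass"
    if len(leaves) > 1:
        return False, ("entry has %d structural objectClass chains (%s); "
                       "the directory rejects this as an objectClass violation"
                       % (len(leaves), ", ".join(sorted(leaves))))
    return True, "single structural chain rooted at " + leaves.pop()


# Constructed dynamic group as the plugin wants it: both object classes present.
DYNAMIC_GROUP = ["top", "groupOfUniqueNames", "groupOfURLs"]

if __name__ == "__main__":
    print("stock schema:", check_entry(STOCK_SCHEMA, DYNAMIC_GROUP))
    print("fixed schema:", check_entry(FIXED_SCHEMA, DYNAMIC_GROUP))
```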
31
Debug application authentication: LibOVD debugging
• Can be used when ADFLogger is used in the application
• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
32
Debug application authentication: ADF Security
• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to the OPSS principal "users"
33
Demo
• Use basic authentication in an ADF application
34
Debug application authentication: ADF Security
• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles / users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: #{securityContext.userInRole['role']}
[Diagram: Users → Enterprise roles (weblogic.xml) → Application roles → Permissions (jazn-data.xml), with the arrows labelled "Grants"]
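When isUserInRole returns false unexpectedly, the question is at which link of the chain in the diagram the grant is missing. The resolver below is an added example (not code from the presentation or from OPSS) that walks user → enterprise roles → application roles → permissions over constructed data shaped like what the authentication provider and jazn-data.xml would hold; it also follows application roles granted to other application roles, which OPSS allows.

```python
"""Resolve the chain ADF Security walks when isUserInRole / userInRole is
evaluated: user -> enterprise roles (groups from the authentication provider)
-> application roles (granted in jazn-data.xml to enterprise roles, users or
other application roles) -> permissions (granted to application or enterprise
roles).

Added example, not from the presentation. Every user, group, role and
permission below is constructed; the structure follows the slide's diagram.
"""


def app_roles_for(user, groups, app_role_grants):
    """Application roles the user ends up with, following nested grants.

    groups:          user -> set of enterprise roles (what the provider reports)
    app_role_grants: application role -> set of principals it is granted to
                     (user names, enterprise roles or other application roles)
    """
    principals = {user} | groups.get(user, set())
    roles = set()
    changed = True
    while changed:                  # fixed point: roles granted to roles
        changed = False
        for role, grantees in app_role_grants.items():
            if role not in roles and grantees & (principals | roles):
                roles.add(role)
                changed = True
    return roles


def user_in_role(user, role, groups, app_role_grants):
    """Mirror of ADFContext...isUserInRole(role): true for enterprise roles
    reported by the provider and for resolved application roles."""
    return (role in groups.get(user, set())
            or role in app_roles_for(user, groups, app_role_grants))


def permissions_for(user, groups, app_role_grants, permission_grants):
    """permission_grants: permission -> set of application or enterprise roles."""
    held = groups.get(user, set()) | app_roles_for(user, groups, app_role_grants)
    return {perm for perm, roles in permission_grants.items() if roles & held}


# Constructed data. GROUPS is what the authentication provider would return;
# APP_ROLE_GRANTS and PERMISSION_GRANTS are what jazn-data.xml would hold.
GROUPS = {"jdoe": {"sales-users"},
          "asmith": {"sales-users", "sales-admins"},
          "guest": set()}
APP_ROLE_GRANTS = {
    "SalesViewer": {"sales-users"},            # enterprise role -> application role
    "SalesManager": {"sales-admins", "jdoe"},  # granted to a group and directly to a user
    "SalesAdmin": {"SalesManager"},            # application role granted to another application role
}
PERMISSION_GRANTS = {
    "orders:view": {"SalesViewer"},
    "orders:approve": {"SalesManager"},
    "orders:delete": {"SalesAdmin"},
    "reports:export": {"sales-admins"},        # permission granted straight to an enterprise role
}

if __name__ == "__main__":
    for u in GROUPS:
        print(u,
              sorted(app_roles_for(u, GROUPS, APP_ROLE_GRANTS)),
              sorted(permissions_for(u, GROUPS, APP_ROLE_GRANTS, PERMISSION_GRANTS)))
```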
35
Debug application authentication: ADF Security
• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM
36
Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37
Debug application authentication: Business Process Management
• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
39
Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
18
Debug WebLogic authentication: Authentication provider configuration
• Select the authentication provider type as specifically as possible (for example the OUD or Active Directory provider rather than the generic LDAP provider, so that the object class, filter and GUID defaults match your directory)
• JAAS control flags
• LDAP connection details
• LDAP search behavior
  – Users
  – Static groups
  – Dynamic groups
• Cache settings
19
Debug WebLogic authentication: using the WebLogic Console
• JAAS control flags
  – SUFFICIENT: if authentication succeeds, no further authentication providers are evaluated and control returns to the caller. If it fails, evaluation continues with the next provider
  – REQUIRED: the provider is always called and must succeed. Evaluation continues with the next provider either way, but the login as a whole fails if this provider failed
  – OPTIONAL: success of this provider is not required. If all providers are OPTIONAL, at least one must succeed
  – REQUISITE: the provider must succeed. If it succeeds, the providers of lower priority are evaluated next; if it fails, evaluation stops immediately and the login fails
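The four control flags above interact in ways that are easy to get wrong, so here is an added example (my code, not from the deck and not WebLogic's own implementation) that models how a JAAS login stack combines them: providers are listed in realm order, each with a flag and the users it knows. Provider names, user names and passwords are made up. The case a WebLogic administrator meets most often is the first one in the test: the DefaultAuthenticator is REQUIRED by default, so adding an external LDAP provider that is also REQUIRED makes every user that exists in only one of the two stores fail, and setting both to SUFFICIENT is the usual fix.

```python
# Added example: a model of JAAS control-flag evaluation across a provider stack.
# Provider names, users and passwords below are constructed for the example.
from enum import Enum


class Flag(Enum):
    REQUIRED = 'REQUIRED'
    REQUISITE = 'REQUISITE'
    SUFFICIENT = 'SUFFICIENT'
    OPTIONAL = 'OPTIONAL'


def login(stack, user, password):
    """stack: list of (provider_name, Flag, known_users) in realm priority order,
    where known_users maps user -> password for that provider.
    Returns (authenticated, names_of_providers_consulted)."""
    consulted = []
    required_failed = False      # a REQUIRED or REQUISITE provider rejected the user
    any_success = False
    for name, flag, users in stack:
        consulted.append(name)
        ok = users.get(user) == password
        any_success = any_success or ok
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            if not ok:
                required_failed = True
                if flag is Flag.REQUISITE:
                    break        # REQUISITE failed: stop, control returns to caller
        elif flag is Flag.SUFFICIENT and ok and not required_failed:
            break                # SUFFICIENT passed: no further providers are asked
        # OPTIONAL, or a failed SUFFICIENT: fall through to the next provider
    # JAAS rule: success needs every REQUIRED/REQUISITE to pass and at least one pass
    return (any_success and not required_failed), consulted


# Constructed stores: the embedded LDAP knows only 'weblogic', the external
# directory knows only 'jdoe' (the typical split after adding an LDAP provider).
EMBEDDED = {'weblogic': 'pw-embedded'}
EXTERNAL = {'jdoe': 'pw-external'}


def both_required():
    return [('DefaultAuthenticator', Flag.REQUIRED, EMBEDDED),
            ('ExternalLDAP', Flag.REQUIRED, EXTERNAL)]


def both_sufficient():
    return [('DefaultAuthenticator', Flag.SUFFICIENT, EMBEDDED),
            ('ExternalLDAP', Flag.SUFFICIENT, EXTERNAL)]


if __name__ == '__main__':
    for label, stack in (('REQUIRED+REQUIRED', both_required()),
                         ('SUFFICIENT+SUFFICIENT', both_sufficient())):
        print(label, login(stack, 'jdoe', 'pw-external'))
```

The consulted-provider list is as useful as the boolean when debugging: a SUFFICIENT DefaultAuthenticator that accepts the user means the external directory is never contacted, which explains why an LDAP trace shows no bind for that login.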
20
Debug WebLogic authentication: Cache settings
• How to uniquely identify an LDAP entry? The GUID attribute
• The GUID attribute is used as the cache key for the entries WebLogic has read, so it must be an attribute the directory actually returns and whose value is unique and stable
• Provider specific
  – OUD, OpenLDAP, ApacheDS: entryuuid
  – Active Directory: objectguid
  – OVD, OID: orclguid
• Misconfiguration can lead to "first login fails, second login succeeds" (cache issues)
21
Debug WebLogic authentication: using the WebLogic Console
• Connection to the external provider works (host, port, principal and credential)
• Server trust is established (for LDAPS, the directory's certificate chain is in the WebLogic trust store)
• User query works (User Base DN, User From Name Filter)
• Validating authentication details works (the user's own bind succeeds)
22
Debug WebLogic authentication: using the WebLogic Console (2)
• Dynamic Group Object Class works
• Group Base DN works
• User Dynamic Group DN Attribute works
• Dynamic Group Name Attribute works
23
Debug WebLogic authentication: using log files
• Enable debug logging for the security subsystem; the server log then shows the LDAP connections (binds) and LDAP queries (searches and their filters) the provider issues, which is the quickest way to see a wrong base DN or filter
24
Demo
• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the Console
• Debug authentication using the log files
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug application authentication
[Diagram: the layers between the application and the identity store, each with its own place to debug. Application (authentication API) – Virtualization / platform security (OPSS) – Authentication provider (WebLogic Console) – Identity Store. Artifacts named per layer: jps-config.xml, jps-config-jse.xml, system-jazn-data.xml; config.xml, web.xml, weblogic.xml; LDAP queries, SSL/TLS; role mappings, organizational units]
27
OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization (policy) providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml: users, groups and authorization policies
• cwallet.sso: credentials used by the application
• adapters.os_xml: LibOVD plugin configuration
28
Debug application authentication: LibOVD
• Present since 11.1.1.4; has seen several patches since then. A lightweight alternative to OVD supplied with WebLogic Server / Fusion Middleware
• FMW components which use OPSS can only use the first LDAP authentication provider in the realm; LibOVD (the virtualize=true property of the OPSS identity store) provides virtualization across several providers
• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
29
Debug application authentication: LibOVD configuration
• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml: provides login modules, authentication providers, credential stores
30
Debug application authentication: LibOVD configuration (2)
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group entry has both the groupOfUniqueNames and the groupOfURLs object class
• Only one structural object class chain is allowed per LDAP entry, and in the default schema both classes are structural, so the directory rejects an entry with both
• Fix: change the schema so that groupOfURLs has groupOfUniqueNames as its superior (superclass); the entry then carries both classes within a single structural chain
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
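As an added example (my code, not part of the deck), the following script runs two of the checks from the cache-settings slide and the dynamic-group slide above against ldapsearch-style LDIF output: does the user entry expose the GUID attribute the configured provider type uses as cache key, and does a dynamic group carry both object classes the LibOVD plugin needs, plus a memberURL to expand. The LDIF entries, DNs and attribute values are constructed for the example; in practice you would feed it the output of an ldapsearch bound with the provider's principal.

```python
# Added example: LDIF checks for the cache-key and dynamic-group slides.
# The LDIF below is constructed; DNs, names and values are made up.

# GUID attribute WebLogic uses as cache key, per provider type (from the slides)
GUID_ATTRIBUTE = {
    'OUD': 'entryuuid', 'OpenLDAP': 'entryuuid', 'ApacheDS': 'entryuuid',
    'ActiveDirectory': 'objectguid',
    'OVD': 'orclguid', 'OID': 'orclguid',
}

SAMPLE_LDIF = """\
# constructed ldapsearch output (OUD-style attributes)
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: John Doe
entryuuid: 8f1c2a1e-0000-4000-8000-000000000001

dn: cn=finance-dyn,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfURLs
cn: finance-dyn
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(department
 Number=finance)

dn: cn=finance-ok,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: finance-ok
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=finance)
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of {attribute(lowercase): [values]} dicts, one per
    entry. Handles comments, blank-line entry separators and folded lines
    (continuation lines start with a space). Base64 values ('::') are kept as-is,
    which is enough for objectClass, memberURL and GUID-presence checks."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if not raw.strip():                         # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(' ') and last:            # folded continuation line
            current[last][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(':')
        attr = attr.lower()
        current.setdefault(attr, []).append(value.lstrip(': ').strip())
        last = attr
    if current:
        entries.append(current)
    return entries


def guid_attribute_mismatch(entry, provider_type):
    """Return the GUID attribute the configured provider type expects when the entry
    does not expose it (the 'first login fails, second succeeds' symptom), else None."""
    expected = GUID_ATTRIBUTE[provider_type]
    return None if expected in entry else expected


def dynamic_group_problems(entry):
    """Prerequisites from the dynamic-group slide: both object classes on the group
    entry, and a memberURL for the LibOVD plugin to expand into members."""
    classes = {c.lower() for c in entry.get('objectclass', [])}
    problems = [f'missing objectClass {needed}'
                for needed in ('groupofuniquenames', 'groupofurls')
                if needed not in classes]
    if 'memberurl' not in entry:
        problems.append('no memberURL: nothing for the plugin to expand')
    return problems


if __name__ == '__main__':
    user, dyn, ok = parse_ldif(SAMPLE_LDIF)
    print('AD cache key missing:', guid_attribute_mismatch(user, 'ActiveDirectory'))
    print('finance-dyn:', dynamic_group_problems(dyn), 'finance-ok:', dynamic_group_problems(ok))
```

Run the real check with the same bind DN the authentication provider uses: operational attributes such as entryuuid are only returned when requested explicitly (add `+` or the attribute name to the ldapsearch attribute list) and only if that principal is allowed to read them, which is exactly the condition the cache key depends on.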
31
Debug application authentication: LibOVD debugging
• Log configuration in Enterprise Manager Fusion Middleware Control can be used when the application logs through ADFLogger
• It can also be used for specific WebLogic Server component debugging, such as the oracle.ods.virtualization logger for LibOVD (at TRACE:32 it shows the queries LibOVD sends to each adapter and the results it merges)
32
Debug application authentication: ADF Security
• Application configuration files
  – web.xml: defines the security constraint (auth-constraint on the valid-users role) and sets up the OPSS servlet filter (JpsFilter)
  – weblogic.xml: maps the valid-users role to the WebLogic/OPSS principal "users" (security-role-assignment)
33
Demo
• Use basic authentication in an ADF application
34
Debug application authentication: ADF Security (2)
• Application configuration files
  – jazn-data.xml: contains the development (test) users and roles. Application roles are granted to enterprise roles and users (enterprise roles and users are read through the OPSS identity store API, which is backed by the authentication provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); with EL: #{securityContext.userInRole['role']}
[Diagram: users → enterprise roles (mapped in weblogic.xml) → application roles → permissions; the arrows are grants, defined in jazn-data.xml]
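To see the chain the diagram describes in code, here is an added example (my code, not from the deck and not Oracle's OPSS implementation) that walks one user's groups through the three files named on the ADF Security slides: which Java EE roles the user holds via web.xml and weblogic.xml, which declared roles are never mapped to a principal (a classic cause of a 403), which application roles resolve transitively from jazn-data.xml, and which permissions those roles were granted. Application, role, group and page names in the embedded XML are made up, and the fragments contain only the elements the checks read.

```python
# Added example: trace a user's access through web.xml, weblogic.xml and
# jazn-data.xml. All XML below is constructed for the example.
import xml.etree.ElementTree as ET

WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection><web-resource-name>pages</web-resource-name>
      <url-pattern>/faces/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>valid-users</role-name></security-role>
  <security-role><role-name>auditors</role-name></security-role>
</web-app>"""

WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name><principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

JAZN_DATA_XML = """<jazn-data><policy-store><applications><application>
  <name>DemoApp</name>
  <app-roles>
    <app-role><name>editor</name><members><member>
      <class>weblogic.security.principal.WLSGroupImpl</class><name>finance</name>
    </member></members></app-role>
    <app-role><name>reader</name><members><member>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class><name>editor</name>
    </member></members></app-role>
  </app-roles>
  <jazn-policy><grant>
    <grantee><principals><principal>
      <class>oracle.security.jps.service.policystore.ApplicationRole</class><name>reader</name>
    </principal></principals></grantee>
    <permissions><permission>
      <class>oracle.adf.share.security.authorization.RegionPermission</class>
      <name>view.pageDefs.mainPageDef</name><actions>view</actions>
    </permission></permissions>
  </grant></jazn-policy>
</application></applications></policy-store></jazn-data>"""


def _local(tag):
    return tag.rsplit('}', 1)[-1]          # strip the XML namespace prefix


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _child_text(el, name):
    for c in el:
        if _local(c.tag) == name:
            return (c.text or '').strip()
    return None


def container_roles_for(user_groups, web_xml, weblogic_xml):
    """Java EE roles the user holds, and roles web.xml declares that weblogic.xml
    never maps to a principal (those can never be satisfied)."""
    declared = {_child_text(r, 'role-name') for r in _find_all(ET.fromstring(web_xml), 'security-role')}
    mapping = {}
    for a in _find_all(ET.fromstring(weblogic_xml), 'security-role-assignment'):
        mapping.setdefault(_child_text(a, 'role-name'), set()).add(_child_text(a, 'principal-name'))
    held = {r for r, principals in mapping.items() if r in declared and principals & user_groups}
    return held, declared - set(mapping)


def app_roles_for(user_groups, jazn_xml):
    """Resolve application roles transitively: a group member grants the role directly;
    an ApplicationRole member means holders of that role also hold this one."""
    members = {_child_text(ar, 'name'): [(_child_text(m, 'class'), _child_text(m, 'name'))
                                         for m in _find_all(ar, 'member')]
               for ar in _find_all(ET.fromstring(jazn_xml), 'app-role')}
    held, changed = set(), True
    while changed:                           # iterate until no new role is derived
        changed = False
        for role, ms in members.items():
            if role in held:
                continue
            for cls, name in ms:
                is_role = cls.endswith('ApplicationRole')
                if (is_role and name in held) or (not is_role and name in user_groups):
                    held.add(role)
                    changed = True
                    break
    return held


def permissions_for(app_roles, jazn_xml):
    """(permission name, actions) pairs granted to any of the given application roles."""
    out = set()
    for g in _find_all(ET.fromstring(jazn_xml), 'grant'):
        if {_child_text(p, 'name') for p in _find_all(g, 'principal')} & app_roles:
            out |= {(_child_text(p, 'name'), _child_text(p, 'actions')) for p in _find_all(g, 'permission')}
    return out


if __name__ == '__main__':
    groups = {'users', 'finance'}            # groups the authentication provider returned
    print(container_roles_for(groups, WEB_XML, WEBLOGIC_XML))
    roles = app_roles_for(groups, JAZN_DATA_XML)
    print(roles, permissions_for(roles, JAZN_DATA_XML))
```

The input to this trace is the group list the authentication provider actually returns for the user, which is where the WebLogic-side debugging of the earlier slides ends and the application-side debugging begins; if the groups are right but the application still denies access, the problem is in one of these three files rather than in the identity store.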
35
Debug application authentication: ADF Security (3)
• <DOMAIN_DIR>/config/fmwconfig/system-jazn-data.xml
  – Out-of-the-box file based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change it while WebLogic is down, or from EM (a running server holds the policy store in memory and may write it back over manual edits)
36
Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException details, among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37
Debug application authentication: Business Process Management
• Authenticate with a user
• The user is a member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
WSDL: http://HOST:PORT/integration/services/IdentityService/identity?WSDL
Java API: <ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
39
Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in the WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• The WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configuration
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
19
Debug WebLogic authenticationusing Weblogic Console
bull JAAS Control flags
ndash SUFFICIENT if authentication is passed no other authentication providers are evaluated If it fails they are
ndash REQUIRED the authentication provider is always called and authentication must succeed
ndash OPTIONAL passing authentication of this provider is optional If all providers are optional one needs to pass
ndash REQUISITE authentication has to succeed on this provider After that providers of lower priority are evaluated
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
20
Debug Weblogic authenticationCache settings
bull How to uniquely identify an LDAP entry The GUID Attribute
bull The GUID Attribute is used as cache key
bull Provider specificndash OUD OpenLDAP ApacheDS entryuuidndash Active Directory objectguidndash OVD OID orclguid
bull Misconfiguration can lead to first login fail second login success (cache issues)
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
21
Debug Weblogic authenticationusing Weblogic Console
bull Connection to external provider works
bull Server trust is established
bull User query works
bull Validating authentication details works
22
Debug Weblogic authenticationusing Weblogic Console
bull Dynamic group object class works
bull Group Base DN works
bull User Dynamic Group DN Attribute works
bull Dynamic Group Name Attribute works
23
Debug Weblogic authenticationusing log files
LDAP connectionsLDAP queries
24
Demo
bull Embedded LDAP
bull How to create a user in an LDAP server
bull How to configure WebLogic server to use the server
bull Debug authentication using the console
bull Debug the authentication using the log files
Agenda
bull Oracle Identity Stores
bull Introduction Oracle Platform Security Services (OPSS)
bull What to debug
bull How to debug WebLogic authentication
bull How to debug application authentication
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authentication: the Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
39
Conclusion
• Many debugging options are available
– Looking at WebLogic Console or application behavior
– Using an external client for your authentication provider
– Debug logging in the WebLogic Server console
– Log configuration in Enterprise Manager Fusion Middleware Control
– Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, so you can structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
22
Debug WebLogic authentication using the WebLogic Console
• Dynamic group object class: works
• Group Base DN: works
• User Dynamic Group DN Attribute: works
• Dynamic Group Name Attribute: works
23
Debug WebLogic authentication using log files
LDAP connections, LDAP queries
24
Demo
• Embedded LDAP
• How to create a user in an LDAP server
• How to configure WebLogic Server to use the server
• Debug authentication using the console
• Debug the authentication using the log files
Agenda
• Oracle Identity Stores
• Introduction Oracle Platform Security Services (OPSS)
• What to debug
• How to debug WebLogic authentication
• How to debug application authentication
Debug application authentication
Diagram of the layers between the Identity Store and the application: Identity Store; WebLogic Console; Application / Authentication API; Authentication provider; Virtualization / Platform security. Files: jps-config.xml, jps-config-jse.xml, system-jazn-data.xml, config.xml, web.xml, weblogic.xml. Concerns: LDAP queries, SSL/TLS, role mappings, organizational units
27
OPSS configuration files in $DOMAIN_HOME/config/fmwconfig
• Java Platform Security: jps-config.xml (Java EE), jps-config-jse.xml (Java SE): login modules, authentication providers, authorization policy providers, credential stores and auditing services
• jazn-data.xml, system-jazn-data.xml – users, groups and authorization policies
• cwallet.sso – credentials used by the application
• adapters.os_xml – LibOVD plugin configuration
28
Debug application authentication: LibOVD
• Present since 11.1.1.4; several patches have been released since then. Lightweight OVD alternative supplied with WebLogic Server
• FMW components which use OPSS can only use the first LDAP authentication provider; LibOVD provides virtualization
• Configuration: edit <DOMAIN_DIR>/config/fmwconfig/jps-config.xml manually or from Enterprise Manager. Plugin configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml
http://fusionsecurity.blogspot.nl/2012/06/libovd-when-and-how.html
29
Debug application authentication: LibOVD configuration
• <DOMAIN_DIR>/config/fmwconfig/jps-config.xml provides login modules, authentication providers, credential stores
30
Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAIN_DIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs object classes
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
Debug application authentication
Identity Store
WebLogic Console
ApplicationAuthentication API
Authentication provider
VirtualizationPlatform security
jps-configxmljps-config-jsexmlsystem-jazn-dataxml
configxml webxmlweblogicxml
LDAP queriesSSLTLS
Role mappingsOrganizational Units
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authentication: LibOVD configuration
• The OPSS API only queries static groups by default, not dynamic groups
• Use the LibOVD dynamic group plugin to present dynamic groups like static groups (configuration in <DOMAINDIR>/config/fmwconfig/ovd/default/adapters.os_xml)
• Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURLs objectclasses
• Only one structural class is allowed per LDAP object
• Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
http://www.ateam-oracle.com/oracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
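To make the dynamic-group slide concrete, here is an added model (not LibOVD's code and not from the deck) of what the plugin has to do: check that the group entry carries both objectclasses the slide requires, then evaluate each memberURL against the directory so the group can be presented with static members. The directory entries, the group and the filter evaluator are all constructed; it only supports the equality, presence, and/or/not filter subset that memberURLs normally use.

```python
"""Toy model of dynamic-group expansion as the LibOVD dynamic group plugin
presents it to OPSS. Constructed entries; not LibOVD or OPSS code."""
from urllib.parse import unquote

# Constructed directory: attribute names are stored lower-cased, values are
# compared case-insensitively, mimicking typical LDAP matching rules.
USERS = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "department": ["sales"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "department": ["Sales"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "department": ["finance"]},
    "uid=svc,ou=services,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "department": ["sales"]},
}

# Constructed dynamic group, shaped as the slide requires: both objectclasses present.
SALES_GROUP = {
    "dn": "cn=sales,ou=groups,dc=example,dc=com",
    "objectclass": ["top", "groupOfUniqueNames", "groupOfURLs"],
    "memberurl": ["ldap:///ou=people,dc=example,dc=com??sub?(&(objectClass=inetOrgPerson)(department=sales))"],
}

# Same group with only groupOfURLs, the situation the slide says the plugin rejects.
BROKEN_GROUP = dict(SALES_GROUP, objectclass=["top", "groupOfURLs"])


def parse_filter(text):
    """Parse the RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i} in {text!r}")
        i += 1
        if text[i] in "&|!":
            op, i, kids = text[i], i + 1, []
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError("unbalanced filter")
            return (op, kids), i + 1
        eq = text.index("=", i)
        end = text.index(")", eq)
        return ("=", text[i:eq], text[eq + 1:end]), end + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def matches(entry, node):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        return bool(values) if value == "*" else value.lower() in values
    if op == "&":
        return all(matches(entry, k) for k in node[1])
    if op == "|":
        return any(matches(entry, k) for k in node[1])
    return not matches(entry, node[1][0])  # "!"


def in_scope(dn, base, scope):
    """RFC 4516 scopes: base, one (direct children), sub (base and all descendants)."""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]
    return dn == base or dn.endswith("," + base)


def parse_member_url(url):
    """Split 'ldap:///base?attrs?scope?filter' (RFC 4516, host-less form) into parts."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("memberURL must be a host-less ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = (unquote(p) for p in parts[:4])
    return base, (scope or "base").lower(), filt or "(objectClass=*)"


def check_objectclasses(group):
    """Objectclasses the slide says the plugin needs but the entry lacks (lower-cased)."""
    present = {oc.lower() for oc in group["objectclass"]}
    return sorted({"groupofuniquenames", "groupofurls"} - present)


def expand_dynamic_group(group, directory):
    """Return the DNs a static-group view of this dynamic group would list as uniqueMember."""
    missing = check_objectclasses(group)
    if missing:
        raise ValueError(f"{group['dn']} lacks objectclass(es) {missing}; plugin would not expand it")
    members = set()
    for url in group["memberurl"]:
        base, scope, filt = parse_member_url(url)
        node = parse_filter(filt)
        members.update(dn for dn, entry in directory.items()
                       if in_scope(dn, base, scope) and matches(entry, node))
    return sorted(members)
```

Running `expand_dynamic_group(SALES_GROUP, USERS)` lists alice and bob only: carol fails the department filter and the service account sits outside the `ou=people` search base, which is exactly the kind of scope mistake that makes a dynamic group look "empty" from OPSS. The `BROKEN_GROUP` variant raises before any URL is evaluated, mirroring the objectclass requirement on the slide.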
Debug application authentication: LibOVD debugging
• Can be used when ADFLogger is used in the application
• Can be used for specific WebLogic Server component debugging, such as oracle.ods.virtualization for LibOVD
32
Debug application authentication: ADF Security
• Application configuration files
  – web.xml: defines authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to the OPSS principal "users"
33
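When application-side authentication fails, the first thing to verify is that the two descriptors the slide names actually fit together. The following added check (constructed sample descriptors, not the deck's or any project's code) parses a web.xml and a weblogic.xml, confirms the JpsFilter is registered, lists every security constraint with its roles, and flags roles that are used by a constraint but never declared or never assigned a principal in weblogic.xml.

```python
"""Added consistency check for an ADF application's web.xml / weblogic.xml pairing.
Both descriptors are constructed samples."""
import xml.etree.ElementTree as ET

JPS_FILTER = "oracle.security.jps.ee.http.JpsFilter"

# Constructed web.xml: JpsFilter, a valid-users constraint on /adfAuthentication,
# plus a second constraint whose role is neither declared nor assigned.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>JpsFilter</filter-name>
    <filter-class>oracle.security.jps.ee.http.JpsFilter</filter-class>
  </filter>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adfAuthentication</web-resource-name>
      <url-pattern>/adfAuthentication</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>valid-users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/faces/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>app-admins</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>valid-users</role-name></security-role>
</web-app>"""

# Constructed weblogic.xml: only valid-users is mapped, to the OPSS principal "users".
WEBLOGIC_XML = """<weblogic-web-app xmlns="http://xmlns.oracle.com/weblogic/weblogic-web-app">
  <security-role-assignment>
    <role-name>valid-users</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""


def _local(tag):
    """Strip the XML namespace so elements can be matched by local name."""
    return tag.rsplit("}", 1)[-1]


def _descendants(elem, name):
    return [e for e in elem.iter() if _local(e.tag) == name]


def _texts(elem, name):
    return [e.text.strip() for e in _descendants(elem, name) if e.text]


def check_descriptors(web_xml, weblogic_xml):
    """Return a report dict; 'problems' lists what to look at first."""
    web = ET.fromstring(web_xml)
    wl = ET.fromstring(weblogic_xml)
    report = {"problems": []}

    report["jps_filter"] = JPS_FILTER in set(_texts(web, "filter-class"))
    if not report["jps_filter"]:
        report["problems"].append("JpsFilter missing: OPSS policy context is not set up for requests")

    methods = _texts(web, "auth-method")
    report["auth_method"] = methods[0] if methods else None

    declared = {n for sr in _descendants(web, "security-role") for n in _texts(sr, "role-name")}
    assignments = {}
    for sra in _descendants(wl, "security-role-assignment"):
        names = _texts(sra, "role-name")
        if names:
            assignments[names[0]] = _texts(sra, "principal-name")
    report["assignments"] = assignments

    constraints = []
    for sc in _descendants(web, "security-constraint"):
        patterns, roles = _texts(sc, "url-pattern"), _texts(sc, "role-name")
        constraints.append((tuple(patterns), tuple(roles)))
        for role in roles:
            if role not in declared:
                report["problems"].append(f"role {role!r} used for {patterns} is not declared in <security-role>")
            if role not in assignments:
                # Without an assignment WebLogic falls back to a principal with the
                # same name as the role; if none exists, nobody can reach these patterns.
                report["problems"].append(f"role {role!r} has no security-role-assignment in weblogic.xml")
    report["constraints"] = constraints
    return report


if __name__ == "__main__":
    for line in check_descriptors(WEB_XML, WEBLOGIC_XML)["problems"]:
        print(line)
```

On the constructed pair the report shows a BASIC login config, a correct `valid-users` to `users` mapping, and two problems, both about the `app-admins` role on `/faces/admin/*`: it is not declared and it is not assigned, so an administrator who authenticates fine still gets a 403 there. Run the same check against a real deployment's descriptors before digging into OPSS or the provider.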
Demo
• Use basic authentication in an ADF application
34
Debug application authentication: ADF Security
• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles and users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: #{securityContext.userInRole['role']}
[Slide diagram: Users -> Enterprise roles -> Application roles -> Permissions; grants; weblogic.xml, jazn-data.xml]
35
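The chain on this slide (users and enterprise roles become members of application roles, and permissions are granted to those roles) can be walked offline from a jazn-data.xml, which is a quick way to answer "why does isUserInRole return false" without redeploying. The resolver below is an added illustration, not the OPSS API; the policy store is a constructed file with one nested application role, and the principal class names are the ones OPSS writes for WebLogic users, groups and application roles.

```python
"""Added example: resolve user -> enterprise roles -> application roles -> permissions
from a jazn-data.xml policy store. Constructed policy; not the OPSS implementation."""
import xml.etree.ElementTree as ET

APP_ROLE = "oracle.security.jps.service.policystore.ApplicationRole"
WLS_USER = "weblogic.security.principal.WLSUserImpl"
WLS_GROUP = "weblogic.security.principal.WLSGroupImpl"

# Constructed jazn-data.xml: Staff -> employee; HRAdministrators and carol -> hr-admin;
# hr-admin is itself a member of auditor (nested application role).
JAZN_DATA = """<jazn-data>
  <policy-store><applications><application>
    <name>HRApp</name>
    <app-roles>
      <app-role><name>employee</name><class>%(role)s</class><members>
        <member><class>%(group)s</class><name>Staff</name></member>
      </members></app-role>
      <app-role><name>hr-admin</name><class>%(role)s</class><members>
        <member><class>%(group)s</class><name>HRAdministrators</name></member>
        <member><class>%(user)s</class><name>carol</name></member>
      </members></app-role>
      <app-role><name>auditor</name><class>%(role)s</class><members>
        <member><class>%(role)s</class><name>hr-admin</name></member>
      </members></app-role>
    </app-roles>
    <jazn-policy>
      <grant>
        <grantee><principals><principal><class>%(role)s</class><name>employee</name></principal></principals></grantee>
        <permissions><permission>
          <class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.homePageDef</name><actions>view</actions>
        </permission></permissions>
      </grant>
      <grant>
        <grantee><principals><principal><class>%(role)s</class><name>auditor</name></principal></principals></grantee>
        <permissions><permission>
          <class>oracle.adf.share.security.authorization.RegionPermission</class>
          <name>view.pageDefs.auditPageDef</name><actions>view</actions>
        </permission></permissions>
      </grant>
    </jazn-policy>
  </application></applications></policy-store>
</jazn-data>""" % {"role": APP_ROLE, "group": WLS_GROUP, "user": WLS_USER}


def load_policy(xml_text, app_name):
    """Return (app_roles, grants): role name -> member principals, and a list of
    (grantee principals, permissions) pairs. Principals are (class, name) tuples."""
    root = ET.fromstring(xml_text)
    app = next(a for a in root.iter("application") if a.findtext("name") == app_name)
    roles = {r.findtext("name"): {(m.findtext("class"), m.findtext("name")) for m in r.iter("member")}
             for r in app.iter("app-role")}
    grants = [({(p.findtext("class"), p.findtext("name")) for p in g.iter("principal")},
               {(p.findtext("name"), p.findtext("actions") or "") for p in g.iter("permission")})
              for g in app.iter("grant")]
    return roles, grants


def resolve_app_roles(roles, user, groups):
    """Application roles the subject holds, following nested membership to a fixpoint."""
    held = {(WLS_USER, user)} | {(WLS_GROUP, g) for g in groups}
    app_roles = set()
    while True:
        new = {r for r, members in roles.items() if r not in app_roles and members & held}
        if not new:
            return app_roles
        app_roles |= new
        held |= {(APP_ROLE, r) for r in new}


def resolve_permissions(roles, grants, user, groups):
    """Permissions reachable through the chain. A grant naming several grantee
    principals applies only when the subject holds all of them (JAAS semantics)."""
    app_roles = resolve_app_roles(roles, user, groups)
    held = ({(WLS_USER, user)} | {(WLS_GROUP, g) for g in groups}
            | {(APP_ROLE, r) for r in app_roles})
    perms = set()
    for grantee, granted in grants:
        if grantee and grantee <= held:
            perms |= granted
    return app_roles, perms


def user_in_role(roles, user, groups, role):
    """Offline counterpart of isUserInRole(role) / #{securityContext.userInRole['role']}."""
    return role in resolve_app_roles(roles, user, groups)


if __name__ == "__main__":
    ROLES, GRANTS = load_policy(JAZN_DATA, "HRApp")
    for who, grp in (("bob", ["Staff"]), ("carol", ["Staff"]), ("dave", [])):
        print(who, *resolve_permissions(ROLES, GRANTS, who, grp))
```

Feed it the groups the authentication provider actually returns for the user (the getGroups question from the Identity Service slide) and compare with what the application sees; a mismatch between this offline answer and the live `isUserInRole` result points at the provider or LibOVD layer rather than at the policy store.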
Debug application authentication: ADF Security
• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM
36
Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37
Debug application authentication: Business Process Management
• Authenticate with a user
• The user is a member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
39
Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in WebLogic Server Console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests, such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, to structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
27
OPSS configuration filesin $DOMAIN_HOMEconfigfmwconfig
bull Java Platform Security jps-configxml (Java EE) jps-configjsexml (Java SE) login modules authentication providers authorization policy providers credential stores and auditing services
bull jazn-dataxml system-jazn-dataxmlndash users groups and authorization policies
bull cwalletssondash credentials used by the application
bull adaptersos_xmlndash LibOVD plugin configuration
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
28
Debug application authenticationLibOVD
bull Present since 11114 Seen several patches since then Lightweight OVD alternative supplied with WebLogic Server
bull FMW components which use OPSS can only use the first LDAP authentication providerLibOVD provides virtualization
bull ConfigurationEdit ltDOMAINDIRgtconfigfmwconfigjps-configxml manually or from Enterprise ManagerPlugin configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml
httpfusionsecurityblogspotnl201206libovd-when-and-howhtml
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
29
Debug application authenticationLibOVD configuration
bull ltDOMAINDIRgtconfigfmwconfigjps-configxmlProvides login modules authentication providers credential stores
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
30
Debug application authenticationLibOVD configuration
bull The OPSS API only queries static groups by default Not dynamic groups
bull Use the LibOVD dynamic group plugin to present dynamic groups like static groups(configuration in ltDOMAINDIRgtconfigfmwconfigovddefaultadaptersos_xml)
bull Requires that the dynamic group has both the GroupOfUniqueNames and GroupOfURL objectclasses
bull Only one structural class is allowed per LDAP object
bull Fix by setting the superclass of GroupOfURLs to GroupOfUniqueNames
httpwwwateam-oraclecomoracle-webcenter-and-dynamic-groups-from-an-external-ldap-server-part-1-of-2
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
31
Debug application authenticationLibOVD debugging
bull Can be used when ADFLogger is used in application
bull Can be used for specific Weblogic Server component debugging such as oracleodsvirtualization for LibOVD
32
Debug application authenticationADF Security
bull Application configuration filesndash webxml
Defines authorization constraints (valid-users) and set-up OPSS policy provider (JpsFilter)
ndash weblogicxmlMaps valid-users to OPSS principal users
33
Demo
bull Use basic authentication in an ADF application
34
Debug application authenticationADF Security
bull Application configuration filesndash jazn-dataxml
Contains development users rolesApplication roles are granted to enterprise roles users (from the OPSS API which uses the authorization provider) Resource permissions are granted to application roles or enterprise roles
ndash Test with Java ADFContextgetCurrent()getSecurityContext()isUserInRole(ldquorolerdquo)EL securityContextuserInRole[lsquorole]
Users
Enterprise roles
Application
roles
Perm
issions
Grants
weblogicxml jazn-dataxml
35
Debug application authenticationADF Security
bull ltDOMAINDIRgtconfigfmwconfigsystem-jazn-dataxmlndash OOTB file based policy storendash Users groups authorization policiesndash CredentialAccessPermissionndash Change while WebLogic is down or
from EM
36
Debug application authenticationJVM parameters
bull JVM parameters ndash -Djpsauthdebug=true to get AccessControlException among other useful messagesndash -Djpsauthdebugverbose=true to get a lot of debug messages
httpdocsoraclecomcdE23943_01core1111e10043jpspropshtmJISEC2229
37
Debug application authenticationBusiness Process Management
bull Authenticate with a user
bull User is member of (authentication provider) groups
bull Groups are granted (application) roles and organization units
bull Business Process Management uses application roles and organization units
38
Debug application authenticationThe Identity Service
bull Can I authenticate the userndash authenticateUser
bull Can I determine groupsndash getGroups
httpHOSTPORTintegrationservicesIdentityServiceidentityWSDLltORACLE_HOMEgtsoasoamodulesoraclesoaworkflow_1111bpm-servicesjar
bull Can I determine granted rolesndash getGrantedRolesToUser
bull Can I determine organizational unitsndash use the Java API
39
Conclusion
bull Many debugging options availablendash Looking at WebLogic Console or application behaviorndash Using an external client for your authentication providerndash Debug logging in WebLogic Server consolendash Log configuration in Enterprise Manager Fusion Middleware Controlndash Isolated tests such as IdentityService calls or Java APIrsquos
bull It is important to know what is between your application and your authentication provider to structure your debugging efforts and trace at which layer things go wrong
bull WebLogic Console is relatively easy to debug compared to for example LibOVD Application side debugging is often also not very difficult
- Debugging WebLogic authentication
- Slide 2
- Introduction
- Oracle Virtual Technology Summit
- Agenda
- Why use an external Identity Store
- Introduction OPSS Oracle Identity Store solutions
- Agenda (2)
- Introduction OPSS
- Agenda (3)
- What to debug
- Agenda (4)
- Debug Weblogic authentication using an external client
- Debug WebLogic authentication Embedded LDAP
- Debug WebLogic authentication Embedded LDAP (2)
- Debug WebLogic authentication Embedded LDAP (3)
- Debug WebLogic authentication Embedded LDAP (4)
- Debug WebLogic authentication Authentication provider configura
- Debug WebLogic authentication using Weblogic Console
- Debug Weblogic authentication Cache settings
- Debug Weblogic authentication using Weblogic Console
- Debug Weblogic authentication using Weblogic Console (2)
- Debug Weblogic authentication using log files
- Demo
- Agenda (5)
- Debug application authentication
- OPSS configuration files in $DOMAIN_HOMEconfigfmwconfig
- Debug application authentication LibOVD
- Debug application authentication LibOVD configuration
- Debug application authentication LibOVD configuration (2)
- Debug application authentication LibOVD debugging
- Debug application authentication ADF Security
- Demo (2)
- Debug application authentication ADF Security (2)
- Debug application authentication ADF Security (3)
- Debug application authentication JVM parameters
- Debug application authentication Business Process Management
- Debug application authentication The Identity Service
- Conclusion
- Slide 40
-
32
Debug application authentication: ADF Security
• Application configuration files
  – web.xml: defines the authorization constraints (valid-users) and sets up the OPSS policy provider (JpsFilter)
  – weblogic.xml: maps valid-users to the OPSS principal users
33
Demo
• Use basic authentication in an ADF application
34
Debug application authentication: ADF Security
• Application configuration files
  – jazn-data.xml: contains development users and roles. Application roles are granted to enterprise roles/users (from the OPSS API, which uses the authorization provider). Resource permissions are granted to application roles or enterprise roles
  – Test with Java: ADFContext.getCurrent().getSecurityContext().isUserInRole("role"); EL: securityContext.userInRole['role']
Diagram: Users, Enterprise roles, Application roles, Permissions; Grants (weblogic.xml, jazn-data.xml)
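An added debugging aid (not from the presentation) that walks the grant chain of this slide for one user in a jazn-data.xml: the enterprise roles the user belongs to, the application roles reached through group membership and app-role nesting, and the permissions granted to those roles. It assumes the element layout JDeveloper generates (jazn-realm, policy-store, jazn-policy); the sample file, its users and its application are constructed.

```python
# Walk user -> enterprise role -> application role -> permission in a jazn-data.xml.
# Assumed layout: the one JDeveloper generates (jazn-realm / policy-store / jazn-policy).
import xml.etree.ElementTree as ET
from xml.etree.ElementTree import Element

AR = "oracle.security.jps.service.policystore.ApplicationRole"   # app-role principal class
GRP = "weblogic.security.principal.WLSGroupImpl"                  # enterprise role / group
USR = "weblogic.security.principal.WLSUserImpl"                   # enterprise user

# Constructed sample: alice is an Administrator, bob a Clerk; app role "viewer" is
# granted to Clerks and is also a member of "admin", so admins inherit it.
SAMPLE_JAZN_DATA = f"""<jazn-data xmlns="http://xmlns.oracle.com/ias/jazn">
 <jazn-realm default="jazn.com"><realm><name>jazn.com</name>
  <users><user><name>alice</name></user><user><name>bob</name></user></users>
  <roles>
   <role><name>Administrators</name><members><member><type>user</type><name>alice</name></member></members></role>
   <role><name>Clerks</name><members><member><type>user</type><name>bob</name></member></members></role>
  </roles></realm></jazn-realm>
 <policy-store><applications><application><name>DemoApp</name>
  <app-roles>
   <app-role><name>admin</name><class>{AR}</class>
    <members><member><class>{GRP}</class><name>Administrators</name></member></members></app-role>
   <app-role><name>viewer</name><class>{AR}</class>
    <members><member><class>{AR}</class><name>admin</name></member>
             <member><class>{GRP}</class><name>Clerks</name></member></members></app-role>
  </app-roles>
  <jazn-policy>
   <grant><grantee><principals><principal><class>{AR}</class><name>viewer</name></principal></principals></grantee>
    <permissions><permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>view.pageDefs.mainPageDef</name><actions>view</actions></permission></permissions></grant>
   <grant><grantee><principals><principal><class>{AR}</class><name>admin</name></principal></principals></grantee>
    <permissions><permission><class>oracle.adf.share.security.authorization.RegionPermission</class>
     <name>view.pageDefs.adminPageDef</name><actions>view</actions></permission></permissions></grant>
  </jazn-policy></application></applications></policy-store>
</jazn-data>"""


def _strip_ns(root: Element) -> Element:
    """Drop the default jazn namespace so elements can be addressed by local name."""
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def enterprise_roles(root: Element, user: str) -> set:
    """Realm roles (enterprise roles / groups) that list the user as a member."""
    return {r.findtext("name") for r in root.iter("role")
            if any(m.findtext("type") == "user" and m.findtext("name") == user
                   for m in r.iter("member"))}


def _holds(cls, name, user, groups, app_roles) -> bool:
    """Does the user hold the principal (cls, name) given what is already resolved?"""
    return ((cls == USR and name == user) or (cls == GRP and name in groups)
            or (cls == AR and name in app_roles))


def application_roles(root: Element, user: str, groups: set) -> set:
    """App roles reached via user/group membership, closed over app-role nesting."""
    members = {ar.findtext("name"): [(m.findtext("class"), m.findtext("name"))
                                     for m in ar.iter("member")] for ar in root.iter("app-role")}
    granted, changed = set(), True
    while changed:  # fixed point: a nested app role may be listed before its parent
        changed = False
        for role, mems in members.items():
            if role not in granted and any(_holds(c, n, user, groups, granted) for c, n in mems):
                granted.add(role)
                changed = True
    return granted


def permissions(root: Element, user: str, groups: set, app_roles: set) -> set:
    """(class, name, actions) of every permission granted to a principal the user holds."""
    perms = set()
    for grant in root.iter("grant"):
        if any(_holds(p.findtext("class"), p.findtext("name"), user, groups, app_roles)
               for p in grant.iter("principal")):
            perms |= {(p.findtext("class"), p.findtext("name"), p.findtext("actions"))
                      for p in grant.iter("permission")}
    return perms


def resolve(xml_text: str, user: str) -> dict:
    """Full chain for one user; all-empty sets mean the user is unknown to this policy store."""
    root = _strip_ns(ET.fromstring(xml_text))
    groups = enterprise_roles(root, user)
    roles = application_roles(root, user, groups)
    return {"enterprise_roles": groups, "application_roles": roles,
            "permissions": permissions(root, user, groups, roles)}


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):   # carol is deliberately absent from the file
        print(u, resolve(SAMPLE_JAZN_DATA, u))
```

Pointing resolve() at a real jazn-data.xml (or system-jazn-data.xml) shows at which link of the chain a "user has no access" complaint breaks: no enterprise role, no application role, or no permission on that role.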
35
Debug application authentication: ADF Security
• <DOMAINDIR>/config/fmwconfig/system-jazn-data.xml
  – OOTB file-based policy store
  – Users, groups, authorization policies
  – CredentialAccessPermission
  – Change while WebLogic is down, or from EM
36
Debug application authentication: JVM parameters
• JVM parameters
  – -Djps.auth.debug=true to get AccessControlException, among other useful messages
  – -Djps.auth.debug.verbose=true to get a lot of debug messages
http://docs.oracle.com/cd/E23943_01/core.1111/e10043/jpsprops.htm#JISEC2229
37
Debug application authentication: Business Process Management
• Authenticate with a user
• User is member of (authentication provider) groups
• Groups are granted (application) roles and organization units
• Business Process Management uses application roles and organization units
38
Debug application authentication: The Identity Service
• Can I authenticate the user? – authenticateUser
• Can I determine groups? – getGroups
http://HOST:PORT/integration/services/IdentityService/identity?WSDL
<ORACLE_HOME>/soa/soa/modules/oracle.soa.workflow_11.1.1/bpm-services.jar
• Can I determine granted roles? – getGrantedRolesToUser
• Can I determine organizational units? – use the Java API
39
Conclusion
• Many debugging options available
  – Looking at WebLogic Console or application behavior
  – Using an external client for your authentication provider
  – Debug logging in WebLogic Server console
  – Log configuration in Enterprise Manager Fusion Middleware Control
  – Isolated tests such as IdentityService calls or Java APIs
• It is important to know what is between your application and your authentication provider, so that you can structure your debugging efforts and trace at which layer things go wrong
• WebLogic Console is relatively easy to debug compared to, for example, LibOVD. Application-side debugging is often also not very difficult