It's all about Weblogic..!!!

September 9, 2011

Authentication..? Role Mapping..? Authorization..? Adjudication..?

Filed under: Security — streethawkz @ 7:25 pm

Authentication :

The subject (which up to this point contains only the anonymous user and the anonymous role) is modified according to the result of the authentication process, as follows :

If authentication is successful, then:

– The anonymous user is removed from the subject and replaced, as appropriate, by an authenticated user.

– Authenticated role is added.

– Other roles are added to the subject, as appropriate.

Notice that a successful authentication therefore yields a subject that has exactly :

– one principal corresponding to a non-anonymous user,

– one principal corresponding to the authenticated role,

– and possibly other principals corresponding to enterprise or application roles.

If authentication is not successful, then the anonymous user is retained.

—————————————————————————————————————————-

  • What is a principal ?

A principal is an identity carried in a subject : an authenticated user or a group the user belongs to.

  • What is a subject ?

A subject is a collection of principals.

Eg :

If a user is a member of 2 groups, then the subject contains 1 + 2 = 3 principals : one for the user and one for each group.

So the subject for the above example has 3 principals.

We can conclude that a subject = n + 1 principals, where n is the number of groups the user belongs to.

As soon as the user is authenticated we get a subject.

——————————————————————————————————————————

Role Mapper :

Consider an example in which the “ weblogic “ user logs in to the console. The audit log shows the resource IDs being accessed and the role set the Role Mapper returns for them :

Resource IDs:

  • <Resource: type=<jndi>, application=, path={weblogic}, action=lookup>
  • <Resource: type=<url>, application=consoleapp, contextPath=/console, uri=/console.portal, httpMethod=GET>

input << JAAS Subject + resource ID

output >> role set

  • <XACML RoleMapper getRoles(): returning roles Anonymous, Admin>


Authorization and Role Mapping :

– The authorizer takes the subject as input.

– Before authorization happens, role mapping has to be done so that the roles the user belongs to are known.

– The signed subject, along with information about which resource / page the user is requesting, is sent to the Role Mapper.

– The Role Mapper computes the user's roles and passes the following information to the Authorizer :

1. The roles of the user

2. The resource / page he is requesting

3. The signed subject.

– The authorizer uses this information to locate the policy for the resource and answers the “is access allowed?” question.

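The following is an added example, not WebLogic's own code: a small Python model of the authenticate, role-map, authorize sequence described above (and of the n + 1 principal rule from the Authentication section). The user store, the global role policies and the resource policies are constructed for the example; the resource ID strings are only a compact rendering of the IDs shown in the log lines above, not a WebLogic format.

```python
"""Toy model of the WebLogic authenticate -> role-map -> authorize pipeline.
Added example, not WebLogic code. The user store, role policies and resource
policies are constructed for the example."""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from enum import Enum

ANONYMOUS_USER = "<anonymous>"


@dataclass(frozen=True)
class Principal:
    kind: str   # "user" or "group" (WebLogic: WLSUser / WLSGroup principals)
    name: str


@dataclass
class Subject:
    """A subject is just the set of principals the security framework attached."""
    principals: set = field(default_factory=set)

    def user(self) -> str:
        return next(p.name for p in self.principals if p.kind == "user")

    def groups(self) -> set:
        return {p.name for p in self.principals if p.kind == "group"}


# Constructed user store: username -> (password, groups). A real store holds
# hashed passwords; plaintext here only to keep the example short.
USER_STORE = {
    "weblogic": ("welcome1", {"Administrators"}),
    "bob": ("bobpass", {"Deployers", "Monitors"}),
}


def authenticate(username: str, password: str) -> Subject:
    """Authentication provider. Starts from a subject holding only the anonymous
    user; on success that user is replaced by the real one and one principal per
    group is added (n + 1 principals). On failure the anonymous user stays."""
    subject = Subject({Principal("user", ANONYMOUS_USER)})
    entry = USER_STORE.get(username)
    if entry is None:
        return subject
    stored_password, groups = entry
    if not hmac.compare_digest(stored_password.encode(), password.encode()):
        return subject
    subject.principals.discard(Principal("user", ANONYMOUS_USER))
    subject.principals.add(Principal("user", username))
    subject.principals.update(Principal("group", g) for g in groups)
    return subject


# Global role policies (constructed subset of WebLogic's default global roles):
# a role is granted when its condition holds for the subject.
ROLE_POLICIES = {
    "Anonymous": lambda subject: True,                              # group "everyone"
    "Admin":     lambda subject: "Administrators" in subject.groups(),
    "Deployer":  lambda subject: "Deployers" in subject.groups(),
    "Monitor":   lambda subject: "Monitors" in subject.groups(),
}


def map_roles(subject: Subject, resource: str) -> set:
    """Role mapper: input is the subject plus the resource ID, output the role set.
    The resource is passed because scoped roles may depend on it; the policies
    above are all global, so it is not consulted here."""
    return {role for role, holds in ROLE_POLICIES.items() if holds(subject)}


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


# Constructed resource policies keyed by resource ID: the roles allowed in.
RESOURCE_POLICIES = {
    "<url>/console/console.portal:GET": {"Admin", "Deployer", "Monitor"},
    "<jndi>/weblogic:lookup": {"Admin"},
}


def is_access_allowed(subject: Subject, roles: set, resource: str) -> Decision:
    """Authorization provider: given subject, mapped roles and resource, answer
    'is access allowed?'. Abstains when it holds no policy for the resource."""
    allowed = RESOURCE_POLICIES.get(resource)
    if allowed is None:
        return Decision.ABSTAIN
    return Decision.PERMIT if roles & allowed else Decision.DENY


def check_access(username: str, password: str, resource: str) -> Decision:
    """The whole pipeline in the order the text describes it."""
    subject = authenticate(username, password)
    roles = map_roles(subject, resource)
    return is_access_allowed(subject, roles, resource)
```

Run `check_access("weblogic", "welcome1", "<url>/console/console.portal:GET")` to get PERMIT via the role set {Anonymous, Admin}, exactly the roles the log line above reports; a wrong password leaves the anonymous user in the subject, the role set collapses to {Anonymous}, and the console policy denies. Note that a resource with no policy yields ABSTAIN rather than DENY, which is what the adjudicator's rules below have to deal with.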

Authorization :

Check the subject against the deployment descriptor :

————————————————

WebLogic ships two authorization providers :

– DefaultAuthorizer (the default in domains created before 9.1)

– XACML Authorization provider ( the default for domains created with WLS 9.1 and above )

—————————————————————————————————————————————-

Adjudication :

The WebLogic Adjudication provider has an attribute called Require Unanimous Permit that governs its behavior. By default, the Require Unanimous Permit attribute is set to TRUE, which causes the WebLogic Adjudication provider to act as follows:

  • If all the Authorization providers’ Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If some Authorization providers’ Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
  • If any of the Authorization providers’ Access Decisions return ABSTAIN or DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).

If you change the Require Unanimous Permit attribute to FALSE, the WebLogic Adjudication provider acts as follows:

  • If all the Authorization providers’ Access Decisions return PERMIT, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If some Authorization providers’ Access Decisions return PERMIT and others return ABSTAIN, then return a final verdict of TRUE (that is, permit access to the WebLogic resource).
  • If any of the Authorization providers’ Access Decisions return DENY, then return a final verdict of FALSE (that is, deny access to the WebLogic resource).
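The six rules above, carried through as an added example (not WebLogic code) so that the two modes can be compared side by side. One input the rules do not cover, every provider abstaining while Require Unanimous Permit is FALSE, is treated here as a deny; that fail-closed choice is an assumption of this example, not something the text states.

```python
"""Model of the WebLogic Adjudication provider's Require Unanimous Permit rules.
Added example, not WebLogic code. The all-ABSTAIN verdict in the non-unanimous
mode is an assumption (fail closed); the text does not cover that input."""
from enum import Enum


class Decision(Enum):
    PERMIT = "PERMIT"
    DENY = "DENY"
    ABSTAIN = "ABSTAIN"


def adjudicate(decisions, require_unanimous_permit=True) -> bool:
    """Final verdict (True = permit access) from the Access Decisions returned
    by all configured Authorization providers."""
    decisions = list(decisions)
    if not decisions or Decision.DENY in decisions:
        # A single DENY wins in either mode. No providers at all is also a
        # deny (assumption: fail closed).
        return False
    if require_unanimous_permit:
        # Default (TRUE): every provider must PERMIT; any ABSTAIN denies.
        return all(d is Decision.PERMIT for d in decisions)
    # FALSE: ABSTAINs are ignored, but at least one provider must PERMIT.
    return any(d is Decision.PERMIT for d in decisions)


# The three situations from the text, each with two providers (constructed).
SCENARIOS = {
    "all PERMIT":       [Decision.PERMIT, Decision.PERMIT],
    "PERMIT + ABSTAIN": [Decision.PERMIT, Decision.ABSTAIN],
    "PERMIT + DENY":    [Decision.PERMIT, Decision.DENY],
}


def verdict_table() -> dict:
    """(scenario, require_unanimous_permit) -> final verdict, for both modes."""
    return {(name, mode): adjudicate(ds, mode)
            for name, ds in SCENARIOS.items() for mode in (True, False)}


if __name__ == "__main__":
    for (name, mode), verdict in verdict_table().items():
        print(f"{name:17} unanimous={str(mode):5} -> {'PERMIT' if verdict else 'DENY'}")
```

The practical consequence of the default is worth seeing in the table : if you add a second Authorization provider that only holds policies for some resources and abstains on the rest, every resource it abstains on is denied until you either give it policies for those resources or set Require Unanimous Permit to FALSE.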
———————————————————————————————————————–

WebLogic Security Service supports the following types of security providers :

  • Authentication :

It validates a username and password against a user store (the embedded LDAP server by default, or an external LDAP server / database) and, on success, populates the subject.

Its input is a cleartext credential : a username and a password.

  • Identity Assertion :

Here the input is something other than a username and password : a token such as an X.509 certificate, a SAML assertion or a Kerberos ticket. (To picture the idea, think of face or fingerprint recognition, where the check is a pattern match rather than a password comparison ; that example is just to understand the concept of IA.)

The identity asserter validates the token and maps it to a user name ; an Authentication provider then builds the subject for that user without asking for a password.

So basically authentication and Identity Assertion do the same job, i.e. authenticating a user.

The only difference is in the input format they accept.

  • Credential Mapping :

Credential mappings let you map WebLogic Server users to credentials for a remote system.

It does the opposite job of an Identity Asserter : it takes the already authenticated user identity and converts it into the credential format the remote system understands.

Eg : a username / password pair for a legacy system, or a key pair / X.509 certificate for a PKI based one.

  • Certificate Lookup and Validation (CLV) :

It builds and checks certificate chains : the CertPath builder completes the chain for a certificate and the CertPath validator validates every certificate in it.

It also validates incoming certificates, for example a client certificate presented during the SSL handshake.

  • Auditor :

Logs the security events generated by the other providers (authentication attempts, authorization decisions, role mapping, and so on).

————————————————————————————————————————-


1 Comment »

  1. Really good one. Thanks very much :-) - Sathiya

    Comment by Sathiya — February 22, 2013 @ 4:04 pm

