Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation - Weblogic



Thread: Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation

  1. Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    Hi Mark,

    You should first establish a trust relationship between your Weblogic
    servers:

    http://e-docs.bea.com/wls/docs70/sec...n.html#1171534

    Then you can use JAAS to authenticate and get valid Subjects for the two
    users.

    --dejan

    Mark Fine wrote:

    >I'm trying to create a proxy/delegate class that can be used by clients to
    >transparently access a server.
    >The class should be usable from clients within WLS containers and from
    >regular java apps.
    >Using JNDI authentication everything works fine.
    >
    >Using JAAS I'm having a problem when my client is an EJB app in an untrusted
    >WLS domain. When the login is requested the following error is occurring:
    >
    >
    >I want to be able to do a JAAS login to a non-trusted domain. I'm assuming
    >that the server is trying to pass the subject who is logged into the current
    >container, and my call to LoginContext.login()
    >
    >Any thoughts?
    >
    >//Example of code
    >{
    >    loginContext = new LoginContext("ServiceSecurity", new
    >        FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
    >    ...
    >    loginContext.login();
    >    ...
    >    Subject subject = loginContext.getSubject();
    >    ....
    >    serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
    >        new PrivilegedExceptionAction() {
    >            public Object run() throws Exception {
    >                //JNDI lookup
    >                //Create session bean instance
    >            }
    >        });
    >}
    >
    >weblogic.security.Security.runAs(subject,
    >    new PrivilegedExceptionAction() {
    >        public Object run() throws Exception {
    >            //do operation on instance
    >        }
    >    });
    >}
    >



  2. Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    Thanks, but I think the content was miscommunicated. Everything works fine
    when the domains are "trusted". I want to know how to have "untrusted"
    domains talk to each other through explicit logins.

    i.e. imagine an application on a domain in a finance department. What if
    they are trusted against other domains and can't / don't want to establish
    trust with your domain. They just need access to one particular service you
    expose.

    Thanks,
    m


    "Deyan D. Bektchiev" wrote in message
    news:3f2eae29$1@newsgroups.bea.com...




  3. Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    This is exactly what I am doing.
    Implicitly there is a security context within the session bean (the user
    logs in via the web app and context is propagated). I obtain a LoginContext
    to the other server and call the method within that context.
    It doesn't work because it is implicitly passing the security context of the
    session bean and failing due to lack of trust.

    //Example of code
    {
        loginContext = new LoginContext("ServiceSecurity", new
            FW_SimpleCallbackHandler(pUser, pPassword, pUrl));
        ....
        loginContext.login();
        ....
        Subject subject = loginContext.getSubject();
        .....
        serviceHome = (ServiceHome) weblogic.security.Security.runAs(subject,
            new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    //JNDI lookup
                    //Create session bean instance
                }
            });
    }
    ....
    weblogic.security.Security.runAs(subject,
        new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                //do operation on instance
            }
        });
    }


    "Deyan D. Bektchiev" wrote in message
    news:3f2ebb08@newsgroups.bea.com...
    > In that case you should be able to get the two different Subjects from
    > the two different domains (return a different url from the URLCallback
    > when you login with JAAS), and afterwards use
    >
    > weblogic.security.Security.doAs(...);
    >
    > with the correct Subject for the appropriate server when you access the
    > servers.
    >
    > HTH,
    > --dejan
    >



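    The explicit-login approach Dejan describes in the reply quoted above (a LoginContext whose callback handler answers the URLCallback with the other domain's URL, then Security.runAs with that Subject), written out as an added example; it is not code from the thread. The JAAS entry name "ServiceSecurity" and the callback-handler role come from the thread; the handler class, the JNDI name and the login-module wiring are assumptions.

```java
import java.util.Hashtable;
import java.security.PrivilegedExceptionAction;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import weblogic.security.Security;
import weblogic.security.auth.callback.URLCallback;

// Added example, not code from the thread. Assumes a JAAS configuration entry named
// "ServiceSecurity" backed by WebLogic's UsernamePasswordLoginModule, and a ServiceHome
// bound under JNDI_NAME in the other domain; both are assumptions for illustration.
public class RemoteDomainClient {
    static final String JNDI_NAME = "ejb/Service"; // placeholder JNDI name

    /** Answers the login module's callbacks explicitly; the URLCallback selects the domain. */
    static class ExplicitCallbackHandler implements CallbackHandler {
        private final String user; private final char[] password; private final String url;
        ExplicitCallbackHandler(String user, char[] password, String url) {
            this.user = user; this.password = password; this.url = url;
        }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else if (cb instanceof URLCallback) ((URLCallback) cb).setURL(url); // e.g. t3://other-domain:7001
                else throw new UnsupportedCallbackException(cb, "unexpected callback");
            }
        }
    }

    /** Explicit login to the other domain; the returned Subject is what runAs should carry. */
    static Subject loginTo(String user, char[] password, String url) throws Exception {
        LoginContext lc = new LoginContext("ServiceSecurity",
                new ExplicitCallbackHandler(user, password, url));
        lc.login();
        return lc.getSubject();
    }

    /** Looks up the remote home under the explicit Subject, not the caller's propagated container identity. */
    static Object lookupAs(final Subject remote, final String url) throws Exception {
        return Security.runAs(remote, new PrivilegedExceptionAction<Object>() {
            public Object run() throws Exception {
                Hashtable<String, String> env = new Hashtable<String, String>();
                env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
                env.put(Context.PROVIDER_URL, url);
                return new InitialContext(env).lookup(JNDI_NAME);
            }
        });
    }
}
```

As Dejan's last reply says, the thread does not confirm that this succeeds without a trust relationship between the domains.
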

  4. Re: JAAS between WLS (untrusted) domains - ServerIdentity failed validation

    Then I'd start talking to BEA support to see if they even know how to do
    this.

    Without the trust relationship I'm not sure if you can achieve what you
    want.

    Dejan



