Failed to implement a custom UserNameMapper - Weblogic


  1. Failed to implement a custom UserNameMapper

    From: "Ya Ji"
    Subject: Failed to implement a custom UserNameMapper
    Newsgroups: weblogic.developer.interest.security
    Message-ID: <3f30e36d$1@newsgroups.bea.com>
    Date: 6 Aug 2003 04:15:57 -0700


    Hi,

    Environment:
    WebLogic Server 8.1, configured two-way SSL successfully

    I need to implement a custom UserNameMapper to validate whether the client certificate
    is revoked.
    The custom UserNameMapper should get the client certificate's serial number and
    check whether it is in the CRL. If this serial number is in the CRL, then the class should
    return BAD_CERTIFICATE to terminate the SSL connection.

    I found a similar question posted on the newsgroup. Below is the URL of the post:

    http://groups.google.com/groups?hl=en&|lang_en&ie=UTF-8&oe=UTF-8&threadm=3da5c7ad%40newsgroups.bea.com&rnum=2&prev=/groups%3Fhl%3Den%26lr%3Dlang_zh-CN%257Clang_zh-TW%257Clang_en%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dusernamemapper%26sa%3DN%26tab%3Dwg

    In this post, Tom Hegadorn provided custom UserNameMapper code and configuration
    instructions.
    But I still failed to get my WLS running normally with the custom UserNameMapper.

    Below are Tom Hegadorn's instructions. In parentheses is what I did.

    - Enable two-way SSL for your server
    (Yes, my WLS can establish a two-way SSL connection successfully)

    - Install a client certificate in your browser
    (Sure)

    - Configure the following values in the admin console under
    Security->Realms->myrealm->Providers->
    AuthenticationProviders->DefaultIdentityAsserter
    User Name Mapper Class Name = MyUserNameMapper
    Trusted Client Principals = *
    Active Types = AuthenticatedUser X.509 (add X.509)
    (Yes, I configured these values, but I entered "weblogic.security.providers.authentication.MyUserNameMapper"
    in the "User Name Mapper Class Name"

    Below is a part of config.xml:

    PasswordPolicy="wl_default_password_policy"
    Realm="wl_default_realm" RealmSetup="true">
    Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>

    ActiveTypes="X.509|AuthenticatedUser"
    Name="Security:Name=myrealmDefaultIdentityAsserter"
    Realm="Security:Name=myrealm" TrustedClientPrincipals="" UserNameMapperClassName="weblogic.security.providers.authentication.MyUserNameMapper"/>
    Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
    Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
    Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
    Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
    Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
    Adjudicator="Security:Name=myrealmDefaultAdjudicator"
    AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter"
    Authorizers="Security:Name=myrealmDefaultAuthorizer"
    CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
    DefaultRealm="true" DisplayName="myrealm"
    Name="Security:Name=myrealm"
    RoleMappers="Security:Name=myrealmDefaultRoleMapper" UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>

    )

    - Set CLIENT-CERT
    and set up a security constraint in
    web.xml for a security role.
    (No, I didn't do that. I use the WebLogic Examples Server and never configured a security
    role.
    Is it necessary to define a security role?)


    - Map the security role from web.xml to a weblogic principal
    in weblogic.xml
    (No.)

    - Include MyUserNameMapper class in server class path and
    restart the server
    (I created a directory "weblogic" and copied MyUserNameMapper.class to the subdirectory
    "security/providers/authentication/". Then I used jar to add the class to weblogic.jar.
    C:\>jar uvf weblogic.jar weblogic
    adding:weblogic/(in= 0) (out= 0)(stored 0%)
    adding:weblogic/security/(in= 0) (out= 0)(stored 0%)
    adding:weblogic/security/providers/(in= 0) (out= 0)(stored 0%)
    adding:weblogic/security/providers/authentication/(in= 0) (out= 0)(stored 0%)
    adding:weblogic/security/providers/authentication/MyUserNameMapper.class(in= 1245) (out= 675)(deflated 45%)
    Then I copied weblogic.jar to BEA_HOME/server/lib and restarted WLS.)

    Below is the error message when I started WLS.

    ***************************************************************************
    The WebLogic Server did not start up properly.
    java.lang.NoClassDefFoundError: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
        at java.lang.ClassLoader.defineClass0(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:502)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:250)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:54)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:193)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:292)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:140)
        at weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl.initialize(DefaultIdentityAsserterProviderImpl.java:115)
        at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:1696)
        at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:158)
        at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:260)
        at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1481)
        at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1282)
        at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1216)
        at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1338)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1018)
        at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:783)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:627)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:337)
        at weblogic.Server.main(Server.java:32)
    Reason: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
    ***************************************************************************

    Why did it report "wrong name"? Did I do something wrong?
    I need your help. Any hints will be appreciated.

    Thank you again.

  2. Re: Failed to implement a custom UserNameMapper


    "Ya Ji" wrote in message
    news:3f30e36d$1@newsgroups.bea.com...
    >
    > Hi,
    >
    > Environment:
    > WebLogic Server 8.1, configured two-way SSL successfully
    >
    > I need to implement a custom UserNameMapper to validate whether the client
    > certificate is revoked.
    > The custom UserNameMapper should get the client certificate's serial number
    > and check whether it is in the CRL. If this serial number is in the CRL, then
    > the class should return BAD_CERTIFICATE to terminate the SSL connection.
    >
    > Why did it report "wrong name"? Did I do something wrong?
    > I need your help. Any hints will be appreciated.
    >


    I would create a separate jar with your username mapper and then put that
    jar in the classpath. You do not need to use the
    weblogic/security/providers/authentication prefix.

    I believe the wrong name error may be because the package name of
    MyUserNameMapper does not match weblogic.security.providers.authentication.
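
Added example, not part of the thread: a check for the mismatch the reply above describes, where a jar entry's path and the class name compiled into the class file disagree, which is the condition the JVM reports as "wrong name". The function names are this example's own, and the sample jar is a constructed class-file stub that ends right after `this_class`.

```python
import io
import struct
import zipfile

# Payload size after the tag byte for each fixed-size constant-pool entry.
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
          15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def declared_class_name(data):
    """Return the slash-separated name a class file records for itself."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", data, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, i, utf8, class_ref = 10, 1, {}, {}
    while i < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:  # CONSTANT_Utf8: u2 length, then the bytes
            (n,) = struct.unpack_from(">H", data, pos)
            utf8[i] = data[pos + 2:pos + 2 + n].decode("utf-8", "replace")
            pos += 2 + n
        elif tag in _FIXED:
            if tag == 7:  # CONSTANT_Class: index of the Utf8 holding its name
                (class_ref[i],) = struct.unpack_from(">H", data, pos)
            pos += _FIXED[tag]
            i += tag in (5, 6)  # long/double take two pool slots
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    (this_class,) = struct.unpack_from(">H", data, pos + 2)  # after access_flags
    return utf8[class_ref[this_class]]

def find_wrong_names(jar):
    """Return (entry path, declared name) pairs where the two disagree."""
    with zipfile.ZipFile(jar) as zf:
        pairs = [(n, declared_class_name(zf.read(n)))
                 for n in zf.namelist() if n.endswith(".class")]
    return [(n, d) for n, d in pairs if d + ".class" != n]

def constructed_jar(entry_path, internal_name):
    """Constructed sample: in-memory jar holding one minimal class-file stub."""
    raw = internal_name.encode()
    stub = (struct.pack(">IHHH", 0xCAFEBABE, 0, 46, 3) + b"\x01"
            + struct.pack(">H", len(raw)) + raw + b"\x07\x00\x01"
            + struct.pack(">HH", 0x0021, 2))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_path, stub)
    return buf
```

`find_wrong_names` also accepts a path to a jar on disk, so it can be run against the separate mapper jar before that jar is added to the server classpath.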





  3. Re: Failed to implement a custom UserNameMapper


    "BlackSnail" wrote in message
    news:3f373abb@newsgroups.bea.com...
    > I feel so depressed because I can't make custom UserNameMapper working
    > after try and try.


    I would double check with a program like jwhich
    (http://www.javaworld.com/javaworld/j...avatip105.html)
    to make sure the class is in the classpath.

    It looks like everything is set up correctly, so I can't understand why you
    are getting the error. As a last resort, you could try putting the class in
    the wlSecurityProviders.jar.
    But you should not have to do that if it is in the classpath of the server.





  4. Re: Failed to implement a custom UserNameMapper

    Hi, Peter

    I made a foolish mistake which made you and me waste so much time.

    I didn't run setExamplesEnv.cmd before running startExamplesServer.cmd.

    Now I execute setExamplesEnv.cmd first, and then the server starts normally.

    Thank you for your help.


