Failed to implement a custom UserNameMapper - Weblogic
From: "Ya Ji"
Sender: "Ya Ji"
Reply-To: "Ya Ji"
Subject: Failed to implement a custom UserNameMapper
Newsgroups: weblogic.developer.interest.security
X-User-Info: 218.88.5.21
NNTP-Posting-Host: 218.88.5.21
X-Original-NNTP-Posting-Host: 218.88.5.21
Message-ID: <3f30e36d$1@newsgroups.bea.com>
Date: 6 Aug 2003 04:15:57 -0700
X-Trace: newsgroups.bea.com 1060168557 218.88.5.21 (6 Aug 2003 04:15:57 -0700)
X-Original-Trace: 6 Aug 2003 04:15:57 -0700, 218.88.5.21
Organization: BEA NEWS SITE
Lines: 149
XPident: Unknown
Path: newsgroups.bea.com!not-for-mail
Xref: newsgroups.bea.com weblogic.developer.interest.security:10441
Hi,
Environment:
WebLogic Server 8.1, configured two-way SSL successfully
I need to implement a custom UserNameMapper to validate whether the client certificate
is revoked.
The custom UserNameMapper should get the client certificate's serial number and
check whether it is in the CRL. If this serial number is in the CRL, then the class should
return BAD_CERTIFICATE to terminate the SSL connection.
I found a similar question posted on the newsgroup. Below is the URL of the post:
http://groups.google.com/groups?hl=en&|lang_en&ie=UTF-8&oe=UTF-8&threadm=3da5c7ad%40newsgroups.bea.com&rnum=2&prev=/groups%3Fhl%3Den%26lr%3Dlang_zh-CN%257Clang_zh-TW%257Clang_en%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dusernamemapper%26sa%3DN%26tab%3Dwg
In this post, Tom Hegadorn provided custom UserNameMapper code and configuration
instructions.
But I still failed to get my WLS running normally with the custom UserNameMapper.
Below are Tom Hegadorn's instructions. In parentheses is what I did.
- Enable two-way SSL for your server
(Yes, my WLS can establish a two-way SSL connection successfully)
- Install a client certificate in your browser
(Sure)
- Configure the following values in the admin console under
Security->Realms->myrealm->Providers->AuthenticationProviders->DefaultIdentityAsserter
User Name Mapper Class Name = MyUserNameMapper
Trusted Client Principals = *
Active Types = AuthenticatedUser X.509 (add X.509)
(Yes, I configured these values, but I entered "weblogic.security.providers.authentication.MyUserNameMapper"
in the "User Name Mapper Class Name"
Below is a part of config.xml:
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>
ActiveTypes="X.509|AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter"
Realm="Security:Name=myrealm" TrustedClientPrincipals="" UserNameMapperClassName="weblogic.security.providers.authentication.MyUserNameMapper"/>
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper" UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
)
- Set CLIENT-CERT and set up a security constraint in web.xml for a security role.
(No, I didn't do that. I use the WebLogic Examples Server and never configured a security
role. Is it necessary to define a security role?)
- Map the security role from web.xml to a weblogic principal in weblogic.xml
(No.)
- Include MyUserNameMapper class in server class path and restart the server
(I created a directory "weblogic" and copied MyUserNameMapper.class to the sub directory
"security/providers/authentication/". Then I used jar to add the class to weblogic.jar.
C:\>jar uvf weblogic.jar weblogic
adding:weblogic/(in= 0) (out= 0)(stored 0%)
adding:weblogic/security/(in= 0) (out= 0)(stored 0%)
adding:weblogic/security/providers/(in= 0) (out= 0)(stored 0%)
adding:weblogic/security/providers/authentication/(in= 0) (out= 0)(stored 0%)
adding:weblogic/security/providers/authentication/MyUserNameMapper.class(in= 1245) (out= 675)(deflated 45%)
Then I copied weblogic.jar to BEA_HOME/server/lib and restarted WLS.)
Below is the error message when I started WLS.
***************************************************************************
The WebLogic Server did not start up properly.
java.lang.NoClassDefFoundError: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
        at java.lang.ClassLoader.defineClass0(Native Method)
        at java.lang.ClassLoader.defineClass(ClassLoader.java:502)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:250)
        at java.net.URLClassLoader.access$100(URLClassLoader.java:54)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:193)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:292)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:140)
        at weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl.initialize(DefaultIdentityAsserterProviderImpl.java:115)
        at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:1696)
        at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:158)
        at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:260)
        at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1481)
        at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1282)
        at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1216)
        at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1338)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1018)
        at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:783)
        at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:627)
        at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:337)
        at weblogic.Server.main(Server.java:32)
Reason: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
***************************************************************************
Why did it report "wrong name"? Did I do something wrong?
I need your help. Any hints will be appreciated.
Thank you again.
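The revocation check the post describes, as an added example that is not code from this thread: a mapper in the unnamed package that looks the client certificate's serial number up in the issuing CA's CRL and refuses the user when it is revoked. It assumes the WebLogic 8.1 UserNameMapper interface with mapCertificateToUserName and mapDistinguishedNameToUserName, a CRL file at an assumed path, and that returning no user name (null), rather than the BAD_CERTIFICATE the post mentions, is what makes the identity assertion fail; it compiles on JDK 1.4.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import weblogic.security.providers.authentication.UserNameMapper;

// Unnamed package on purpose: the class file then belongs at the root of its own jar, not under
// weblogic/security/providers/authentication/, otherwise the JVM reports "wrong name".
public class MyUserNameMapper implements UserNameMapper {
    private static final String CRL_PATH = "C:/bea/crl/ca.crl"; // assumed CRL location
    private final X509CRL crl;
    public MyUserNameMapper() throws Exception {
        InputStream in = new FileInputStream(CRL_PATH);
        try {
            crl = (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        } finally {
            in.close();
        }
    }

    // Called by the DefaultIdentityAsserter for the X.509 token type with the client's chain.
    // Returning null means "no user": the identity assertion fails and the request is refused.
    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) return null;
        X509Certificate client = certs[0];            // end-entity certificate comes first
        if (isRevoked(client)) return null;
        return extractCn(client.getSubjectX500Principal().getName());
    }
    public String mapDistinguishedNameToUserName(byte[] dn) {
        return null;                                  // DN-only assertion is not supported here
    }
    // Serial-number lookup plus two checks a bare lookup misses, each failing closed:
    // the CRL must come from the certificate's issuer and must not be past its nextUpdate.
    boolean isRevoked(X509Certificate cert) {
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) return true;
        Date next = crl.getNextUpdate();
        if (next != null && next.before(new Date())) return true;
        return crl.getRevokedCertificate(cert.getSerialNumber()) != null;
    }
    // Takes the CN out of an RFC 2253 subject such as "CN=alice,OU=dev,O=Example"
    static String extractCn(String dn) {
        String[] rdns = dn.split(",");
        for (int i = 0; i < rdns.length; i++)
            if (rdns[i].trim().toUpperCase().startsWith("CN=")) return rdns[i].trim().substring(3);
        return null;
    }
}
```

Verify the CRL's signature with the CA's public key (X509CRL.verify) before trusting it, and package this class in its own jar on the server classpath rather than repacking weblogic.jar.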
-
Re: Failed to implement a custom UserNameMapper
"Ya Ji" wrote in message news:3f30e36d$1@newsgroups.bea.com...
>
> Hi,
>
> Environment:
> WebLogic Server 8.1, configured two-way SSL successfully
>
> I need to implement a custom UserNameMapper to validate whether the client certificate
> is revoked.
> The custom UserNameMapper should get the client certificate's serial number and
> check whether it is in the CRL. If this serial number is in the CRL, then the class should
> return BAD_CERTIFICATE to terminate the SSL connection.
>
> Why did it report "wrong name"? Did I do something wrong?
> I need your help. Any hints will be appreciated.
>
I would create a separate jar with your username mapper and then put that jar in the
classpath. You do not need to use the weblogic/security/providers/authentication prefix.
I believe the wrong name error may be because the package name of MyUserNameMapper
does not match weblogic.security.providers.authentication.
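Peter's diagnosis can be checked before restarting the server. This added example (not code from the thread) reads the binary class name recorded in each .class entry of a jar and compares it with the entry's path; a mismatch is exactly what the "(wrong name: ...)" in the NoClassDefFoundError above reports. It assumes the jar to check is given as the first command-line argument.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

public class JarClassNameCheck {
    // Reads this_class from the ClassFile structure (JVM spec ch. 4) without loading the class.
    static String declaredName(InputStream in) throws IOException {
        DataInputStream d = new DataInputStream(in);
        if (d.readInt() != 0xCAFEBABE) throw new IOException("not a class file");
        d.readInt();                                       // minor_version, major_version
        int count = d.readUnsignedShort();
        String[] utf8 = new String[count]; int[] nameIdx = new int[count];
        for (int i = 1; i < count; i++) {
            int tag = d.readUnsignedByte();
            switch (tag) {
                case 1: utf8[i] = d.readUTF(); break;                     // CONSTANT_Utf8
                case 7: nameIdx[i] = d.readUnsignedShort(); break;        // CONSTANT_Class
                case 8: case 16: case 19: case 20: d.readUnsignedShort(); break;
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                    d.readInt(); break;                                   // one u4 or two u2
                case 5: case 6: d.readLong(); i++; break;                 // long/double take two slots
                case 15: d.readUnsignedByte(); d.readUnsignedShort(); break; // MethodHandle
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        d.readUnsignedShort();                             // access_flags
        return utf8[nameIdx[d.readUnsignedShort()]];       // this_class -> Class -> Utf8
    }
    // Compares the name the JVM expects from each entry's path with the compiled-in name;
    // prints every mismatch and returns how many there were.
    static int check(JarFile jar) throws IOException {
        int bad = 0;
        for (Enumeration e = jar.entries(); e.hasMoreElements();) {
            JarEntry entry = (JarEntry) e.nextElement();
            if (!entry.getName().endsWith(".class")) continue;
            String expected = entry.getName().substring(0, entry.getName().length() - 6);
            InputStream in = jar.getInputStream(entry);
            String declared;
            try { declared = declaredName(in); } finally { in.close(); }
            if (!declared.equals(expected)) {
                System.out.println(expected + " in jar, but compiled as " + declared); bad++;
            }
        }
        return bad;
    }
    public static void main(String[] args) throws IOException { System.exit(check(new JarFile(args[0])) == 0 ? 0 : 1); }
}
```

For the jar built in the first post it would print that weblogic/security/providers/authentication/MyUserNameMapper was compiled as MyUserNameMapper, i.e. the source has no package declaration.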
-
Re: Failed to implement a custom UserNameMapper
"BlackSnail" wrote in message news:3f373abb@newsgroups.bea.com...
> I feel so depressed because I can't make custom UserNameMapper working after
> try and try.
I would double check with a program like jwhich (http://www.javaworld.com/javaworld/j...avatip105.html)
to make sure the class is in the classpath.
It looks like everything is set up correctly so I can't understand why you are getting
the error. As a last resort, you could try putting the class in the wlSecurityProviders.jar,
but you should not have to do that if it is in the classpath of the server.
-
Re: Failed to implement a custom UserNameMapper
Hi, Peter
I made a foolish mistake which made you and me waste so much time.
I didn't run setExamplesEnv.cmd before running startExamplesServer.cmd.
Now I execute setExamplesEnv.cmd first, then the server starts normally.
Thank you for your help.