Using custom UserNameMapper with custom Identity Asserter - WebLogic


Thread: Using custom UserNameMapper with custom Identity Asserter

  1. Using custom UserNameMapper with custom Identity Asserter


    I am writing my custom username mapper and identity asserter.

    I want my identity asserter to use my custom name mapper. How do I accomplish
    that?

    Can I have multiple username mappers and identity asserters per realm?

    I also want to use the identity asserter first in the authentication path, else use
    the auth providers. I read in an earlier post that this is not supported. When will
    WebLogic support this?

  2. Re: Using custom UserNameMapper with custom Identity Asserter



    Peter,

    Thanks.

    A couple more questions:

    1. Do you know when BEA will support ITTPrincipalName? I see ITTAnonymous is
    supported?
    2. Using GSSUP, is there any limit on the size of the username and password?

    What if I passed in the Kerberos token encoded as a base64 string as the password
    and wrote a custom identity asserter... will that work? I don't want to go the
    HTTP route and want to stay with T3 or IIOP since my services are EJBs.



    "Peter" wrote:
    >
    >"newsgroups.bea.com" wrote in message
    >news:3f3ce87f$1@newsgroups.bea.com...
    >> Peter
    >>
    >> I appreciate your clear responses. They are very very helpful.
    >>
    >> Another question
    >>
    >> In the IdentityAsserter interface, one of the parameters is byte[] token.
    >> My login module will of course be Krb5LoginModule from JDK 1.4.
    >>
    >> How does this token get to the identity asserter? In my case the token is
    >> a Kerberos token.
    >>
    >> I am still not able to tie Kerberos strings together with identity
    >> assertion. I figured out what needs to be done to be able to respond to a
    >> token of type "kerberosTicket" which I set through the MBean and the
    >> provider, but how I get the token from the client is unclear to me. I
    >> figure it is GSSAPI, but for that WebLogic Server acts as a Kerberos
    >> application server responding to GSS API requests.
    >>
    >
    >It depends on the client.
    >
    >With T3 and WLS IIOP clients, there is no way to pass additional information
    >that can be used for identity assertion. You may be able to use a custom
    >login module and then use runas on the client side - you would then have to
    >write an authentication provider and principal validator on the server side
    >(to handle the principals).
    >
    >With an IIOP CSIv2 client, WLS supports the standard CSIv2 identity
    >assertions, but there is currently no support for any GSS token except for
    >the GSSUP token.
    >
    >With an HTTP client, you can use cookies or request headers and pass the
    >token, which can then be validated by the identity asserter that you write.
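    The HTTP-header path that Peter describes above is the one most people end up on. The class below is an added example, not code from the thread or from BEA: a WebLogic IdentityAsserterV2 that receives a perimeter token from a request header, verifies an HMAC-SHA256 over it and only then asserts the user name. The class name HmacHeaderIdentityAsserter, the token layout (user:expiry:hex-mac) and the constructor arguments are assumptions made for the example; the AuthenticationProviderV2 wrapper, its MBean definition file and the distribution of the shared key are not shown. The point it makes is the one an identity asserter lives or dies by: anything in a header can be written by the client, so the asserter must cryptographically validate the token before it returns a name, and the login module behind it must then accept that name without a password.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.IdentityAsserterV2;

/**
 * Added example, not from the thread or from BEA: asserts identity from an
 * HTTP header token of the (assumed) form
 *   <user>:<expiry-epoch-seconds>:<hex HMAC-SHA256(key, "<user>:<expiry>")>
 * The owning AuthenticationProviderV2 would construct this in initialize()
 * with the shared key and the token type configured on its MBean.
 */
public class HmacHeaderIdentityAsserter implements IdentityAsserterV2 {

    private final String tokenType;     // also the HTTP header name WebLogic reads
    private final byte[] key;           // shared HMAC key (assumed to come from the provider)
    private final long clockSkewSeconds;

    public HmacHeaderIdentityAsserter(String tokenType, byte[] key, long clockSkewSeconds) {
        this.tokenType = tokenType;
        this.key = key.clone();
        this.clockSkewSeconds = clockSkewSeconds;
    }

    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        if (!tokenType.equals(type)) {
            throw new IdentityAssertionException("unsupported token type: " + type);
        }
        // WebLogic hands header and cookie tokens to the asserter as byte[]
        // (already base64-decoded when Base64DecodingRequired is set on the provider).
        if (!(token instanceof byte[])) {
            throw new IdentityAssertionException("expected byte[] token, got "
                    + (token == null ? "null" : token.getClass().getName()));
        }
        String[] parts = new String((byte[]) token, StandardCharsets.UTF_8).trim().split(":", -1);
        if (parts.length != 3 || parts[0].isEmpty()) {
            throw new IdentityAssertionException("malformed token");
        }
        final String user = parts[0];
        long expiry;
        try {
            expiry = Long.parseLong(parts[1]);
        } catch (NumberFormatException e) {
            throw new IdentityAssertionException("malformed expiry");
        }
        // Verify the MAC before trusting anything else in the token, and compare
        // in constant time so a forger learns nothing from response timing.
        byte[] expected = hmac(user + ":" + parts[1]);
        byte[] presented = hexToBytes(parts[2]);
        if (presented == null || !MessageDigest.isEqual(expected, presented)) {
            throw new IdentityAssertionException("token signature invalid");
        }
        if (expiry + clockSkewSeconds < System.currentTimeMillis() / 1000L) {
            throw new IdentityAssertionException("token expired");
        }
        // Return only the name; WebLogic then drives the realm's login module(s)
        // with this NameCallback, so they must accept an asserted identity
        // without a PasswordCallback.
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else {
                        throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                    }
                }
            }
        };
    }

    private byte[] hmac(String data) throws IdentityAssertionException {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(key, "HmacSHA256"));
            return mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IdentityAssertionException("HMAC failure: " + e.getMessage());
        }
    }

    // Strict hex decoder; returns null on odd length or non-hex characters.
    private static byte[] hexToBytes(String hex) {
        if (hex.length() % 2 != 0) return null;
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(hex.charAt(2 * i), 16);
            int lo = Character.digit(hex.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }
}
```

    For this to be reached at all, the token type string must be listed in the provider's ActiveTypes, and the front end that mints the header must be the only thing able to reach the server on that listener; otherwise a client can simply send its own header, which is why the MAC check, not the header's presence, is what establishes identity.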



  3. Re: Using custom UserNameMapper with custom Identity Asserter


    "PremS" wrote in message
    news:3f4991ed@newsgroups.bea.com...
    >
    >
    > 1. Do you know when BEA will support ITTPrincipalName? I see
    > ITTAnonymous is supported?

    CSIv2 ITTPrincipalName identity assertion tokens are supported.

    > 2. Using GSSUP - is there any limit on the size of the username and password?
    >

    Not that I know of.

    > What if I passed in the Kerberos token encoded as a base64 string as the
    > password and wrote a custom identity asserter... will that work?

    You would have to write an authenticator instead of an identity asserter. The
    username/password code path will end up calling your login module associated
    with the authentication provider.

    > I don't want to go the
    > HTTP route and want to stay with T3 or IIOP since my services are EJBs.
    >
    >



