Custom RoleMapper not being called - Weblogic
This is a discussion on Custom RoleMapper not being called - Weblogic ; Iím having a problem with my custom rolemapper.
Let me start with some background. Weíre developing a web app which has itís own security infrastructure in the sense that the user manages the security aspects of the web app through ...
Custom RoleMapper not being called
Iím having a problem with my custom rolemapper.
Let me start with some background. Weíre developing a web app which has itís own security infrastructure in the sense that the user manages the security aspects of the web app through on portion of the web app itself. We have the concepts of Users, Roles and Permissions. A User is an individual who authenticates with the web app and uses one or more of its capabilities. Each user is assigned one or more Roles and each Role is granted one or more Permissions. A Permission allows the user to access one or more EJB methods and/or web tier resources. This mapping is design time fixed. What users are given what roles and what roles are given what permissions is changeable by users who have been given these capabilities within the web app. There is no management of these Users, Roles and Permissions through the WebLogic console. All data is store in an external database.
What Iíve done:
- Individual EJB methods have been tagged with appropriate role-name elements in their method permissions and these appear in the ejb-jar.xml. The values of these role-name elements are one of the Permissions assignable through the Security WebApp. The necessary security-role-assignments have been done in the weblogic-ejb-jar.xml files. For example,
[I think Iím using the externally-defined tag appropriately. I take this to mean that the mapping between users and roles is not deployment time fixed but rather can change using external tools such as the WebLogic Console and also through any other management interface which alters mapping data which is used by any installed RoleMappers.]
- Iíve written a custom Authentication Provider which validates the userId/password against the User table in the database. This works fine.
- Iíve written a custom RoleMapper Provider which will return a list of Permissions which are currently assigned to a User. [IE. Permissions in my database are equivalent to role-names as specified on EJB methods.] This is dynamic in the sense that an admin user can change the mapping (from users to permissions/EJB security role-names) through the Security WebApp. It doesnít depend on current context or resources but rather only on the list of Permissions currently assigned to the authenticated User.
o The trouble Iím having is that my RoleMapper doesnít get called when I expect it to. Iíve got an EJB test client which does a login followed by a Security.runAs(subject, clientTestDriver). ClientTestDriver makes the EJB call to a protected EJB method. My EJB method gets called but there is no apparent attempt to check to see if the Subject has the necessary role to execute this method. IE. My RoleMapper.getRoles() method never gets called.
- Iíve got no other custom Providers. My understanding/expectation is that I donít need an Authorization Provider because it will do the job of taking the role-names returned by the RoleMapper and ensure that the EJB method being called has one of those security roles.
Iím using WebLogic SP3. Iíve got the following settings in the WebLogic Console:
Check Roles and Policies for: Web applications and EJBs protected in DD
The DefaultAuthenticator is still enabled but set to Optional. My Authenicator is also set to optional.
The DefaultRoleMapper is still enabled and so is my custom RoleMapper.
If I look at the security policies in the admin console, each of my EJBs has an inherited policy statement saying ďcaller is a member of group everyoneĒ.
Iím not sure Iím on the right track in this whole approach as everything I read seems to indicate a tendency (maybe requirement?) to manage Users, Groups and Roles through the WebLogic Console and not through a separate web app which doesnít in any way interact with the Console.
Any insights would be greatly appreciated.
Re: Custom RoleMapper not being called
My knowledge of this is extremely limited so please dont expect too much.
However I was under the impression that roles were populated during authorization and not authentication.
We use Siteminder authentication/authorization and its only at the az level that roles are populated in the principal.
Hope it helps (but I doubt it).
Re: Custom RoleMapper not being called
Does RoleMapper.getRoles() ever get called? By the way, how are you connecting to your RDMS in your role mapper? Did you have to make a direct connection to the DB?