Modify Headers Firefox plugin
https://addons.mozilla.org/en-US/firefox/addon/modify-headers/
The add-on is configured to add the custom request header SamplePerimeterAtnToken: username=dave to requests to the test web application; the header capture further below shows it in the GET. Screenshots:
Modify HTTP header
Capture HTTP headers
Weblogic Identity Assertion Concepts
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId0
Weblogic log of the test Identity Asserter (assertIdentity receives the header value as a byte[], so the log prints the array's default toString, not the token contents)
SimpleSampleIdentityAsserterProviderImpl.assertIdentity
Type = SamplePerimeterAtnToken
Token = [B@f99f26
userName = dave
weblogic.xml assigns the role SamplePerimeterAtnRole to the group SamplePerimeterAtnUsers
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
    xmlns="http://www.bea.com/ns/weblogic/90"
    xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <security-role-assignment>
    <role-name>SamplePerimeterAtnRole</role-name>
    <principal-name>SamplePerimeterAtnUsers</principal-name>
  </security-role-assignment>
</weblogic-web-app>
web.xml configures every web resource as secured and requires the SamplePerimeterAtnRole; note transport-guarantee NONE, so the sample accepts the token header over plain HTTP
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <!-- Specifies the security settings for the SamplePerimeterAtn web app.
       This webapp is used to demonstrate how to use identity assertion to
       perform perimeter authentication (where someone outside WLS is
       responsible for authenticating the user).
       Copyright (c) 2005 by BEA Systems, Inc. All Rights Reserved.
  -->
  <security-constraint>
    <!-- all the pages in this webapp are secured -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <!-- only users in the SamplePerimeterAtnRole will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
      <role-name>SamplePerimeterAtnRole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Use weblogic.xml to map the SamplePerimeterAtnRole
       to the SamplePerimeterAtnUsers group. As a result,
       "SamplePerimeterAtnUsers" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>SamplePerimeterAtnRole</role-name>
  </security-role>
  <!-- turn on identity assertion
       The webapp only specifies that identity assertion should be
       used. It does not dictate what kind of tokens to use. Rather,
       the client and the identity asserter have to agree on the token
       type and format.
       - the client is responsible for sending in a token that identifies the user
       - the identity asserter is responsible for converting that token
         to a user name.
       - the authenticators are responsible for putting that user
         and its groups into the subject
       The realm name is not used so set it to "NoSuchRealm". It
       has nothing to do with the realm names in the console.
       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>NoSuchRealm</realm-name>
  </login-config>
</web-app>
Error without the modified header: no token is presented, so the Identity Asserter is never invoked and WebLogic returns its standard 401 page
Error 401--Unauthorized
From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
10.4.2 401 Unauthorized
The request requires user authentication. The response MUST include a WWW-Authenticate header field (section 14.46) containing a challenge applicable to the requested resource. The client MAY repeat the request with a suitable Authorization header field (section 14.8). If the request already included Authorization credentials, then the 401 response indicates that authorization has been refused for those credentials. If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user SHOULD be presented the entity that was given in the response, since that entity MAY include relevant diagnostic information. HTTP access authentication is explained in section 11.
Result page with the added header: SamplePerimeterAtn.jsp prints the Subject, which now holds the user principal dave, the group principal SamplePerimeterAtnUsers added by the authenticator, and the private credential
SamplePerimeterAtn.jsp Subject: Principal: dave Principal: SamplePerimeterAtnUsers Private Credential: dave
Authorized access with configured Identity Asserter. The sample asserter trusts whatever user name the header carries, so this is only safe when the header is set by the perimeter authenticator and stripped from inbound client requests; a client that can add the header itself, as the Firefox add-on does here, chooses its own identity.
Modify SimpleSampleIdentityAsserter - set Base64DecodingRequired to false
http://docs.oracle.com/cd/E21764_01/web.1111/e13718/ia.htm#autoId15
With the attribute false, WebLogic passes the header value to assertIdentity as-is (the bytes of username=dave); with it true, the value would first be Base64-decoded and the plain-text token would no longer parse. The attribute is changed in the provider's MBean definition file:
<MBeanAttribute
    Name        = "Base64DecodingRequired"
    Type        = "boolean"
    Writeable   = "false"
    Default     = "false"
    Description = "See MyIdentityAsserter-doc.xml."
/>
Capture HTTP headers: the request to the JSP carries the added SamplePerimeterAtnToken header next to the existing cookies, and the response is 200
http://localhost:7001/samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp
GET /samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp HTTP/1.1
Host: localhost:7001
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: ADMINCONSOLESESSION=0X41P3rh1pbcCGhBn8nJ5yB55R9zds3v6fjD68QMjT5F6cYZqFGJ!-863651884; JSESSIONID=WVJXP3rJnc1tpjTn5SHW4TC5tRLGhgDBgBDTvZqTQGSR67r88XDR!-863651884
SamplePerimeterAtnToken: username=dave
HTTP/1.1 200 OK
Date: Sat, 31 Mar 2012 16:17:46 GMT
Content-Length: 116
Content-Type: text/html; charset=ISO-8859-1
X-Powered-By: Servlet/3.0 JSP/2.2
Once a request has been asserted, WebLogic binds the authenticated subject to the HTTP session, so changing the user name in the header has no effect while the browser keeps sending the JSESSIONID cookie. To change user it is necessary to remove that cookie:
Cookie: JSESSIONID=pZrFP3yQQpFLnJvPLGSTpcgnGRqCQtYJfdfpySLYJG1gd3QCTGWz!-863651884
In Firefox this is done using about:permissions
Opera allows editing existing cookies
Cookie Information
Cookie Manager
IdentityAsserter MBean in WLS Admin console
All WebLogic users are implicitly members of the group users. This can be used to allow access to an application for all authenticated users by mapping the role to the users principal in weblogic.xml (the security-role-assignment below). The implicit group never appears as a principal; in this run the Subject holds only the user principal and the role check still passes:
weblogic.security.Security.getCurrentSubject()
returns
SamplePerimeterAtn.jsp Subject: Principal: dave Private Credential: dave
weblogic.xml maps the authusers role to the implicit users group
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
    xmlns="http://www.bea.com/ns/weblogic/90"
    xmlns:j2ee="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.bea.com/ns/weblogic/90 http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
  <security-role-assignment>
    <role-name>authusers</role-name>
    <principal-name>users</principal-name>
  </security-role-assignment>
</weblogic-web-app>
web.xml, now requiring the authusers role; it also registers the author's AuthenticationSnoop servlet
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <!-- Specifies the security settings for the SamplePerimeterAtn web app.
       This webapp is used to demonstrate how to use identity assertion to
       perform perimeter authentication (where someone outside WLS is
       responsible for authenticating the user).
       Copyright (c) 2005 by BEA Systems, Inc. All Rights Reserved.
  -->
  <security-constraint>
    <!-- all the pages in this webapp are secured -->
    <web-resource-collection>
      <web-resource-name>SecuredPages</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <!-- every authenticated user is in the implicit users group, which
         weblogic.xml maps to authusers, so all authenticated users will
         be granted access to the pages in this webapp
    -->
    <auth-constraint>
      <role-name>authusers</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- Use weblogic.xml to map the authusers role
       to the users group. As a result, every member of
       "users" will be granted the role
       for this webapp (thus be able to access its pages)
  -->
  <security-role>
    <role-name>authusers</role-name>
  </security-role>
  <!-- turn on identity assertion
       The webapp only specifies that identity assertion should be
       used. It does not dictate what kind of tokens to use. Rather,
       the client and the identity asserter have to agree on the token
       type and format.
       - the client is responsible for sending in a token that identifies the user
       - the identity asserter is responsible for converting that token
         to a user name.
       - the authenticators are responsible for putting that user
         and its groups into the subject
       The realm name is not used so set it to "NoSuchRealm". It
       has nothing to do with the realm names in the console.
       Set the auth method to CLIENT-CERT to turn on identity
       assertion for this webapp.
  -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>NoSuchRealm</realm-name>
  </login-config>
  <servlet>
    <description></description>
    <display-name>AuthenticationSnoop</display-name>
    <servlet-name>AuthenticationSnoop</servlet-name>
    <servlet-class>dave.AuthenticationSnoop</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>AuthenticationSnoop</servlet-name>
    <url-pattern>/AuthenticationSnoop</url-pattern>
  </servlet-mapping>
</web-app>
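The whole round trip above, as an added example that is neither Oracle's sample code nor anything from this page: a Python model of the perimeter-authentication flow. assert_identity does what the SimpleSampleIdentityAsserter does with the header value (raw bytes, Base64-decoded only when Base64DecodingRequired is true, then parsed as username=<name>); is_user_in_role applies the two weblogic.xml mappings, including the implicit users group; the request handler returns 401 without a token, binds the asserted user to a JSESSIONID so that a changed header is ignored until the cookie is dropped; and probe replays the browser request with and without the header. Everything not on the page is assumed: the user store (dave in SamplePerimeterAtnUsers, mallory in no group), that an unknown user gets 401 and a user outside the role gets 403, and the loopback server itself.

```python
# Constructed model of the flow on this page; not Oracle's sample code.
import base64
import http.client
import http.server
import secrets
import threading
from http.cookies import SimpleCookie

TOKEN_TYPE = "SamplePerimeterAtnToken"  # token type == header name, as in the sample
SESSION_COOKIE = "JSESSIONID"
# Assumed user store: dave is in SamplePerimeterAtnUsers, mallory is in no group.
# WebLogic's implicit "users" group is never stored as a principal.
GROUPS = {"dave": {"SamplePerimeterAtnUsers"}, "mallory": set()}
# role -> principal, one entry per weblogic.xml shown on the page
ROLE_ASSIGNMENTS = {"SamplePerimeterAtnRole": "SamplePerimeterAtnUsers", "authusers": "users"}
SESSIONS = {}  # JSESSIONID -> asserted user (the session-bound Subject)


def assert_identity(token_type, token, base64_decoding_required=False):
    """Model of assertIdentity(): raw header bytes, Base64-decoded only when the
    MBean attribute says so, parsed as 'username=<name>'. None if unusable."""
    if token_type != TOKEN_TYPE or not isinstance(token, bytes):
        return None
    if base64_decoding_required:
        try:
            token = base64.b64decode(token, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            return None
    text = token.decode("ascii", errors="replace")
    if not text.startswith("username="):
        return None
    return text[len("username="):].strip() or None


def subject_principals(user):
    """User principal plus explicit group principals; None for an unknown user."""
    return None if user not in GROUPS else [user] + sorted(GROUPS[user])


def is_user_in_role(user, role):
    """weblogic.xml role mapping; the implicit users group admits any authenticated user."""
    principal = ROLE_ASSIGNMENTS.get(role)
    if principal is None or user not in GROUPS:
        return False
    return principal == "users" or principal == user or principal in GROUPS[user]


class PerimeterHandler(http.server.BaseHTTPRequestHandler):
    role = "SamplePerimeterAtnRole"   # first web.xml; "authusers" for the second
    base64_decoding_required = False  # the modified MBean attribute

    def do_GET(self):
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        sid = cookies[SESSION_COOKIE].value if SESSION_COOKIE in cookies else None
        user = SESSIONS.get(sid)
        if user is None:  # no session-bound Subject yet: assert from the header
            raw = self.headers.get(TOKEN_TYPE)
            user = assert_identity(TOKEN_TYPE, raw.encode("latin-1") if raw else None,
                                   self.base64_decoding_required)
            if user is None or subject_principals(user) is None:
                self.send_response(401)  # the "Error 401--Unauthorized" page
                self.end_headers()
                return
            sid = secrets.token_urlsafe(16)
            SESSIONS[sid] = user  # from now on the header is ignored for this session
        if not is_user_in_role(user, self.role):
            self.send_response(403)  # asserted, but not in the role (assumed status)
            self.end_headers()
            return
        body = "Subject: " + " ".join(f"Principal: {p}" for p in subject_principals(user))
        self.send_response(200)
        self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}")
        self.end_headers()
        self.wfile.write(body.encode())

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(role="SamplePerimeterAtnRole", base64_decoding_required=False):
    """Run the model on a free loopback port in a background thread."""
    handler = type("Handler", (PerimeterHandler,),
                   {"role": role, "base64_decoding_required": base64_decoding_required})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, token=None, cookie=None):
    """One GET like the browser's; returns (status, body, JSESSIONID from Set-Cookie)."""
    headers = {}
    if token is not None:
        headers[TOKEN_TYPE] = token
    if cookie is not None:
        headers["Cookie"] = f"{SESSION_COOKIE}={cookie}"
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/samplePerimeterAtnWebApp/SamplePerimeterAtn.jsp", headers=headers)
    resp = conn.getresponse()
    body, set_cookie = resp.read().decode(), resp.getheader("Set-Cookie")
    conn.close()
    return resp.status, body, set_cookie.split("=", 1)[1] if set_cookie else None


if __name__ == "__main__":
    srv = start_server()
    port = srv.server_address[1]
    print(probe(port))                                # 401: no token header
    status, body, sid = probe(port, "username=dave")  # 200, Subject with the group
    print(status, body, probe(port, "username=mallory", cookie=sid))  # session still dave
    print(probe(port, "username=mallory"))            # 403: not in SamplePerimeterAtnUsers
    srv.shutdown()
```

Run stand-alone, it prints the 401, dave's Subject with its group principal, the unchanged Subject when the header says mallory but the cookie is still sent, and the 403 for mallory on a fresh session; start_server(role="authusers") reproduces the second configuration, which admits mallory with a Subject holding only the user principal. probe is also all an attacker needs if the header reaches WebLogic unfiltered, which is the reason the perimeter must own that header.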