2

Our current application uses JSF/JPA technology and is deployed on WebLogic 12.1.2 and does the following:

  1. Authenticates a user through an IDP
  2. The IDP, after authenticating the user, sends back the Groups the user belongs to
  3. Using web.xml and weblogic.xml we map the Groups to Roles

Our Application Scoped roles are very granular and it helps us do the following:

  1. Hide UI pages or components on UI
  2. Use the RolesAllowed annotation on methods

Since the Group to Role mapping is in weblogic.xml, our application users can't change the Group to Role mapping, and this is the problem that I have to solve.

My goal is to do the following:

  1. Authenticate a user through our IDP
  2. The IDP will send us the Groups the user belongs to
  3. Define the roles in web.xml
  4. Define tables that our application will read to find Group to Role mapping
  5. Use the WebLogic API to do Group to Role Mapping
  6. Create a UI to allow our users to change the Group to Role mapping

The problem that I am running into is that I can't find how to do Group to Role Mapping dynamically using WebLogic, since I can't get access to a WebLogic API that will allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?

I have looked at creating a custom Role Mapper, but I am not sure how to get a handle to this custom Role Mapper in our deployed application.

kali
  • 49
  • 5
  • This thread http://stackoverflow.com/questions/9082208/programmatically-add-roles-after-authentication answers my question, but for GlassFish Application Server. I need the same for WebLogic – kali Feb 08 '16 at 19:17

2 Answers

0

As of Java EE 7, this is not possible, based on this thread: "dynamic roles on a Java EE server".

If someone does want this feature added to Java EE 8, then please vote for the following two open feature requests in Java EE 8:

https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22

Community
  • 1
  • 1
kali
  • 49
  • 5
0

Not really a concrete answer, but it can be done using a WebLogic-specific solution.

See examples in: https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html

You have to implement the getRoles method:

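import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;

// Custom role mapping provider: the server calls getRoles() to decide
// which roles the subject holds for the given resource.
public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
   public Map getRoles(Subject subject, Resource resource,
      ContextHandler handler)
   {
      ...
   }
}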

You can generate an MBean for it as well to establish automatic loading: https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617

java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker

The result can be added as a jar to the server classpath and the implementation is available on server startup.

Escay
  • 294
  • 1
  • 10
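
One way to back getRoles with the application's Group to Role tables, as an added example that is not code from either answer or from WebLogic: the hypothetical GroupRoleTable class below uses only JDK types and Java 7 syntax, so loading rows from the database and wrapping the returned names in the provider's role objects are left to the provider. The class name, the Group demo principal and the sample rows are constructed assumptions.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;

// Added example (hypothetical class): the lookup a custom getRoles() could delegate to.
public final class GroupRoleTable {
    private final Set<String> declaredRoles;             // role names declared in web.xml
    private final Class<? extends Principal> groupType;  // principal class that marks a group
    private volatile Map<String, Set<String>> table = Collections.emptyMap();

    public GroupRoleTable(Set<String> declaredRoles, Class<? extends Principal> groupType) {
        this.declaredRoles = new HashSet<String>(declaredRoles);
        this.groupType = groupType;
    }

    // Swap in rows read from the mapping tables; reject any row naming an undeclared role.
    public void replace(Map<String, Set<String>> rows) {
        Map<String, Set<String>> next = new HashMap<String, Set<String>>();
        for (Map.Entry<String, Set<String>> e : rows.entrySet()) {
            if (!declaredRoles.containsAll(e.getValue())) {
                throw new IllegalArgumentException("undeclared role for group " + e.getKey());
            }
            next.put(e.getKey(), new HashSet<String>(e.getValue()));
        }
        table = next;  // one volatile write: readers see the old or the new table, never a mix
    }

    // Union of roles over group principals only, so a user name equal to a group name
    // grants nothing; unmapped groups also grant nothing.
    public Set<String> rolesFor(Subject subject) {
        Set<String> roles = new TreeSet<String>();
        if (subject == null) return roles;
        Map<String, Set<String>> current = table;
        for (Principal p : subject.getPrincipals(groupType)) {
            Set<String> mapped = current.get(p.getName());
            if (mapped != null) roles.addAll(mapped);
        }
        return roles;
    }

    static final class Group implements Principal {   // constructed demo principal type
        private final String name;
        Group(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        GroupRoleTable t = new GroupRoleTable(Collections.singleton("approver"), Group.class);
        t.replace(Collections.singletonMap("finance", Collections.singleton("approver")));
        Subject s = new Subject();
        s.getPrincipals().addAll(Arrays.asList(new Group("finance"), new Group("unmapped")));
        System.out.println(t.rolesFor(s));
    }
}
```

Because the mapping becomes user-editable, replace() is the place to enforce that the admin UI can only hand out roles the deployment descriptor already declares.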