Agile superadmin authentication during WebLogic startup

In Agile PLM the superadmin account is the one used to start the WebLogic server, and it is authenticated against the Agile database. In versions before 9.3.2 the username and its plain-text password were defined directly in the startAgile script. In 9.3.2 and 9.3.3 the account information moved to a separate file specified by the -Dweblogic.system.BootIdentityFile parameter, and the username and password in that file are encrypted. Note that this encryption is keyed by the domain's SerializedSystemIni.dat, so anyone who can read both files can recover the clear-text credentials; the boot identity file and the domain's security directory must be readable only by the OS account that runs the server. Since this is a database authentication, WebLogic Security would by default use the SQLAuthenticator for user validation, but Agile ships its own security provider, AgileAuthenticator, a customized extension. Let's see how it works during WebLogic startup.


AgileAuthenticator

In config.xml the default authenticator is declared with the type agile-authenticatorType. Its xsi:type prefix is ext rather than wls, and the schema behind that prefix is weblogic/security/extension rather than weblogic/security.


It is an "unnamed" authentication provider (it has no sec:name element), so WebLogic looks up a provider named "AgileAuthenticator". The definition of AgileAuthenticator is in agileSecurityProviders.jar under WLS_HOME/server/lib/mbeantypes/. Extracting that jar reveals the provider's XML Schema Definition (element, namespace and type), and AgileAuthenticator.xml names the Java implementation class.


That definition shows the implementation is AgileAuthenticationProviderImpl.class. Looking in that class at which login class is wrapped in the AppConfigurationEntry handed to the Java Authentication and Authorization Service (JAAS), we find the concrete login module: WLSLoginModule.

  // Decompiled from AgileAuthenticationProviderImpl: the "database" handle is passed to the
  // login module through the JAAS options map, together with the provider's control flag.
  private AppConfigurationEntry getConfiguration(HashMap paramHashMap)
  {
    paramHashMap.put("database", this.database);
    return new AppConfigurationEntry("com.agile.admin.security.weblogic.WLSLoginModule", this.controlFlag, paramHashMap);
  }

JAAS then hands the authentication to WLSLoginModule.class. The module checks the superadmin account (after first decrypting the username and password, in 9.3.2 and 9.3.3) against the database.
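To make the JAAS hand-off concrete, here is an added example (my own code, not Agile's or WebLogic's): a hypothetical DemoLoginModule standing in for WLSLoginModule, a Configuration that returns one AppConfigurationEntry for it the way getConfiguration() above does, and a LoginContext that runs the boot-user check. The user store is a constructed in-memory map of salted PBKDF2 hashes standing in for the database; the class names, the "AgileBoot" context name and the sample credential are all assumptions.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class BootAuthDemo {

    /** Hypothetical stand-in for WLSLoginModule. "database" maps user -> {salt, PBKDF2 hash}. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Map<String, byte[][]> database;
        private String user;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
            subject = s;
            handler = h;
            database = (Map<String, byte[][]>) options.get("database"); // cf. paramHashMap.put("database", ...)
        }

        @Override public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            byte[][] rec = database.get(nc.getName());
            // Hash unknown users against a dummy salt so timing does not reveal which usernames exist.
            byte[] presented = hash(rec != null ? rec[0] : new byte[16], pc.getPassword());
            pc.clearPassword();
            if (rec == null || !MessageDigest.isEqual(presented, rec[1])) throw new LoginException("bad user or password");
            user = nc.getName();
            return true;
        }

        @Override public boolean commit() {
            if (user == null) return false;
            return subject.getPrincipals().add((Principal) () -> user); // Principal's only abstract method is getName()
        }
        @Override public boolean abort() { user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** PBKDF2-HMAC-SHA256: what a stored password check should use instead of a bare digest. */
    static byte[] hash(byte[] salt, char[] password) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    /** Same role as getConfiguration() in the decompiled provider: one REQUIRED entry naming the module. */
    static Configuration config(Map<String, byte[][]> db) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, Object> options = new HashMap<>();
                options.put("database", db);
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, options) };
            }
        };
    }

    /** Runs the JAAS login; true only if the module committed a principal. */
    static boolean authenticate(Map<String, byte[][]> db, String user, char[] password) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            LoginContext lc = new LoginContext("AgileBoot", new Subject(), h, config(db));
            lc.login();
            return !lc.getSubject().getPrincipals().isEmpty();
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        byte[] salt = new SecureRandom().generateSeed(16);
        Map<String, byte[][]> db = new HashMap<>();
        // Constructed sample row standing in for the superadmin record; not a real Agile credential.
        db.put("superadmin", new byte[][] { salt, hash(salt, "example-boot-password".toCharArray()) });
        System.out.println("correct password -> " + authenticate(db, "superadmin", "example-boot-password".toCharArray()));
        System.out.println("wrong password   -> " + authenticate(db, "superadmin", "wrong".toCharArray()));
        System.out.println("unknown user     -> " + authenticate(db, "nobody", "example-boot-password".toCharArray()));
    }
}
```

Run it with `java BootAuthDemo.java` on JDK 11 or later. The module fails closed: an unknown user and a wrong password take the same code path and both end in a LoginException, which LoginContext propagates because the entry's control flag is REQUIRED, so only the first call commits a principal.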


DB Connection

Many people are confused about why Agile defines the database connection parameters in two places: once in agile.properties, and once in the AgileContentPool connection pool defined in CP-AgileContentPool-jdbc.xml.

agile.properties definition

CP-AgileContentPool-jdbc.xml definition

This is a deliberate design, not redundancy. During superadmin authentication many WebLogic components are not yet initialized and the connection pool is not ready, so WLSLoginModule cannot get a connection from AgileContentPool. Instead it opens a direct JDBC connection to the remote database with the parameters from agile.properties. We call this a LocalConnection; because it bypasses the pool, the database credentials that agile.properties supplies for it deserve the same file-permission protection as the boot identity file. The driver is registered with the traditional explicit call:

  // Legacy explicit driver registration; JDBC 4 drivers also self-register through ServiceLoader.
  Class.forName("oracle.jdbc.driver.OracleDriver");
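An added example of the connection choice described above, written for this page rather than taken from Agile's code: try the pool first, and fall back to a direct JDBC connection built from agile.properties-style settings when the pool is absent or not yet initialized. The property key names, host, service name and credentials are constructed and hypothetical; agile.properties uses its own keys.

```java
import java.io.IOException;
import java.io.StringReader;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.sql.DataSource;

public class BootDbConnect {

    /** Pool first; if it is absent or not yet initialized, fall back to a direct ("local") JDBC connection. */
    static Connection open(DataSource pool, Properties agileProps) throws SQLException {
        if (pool != null) {
            try {
                return pool.getConnection();
            } catch (SQLException e) {
                System.err.println("pool unavailable during boot, using local connection: " + e.getMessage());
            }
        }
        return openLocal(agileProps);
    }

    /** Direct JDBC connection from agile.properties-style settings. Key names here are hypothetical. */
    static Connection openLocal(Properties p) throws SQLException {
        Properties info = new Properties();
        // Pass credentials as connection properties, never inside the URL string, so they
        // do not end up in logs or exception messages that print the URL.
        info.setProperty("user", required(p, "db.user"));
        info.setProperty("password", required(p, "db.password"));
        // JDBC 4 drivers register themselves through ServiceLoader; the explicit
        // Class.forName("oracle.jdbc.driver.OracleDriver") is only needed for old driver jars.
        return DriverManager.getConnection(jdbcUrl(p), info);
    }

    static String jdbcUrl(Properties p) {
        return "jdbc:oracle:thin:@//" + required(p, "db.host") + ":" + required(p, "db.port")
                + "/" + required(p, "db.service");
    }

    static String required(Properties p, String key) {
        String v = p.getProperty(key);
        if (v == null || v.isEmpty()) throw new IllegalStateException("agile.properties is missing " + key);
        return v;
    }

    public static void main(String[] args) throws IOException {
        // Constructed agile.properties fragment (hypothetical keys and values).
        Properties p = new Properties();
        p.load(new StringReader(
                "db.host=db.example.internal\n" +
                "db.port=1521\n" +
                "db.service=agile9\n" +
                "db.user=agile\n" +
                "db.password=example-only\n"));
        System.out.println("local URL: " + jdbcUrl(p));
        try (Connection c = open(null, p)) {   // null pool = the boot-time case
            System.out.println("connected: " + c.getMetaData().getURL());
        } catch (SQLException e) {
            System.out.println("no database reachable from here: " + e.getMessage());
        }
    }
}
```

Without an Oracle driver on the classpath the fallback ends in a "No suitable driver" SQLException; its message contains the URL but not the password, because the credentials were passed as connection properties rather than embedded in the URL.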


Comments:

Hi Jie Chen,

I am See Xiang from Singapore. I am having some trouble with a WebLogic deployer automation script: every time I issue a command for the WebLogic deployer, I set the -username and -password on the script, for example java weblogic.... -username $username -password $password ...... However, is it possible to grant a domain user (from the computer) as a superadmin for WebLogic access so that I don't need to key in the username and password, and every time I run this command it recognizes this domain user and grants access?

Posted by Taymindis on February 24, 2015 at 10:59 PM CST #

You can use the weblogic.system.BootIdentityFile parameter to specify a boot.properties file with the username and password in it.

Posted by Jie Chen on February 25, 2015 at 03:03 PM CST #
