Friday Apr 06, 2012

Finding the groups of a user in WLS with OPSS

How do we find the group memberships of a user from a web application running in WebLogic Server? This is useful, for example, when building up a profile of the user for authorization decisions.

WLS as a container offers an identity store service which applications can use to query and manage the identities known to the container. This article shows how to recover the groups of the current (authenticated) user, but how can we find the same information for an arbitrary user?

It is Oracle Platform Security Services (OPSS) that looks after the identity store in WLS, so it is in the OPSS APIs that we find the way to recover this information.

This is explained in the following documents. Starting from the FMW 11.1.1.5 book list, the Security Overview document shows how WLS uses OPSS:


Proceeding to the more detailed Application Security document, we find a list of useful references for security in FMW, and from there we can follow on into the User/Role API javadoc. The Application Security document explains how to ensure that the identity store is configured so that the OPSS APIs work. We must verify that the jps-config.xml file of the domain where the application is deployed has its identity store configured: look for the following elements in that file (the serviceProvider and serviceInstance are declared at the top level, and the serviceInstanceRef sits inside the jpsContext used by the application):

    <serviceProvider type="IDENTITY_STORE" name="idstore.ldap.provider"
                     class="oracle.security.jps.internal.idstore.ldap.LdapIdentityStoreProvider">
        <description>LDAP-based IdentityStore Provider</description>
    </serviceProvider>

    <serviceInstance name="idstore.ldap" provider="idstore.ldap.provider">
        <property name="idstore.config.provider" value="oracle.security.jps.wls.internal.idstore.WlsLdapIdStoreConfigProvider"/>
        <property name="CONNECTION_POOL_CLASS" value="oracle.security.idm.providers.stdldap.JNDIPool"/>
    </serviceInstance>

    <serviceInstanceRef ref="idstore.ldap"/>

The document contains a code sample for using the identity store here.

Once we have the identity store reference we can recover the user's group memberships using the RoleManager interface. The second argument to getGrantedRoles() is the "direct" flag: passing false returns roles granted indirectly through nested groups as well as those granted directly. Each result is wrapped in a WLSGroupImpl principal, since OES does not recognize the generic principal returned by the identity store. The snippet below is the method body with its imports and the surrounding try block restored; the identity store lookup at the top follows the Application Security document's sample:

    import java.security.Principal;
    import javax.security.auth.Subject;
    import oracle.security.idm.Identity;
    import oracle.security.idm.IdentityStore;
    import oracle.security.idm.RoleManager;
    import oracle.security.idm.SearchResponse;
    import oracle.security.idm.User;
    import oracle.security.jps.JpsContextFactory;
    import oracle.security.jps.service.idstore.IdentityStoreService;
    import weblogic.security.principal.WLSGroupImpl;

    // Builds a Subject carrying the WLS group principals granted to the named user.
    public Subject getSubjectWithRoles(String userName) {
        Subject retSubject = new Subject();
        try {
            // Identity store of the application's jps-config.xml context
            IdentityStoreService idStoreService = JpsContextFactory.getContextFactory()
                    .getContext().getServiceInstance(IdentityStoreService.class);
            IdentityStore idStore = idStoreService.getIdmStore();
            User user = idStore.searchUser(userName);
            Principal userPrincipal = user.getPrincipal();

            RoleManager roleManager = idStore.getRoleManager();
            SearchResponse grantedRoles = null;
            try {
                System.out.println("Retrieving granted WLS roles for user " + userPrincipal.getName());
                // direct=false: include roles inherited through nested groups
                grantedRoles = roleManager.getGrantedRoles(userPrincipal, false);
                while (grantedRoles.hasNext()) {
                    Identity id = grantedRoles.next();
                    System.out.println("  disp name=" + id.getDisplayName() +
                               " Name=" + id.getName() +
                               " Principal=" + id.getPrincipal() +
                               " Unique Name=" + id.getUniqueName());
                    // Here, we must use WLSGroupImpl() to build the Principal otherwise
                    // OES does not recognize it.
                    retSubject.getPrincipals().add(new WLSGroupImpl(id.getPrincipal().getName()));
                }
            } catch (Exception ex) {
                System.out.println("Error getting roles for user " + ex.getMessage());
                ex.printStackTrace();
            }
        } catch (Exception ex) {
            System.out.println("OESGateway: Got exception instantiating idstore reference");
        }
        return retSubject;
    }

This small JDeveloper project has a simple servlet that, on a GET of the default URL, looks up the roles of the user weblogic. The full code to recover a user's groups is in the getSubjectWithRoles() method in the project.
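The following servlet is an added example, not the project's own code, showing the same User/Role API used to answer two questions about an arbitrary user: which groups are granted to them (directly and through nested groups) and whether they belong to one named group. The class names are those of the OPSS User/Role API referenced above; the servlet name, the URL parameter, the "GroupAdmin" role that gates the lookup and the "Administrators" group it tests are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import oracle.security.idm.IMException;
import oracle.security.idm.Identity;
import oracle.security.idm.IdentityStore;
import oracle.security.idm.ObjectNotFoundException;
import oracle.security.idm.Role;
import oracle.security.idm.RoleManager;
import oracle.security.idm.SearchResponse;
import oracle.security.idm.User;
import oracle.security.jps.JpsContextFactory;
import oracle.security.jps.JpsException;
import oracle.security.jps.service.idstore.IdentityStoreService;

// Hypothetical servlet: GET /groups?user=<name> lists the named user's group memberships.
public class GroupLookupServlet extends HttpServlet {

    // Assumed J2EE role that is allowed to inspect other users' memberships.
    private static final String LOOKUP_ROLE = "GroupAdmin";

    // Identity store configured in the application's jps-config.xml context.
    static IdentityStore lookupIdentityStore() throws JpsException, IMException {
        IdentityStoreService svc = JpsContextFactory.getContextFactory()
                .getContext().getServiceInstance(IdentityStoreService.class);
        return svc.getIdmStore();
    }

    // Names of the roles granted to userName. direct=true returns only roles granted
    // directly; direct=false also returns roles inherited through nested groups.
    static List<String> grantedRoleNames(IdentityStore idStore, String userName, boolean direct)
            throws IMException {
        User user = idStore.searchUser(userName);   // ObjectNotFoundException if no such user
        RoleManager rm = idStore.getRoleManager();
        SearchResponse resp = rm.getGrantedRoles(user.getPrincipal(), direct);
        List<String> names = new ArrayList<String>();
        while (resp.hasNext()) {
            Identity id = resp.next();
            names.add(id.getPrincipal().getName());
        }
        return names;
    }

    // Membership test for a single group, evaluated by the identity store provider.
    static boolean isMemberOf(IdentityStore idStore, String userName, String groupName)
            throws IMException {
        User user = idStore.searchUser(userName);
        Role role = idStore.searchRole(IdentityStore.SEARCH_BY_NAME, groupName);
        return idStore.getRoleManager().isGranted(role, user.getPrincipal());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Membership data of arbitrary users is sensitive: refuse anonymous or unprivileged callers.
        if (req.getUserPrincipal() == null || !req.isUserInRole(LOOKUP_ROLE)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String target = req.getParameter("user");
        if (target == null || target.trim().isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "missing user parameter");
            return;
        }
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        try {
            IdentityStore idStore = lookupIdentityStore();
            out.println("direct groups of " + target + ": " + grantedRoleNames(idStore, target, true));
            out.println("effective groups of " + target + ": " + grantedRoleNames(idStore, target, false));
            out.println("member of Administrators: " + isMemberOf(idStore, target, "Administrators"));
        } catch (ObjectNotFoundException e) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND, "no such user or group");
        } catch (Exception e) {
            log("identity store lookup failed", e);   // keep provider details out of the response
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }
}
```

Two points worth noting when reusing this. First, the difference between the two getGrantedRoles() calls is exactly the "direct" flag from the snippet above: a profile built for authorization decisions normally wants the effective set (direct=false), because a user inherits the privileges of nested groups. Second, a servlet that enumerates any user's memberships is an information disclosure risk in its own right; in the JDeveloper project it is a test harness for the weblogic user, but anything deployed should sit behind a security-constraint in web.xml and check the caller's role as the example does.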

About

user12587121
