
Failed to implement a custom UserNameMapper


Ya Ji

Aug 6, 2003, 7:15:57 AM
From: "Ya Ji" <cell...@21cn.com>
Subject: Failed to implement a custom UserNameMapper
Newsgroups: weblogic.developer.interest.security
NNTP-Posting-Host: 218.88.5.21
Message-ID: <3f30e36d$1...@newsgroups.bea.com>
Date: 6 Aug 2003 04:15:57 -0700
Organization: BEA NEWS SITE


Hi,

Environment:
WebLogic Server 8.1, two-way SSL configured successfully

I need to implement a custom UserNameMapper to validate whether the client certificate
is revoked.
The custom UserNameMapper should get the client certificate's serial number and
check whether it is in the CRL. If this serial number is in the CRL, then the class should
return BAD_CERTIFICATE to terminate the SSL connection.

I found a similar question posted on the newsgroup. Below is the URL of the post:

http://groups.google.com/groups?hl=en&|lang_en&ie=UTF-8&oe=UTF-8&threadm=3da5c7ad%40newsgroups.bea.com&rnum=2&prev=/groups%3Fhl%3Den%26lr%3Dlang_zh-CN%257Clang_zh-TW%257Clang_en%26ie%3DUTF-8%26oe%3DUTF-8%26q%3Dusernamemapper%26sa%3DN%26tab%3Dwg

In this post, Tom Hegadorn provided custom UserNameMapper code and configuration
instructions.
But I still failed to get my WLS running normally with the custom UserNameMapper.

Below are Tom Hegadorn's instructions. In parentheses is what I did.

- Enable two-way SSL for your server
(Yes, my WLS can establish a two-way SSL connection successfully)

- Install a client certificate in your browser
(Sure)

- Configure the following values in the admin console under
Security->Realms->myrealm->Providers->
AuthenticationProviders->DefaultIdentityAsserter
User Name Mapper Class Name = MyUserNameMapper
Trusted Client Principals = *
Active Types = AuthenticatedUser X.509 (add X.509)
(Yes, I configured these values, but I entered "weblogic.security.providers.authentication.MyUserNameMapper"
in the "User Name Mapper Class Name" field.

Below is a part of config.xml:

<Security Name="examples"
PasswordPolicy="wl_default_password_policy"
Realm="wl_default_realm" RealmSetup="true">
<weblogic.security.providers.authentication.DefaultAuthenticator
Name="Security:Name=myrealmDefaultAuthenticator" Realm="Security:Name=myrealm"/>

<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="X.509|AuthenticatedUser"
Name="Security:Name=myrealmDefaultIdentityAsserter"
Realm="Security:Name=myrealm" TrustedClientPrincipals="" UserNameMapperClassName="weblogic.security.providers.authentication.MyUserNameMapper"/>
<weblogic.security.providers.authorization.DefaultRoleMapper
Name="Security:Name=myrealmDefaultRoleMapper" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAuthorizer
Name="Security:Name=myrealmDefaultAuthorizer" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.authorization.DefaultAdjudicator
Name="Security:Name=myrealmDefaultAdjudicator" Realm="Security:Name=myrealm"/>
<weblogic.security.providers.credentials.DefaultCredentialMapper
Name="Security:Name=myrealmDefaultCredentialMapper" Realm="Security:Name=myrealm"/>
<weblogic.management.security.authentication.UserLockoutManager
Name="Security:Name=myrealmUserLockoutManager" Realm="Security:Name=myrealm"/>
<weblogic.management.security.Realm
Adjudicator="Security:Name=myrealmDefaultAdjudicator"
AuthenticationProviders="Security:Name=myrealmDefaultAuthenticator|Security:Name=myrealmDefaultIdentityAsserter"
Authorizers="Security:Name=myrealmDefaultAuthorizer"
CredentialMappers="Security:Name=myrealmDefaultCredentialMapper"
DefaultRealm="true" DisplayName="myrealm"
Name="Security:Name=myrealm"
RoleMappers="Security:Name=myrealmDefaultRoleMapper" UserLockoutManager="Security:Name=myrealmUserLockoutManager"/>
</Security>
)

- Set <login-config> <auth-method>CLIENT-CERT</auth-method>
</login-config> and set up a security constraint in
web.xml for a security role.
(No, I didn't do that. I use the WebLogic Examples Server and never configured a security
role.
Is it necessary to define a security role?)


- Map the security role from web.xml to a weblogic principal
in weblogic.xml
(No.)

- Include MyUserNameMapper class in server class path and
restart the server
(I created a directory "weblogic" and copied MyUserNameMapper.class to the subdirectory
"security/providers/authentication/". Then I used jar to add the class to weblogic.jar.
C:\>jar uvf weblogic.jar weblogic
adding: weblogic/(in= 0) (out= 0)(stored 0%)
adding: weblogic/security/(in= 0) (out= 0)(stored 0%)
adding: weblogic/security/providers/(in= 0) (out= 0)(stored 0%)
adding: weblogic/security/providers/authentication/(in= 0) (out= 0)(stored 0%)
adding: weblogic/security/providers/authentication/MyUserNameMapper.class(in= 1245) (out= 675)(deflated 45%)
Then I copied weblogic.jar to BEA_HOME/server/lib and restarted WLS.)

Below is the error message when I started WLS.

***************************************************************************
The WebLogic Server did not start up properly.
java.lang.NoClassDefFoundError: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
at java.lang.ClassLoader.defineClass0(Native Method)
at java.lang.ClassLoader.defineClass(ClassLoader.java:502)
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:123)
at java.net.URLClassLoader.defineClass(URLClassLoader.java:250)
at java.net.URLClassLoader.access$100(URLClassLoader.java:54)
at java.net.URLClassLoader$1.run(URLClassLoader.java:193)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:186)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:265)
at java.lang.ClassLoader.loadClass(ClassLoader.java:292)
at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:140)
at weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl.initialize(DefaultIdentityAsserterProviderImpl.java:115)
at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:1696)
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:158)
at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:260)
at weblogic.security.service.SecurityServiceManager.doATN(SecurityServiceManager.java:1481)
at weblogic.security.service.SecurityServiceManager.initializeRealm(SecurityServiceManager.java:1282)
at weblogic.security.service.SecurityServiceManager.loadRealm(SecurityServiceManager.java:1216)
at weblogic.security.service.SecurityServiceManager.initializeRealms(SecurityServiceManager.java:1338)
at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:1018)
at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:783)
at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:627)
at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:337)
at weblogic.Server.main(Server.java:32)
Reason: weblogic/security/providers/authentication/MyUserNameMapper (wrong name: MyUserNameMapper)
***************************************************************************

Why did it report "wrong name"? Did I do something wrong?
I need your help. Any hints will be appreciated.

Thank you again.
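The revocation check described in the post above, as an added example that is not code from this thread or from BEA: a UserNameMapper that declines to map any client certificate whose serial number is listed on the issuing CA's CRL. Everything beyond the UserNameMapper interface is this example's own assumption: the class name CrlCheckingUserNameMapper, the ca.crl.path and ca.cert.path system properties that locate the CRL and the CA certificate, the assumption that certs[0] is the client's end-entity certificate, and the choice to use the subject CN as the WebLogic user name. One caveat worth knowing before writing such a mapper: the identity asserter calls it after the SSL handshake has already completed, so returning null only causes the identity assertion (and therefore the request) to fail; it does not abort the SSL connection itself.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import weblogic.security.providers.authentication.UserNameMapper;

// Added example, not from the thread: declines to map any client certificate whose
// serial number is on the issuing CA's CRL, and fails closed if the CRL cannot be
// loaded or verified.
public class CrlCheckingUserNameMapper implements UserNameMapper {

    // Assumed locations (not from the thread): the CRL and the CA certificate that signed it.
    private static final String CRL_PATH = System.getProperty("ca.crl.path", "ca.crl");
    private static final String CA_PATH = System.getProperty("ca.cert.path", "ca.crt");

    private X509Certificate caCert;   // issuer whose CRL we trust
    private X509CRL crl;              // cached CRL, reloaded once its nextUpdate has passed

    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) {
            return null;                                // nothing to map
        }
        X509Certificate leaf = certs[0];                // assumed: end-entity certificate first
        try {
            if (isRevoked(leaf)) {
                log("refusing revoked certificate serial=0x" + leaf.getSerialNumber().toString(16)
                        + " subject=" + leaf.getSubjectX500Principal().getName());
                return null;
            }
        } catch (Exception e) {
            log("CRL check failed, refusing to map certificate: " + e);
            return null;                                // fail closed
        }
        // Map the subject CN to the WebLogic user name (an assumption of this example).
        return commonName(leaf.getSubjectX500Principal().getName());
    }

    public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
        return null;                                    // no certificate, so no revocation data: map nobody
    }

    private synchronized boolean isRevoked(X509Certificate leaf) throws Exception {
        Date now = new Date();
        if (crl == null || (crl.getNextUpdate() != null && now.after(crl.getNextUpdate()))) {
            reload(now);
        }
        // A CRL is authoritative only for certificates issued by the CRL's own issuer.
        if (!crl.getIssuerX500Principal().equals(leaf.getIssuerX500Principal())) {
            throw new GeneralSecurityException("certificate issuer is not the CRL issuer");
        }
        return crl.getRevokedCertificate(leaf.getSerialNumber()) != null;
    }

    private void reload(Date now) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new FileInputStream(CA_PATH);
        try { caCert = (X509Certificate) cf.generateCertificate(in); } finally { in.close(); }
        in = new FileInputStream(CRL_PATH);
        X509CRL fresh;
        try { fresh = (X509CRL) cf.generateCRL(in); } finally { in.close(); }
        fresh.verify(caCert.getPublicKey());            // reject a CRL our CA did not sign
        if (fresh.getThisUpdate().after(now)) {
            throw new GeneralSecurityException("CRL thisUpdate is in the future");
        }
        if (fresh.getNextUpdate() != null && fresh.getNextUpdate().before(now)) {
            throw new GeneralSecurityException("CRL is stale, nextUpdate was " + fresh.getNextUpdate());
        }
        crl = fresh;
    }

    // Value of the CN attribute in an RFC 2253 DN string (escaped commas respected), or null.
    static String commonName(String dn) {
        int start = 0;
        for (int i = 0; i <= dn.length(); i++) {
            boolean atEnd = i == dn.length();
            if (atEnd || (dn.charAt(i) == ',' && (i == 0 || dn.charAt(i - 1) != '\\'))) {
                String rdn = dn.substring(start, i).trim();
                if (rdn.regionMatches(true, 0, "CN=", 0, 3)) {
                    return rdn.substring(3);
                }
                start = i + 1;
            }
        }
        return null;
    }

    private static void log(String msg) {
        System.out.println("CrlCheckingUserNameMapper: " + msg);
    }
}
```

The design choice to note is the fail-closed behaviour: a missing, unreadable, unsigned, future-dated or expired CRL makes every certificate-based login fail rather than silently skipping the revocation check, and the CRL is only consulted for certificates whose issuer matches the CRL's issuer, so a CRL from one CA can never vouch for certificates from another.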

Peter

Aug 7, 2003, 8:18:58 AM

"Ya Ji" <cell...@21cn.com> wrote in message
news:3f30e36d$1...@newsgroups.bea.com...

> Hi,
>
> Environment:
> WebLogic Server 8.1, two-way SSL configured successfully
>
> I need to implement a custom UserNameMapper to validate whether the client certificate
> is revoked.
> The custom UserNameMapper should get the client certificate's serial number and
> check whether it is in the CRL. If this serial number is in the CRL, then the class should
> return BAD_CERTIFICATE to terminate the SSL connection.
>
> Why did it report "wrong name"? Did I do something wrong?
> I need your help. Any hints will be appreciated.
>

I would create a separate jar with your username mapper and then put that jar
in the classpath. You do not need to use the
weblogic/security/providers/authentication prefix.

I believe the wrong name error may be because the package name of
MyUserNameMapper does not match weblogic.security.providers.authentication.


BlackSnail

Aug 11, 2003, 2:41:51 AM
I feel so depressed because I can't make the custom UserNameMapper work after
trying and trying.

First, I modified config.xml. The value of UserNameMapperClassName was
modified from "weblogic.security.providers.authentication.MyUserNameMapper"
to "MyUserNameMapper".

<weblogic.security.providers.authentication.DefaultIdentityAsserter
ActiveTypes="AuthenticatedUser|X.509"
Name="Security:Name=myrealmDefaultIdentityAsserter"
Realm="Security:Name=myrealm" TrustedClientPrincipals="*"
UserNameMapperClassName="MyUserNameMapper"/>

Here is MyUserNameMapper.java, which I copied from Tom Hegadorn's post:
************************************************************
import weblogic.security.providers.authentication.UserNameMapper;

public class MyUserNameMapper implements UserNameMapper {

// Placeholder user name returned for every certificate; the real mapping
// (and the CRL check) is still to be written.
public String returnString = null;

public MyUserNameMapper()
{
log("MyUserNameMapper constructor entered ...");
returnString = "DO IT LATER";
}

// Called by the DefaultIdentityAsserter with the client's certificate chain.
public String mapCertificateToUserName(
java.security.cert.X509Certificate[] certs,
boolean ssl)
{

log("MyUserNameMapper: mapCertificateToUserName() method entered ...");

if (certs != null && certs.length > 0)
{
log("Certificate contents follow: ");
log("\t" + certs[0].toString());
}
return returnString;
}

// Called when only a distinguished name, not a certificate, is available.
public String mapDistinguishedNameToUserName(
byte[] distinguishedName)
{

return returnString;
}

private void log(String outString)
{
System.out.println(outString);
}
}
*********************************************************************

My environment CLASSPATH includes $WLSPATH/server/lib, so I put
MyUserNameMapper.class in $WLSPATH/server/lib. Then I restarted my machine
and started WLS, but it failed.
So I used "jar cvf MyUserNameMapper.jar MyUserNameMapper.class" to make a
jar file and put it in $WLSPATH/server/lib, inserted
$WLSPATH/server/lib/MyUserNameMapper.jar into CLASSPATH, restarted the
machine and started WLS again. But I got the same error as before:
===================================================================================
<2003-8-11 2:08:49 PM CST> <Info> <Logging> <000000> <FileLogger Opened at .\examplesServer\examplesServer.log>
<2003-8-11 2:08:52 PM CST> <Info> <Security> <BEA-090516> <The RoleMapper provider has preexisting LDAP data.>
<2003-8-11 2:08:52 PM CST> <Info> <Security> <BEA-090516> <The Authorizer provider has preexisting LDAP data.>
<2003-8-11 2:08:52 PM CST> <Info> <Security> <BEA-090516> <The Authenticator provider has preexisting LDAP data.>
<2003-8-11 2:08:53 PM CST> <Info> <Security> <BEA-090511> <The following exception has occurred:

java.lang.ClassNotFoundException: MyUserNameMapper
at javax.management.loading.MLet.findClass(MLet.java:800)
at java.lang.ClassLoader.loadClass(ClassLoader.java:299)
at java.lang.ClassLoader.loadClass(ClassLoader.java:255)
at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:315)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:140)
at weblogic.security.providers.authentication.DefaultIdentityAsserterProviderImpl.initialize(DefaultIdentityAsserterProviderImpl.java:115)
at weblogic.security.service.SecurityServiceManager.createSecurityProvider(SecurityServiceManager.java:1696)
at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:158)

......
==================================================================================

The error is almost driving me mad. I really, really need some help. Thanks in
advance.


"Peter" <PeterB> :3f32...@newsgroups.bea.com...

Peter

Aug 13, 2003, 9:17:22 PM

"BlackSnail" <cell...@21cn.com> wrote in message
news:3f37...@newsgroups.bea.com...

> I feel so depressed because I can't make the custom UserNameMapper work after
> trying and trying.

I would double check with a program like jwhich
(http://www.javaworld.com/javaworld/javatips/jw-javatip105.html) to make sure the
class is in the classpath.

It looks like everything is set up correctly, so I can't understand why you are
getting the error. As a last resort, you could try putting the class in
wlSecurityProviders.jar, but you should not have to do that if it is in the
classpath of the server.
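A check for the two class-loading failures Peter diagnoses in his replies above (a class whose declared package does not match the path it sits at inside the jar, which is what the "wrong name" NoClassDefFoundError means, and a class that no classpath entry supplies at all, which gives ClassNotFoundException), as an added example that is not code from this thread or from BEA. It is a jwhich-style lookup that additionally parses the constant pool of each candidate class file to read the binary name the class really declares. The class name ClassPathCheck and its command-line usage are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

// Added example, not from the thread: reports every classpath entry that supplies a
// class, and flags entries where the file at the expected path declares a different
// name (the "wrong name" case) instead of silently counting them as hits.
public class ClassPathCheck {

    // Binary name (e.g. "a/b/C") taken from the class file's this_class constant pool entry.
    public static String declaredName(byte[] classFile) throws IOException {
        DataInputStream in = new DataInputStream(new ByteArrayInputStream(classFile));
        if (in.readInt() != 0xCAFEBABE) {
            throw new IOException("not a class file");
        }
        in.readUnsignedShort();                        // minor_version
        in.readUnsignedShort();                        // major_version
        int count = in.readUnsignedShort();
        Object[] pool = new Object[count];             // Utf8 -> String, Class -> Integer(name_index)
        for (int i = 1; i < count; i++) {
            int tag = in.readUnsignedByte();
            switch (tag) {
                case 1:  pool[i] = in.readUTF(); break;                            // CONSTANT_Utf8
                case 7:  pool[i] = Integer.valueOf(in.readUnsignedShort()); break; // CONSTANT_Class
                case 8: case 16: case 19: case 20: in.readFully(new byte[2]); break;
                case 15: in.readFully(new byte[3]); break;                          // MethodHandle
                case 3: case 4: case 9: case 10: case 11: case 12: case 17: case 18:
                         in.readFully(new byte[4]); break;
                case 5: case 6: in.readFully(new byte[8]); i++; break;             // long/double use two slots
                default: throw new IOException("unknown constant pool tag " + tag);
            }
        }
        in.readUnsignedShort();                        // access_flags
        int thisClass = in.readUnsignedShort();        // this_class
        int nameIndex = ((Integer) pool[thisClass]).intValue();
        return (String) pool[nameIndex];
    }

    // Bytes of resource inside a directory or jar classpath entry, or null if absent.
    static byte[] read(File entry, String resource) throws IOException {
        if (entry.isDirectory()) {
            File f = new File(entry, resource);
            if (!f.isFile()) return null;
            InputStream in = new FileInputStream(f);
            try { return readAll(in); } finally { in.close(); }
        }
        if (!entry.isFile()) return null;              // classpath entry that does not exist
        JarFile jar = new JarFile(entry);
        try {
            JarEntry je = jar.getJarEntry(resource);
            if (je == null) return null;
            InputStream in = jar.getInputStream(je);
            try { return readAll(in); } finally { in.close(); }
        } finally {
            jar.close();
        }
    }

    static byte[] readAll(InputStream in) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) > 0) out.write(buf, 0, n);
        return out.toByteArray();
    }

    // Usage: java -cp <the server's classpath> ClassPathCheck some.pkg.ClassName
    public static void main(String[] args) throws IOException {
        String expected = args[0].replace('.', '/');
        String resource = expected + ".class";
        String[] entries = System.getProperty("java.class.path").split(File.pathSeparator);
        boolean found = false;
        for (String e : entries) {
            byte[] bytes = read(new File(e), resource);
            if (bytes == null) continue;
            String declared = declaredName(bytes);
            if (declared.equals(expected)) {
                System.out.println("found in " + e);  // the first hit is the one the loader uses
                found = true;
            } else {
                System.out.println("WRONG NAME in " + e + ": file at " + resource
                        + " declares " + declared.replace('/', '.'));
            }
        }
        if (!found) System.out.println("no classpath entry supplies " + args[0]);
        System.exit(found ? 0 : 1);
    }
}
```

Run it with exactly the classpath the server process gets (after the environment script has been sourced, and with the same -cp or CLASSPATH) and the name configured in UserNameMapperClassName. For the first error in this thread it would report WRONG NAME against weblogic.jar, because the file at weblogic/security/providers/authentication/MyUserNameMapper.class declares the default-package name MyUserNameMapper; for the second it would report that no entry supplies the class, which is the classpath problem the last post resolves.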


BlackSnail

Aug 21, 2003, 6:01:29 AM
Hi, Peter

I made a foolish mistake which made you and me waste so much time.

I didn't run setExamplesEnv.cmd before running startExamplesServer.cmd.

Now I execute setExamplesEnv.cmd first, and the server starts normally.

Thank you for your help.

