I had used container managed authentication with form based login-config element in web.xml and a jdbc data source for the users in tomcat, jboss and glassfish in the past but the configuration needed in weblogic is very complicated. I have managed to create an authentication provider that is linked to a data source by following this tutorial http://biemond.blogspot.gr/2008/12/using-database-tables-as-authentication.html but when my user is logged in HttpServletRequest.isUserInRole returns false for the roles that I have defined in my web.xml obviously because I have not mapped the groups to which the user is mapped to any roles. I have a very simple database with a table USERS that has the column "email" which is the username and the column "password" which is the password. Also the table USERS_GROUPS contains a mapping between users and groups. It have two columns "email" and "groupname". I have also created an authenticator provider "Summary of Security Realms >myrealm >Providers >WEB_DEMO_SQLAuthenticator". I have set all the queries that it requires and my config.xml in my domain has this form:
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>demoWebApp</name>
<domain-version>12.1.3.0.0</domain-version>
<security-configuration>
<name>demoWebApp</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType">
<sec:name>DefaultAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:name>DefaultIdentityAsserter</sec:name>
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:sql-authenticatorType">
<sec:name>WEB_DEMO_SQLAuthenticator</sec:name>
<sec:control-flag>SUFFICIENT</sec:control-flag>
<wls:data-source-name>WEB_DEMO</wls:data-source-name>
<wls:plaintext-passwords-enabled>true</wls:plaintext-passwords-enabled>
<wls:descriptions-supported>false</wls:descriptions-supported>
<wls:sql-get-users-password>SELECT PASSWORD FROM USERS WHERE EMAIL = ?</wls:sql-get-users-password>
<wls:sql-user-exists>SELECT EMAIL FROM USERS WHERE EMAIL = ?</wls:sql-user-exists>
<wls:sql-list-member-groups>SELECT EMAIL FROM USERS_GROUPS WHERE EMAIL = ?</wls:sql-list-member-groups>
<wls:sql-list-users>SELECT EMAIL FROM USERS WHERE EMAIL LIKE ?</wls:sql-list-users>
<wls:sql-list-groups>SELECT GROUPNAME FROM USERS_GROUPS WHERE GROUPNAME LIKE ?</wls:sql-list-groups>
<wls:sql-group-exists>SELECT GROUPNAME FROM USERS_GROUPS WHERE GROUPNAME = ?</wls:sql-group-exists>
<wls:sql-is-member>SELECT EMAIL FROM USERS_GROUPS WHERE GROUPNAME = ? AND EMAIL = ?</wls:sql-is-member>
<wls:password-style>PLAINTEXT</wls:password-style>
<wls:sql-remove-user>DELETE FROM USERS WHERE EMAIL = ?</wls:sql-remove-user>
<wls:sql-remove-group-memberships>DELETE FROM USERS_GROUPS WHERE EMAIL = ? OR GROUPNAME = ?</wls:sql-remove-group-memberships>
<wls:sql-set-user-password>UPDATE USERS SET PASWORD = ? WHERE EMAIL = ?</wls:sql-set-user-password>
<wls:sql-create-group>INSERT INTO USERS_GROUPS VALUES ( ? , ? )</wls:sql-create-group>
<wls:sql-add-member-to-group>INSERT INTO USERS_GROUPS VALUES( ?, ?)</wls:sql-add-member-to-group>
<wls:sql-remove-member-from-group>DELETE FROM USERS_GROUPS WHERE GROUPNAME = ? AND EMAIL = ?</wls:sql-remove-member-from-group>
<wls:sql-remove-group>DELETE FROM USERS_GROUPS WHERE GROUPNAME = ?</wls:sql-remove-group>
<wls:sql-remove-group-member>DELETE FROM USERS_GROUPS WHERE GROUPNAME = ?</wls:sql-remove-group-member>
<wls:sql-list-group-members>SELECT EMAIL FROM USERS_GROUPS WHERE GROUPNAME = ? AND EMAIL LIKE ?</wls:sql-list-group-members>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType">
<sec:name>XACMLRoleMapper</sec:name>
</sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType">
<sec:name>XACMLAuthorizer</sec:name>
</sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType">
<sec:name>DefaultAdjudicator</sec:name>
</sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType">
<sec:name>DefaultCredentialMapper</sec:name>
</sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType">
<sec:name>WebLogicCertPathProvider</sec:name>
</sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<credential-encrypted>{AES}HT7HPcfOUpYRXY6xa6XuJkpi9HxOSG83CxvdVS9swJI2kHYubpy204U5NvKB9qfP78k8NID6f3MU6YOE8dmCG3XypBM2hs3TFBDVNY+qA/SpNC6Sh89ly0eM0trBaylW</credential-encrypted>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{AES}O0ZR1sqaUUhJ2dJw6vGSuipZ7/65q3AFcGqf8uenlUs=</node-manager-password-encrypted>
</security-configuration>
<server>
<name>AdminServer</name>
<ssl>
<name>AdminServer</name>
<enabled>true</enabled>
</ssl>
<listen-address></listen-address>
<web-service>
<name>AdminServer</name>
<web-service-persistence>
<name>AdminServer</name>
<web-service-logical-store>
<name>WseeStore</name>
<persistence-strategy>LOCAL_ACCESS_ONLY</persistence-strategy>
<request-buffering-queue-jndi-name>weblogic.wsee.BufferedRequestQueue</request-buffering-queue-jndi-name>
<response-buffering-queue-jndi-name>weblogic.wsee.BufferedResponseQueue</response-buffering-queue-jndi-name>
</web-service-logical-store>
</web-service-persistence>
</web-service>
<coherence-cluster-system-resource>defaultCoherenceCluster</coherence-cluster-system-resource>
</server>
<production-mode-enabled>true</production-mode-enabled>
<embedded-ldap>
<name>demoWebApp</name>
<credential-encrypted>{AES}ZJssc/1PU9tdjuviahUTvExJtL9ksS4c+7zKUC1IEJfl13jH/gns/tIil0D2g+rN</credential-encrypted>
</embedded-ldap>
<configuration-version>12.1.3.0.0</configuration-version>
<app-deployment>
<name>state-management-provider-memory-rar-12.1.3</name>
<target>AdminServer</target>
<module-type>rar</module-type>
<source-path>C:/Oracle/Middleware/Oracle_Home/oracle_common/modules/com.oracle.state-management.state-management-provider-memory-rar-impl_12.1.3.rar</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode>nostage</staging-mode>
</app-deployment>
<app-deployment>
<name>_auto_generated_ear_</name>
<target>AdminServer</target>
<module-type>ear</module-type>
<source-path>C:\dev\eclipse_workspaces\WebAppDemo\.metadata\.plugins\org.eclipse.wst.server.core\tmp0\demoWebApp\_auto_generated_ear_</source-path>
<security-dd-model>DDOnly</security-dd-model>
<staging-mode xsi:nil="true"></staging-mode>
<plan-staging-mode xsi:nil="true"></plan-staging-mode>
<cache-in-app-directory>false</cache-in-app-directory>
</app-deployment>
<jms-server>
<name>WseeJaxwsJmsServer</name>
<target>AdminServer</target>
<persistent-store>WseeJaxwsFileStore</persistent-store>
</jms-server>
<jms-server>
<name>WseeJmsServer</name>
<target>AdminServer</target>
<persistent-store>WseeFileStore</persistent-store>
</jms-server>
<jms-server>
<name>WseeSoapjmsJmsServer</name>
<target>AdminServer</target>
<persistent-store>WseeSoapjmsFileStore</persistent-store>
</jms-server>
<self-tuning>
<work-manager>
<name>weblogic.wsee.jaxws.mdb.DispatchPolicy</name>
<target>AdminServer</target>
</work-manager>
<work-manager>
<name>weblogic.wsee.mdb.DispatchPolicy</name>
<target>AdminServer</target>
</work-manager>
</self-tuning>
<file-store>
<name>WseeJaxwsFileStore</name>
<directory>WseeJaxwsFileStore</directory>
<target>AdminServer</target>
</file-store>
<file-store>
<name>WseeFileStore</name>
<directory>WseeFileStore</directory>
<target>AdminServer</target>
</file-store>
<file-store>
<name>WseeSoapjmsFileStore</name>
<directory>WseeSoapjmsFileStore</directory>
<target>AdminServer</target>
</file-store>
<jms-system-resource>
<name>WseeJaxwsJmsModule</name>
<target>AdminServer</target>
<sub-deployment>
<name>WseeJaxwsJmsServerSub</name>
<target>WseeJaxwsJmsServer</target>
</sub-deployment>
<descriptor-file-name>jms/wseejaxwsjmsmodule-jms.xml</descriptor-file-name>
</jms-system-resource>
<jms-system-resource>
<name>WseeJmsModule</name>
<target>AdminServer</target>
<sub-deployment>
<name>BEA_JMS_MODULE_SUBDEPLOYMENT_WSEEJMSServer</name>
<target>WseeJmsServer</target>
</sub-deployment>
<descriptor-file-name>jms/wseejmsmodule-jms.xml</descriptor-file-name>
</jms-system-resource>
<jms-system-resource>
<name>WseeSoapjmsJmsModule</name>
<target>AdminServer</target>
<sub-deployment>
<name>WseeSoapjmsJmsServerSub</name>
<target>WseeSoapjmsJmsServer</target>
</sub-deployment>
<descriptor-file-name>jms/wseesoapjmsmodule-jms.xml</descriptor-file-name>
</jms-system-resource>
<admin-server-name>AdminServer</admin-server-name>
<jdbc-system-resource>
<name>WEB_DEMO</name>
<target>AdminServer</target>
<descriptor-file-name>jdbc/WEB_DEMO-1358-jdbc.xml</descriptor-file-name>
</jdbc-system-resource>
<saf-agent>
<name>ReliableWseeJaxwsSAFAgent</name>
<target>AdminServer</target>
<store>WseeJaxwsFileStore</store>
</saf-agent>
<saf-agent>
<name>ReliableWseeSAFAgent</name>
<target>AdminServer</target>
<store>WseeFileStore</store>
</saf-agent>
<coherence-cluster-system-resource>
<name>defaultCoherenceCluster</name>
<descriptor-file-name>coherence/defaultCoherenceCluster-coherence.xml</descriptor-file-name>
</coherence-cluster-system-resource>
</domain>I can see the users that I create in the weblogic console and their associated groups under Summary of Security Realms myrealm >Users and Groups, but I don't know basically how to associate groups with roles. Can anyone help me with that? Thanks! I would prefer that my role to group association would be defined either in the database or in the weblogic.xml ...
OK I've found the problems. First of all my sql-list-member-groups query was wrong
SELECT EMAIL FROM USERS_GROUPS WHERE EMAIL = ?
The right one is of course: SELECT GROUPNAME FROM USERS_GROUPS WHERE EMAIL = ?
Secondly the mapping between groups and roles is done via the weblogic.xml runtime descriptor using this element
In my case I assign the same name to the groups and roles. principal-name actually can also refer to a group! Which I didn't know, I thought it could only refer to user names.