Securing Weblogic with SQLAuthenticator provider

In a previous article we saw how to secure a Web Service with basic authentication (this could be used for every page in our application). We did it creating users with Weblogic Default Authenticator.

Today we will create an SQLAuthenticator in Weblogic, then the server will take users and groups from the data base.

First of all we will create a Data Source, where will be our users data base, in Weblogic console. Go to base_domain > Services > JDBC Data Soources > New, and configure the following data:

  1. Name: school
  2. JNDI name: school
  3. DB name: xe
  4. Host: 192.168.0.7
  5. Port: 1521
  6. User/pass: school/school
  7. Select the servers where we will apply this DataSource: AdminServer.

Test the connection as we see in the picture:

Creating Data Source

Now we have to create in the data base the tables where we store users/groups and the relations. For this we have the following SQL script:

CREATE TABLE USERS (
    U_NAME VARCHAR(200) NOT NULL,
    U_PASSWORD VARCHAR(50) NOT NULL,
    U_DESCRIPTION VARCHAR(1000));
 
ALTER TABLE USERS
   ADD CONSTRAINT PK_USERS
   PRIMARY KEY (U_NAME);
 
CREATE TABLE GROUPS (
    G_NAME VARCHAR(200) NOT NULL,
    G_DESCRIPTION VARCHAR(1000) NULL);
 
ALTER TABLE GROUPS
   ADD CONSTRAINT PK_GROUPS
   PRIMARY KEY (G_NAME);
 
CREATE TABLE GROUPMEMBERS (
    G_NAME VARCHAR(200) NOT NULL,
    G_MEMBER VARCHAR(200) NOT NULL);
 
ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT PK_GROUPMEMS
   PRIMARY KEY (
      G_NAME,
      G_MEMBER
   );
 
ALTER TABLE GROUPMEMBERS
   ADD CONSTRAINT FK1_GROUPMEMBERS
   FOREIGN KEY ( G_NAME )
   REFERENCES GROUPS (G_NAME)
   ON DELETE CASCADE;

We can execute it in the Data Base Eclipse perspective, executing the contextual menu option “Execute All” in SQL Editor:

Execute Script in Eclipse

After in Weblogio console go to base_domain > Security Realms > myrealm > Providers > New. Where we will configure the SQL Autentication provider:

  1. Name and type: SQLAuthenticator

Then, in its properties, in Provider Specific tab, we will configure as follows:

  1. Data Source Name: school
  2. Group MemberShip Searching: limited to 10 to avoid the recursive situations like A owns B, and B owns A.
  3. Plain Text Passwords Enabled: we can test this configuration with no encripted passwords, but not recomend it in production.

Create SQLAuthenticator

WARN!!: we have to take care that the authentication sequence in the server requires the DefaultAuthenticator permission. In base_domain > Security Realms > myrealm > Providers > Providers > DefaultAuthenticator, change to:

  1. Control Flag: SUFFICIENT. Then will not be a must the Default authentication (if we mistake this step, we could loose the consola access).

Here we have to reboot (better stop/start in eclipse control) the server to the changes take effect. Now you can execute the example Web Service basic authentication, with a user created with SQL provider.

Leave a Reply

Your email address will not be published. Required fields are marked *