Weblogic 7 User Manager Adapter
Author: Jordan Reed (jreed at sapient.com)

This module provides adapter classes to allow one to tie Weblogic 7 into
the Carbon User Manager service. This allows one to protect Weblogic resources
such as Servlets, JSPs, EJBs, Data sources, etc., using a standardized User Management
service that can also be used by the application for managing users.

This module is needed by anyone using a Weblogic 7 release with a user
store that Weblogic does not natively support. It allows one to tie
Weblogic directly into the security service and make full use of
the J2EE security model.

- Weblogic 7
- Any dependencies used by the User Manager implementation.

- Install Carbon to the main Application Server Classpath
- Install/Configure the Carbon Security Realm MBean for Weblogic
- Set up the Weblogic Deployment Descriptors for the J2EE application

This document describes the process of setting up Carbon using the Weblogic
console. At the end of this documentation is the snippet from the
config.xml created by Weblogic after these steps are completed.

The classes used here, and all dependencies, must be installed into
Weblogic's root classpath. This means one must edit the
startWeblogic file for the environment to properly
set up the classpath and any other Carbon deployment properties.
This allows Carbon, including the User Manager service
this adapter depends on, to run within the main application server
sandbox and gives proper access to all the needed classes and
memory locations.

The consequence is that only one instance of Carbon can run in
the application server. This instance will be initialized
when the application server starts. All applications installed
within the application server context will use the main
application server's instance of Carbon. Any deployment properties
set using CarbonDeploymentConfig.properties inside
an application-specific classpath (the EAR, WAR or JAR)
will not be used.

Using the Weblogic Security Adapter along with Weblogic's MBeanServer
requires some special Carbon configuration. Because the JMX assistant
will attempt to make a JNDI connection to Weblogic, Weblogic will
attempt to validate this connection with the security service. This
can easily cause cycles in startup that will break the Carbon startup
process.

Example
- Startup service begins.
- Startup Component has JMX Assistant
- JMX Assistant attempts JNDI connection to Weblogic
- Weblogic calls the authentication providers (including Carbon Security)
- Carbon security attempts to bootstrap, but is missing components it
  depends on (DeploymentService, ConfigurationTypeService, etc).
- Carbon fails to load

The solution is to have a second, separate ComponentTemplate, that does
not contain the JMX assistant. All components the Security Service is
dependent on must use the non-JMX ComponentTemplate. This will include the
DeploymentService, ConfigurationTypeService and any components in the
UserManagerService (such as the ConnectionFactory and StatementFactory for
the RDBMS implementation).
This does not remove the ability to JMX administer the security service.
Simply add a UserManagerJmxAdapter which uses the default component
template with JMX. Make sure this service initializes AFTER
the User Manager service has started.
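
One way to check this rule before startup, as an added example (not Carbon's own code): it walks everything the security service depends on and reports components still assigned to a JMX-enabled template. The component names are the ones mentioned above; the dependency edges, the template assignments and the class name JmxTemplateAudit are constructed for illustration.

```java
import java.util.*;

// Added example (hypothetical class, not part of Carbon).
public class JmxTemplateAudit {

    /** Every component reachable from root, root included. */
    static Set<String> closure(String root, Map<String, List<String>> deps) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> todo = new ArrayDeque<>();
        todo.push(root);
        while (!todo.isEmpty()) {
            String c = todo.pop();
            if (seen.add(c)) {
                for (String d : deps.getOrDefault(c, Collections.<String>emptyList())) {
                    todo.push(d);
                }
            }
        }
        return seen;
    }

    /** Components the security service needs that are still on a JMX template. */
    static List<String> violations(String root, Map<String, List<String>> deps,
                                   Set<String> jmxTemplated) {
        List<String> bad = new ArrayList<>();
        for (String c : closure(root, deps)) {
            if (jmxTemplated.contains(c)) bad.add(c);
        }
        return bad;
    }

    public static void main(String[] args) {
        // Constructed wiring: names come from the page, the edges are assumed.
        Map<String, List<String>> deps = new HashMap<>();
        deps.put("UserManagerService", Arrays.asList(
                "ConnectionFactory", "StatementFactory", "ConfigurationTypeService"));
        deps.put("StatementFactory", Arrays.asList("ConnectionFactory"));
        deps.put("ConfigurationTypeService", Arrays.asList("DeploymentService"));
        deps.put("UserManagerJmxAdapter", Arrays.asList("UserManagerService"));

        // Constructed template assignment: StatementFactory was left on the JMX template.
        Set<String> jmxTemplated = new HashSet<>(
                Arrays.asList("StatementFactory", "UserManagerJmxAdapter"));

        // UserManagerJmxAdapter is not reported: the security service does not depend on it.
        System.out.println("Must move to the non-JMX template: "
                + violations("UserManagerService", deps, jmxTemplated));
    }
}
```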

Setting up the Carbon User Manager requires defining a new custom
security realm that is referenced by the J2EE application. Weblogic
provides complete instructions on the generic process
in its online help at:
Configuring a WebLogic Authentication Provider

After starting the application server the custom realm must be
configured. This tells Weblogic which classes are used to
work with the realm. The following steps are done in the
Weblogic console, usually accessible at
http://localhost:7001/console
- Before starting Weblogic, copy the "carbon-security-weblogic7.jar" file to the
  Weblogic MBean directory (e.g. d:\bea\weblogic700\server\lib\mbeantypes).
- In the left pane, go to [domain name]->Security->Realms->[realm name]->Providers->Authentication Providers
- Click "Configure a new Weblogic Carbon Authenticator..."
- Give the Authenticator a name. This example uses WeblogicCarbonAuthenticator
- Click the "Create" button
- Update the control flag if needed. It is suggested to switch the control to
  "SUFFICIENT". This will allow the Weblogic file system to continue to
  authenticate the "system" account without passing the Carbon authentication.
- Switch to the "DefaultAuthenticator" and update the Control Flag appropriately.
  It is suggested to switch the control to "SUFFICIENT". This will allow the Weblogic
  file system to continue to authenticate the "system" account, but will also
  allow the new Carbon Authenticator to work independently.
- Reboot Weblogic
- Update the location of the UserManager service using a JMX tool. To use Weblogic's
  Admin tool, enter:
  java weblogic.Admin -username system -password administrator SET -mbean Security:Name=myrealmWeblogicCarbonAuthenticator -property UserManagerLocation /new/location
  IMPORTANT: Weblogic's Admin tool has a bug which often keeps it from
  updating user-created MBeans. If an error is given, a third-party tool
  like MC4J will be needed to update
  the value.
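
Why the control flag on both providers matters, as an added example (not from the original page or the Carbon project): it models the JAAS control-flag rules over the two authenticators, with a set lookup standing in for the real credential check. The users alice and mallory, the REQUIRED starting flag for DefaultAuthenticator and the class name ControlFlagDemo are assumptions.

```java
import java.util.*;

// Added example (hypothetical class): JAAS control-flag evaluation over two providers.
public class ControlFlagDemo {
    enum Flag { REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL }

    static final class Provider {
        final Flag flag;
        final Set<String> users; // stands in for a real credential check
        Provider(Flag flag, String... users) {
            this.flag = flag;
            this.users = new HashSet<>(Arrays.asList(users));
        }
    }

    /** Walks the providers in order and applies the JAAS rules for each flag. */
    static boolean authenticate(String user, List<Provider> stack) {
        boolean anyRequired = false, requiredFailed = false, anySuccess = false;
        for (Provider p : stack) {
            boolean ok = p.users.contains(user);
            anySuccess |= ok;
            switch (p.flag) {
                case REQUIRED:   anyRequired = true; requiredFailed |= !ok; break;
                case REQUISITE:  anyRequired = true; if (!ok) return false; break;
                case SUFFICIENT: if (ok && !requiredFailed) return true; break;
                case OPTIONAL:   break;
            }
        }
        // With no REQUIRED/REQUISITE provider, at least one provider must have succeeded.
        return anyRequired ? !requiredFailed : anySuccess;
    }

    static List<Provider> stack(Flag defaultFlag, Flag carbonFlag) {
        return Arrays.asList(
                new Provider(defaultFlag, "system"),  // DefaultAuthenticator (file store)
                new Provider(carbonFlag, "alice"));   // WeblogicCarbonAuthenticator (constructed user)
    }

    public static void main(String[] args) {
        List<Provider> mixed = stack(Flag.REQUIRED, Flag.SUFFICIENT);
        List<Provider> both = stack(Flag.SUFFICIENT, Flag.SUFFICIENT);
        for (String user : new String[] {"system", "alice", "mallory"}) {
            System.out.println(user + ": REQUIRED+SUFFICIENT=" + authenticate(user, mixed)
                    + " SUFFICIENT+SUFFICIENT=" + authenticate(user, both));
        }
    }
}
```

With DefaultAuthenticator left at REQUIRED, a user known only to the Carbon store is rejected even though the Carbon provider accepts it; with both at SUFFICIENT either store can authenticate on its own, and a user unknown to both is still rejected.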