Creating an Identity Assertion Provider
Imagine that you have some external system — say, a Java client or perhaps even an external web server — that authenticates a user, and you now want this user to participate in actions involving WebLogic. Furthermore, you don’t want WebLogic to reauthenticate the user. Rather, you want a token generated by the external system to serve as an automatic WebLogic login. This is typical of many single sign-on scenarios. The key to implementing it is an Identity Assertion Provider. Let’s look at how you can implement such a scenario.
We are going to take as an example an external Java client that has presumably performed some user authentication, and that now needs to transfer this identity to WebLogic in order to access a protected web application. First of all, let’s configure the web application to use identity assertion. Do this by setting the login-config in the deployment descriptor to the CLIENT-CERT auth-method. As this is standard J2EE, you will need to create a web.xml file with something such as the following in it:
    <security-constraint>
        <!-- web resource collection omitted -->
        <auth-constraint>
            <description>nyse</description>
            <role-name>mysecrole</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>myrealm</realm-name>
    </login-config>
    <security-role>
        <role-name>mysecrole</role-name>
    </security-role>
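The CLIENT-CERT setting above only tells the container to hand incoming tokens to an identity asserter; what the asserter does with them decides whether the scheme is safe. With CLIENT-CERT, WebLogic passes the value of any request header whose name matches one of the asserter's active token types into the provider's assertIdentity method. The following is an added example (not the book's code and not part of WebLogic itself) of an IdentityAsserterV2 that verifies an HMAC-signed token before asserting the user name, so that a header carrying a bare user name cannot be used to impersonate anyone. The token type "MyToken", the token layout "user:hex(HMAC-SHA256)", the shared secret and the helper names are all assumptions made for this illustration; the weblogic.security.spi and weblogic.security.service types are the real SPI and need weblogic.jar on the classpath.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.IdentityAsserterV2;

// Added example, not from the book: an identity asserter that validates an
// HMAC-signed token. Token type name, token layout and secret are assumptions.
public class MyTokenIdentityAsserter implements IdentityAsserterV2 {

    /** Token type; with CLIENT-CERT this is also the HTTP header the client sends. (Assumed name.) */
    public static final String TOKEN_TYPE = "MyToken";
    private static final String HMAC_ALG = "HmacSHA256";

    private final byte[] secret; // shared with the external system that mints tokens

    public MyTokenIdentityAsserter(byte[] secret) {
        this.secret = secret.clone();
    }

    /** Called by WebLogic with the header value when a protected resource is requested. */
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler context)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type)) {
            throw new IdentityAssertionException("unsupported token type: " + type);
        }
        if (!(token instanceof String)) {
            throw new IdentityAssertionException("token must be a String header value");
        }
        final String user = verifiedUser((String) token);
        // WebLogic hands this handler a NameCallback to learn the asserted user name.
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else {
                        throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                    }
                }
            }
        };
    }

    /** Constructed token layout: "<user>:<hex HMAC-SHA256 over user>". Returns the user only if the MAC checks out. */
    String verifiedUser(String token) throws IdentityAssertionException {
        int sep = token.lastIndexOf(':');
        if (sep <= 0 || sep == token.length() - 1) {
            throw new IdentityAssertionException("malformed token");
        }
        String user = token.substring(0, sep);
        byte[] given;
        try {
            given = hexToBytes(token.substring(sep + 1));
        } catch (IllegalArgumentException e) {
            throw new IdentityAssertionException("malformed token signature");
        }
        // Constant-time comparison so response timing does not reveal how many bytes matched.
        if (!MessageDigest.isEqual(hmac(user), given)) {
            throw new IdentityAssertionException("token signature invalid");
        }
        return user;
    }

    /** What the external system would call, after its own authentication, to mint a token. */
    public static String mint(byte[] secret, String user) {
        return user + ":" + bytesToHex(new MyTokenIdentityAsserter(secret).hmac(user));
    }

    private byte[] hmac(String user) {
        try {
            Mac mac = Mac.getInstance(HMAC_ALG);
            mac.init(new SecretKeySpec(secret, HMAC_ALG));
            return mac.doFinal(user.getBytes(StandardCharsets.UTF_8));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(HMAC_ALG + " unavailable", e);
        }
    }

    private static String bytesToHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    private static byte[] hexToBytes(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd length");
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16), lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) throw new IllegalArgumentException("non-hex character");
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    // Stand-alone check of the token logic (needs weblogic.jar on the classpath for the SPI types).
    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed value
        MyTokenIdentityAsserter asserter = new MyTokenIdentityAsserter(secret);
        String good = mint(secret, "alice");
        System.out.println("accepted: " + asserter.verifiedUser(good));
        try {
            // Same signature, different user name: must be rejected.
            asserter.verifiedUser("bob:" + good.substring(good.indexOf(':') + 1));
        } catch (IdentityAssertionException e) {
            System.out.println("rejected tampered token: " + e.getMessage());
        }
    }
}
```

Two things decide whether such a provider is trustworthy: the secret must be known only to the external system and WebLogic (a token that is just the user name, or anything a browser can forge, turns CLIENT-CERT into "anyone can be anyone"), and the header should only be accepted over a channel where intermediaries cannot inject it. Packaging the class as a security provider, declaring its MBean and setting the active token types are separate configuration steps not shown here.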
Now let’s imagine we have a client (written in whatever language ...