Imagine that you have some external system — say, a Java client or perhaps even an external web server — that authenticates a user, and you now want this user to participate in actions involving WebLogic. Furthermore, you don’t want WebLogic to reauthenticate the user. Rather, you want to use some token generated by the external system to be used as an automatic WebLogic login. This is fairly typical of many single sign-on scenarios. The key to implementing this is to use an Identity Assertion Provider. Let’s look at how you can implement such a scenario.

We are going to take as an example an external Java client that has presumably performed some user authentication, and who now needs to transfer this identity to WebLogic in order to access a protected web application. First of all, let’s configure the web application to use identity assertion. Do this by setting the login-config to use a CLIENT-CERT authorization method. As this is standard J2EE, you will need to create a web.xml file with something such as the following in it:

<security-constraint>
  <!-- web resource collection omitted -->
  <auth-constraint>
    <description>nyse</description>
    <role-name>mysecrole</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myrealm</realm-name>
</login-config>
<security-role>
  <role-name>mysecrole</role-name>
</security-role>

Now let’s imagine we have a client (written in whatever language ...