Weblogic 12 - Changing Scoped Role to Group mapping in the deployed application - weblogic12c

Our current application uses JSF/JPA technology and is deployed on Weblogic 12.1.2 and does the following:
Authenticates a user through an IDP
The IDP, after authenticating the user, sends back the Groups the user belongs to
Using Web.xml and WebLogic.xml we map the Groups to Roles
Our Application Scoped roles are very granular and it helps us do the following:
Hide UI pages or components on UI
Use RolesAllowed annotation on methods
Since Group to Role mapping is in Weblogic.xml, our application users can't change the groups to roles mapping and this is the problem that I have to solve.
My goal is to do the following:
Authenticate a user through our IDP
The IDP will send us the Groups the user belongs to
Define the roles in web.xml
Define tables that our application will read to find Group to Role mapping
Use Weblogic API to do Group to Role Mapping
Create a UI to allow our users to change the Group to Role mapping
The problem that I am running into is that I can't find how to do Group to Role Mapping dynamically using WebLogic, since I can't get access to a WebLogic API that will allow me to change the Group to Role mapping in my deployed application. Has anyone done this before?
I have looked at creating a custom Role mapper, but I am not sure how to get the handle to this custom Role Mapper in our deployed application.

As of Java EE 7, this is not possible based on this thread
dynamic roles on a Java EE server
If someone does want this feature added to Java EE 8 then please vote for the following two open feature requests in Java EE 8
https://java.net/jira/browse/JAVAEE_SECURITY_SPEC-8
https://java.net/jira/browse/JASPIC_SPEC-22

Not really a concrete answer, but it can be done using a WebLogic-specific solution.
See examples in:
https://docs.oracle.com/cd/E13212_01/wles/docs42/dvspisec/examples.html
You have to implement the getRoles method (the imports for Map, Subject, Resource and ContextHandler are needed as well):
import java.util.Map;
import javax.security.auth.Subject;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;

public final class MyRoleMapperProviderImpl implements RoleProvider, RoleMapper
{
    // Called by the WebLogic security framework for each access decision;
    // returns the roles (keyed by role name) the Subject holds for this resource.
    // RoleProvider additionally requires initialize, getDescription, shutdown
    // and getRoleMapper to be implemented.
    public Map getRoles(Subject subject, Resource resource,
                        ContextHandler handler)
    {
        ...
    }
}
You can generate a MBean for it as well to establish automatic loading:
https://docs.oracle.com/middleware/1213/wls/DEVSP/generate_mbeantype.htm#DEVSP617
java -DMDF=xmlfile -Dfiles=filesdir -DcreateStubs=true weblogic.management.commo.WebLogicMBeanMaker
The result can be added as a jar to the server classpath and the implementation is available on server startup.
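As an added example (not the answerer's code, and not a WebLogic sample), the following provider fills in the getRoles method along the lines of the question's goal: it derives roles from the WLSGroup principals the IDP placed in the Subject, using a group-to-role table the application owns. The class name TableRoleMapperProviderImpl, the group names and the role names are assumptions; in a real deployment the map would be loaded from the application's mapping tables instead of being constructed in initialize.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import weblogic.management.security.ProviderMBean;
import weblogic.security.service.ContextHandler;
import weblogic.security.spi.Resource;
import weblogic.security.spi.RoleMapper;
import weblogic.security.spi.RoleProvider;
import weblogic.security.spi.SecurityRole;
import weblogic.security.spi.SecurityServices;
import weblogic.security.spi.WLSGroup;

// Hypothetical provider: derives roles from the Subject's group principals
// through a group-to-role table owned by the application.
public final class TableRoleMapperProviderImpl implements RoleProvider, RoleMapper {
    // In a real deployment this map is (re)loaded from the application's
    // mapping tables; the two entries below are constructed sample data.
    private final Map<String, Set<String>> groupToRoles = new HashMap<String, Set<String>>();

    public void initialize(ProviderMBean mbean, SecurityServices services) {
        groupToRoles.put("idp-finance", new HashSet<String>(Arrays.asList("ReportViewer", "InvoiceEditor")));
        groupToRoles.put("idp-auditors", new HashSet<String>(Arrays.asList("ReportViewer")));
    }

    public String getDescription() { return "Table-driven group-to-role mapper (example)"; }
    public void shutdown() { groupToRoles.clear(); }
    public RoleMapper getRoleMapper() { return this; }

    // Roles come only from groups the IDP asserted for this Subject; a Subject
    // whose groups have no mapping gets an empty map, i.e. no roles at all.
    public Map getRoles(Subject subject, Resource resource, ContextHandler handler) {
        Map<String, SecurityRole> roles = new HashMap<String, SecurityRole>();
        for (WLSGroup group : subject.getPrincipals(WLSGroup.class)) {
            Set<String> mapped = groupToRoles.get(group.getName());
            if (mapped == null) continue; // unmapped group grants nothing
            for (String roleName : mapped) {
                roles.put(roleName, new MappedRole(roleName));
            }
        }
        return roles;
    }

    // Minimal SecurityRole carrier for the names returned by getRoles.
    private static final class MappedRole implements SecurityRole {
        private final String name;
        MappedRole(String name) { this.name = name; }
        public String getName() { return name; }
        public String getDescription() { return "mapped from IDP group"; }
    }
}
```

Because the mapping lives in the provider rather than in weblogic.xml, a UI that edits the table only has to trigger a reload of groupToRoles; the roles declared in web.xml stay unchanged.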

Related

Using Kafka with Payara/Glassfish

Has anybody connected Kafka and ACL to a Payara/Glassfish server that uses declared security annotations like #DeclaredRoles #RolesAllowed?
I’m interested in the translation/connection from the ACL’s roles to the roles defined in the security realm used in the Payara server.
/Jan
I want the #RolesAllowed to work with the credentials of the calling user

Keycloak users security

I am using Keycloak 18.0 for Angular 13 + Spring Boot App. The solution utilizes Microservices architecture pattern for this app so basically Keycloak already guards access to other solution resources. I am using only Keycloak REST API.
The problem is Keycloak security itself:
I want to restrict Keycloak client token only to user creation.
Any user has to be able:
1. Fully access and manage ONLY his own profile.
2. Have restricted access to profiles of other users.
3. Any other operation of viewing other users, adjusting roles etc. should be enabled only if the authenticated user has some kind of permission to do it.
For example:
Anybody can create user (signup).
After user is verified, some role is assigned to that user.
The user logs in and acquires a token that has permissions to fully manage only his own resources, including the user itself, and has restricted access to other users and user resources.
I am not sure I want to integrate Keycloak as the resource security manager (I am considering that option, but for now only the Spring Boot Adapter was implemented to control the corresponding resources' security), but at least I would like to prevent e.g. reading the full list of users using the Keycloak client token.
I have a basic understanding of the Keycloak Resource/Policy/Permission feature, but I am not sure I understand how I can apply it to Keycloak users themselves.
Thanks a lot in advance for your help.

WSO2 Identity Server - REST APIs for permission and roles

I am using WSO2 Identity Server 5.7.0 and WSO2 API Manager 2.6.0. We want to use the user management and role & permission management of WSO2 itself, but as per requirement we cannot use the WSO2 Carbon management GUI for user creation, role mapping etc.
We need to have a separate GUI but integrate with WSO2 User, Role and Permission management.
For this purpose, WSO2 must have some kind of APIs exposed for third party application integration?
For example, I have checked user creation, user update etc operations are having corresponding SCIM REST APIs which can be used by our applications.
Are there similar APIs for:
1) Creating Service providers
2) Creating permissions at service provider level
3) Creating role mapping at service provider level
4) Creating roles
5) Associating permissions with roles
6) Associating Users with Roles.
Please let me know details of such REST APIs provided by WSO2 if any.

Export role information from a keycloak instance

Is it possible to export the roles added to a keycloak server instance?
I have created some composite roles on a development server which I'd like to mirror across some other instances (e.g. an integration/development environment).
The only thing I can think of is using the Admin API to retrieve the details of the roles and use for some sort of insert script to be run in a different environment.
Is this possible?
Keycloak 3.2.0.Final and later has an "Export" menu item in its admin console. There you can export groups and roles (global and client roles) to a JSON file.

osgi - multiple instances of a service

How can I create multiple instances of a bundle that consumes an external webservice?
An external webservice requires clients to log on before using the services. I have multiple accounts. The problem is I want to be able to add multiple instances, one for each account. Each instance is an OSGi declarative service that consumes the external service.
Do I have to deploy a new bundle for each account? This does not feel like the right way to solve this.
What you need is multiple instances of an OSGi component or service, not multiple instances of a bundle.
I'd recommend a service factory, where each OSGi config that you create (account parameters in your case) for your service causes a new instance of a service to be created.
Neil Bartlett's tutorial at http://njbartlett.name/2010/07/19/factory-components-in-ds.html looks like a good starting point for that.
Is that bundle under your control - can you refactor it?
If yes, it might be useful to expose a client factory service, rather than client service itself.
Then each instance can log into a different account.