
Using OAM With WLS Applications


7. Using Oracle Access Manager With WebLogic Applications

Copyright © 2010, Oracle and/or its affiliates. All rights reserved.


Road Map
• Objectives
• Protecting WLS applications with OAM
• Identity assertion providers
• OAM authenticator



Objectives
After completing this lesson, you should be able to:
• Describe scenarios in which Oracle Access Manager
protects WebLogic applications
• Configure a WebLogic identity assertion provider
• Describe a WebLogic OAM authenticator




Java EE Authentication and Authorization
• The following can be hard-coded in Java EE applications:
– Users and roles
– Authentication
– Authorization
• The more authentication and authorization details coded
into applications, the more cumbersome the applications
are to maintain.
• Using Java EE-compliant servers, such as WebLogic
Server, you can delegate security deployment:
– Users and roles can be stored in external data stores, such
as LDAP databases.
– Authentication and authorization can be performed outside
of the application, either by the web container or by products
that reside on the perimeter of the web container.



Using OAM for Perimeter Authentication and
Authorization With a WebGate
• You can configure authentication and authorization for
WebLogic applications as follows:
– Define policies in Oracle Access Manager
– Configure the mod_wl_ohs.conf file
• You can then configure WebLogic Server to return the
identity of the authenticated user to WebLogic applications
by deploying an Oracle Access Manager identity assertion
provider in the WebLogic security realm.



Using OAM for Perimeter Authentication Without
a WebGate
You can also configure authentication for WebLogic
applications by configuring an OAM authenticator:
• WebLogic Server collects the user name and password
and passes them to the Oracle Access Manager server.
• The Oracle Access Manager server validates the
credentials.



Identity Assertion Providers
Called by WebLogic Server when:
• Configured as authentication providers in the security
realm
• A token is present in the user’s HTTP request
• Java EE application’s authentication method is set to the
CLIENT-CERT method in the application's deployment
descriptor
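
Added example (not part of the original course material): a constructed WEB-INF/web.xml for a hypothetical application, showing the CLIENT-CERT authentication method named in the list above, with the BASIC setting it replaces kept as a comment. The URL pattern, role name and realm name are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: deployment descriptor of a hypothetical application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">

  <!-- Resources that require an authenticated user in the app-user role
       (URL pattern and role name are assumptions). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>protected-area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>app-user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Before: the container collects the user name and password itself.
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>myrealm</realm-name>
  </login-config>
  -->

  <!-- After: no credentials are collected by the container. WebLogic Server
       calls the identity assertion providers configured in the security
       realm, which look for a token in the HTTP request. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>app-user</role-name>
  </security-role>
</web-app>
```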



Oracle Access Manager Identity Assertion Provider
• Must be configured to expect one of the following tokens in
the user's HTTP request:
– The OAM_REMOTE_USER header variable (for 10g and 11g
WebGates)
– The ObSSOCookie cookie (for OAM 10g WebGates and
OAM 10g deployments without WebGates)
• Makes identities available to Java EE applications.



OAM Identity Assertion Provider Event Sequence
[Sequence diagram. Participants: User; Web Server with 10g or 11g WebGate; Oracle Access Manager Server; WebLogic Server. Labeled steps: Request protected Java EE application; Authenticate; Insert OAM_REMOTE_USER header variable in HTTP request and forward request to run application.]




OAM Authenticator
• Java EE application's authentication method is set to a
method that collects the user name and password. For
example, the BASIC method.
• When the application is accessed, the Java EE container
invokes the authentication method to collect the
credentials.
• The Java EE container then calls the Oracle Access
Manager server for credential validation.



Quiz
Which of the following steps must you perform when
configuring an Oracle Access Manager identity assertion
provider?
a. Verify that the application's deployment descriptor uses the
BASIC authentication method.
b. Configure the Oracle Access Manager server to set the
ObSSOCookie cookie in all users' browsers after successful
authentication. The ObSSOCookie cookie is required by
the OAM identity asserter.
c. Add the OAM identity assertion provider to the WebLogic
Server security realm.
d. Configure any 11g WebGates in your deployment to write
the OAM_REMOTE_USER HTTP header variable.



Summary
In this lesson, you should have learned how to:
• Describe scenarios in which Oracle Access Manager
protects WebLogic applications
• Configure a WebLogic identity assertion provider
• Describe a WebLogic OAM authenticator



Practice 7 Overview:
Using an Identity Assertion Provider
This practice covers the following topics:
• Review a sample application that uses HTTP basic
authentication provided by WebLogic Server
• Modify the deployment descriptor so the application uses
an external authenticator
• Configure the OHS instance protected by the 11g
WebGate to access the sample application
• Configure WebLogic Server to use the identity assertion
provider

