There could be a scenario when a proper LDAP is not available to store users/groups for weblogic/SOA human task application etc. And this scenario is very much possible. In such situations weblogic SQL Authenticator comes to the rescue. SQL authenticator is provided to use database as authentication provider.
Listed down here are the steps to configure database as authentication provider using SQL Authenticator. Note that these steps are based on document available at -
https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1499679.1&h=Y
1. Create tables that will store the user & group details with below scripts -
CREATE TABLE USERS (
U_NAME VARCHAR(200) NOT NULL,
U_PASSWORD VARCHAR(50) NOT NULL,
U_DESCRIPTION VARCHAR(1000))
;
ALTER TABLE USERS
ADD CONSTRAINT PK_USERS
PRIMARY KEY (U_NAME)
;
CREATE TABLE GROUPS (
G_NAME VARCHAR(200) NOT NULL,
G_DESCRIPTION VARCHAR(1000) NULL)
;
ALTER TABLE GROUPS
ADD CONSTRAINT PK_GROUPS
PRIMARY KEY (G_NAME)
;
CREATE TABLE GROUPMEMBERS (
G_NAME VARCHAR(200) NOT NULL,
G_MEMBER VARCHAR(200) NOT NULL)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT PK_GROUPMEMS
PRIMARY KEY (
G_NAME,
G_MEMBER
)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT FK1_GROUPMEMBERS
FOREIGN KEY ( G_NAME )
REFERENCES GROUPS (G_NAME)
ON DELETE CASCADE
2. Create a datasource of the database having user and group tables.
3. Create SQL Autenticator. For this first goto security realm > myrealm > Providers and click New to create a new authentication provider as shown in the image.
6. Reorder the authentication provider so that DB provider comes at top.
7. Restart the server & managed servers and verify the db users and groups appear in "Users & Groups" tab.
8. Change the default realm from jazn.com to myrealm. In EM console and goto System Mbean browser Application Defined Mbeans > oracle.as.soainfra.config > Server > WorkflowIdentityConfig > human-workflow > WorkflowIdentityConfig.ConfigurationType > jazn.com
Invoke the setRealmName operation with value "myrealm".
9. Download the workflow-120-SQLIdentityProvider.zip from Note 1194815.1. the link of which is provided above. Unzip it and copy dbprovider.jar to MW_HOME/user_projects/domains/{soa_domain}/lib
10. Shutdown weblogic server.
11. Navigate to HOME/user_projects/domains/{domain_name}/config/fmwconfig and take backup of jps-config.xml.
12. Edit jps-config.xml to update following -
a) Add below xml fragment in serviceProviders element.
<serviceProvider type="IDENTITY_STORE" name="custom.provider" class="oracle.security.jps.internal.idstore.generic.GenericIdentityStoreProvider">
<description>Custom IdStore Provider</description>
</serviceProvider>
b) Add below xml fragment in serviceInstances element.
<serviceInstance name="idstore.custom" provider="custom.provider" location="dumb">
<description>Custom Identity Store Service Instance</description>
<property name="idstore.type" value="CUSTOM"/>
<property name="ADF_IM_FACTORY_CLASS" value="org.sample.providers.db.DBIdentityStoreFactory"/>
<property name="DB_SERVER_NAME" value="localhost"/>
<property name="DB_SERVER_PORT" value="1521"/>
<property name="DB_DATABASE_NAME" value="XE"/>
<property name="ST_SECURITY_PRINCIPAL" value="Admin"/>
<property name="ST_SECURITY_CREDENTIALS" value="welcome1"/>
</serviceInstance>
c) Change <serviceInstanceRef
ref="idstore.ldap"/> to <serviceInstanceRef
ref="idstore.custom"/>.
Listed down here are the steps to configure database as authentication provider using SQL Authenticator. Note that these steps are based on document available at -
https://support.us.oracle.com/oip/faces/secure/km/DocumentDisplay.jspx?id=1499679.1&h=Y
1. Create tables that will store the user & group details with below scripts -
CREATE TABLE USERS (
U_NAME VARCHAR(200) NOT NULL,
U_PASSWORD VARCHAR(50) NOT NULL,
U_DESCRIPTION VARCHAR(1000))
;
ALTER TABLE USERS
ADD CONSTRAINT PK_USERS
PRIMARY KEY (U_NAME)
;
CREATE TABLE GROUPS (
G_NAME VARCHAR(200) NOT NULL,
G_DESCRIPTION VARCHAR(1000) NULL)
;
ALTER TABLE GROUPS
ADD CONSTRAINT PK_GROUPS
PRIMARY KEY (G_NAME)
;
CREATE TABLE GROUPMEMBERS (
G_NAME VARCHAR(200) NOT NULL,
G_MEMBER VARCHAR(200) NOT NULL)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT PK_GROUPMEMS
PRIMARY KEY (
G_NAME,
G_MEMBER
)
;
ALTER TABLE GROUPMEMBERS
ADD CONSTRAINT FK1_GROUPMEMBERS
FOREIGN KEY ( G_NAME )
REFERENCES GROUPS (G_NAME)
ON DELETE CASCADE
Populate this tables with some users and groups.
2. Create a datasource of the database having user and group tables.
3. Create SQL Autenticator. For this first goto security realm > myrealm > Providers and click New to create a new authentication provider as shown in the image.
4. Select the newly created provider and set the control flag to SUFFICIENT. Set the control flag of "DefaultAuthenticator" to OPTIONAL if you want to login BPM worklist application with database users.
5. Save changes and click Provider Specific tab. Enter the datasource name created earlier in step 2. Ensure that the following values are selected -
Plaintext Passwords Enabled: select
Data Source Name: <datasource name>
Group Membership Searching:unlimited
Max Group Membership Search Level: 0
Password Style Retained: select
Password Algorithm: SHA-1
Password Style: PLAINTEXT
6. Reorder the authentication provider so that DB provider comes at top.
7. Restart the server & managed servers and verify the db users and groups appear in "Users & Groups" tab.
8. Change the default realm from jazn.com to myrealm. In EM console and goto System Mbean browser Application Defined Mbeans > oracle.as.soainfra.config > Server > WorkflowIdentityConfig > human-workflow > WorkflowIdentityConfig.ConfigurationType > jazn.com
Invoke the setRealmName operation with value "myrealm".
9. Download the workflow-120-SQLIdentityProvider.zip from Note 1194815.1. the link of which is provided above. Unzip it and copy dbprovider.jar to MW_HOME/user_projects/domains/{soa_domain}/lib
10. Shutdown weblogic server.
11. Navigate to HOME/user_projects/domains/{domain_name}/config/fmwconfig and take backup of jps-config.xml.
12. Edit jps-config.xml to update following -
a) Add below xml fragment in serviceProviders element.
<serviceProvider type="IDENTITY_STORE" name="custom.provider" class="oracle.security.jps.internal.idstore.generic.GenericIdentityStoreProvider">
<description>Custom IdStore Provider</description>
</serviceProvider>
b) Add below xml fragment in serviceInstances element.
<serviceInstance name="idstore.custom" provider="custom.provider" location="dumb">
<description>Custom Identity Store Service Instance</description>
<property name="idstore.type" value="CUSTOM"/>
<property name="ADF_IM_FACTORY_CLASS" value="org.sample.providers.db.DBIdentityStoreFactory"/>
<property name="DB_SERVER_NAME" value="localhost"/>
<property name="DB_SERVER_PORT" value="1521"/>
<property name="DB_DATABASE_NAME" value="XE"/>
<property name="ST_SECURITY_PRINCIPAL" value="Admin"/>
<property name="ST_SECURITY_CREDENTIALS" value="welcome1"/>
</serviceInstance>
13. Restart server and you should be able to login to worklist application with the user configured in the database
Thanks For you post
ReplyDeleteAdded SOAAdmin as a group and associated this group to user weblogic.Once try using authenticate on behalf of user jcooper using TaskQueryService.authenticateOnBehalfOfUser(...) it does not work. It gives error. Gives error like Insufficient admin privilege.
Can you provide solution to it.
Hi Vish - The custom provider jar (dbprovider.jar) provided by support doesn't seems to implement all the methods. Its has limited functionality to demonstrate the custom db provider capability. You need to implement the functions as per your requirement.
DeleteHello Ashish,
ReplyDeleteGreat Note!! However the Oracle Support Link you have mentioned above is not working, can you please share the correct Oracle support link.
Thanks.
Hi Rashi - Looks like support has temporarily removed the document or moved it for Oracle internal. Will update the link as soon as I found the reference. Thanks for pointing.
DeleteThanks very much, this what I am looking for and it is working perfectly :)
ReplyDeleteHI Ashish,
ReplyDeleteThanks a lot for the above steps.
I just followed the same and I have configured the all custom user details.
But I am unable to login to BPM worklist using the custom usernames ans pwds. Its throwing below error. can you Please advise what could be the wrong?
####<28 Dec, 2016 11:46:36 PM IST> <[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'> <> <> <2c571170edfbf9c6:-519b46ae:159469d4e01:-8000-000000000000016b> <1482948996412> <[ServletContext@608083147[app:worklistapp module:/integration/worklistapp path:/integration/worklistapp spec-version:2.5]] Servlet failed with Exception
java.lang.IllegalStateException: Response already committed
at weblogic.servlet.internal.ServletResponseImpl.objectIfCommitted(ServletResponseImpl.java:1629)
at weblogic.servlet.internal.ServletResponseImpl.sendRedirect(ServletResponseImpl.java:845)
at javax.servlet.http.HttpServletResponseWrapper.sendRedirect(HttpServletResponseWrapper.java:136)
at com.sun.faces.context.ExternalContextImpl.redirect(ExternalContextImpl.java:421)