
I am absolutely new to Weblogic and j_security_check. In my readings over the past days, all I see is the order of operations for the call protected data on a server and how it gets routed to the j_security_check. (e.g. j_security_check redirect)

What I am trying to understand is where the configuration is that tells the server what to check the username and password against?

When a form is submitted to the server that passes username/password, what code is executed? Is the source available to me to look at? How does it know where it is going to check the values against?

I am on a project and NOBODY knows how to use Weblogic because ALL the previous devs jumped ship.

The web.xml and weblogic.xml files have nothing in them to shed any light on how any mapping to a database exists. How does the system know what database or even what column in the database to check the username and password field against?

In looking through the Weblogic portal I can see 'DefaultAuthenticator, DefaultIdentityAsserter, and an OpenLDAPAuthenticator' but there is nothing in any of the sub level pages that shows me how any of the fields are being processed and validated.

What should I be looking for, am I looking in the wrong place, what timeline should one expect to have to spend to understand what is going on with this whole Weblogic and j_security_check process?

Any suggestions on how to proceed with this topic would be most welcome.

Community
Elijah M

1 Answer


So you're in need of the very basics. I can explain some stuff but you will need to read up on some links that I point to. Also, clarify if your app is deployed on Weblogic Server or also using WL Portal. My answer is based on WL Portal, which you've mentioned in your post.

j_security_check is a Java EE standard, so any login form pointing to j_security_check will be authenticated by the container - in this case Weblogic Server.

The configuration of which pages/URLs to protect goes in web.xml, along with which roles are allowed to access those protected pages.

A primer on this aspect is here

http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html

Read the sections on "Form-based login authentication" and then http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html#wp280108

Now you've mentioned Weblogic Portal. This is different from a simple Java EE container (such as WLogic Server) since this has additional Security, Authentication and Authorization mechanisms added.

These will be visible and accessible from your Portal Administration Console - note this is not the Weblogic Server Console but a separate app running with the URL /portalApp or something similar. See here for more: http://docs.oracle.com/cd/E13155_01/wlp/docs103/users/users.html#wp1013658

There is a default Authentication Provider called SQLAuthenticator which stores the users/roles/groups in the local database. Usually this is a Pointbase DB unless your team has specified separate connections to an external RDBMS like Oracle.

Read this for knowing what Users/Groups/Roles are in WLPortal context: http://docs.oracle.com/cd/E13155_01/wlp/docs103/users/index.html Note these are Portal specific configurations and API which are in use - hence you won't see code directly looking up the DB or user tables, it will be wrapped with JSP tags or other API. Perhaps like so: http://docs.oracle.com/cd/E13155_01/wlp/docs103/users/developusers.html

Finally, here are the DB details including the default Pointbase: http://docs.oracle.com/cd/E13155_01/wlp/docs103/pdf/db.pdf Log in to your DB and see if you can see the User tables.

Arjan Tijms
JoseK
  • >> JoseK - Thank you so much for this guidance as I have been just guessing on directions and just going back and forth amongst various pieces not knowing where to start. As I stated nobody here knows or can direct me where to even begin so I sincerely appreciate your time in your guidance write up. Again, Thank you. – Elijah M May 15 '12 at 13:22
  • Reading up on the Weblogic Portal I realized we are talking two different things. I was referring to the Weblogic Server Administration Console's section 'Security Realms >> myNamedRealm >> Providers (tab) >> Authentication (tab)' items: 'DefaultAuthenticator, DefaultIdentityAsserter, and an OpenLDAPAuthenticator'. I finished reading most of what you had linked off to and have more knowledge on things but actually modifying or implementing changes to the application I am still very unsure of what to do. – Elijah M May 15 '12 at 16:06
  • @ElijahM: Fine, you're not using WLP. So which of the Realms are the highlighted option in your WLS? Is it a `DefaultAuthenticator` or LDAP ? In any case, even in WLS there will be a link at the bottom for u – JoseK May 16 '12 at 08:25
  • link at the bottom for Users/Groups/Roles in your console. Any users you add via that route will be able to login to your app – JoseK May 16 '12 at 08:27
  • The way the project is setup, it has both the DefaultAuthenticator and an LDAP defined. – Elijah M May 17 '12 at 14:12
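
An added example, not part of the original thread: a small Python script that reads a web.xml and weblogic.xml pair and reports which URLs are protected, which login method is used, and which realm principals hold each role, which is the split the answer describes between the deployment descriptors and the realm's authentication providers. Both descriptors, the role `appUser` and the group `AppUsersGroup` are constructed samples for a hypothetical application.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors for a hypothetical app (not from the thread).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>accounts</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>appUser</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginError.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>appUser</role-name></security-role>
</web-app>"""

# weblogic.xml maps the Java EE role to a user or group known to the security realm.
WEBLOGIC_XML = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>appUser</role-name>
    <principal-name>AppUsersGroup</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

def parse(xml_text):
    """Parse a descriptor and strip XML namespaces so plain tag names match."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}")[-1]
    return root

def summarize(web_xml, weblogic_xml):
    """Return the login method, protected URL patterns and role-to-principal map."""
    web, wls = parse(web_xml), parse(weblogic_xml)
    principals = {}
    for a in wls.iter("security-role-assignment"):
        principals[a.findtext("role-name")] = [p.text for p in a.findall("principal-name")]
    protected = []
    for c in web.iter("security-constraint"):
        roles = [r.text for r in c.findall("auth-constraint/role-name")]
        for url in c.findall("web-resource-collection/url-pattern"):
            protected.append((url.text, roles))
    return {"auth_method": web.findtext("login-config/auth-method"),
            "login_page": web.findtext("login-config/form-login-config/form-login-page"),
            "protected": protected, "principals": principals}
```

Neither file names a database or a password column: the username and password posted to j_security_check are validated by the authentication providers configured in the server's security realm, and the descriptors only decide which authenticated principals may reach which URLs.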