2

I have a RESTful web service which is protected using HTTP Basic authentication with an LDAP provider.

After deploying the application to WebLogic, it prompts for authentication twice upon invocation.

First by Spring Security, then by WebLogic Server.

Further investigation on the subject reveals that client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource.

As an option (provided in the answer), WebLogic's authentication can be disabled through the following configuration in config.xml:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

But it will affect all the other applications deployed in the same domain. And I want this for a specific app only.

Appreciate any suggestions.

Ahsan Shah

3 Answers

4

Try disabling WebLogic's authentication in config.xml:

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

See e.g.

So you can turn this on or off on a per-domain basis. If you need to target a specific app, consider placing that app in a dedicated domain.

  • 1
    Thank you willie, but this will disable WebLogic basic auth for all the other applications as well deployed in the same container. – Ahsan Shah Oct 01 '14 at 06:44
  • Actually I do not want to disable the WebLogic auth for all but for a specific app only. – Ahsan Shah Oct 01 '14 at 06:48
  • From the links I provided, it sounds like an all-or-nothing affair. So you might need to create a dedicated WebLogic domain for the app in question. At any rate please update your question to indicate this additional constraint. –  Oct 01 '14 at 07:55
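
An added example, not part of the original answer or of WebLogic's own tooling: because the flag is domain-wide, this Python script reads a domain's config.xml and lists every deployed application that loses container-level Basic credential validation when the flag is false. The sample config.xml, its domain name and its application names are constructed; the element's placement under `<security-configuration>` follows Oracle's documented layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a WebLogic domain config.xml (not from the original page).
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>sample_domain</name>
  <security-configuration>
    <name>sample_domain</name>
    <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>
  </security-configuration>
  <app-deployment>
    <name>rest-api</name>
    <target>AdminServer</target>
  </app-deployment>
  <app-deployment>
    <name>billing-ui</name>
    <target>AdminServer</target>
  </app-deployment>
</domain>
"""


def local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.rsplit("}", 1)[-1]


def audit_domain(config_xml):
    """Return (enforced, apps): whether WebLogic validates Basic credentials
    domain-wide, and every deployed application that setting applies to."""
    root = ET.fromstring(config_xml)
    enforced = True  # WebLogic's default when the element is absent
    apps = []
    for el in root.iter():
        name = local(el.tag)
        if name == "enforce-valid-basic-auth-credentials":
            enforced = (el.text or "").strip().lower() != "false"
        elif name == "app-deployment":
            # Only the deployment's own <name> child, not other <name> elements
            apps += [c.text.strip() for c in el if local(c.tag) == "name" and c.text]
    return enforced, apps


if __name__ == "__main__":
    enforced, apps = audit_domain(SAMPLE_CONFIG)
    if not enforced:
        print("Container Basic-auth enforcement is OFF for the whole domain.")
        print("Each app must authenticate its own endpoints:", ", ".join(apps))
```

Every application the script lists then relies solely on its own authentication layer (Spring Security in the question's case) for requests carrying a Basic `Authorization` header.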
3

Workaround: add another auth-method in the web.xml:

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

WebLogic's basic-auth prompt won't show, only yours.

source: http://forum.spring.io/forum/spring-projects/security/35977-weblogic-9x-10x-double-prompt-for-login-basic-auth-simple

Soapr
1

It started working after adding the configuration below. But it is required to add a new user in the WebLogic console, or we can use the default user.

Added the configuration below in the WEB-INF\web.xml file:

<security-constraint>
    <display-name>Secure REST Area</display-name>
    <web-resource-collection>
        <web-resource-name>Secure REST</web-resource-name>
        <url-pattern>/api/*</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>

    <auth-constraint>
        <role-name>Admin</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>default</realm-name>
</login-config>

<security-role>
    <role-name>Admin</role-name>
</security-role>

Created a WebLogic descriptor file in WEB-INF\weblogic.xml and added the configuration below.

<weblogic-web-app xmlns="http://www.bea.com/ns/weblogic/90" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <!-- Map the web.xml role "Admin" to principals defined in the WebLogic security realm -->
    <security-role-assignment>
        <role-name>Admin</role-name>
        <!-- <principal-name>Administrators</principal-name>-->
        <externally-defined/>
    </security-role-assignment>
</weblogic-web-app>

rsh