Hi Cesar,

You are right that there is no "easy" option to just select CAS authentication in weblogic. I wish there was :)

I started working on something similar and had it working for a basic weblogic server (used it for BPW, not webcenter). Unfortunately I never finished it but I do intend to get back to it soon.

You don't have to write a full authentication provider (although you can). What I did was make a custom weblogic Identity Asserter, which also implements the "ServletAuthenticationFilter" interface. This allows you to inspect the http request and issue a redirect if there is no "ticket" parameter. The filter can pass a context which includes the ticket as a string to the identity asserter, whose "assertIdentity" method can use the normal CAS java API to fetch the username. This can be returned via a Name CallbackHandler. Then the filter can use the callback to get the name and finally populate the weblogic subject/principal data.

You can then add this identity asserter to your security realm and use it in combination with a delivered weblogic authentication provider, e.g. LDAP - probably to match whatever you back CAS with. In this configuration, the authentication provider knows about users/groups via direct access to LDAP, but defers authentication to the identity asserter (i.e., CAS).

This may be all very confusing if you're not familiar with the weblogic security framework (I am still fairly confused). There is lots of oracle documentation about their security framework; in particular read this and the referenced books: http://download.oracle.com/docs/cd/E17904_01/web.1111/e13718/ia.htm However there are very few useful examples of custom security providers.

There are two other options I thought of but haven't tried:

1) Front your weblogic server with apache, using mod_auth_cas and combine with the SimpleSampleIdentityAsserter (you can find this in samplecode.oracle.com). The SimpleSample ID asserter would have to read the username populated by mod_auth_cas somehow and populate the weblogic subject.

2) Modify CAS's SAML implementation so that it works with weblogic. This is probably the best solution, since no customisation of weblogic would be required; I did not try it because I do not know enough about SAML.

Regards,
Tim

On 01/10/11 04:05, CESAR ORE wrote:
> Hi. We use some Oracle products (Webcenter, SSXA, IRM, UBR, UCM, SOA BPM, WC_COlaboration, etc).
>
> We need to connect these applications with other external applications using CAS (SSO).
>
> We think the solution is to change the Authentication Provider in the Oracle Weblogic Security Realms config.
>
> But when we were reading the options in the authentication provider menu, no option for CAS appears:
>
> ------------------------
>
> WebLogic Server offers the following types of Authentication providers:
>
> The WebLogic Authentication provider accesses user and group information in WebLogic Server's embedded LDAP server.
> LDAP Authentication providers access external LDAP stores. You can use an LDAP Authentication provider to access any LDAP server. WebLogic Server provides LDAP Authentication providers already configured for Open LDAP, Sun iPlanet, Microsoft Active Directory and Novell NDS LDAP servers.
> RDBMS Authentication providers access external relational databases. WebLogic Server provides three RDBMS Authentication providers: SQL Authenticator, Read-only SQL Authenticator, and Custom RDBMS Authenticator.
> The WebLogic Identity Assertion provider validates X.509 and IIOP-CSIv2 tokens and optionally can use a user name mapper to map that token to a user in a WebLogic Server security realm.
> The SAML Authentication provider, which authenticates users based on Security Assertion Markup Language 1.1 (SAML) assertions.
> The Negotiate Identity Assertion provider, which uses Simple and Protected Negotiate (SPNEGO) tokens to obtain Kerberos tokens, validates the Kerberos tokens, and maps Kerberos tokens to WebLogic users.
> The SAML Identity Assertion provider, which acts as a consumer of SAML security assertions. This enables WebLogic Server to act as a SAML destination site and supports using SAML for single sign-on.
>
> In addition, you can use:
>
> Custom (non-WebLogic) Authentication providers, which offer different types of authentication technologies.
> Custom (non-WebLogic) Identity Assertion providers, which support different types of tokens.
>
> -----------------------
>
> We think that we need to implement a new Authentication Provider. Is that correct?
> Or any other idea?
>
> Thanks.
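The filter-plus-identity-asserter design Tim describes, written out as an added Java example; this is not Tim's code and is not from the thread. It assumes the WebLogic 10.3 provider SPI (weblogic.security.spi.IdentityAsserterV2, weblogic.servlet.security.ServletAuthenticationFilter, weblogic.security.service.ContextHandler), the Java CAS Client's Cas20ServiceTicketValidator, and that weblogic.security.services.Authentication.assertIdentity and ServletAuthentication.runAs exist with the shapes used here (treat those two as assumptions to check against your WebLogic version). TOKEN_TYPE, the "cas.service" context element and the CAS server URL are made-up values, and the AuthenticationProviderV2/MBean plumbing that instantiates the asserter (as in Oracle's SimpleSampleIdentityAsserter) is left out.

```java
import java.io.IOException;
import java.net.URLEncoder;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jasig.cas.client.validation.Assertion;
import org.jasig.cas.client.validation.Cas20ServiceTicketValidator;
import org.jasig.cas.client.validation.TicketValidationException;
import weblogic.security.service.ContextHandler;
import weblogic.security.services.Authentication;
import weblogic.security.spi.IdentityAssertionException;
import weblogic.security.spi.IdentityAsserterV2;
import weblogic.servlet.security.ServletAuthentication;
import weblogic.servlet.security.ServletAuthenticationFilter;

/** Identity asserter and servlet authentication filter in one class (example, not from the thread). */
public class CasIdentityAsserter implements IdentityAsserterV2, ServletAuthenticationFilter {

    public static final String TOKEN_TYPE = "CASTicket";   // assumed; must also be an active type on the provider MBean
    static final String SERVICE_KEY = "cas.service";       // assumed context element name, not a WebLogic constant
    private final String casServerUrl;                     // e.g. "https://cas.example.org/cas" (placeholder)

    public CasIdentityAsserter(String casServerUrl) { this.casServerUrl = casServerUrl; }

    /* Asserter half: never trust the ticket parameter itself; validate it with the CAS server. */
    public CallbackHandler assertIdentity(String type, Object token, ContextHandler ctx)
            throws IdentityAssertionException {
        if (!TOKEN_TYPE.equals(type) || !(token instanceof String)) {
            throw new IdentityAssertionException("unsupported token type: " + type);
        }
        Object service = ctx.getValue(SERVICE_KEY);   // must equal the service sent to /login, or CAS rejects it
        if (service == null) throw new IdentityAssertionException("no " + SERVICE_KEY + " in context");
        final String user;
        try {
            Assertion a = new Cas20ServiceTicketValidator(casServerUrl).validate((String) token, service.toString());
            user = a.getPrincipal().getName();
        } catch (TicketValidationException e) {
            throw new IdentityAssertionException("CAS rejected ticket: " + e.getMessage());
        }
        // Return the user name through a NameCallback, the same contract the SimpleSample asserter uses.
        return new CallbackHandler() {
            public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
                for (Callback c : callbacks) {
                    if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                    else throw new UnsupportedCallbackException(c, "only NameCallback is supported");
                }
            }
        };
    }

    /* Filter half: redirect to CAS when there is no ticket, assert identity when there is one. */
    public Filter[] getServletAuthenticationFilters() { return new Filter[] { new CasFilter() }; }

    private class CasFilter implements Filter {
        public void init(FilterConfig fc) {}
        public void destroy() {}
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest http = (HttpServletRequest) req;
            HttpServletResponse out = (HttpServletResponse) res;
            if (http.getUserPrincipal() != null) { chain.doFilter(req, res); return; }   // already logged in
            String ticket = http.getParameter("ticket");
            String service = serviceUrl(http);
            if (ticket == null) {
                out.sendRedirect(casServerUrl + "/login?service=" + URLEncoder.encode(service, "UTF-8"));
                return;
            }
            try {
                // assumed API: assertIdentity(type, token, ContextHandler) drives the asserter above and returns a Subject
                Subject subject = Authentication.assertIdentity(TOKEN_TYPE, ticket, new CasContext(service));
                ServletAuthentication.runAs(subject, http);   // assumed API: binds the subject to this request/session
            } catch (LoginException e) {
                out.sendError(HttpServletResponse.SC_FORBIDDEN, "CAS authentication failed");
                return;
            }
            chain.doFilter(req, res);
        }
    }

    /** Request URL minus the ticket parameter, so validation uses the same service string as the login redirect. */
    static String serviceUrl(HttpServletRequest http) {
        StringBuffer url = http.getRequestURL();
        String q = http.getQueryString();
        if (q != null) {
            StringBuilder kept = new StringBuilder();
            for (String p : q.split("&")) {
                if (!p.startsWith("ticket=")) kept.append(kept.length() == 0 ? "?" : "&").append(p);
            }
            url.append(kept);
        }
        return url.toString();
    }

    /** Minimal ContextHandler carrying only the service URL (assumed interface shape: size/getNames/getValue). */
    private static class CasContext implements ContextHandler {
        private final String service;
        CasContext(String service) { this.service = service; }
        public int size() { return 1; }
        public String[] getNames() { return new String[] { SERVICE_KEY }; }
        public Object getValue(String name) { return SERVICE_KEY.equals(name) ? service : null; }
    }
}
```

The point worth keeping in mind from a security standpoint is that the filter only carries the ticket; the asserter is where the server-side validation call to CAS happens, so a client-supplied "ticket" parameter on its own never yields a principal. The service URL has to be reconstructed identically on the redirect and the validation, which is why the ticket parameter is stripped in serviceUrl().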
