weblogic 12c basic authentication not prompting for userid

I am trying to configure basic authentication for a servlet deployed on Weblogic 12c. Here is my web.xml

<security-constraint>
 <web-resource-collection>
     <web-resource-name>TestServlets</web-resource-name>
     <url-pattern>/ReasonServlet</url-pattern>
 </web-resource-collection>
 <auth-constraint>
    <role-name>TestServiceRole</role-name>
 </auth-constraint>
</security-constraint>

<login-config>
 <auth-method>BASIC</auth-method>
 <realm-name>default</realm-name>
</login-config>

<security-role>
 <role-name>TestServiceRole</role-name>
</security-role>

<servlet>
    <servlet-name>ReasonServlet</servlet-name>
    <servlet-class>com.test.go.track.servlets.ReasonServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>ReasonServlet</servlet-name>
    <url-pattern>/ReasonServlet</url-pattern>
</servlet-mapping>

Here is my weblogic.xml:

<security-role-assignment>
  <role-name>TestServiceRole</role-name>
  <principal-name>TestUsers</principal-name>
</security-role-assignment> 

I also did the following:

  1. Created a user - test, created a group - TestUsers
  2. Added the user test to TestUsers
  3. Created a role - TestServiceRole, added TestUsers group as role condition.
  4. Restarted weblogic after making these changes and application deployment.

Now when I try to access my servlet via browser, I don't get any pop-up to enter the HTTP userid/password. I am able to access the servlet as if there is no security configured.

However, when I test my servlet via SoapUI/java client, and explicitly set some wrong http credentials (base64 encoded userid:wrongpassword) in HTTP header (Authorization: Basic ), then weblogic rejects the request with a 401-authorization required error.

When there is no http authorization header in the request, the access is granted.

Is there some other configuration I am missing in weblogic? I want the basic authentication check to happen always, whether the HTTP auth header is there or not.

Please help!! Struggling with this issue for the last 2 days..

Thanks!

There are 3 answers

2
Guru On BEST ANSWER

It turned out to be a deployment issue from my side. The configuration in my original post was just fine. Thanks to those that responded to my question!!

1
iullianr On

You do not need to specify a realm name, it will automatically work with whatever Weblogic is providing.

0
Brian Ochs On

Use externally-defined in the weblogic.xml instead of the principal name.

<security-role-assignment>
  <role-name>TestServiceRole</role-name>
  <externally-defined/>
</security-role-assignment>
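
A check that fits the symptom described in the question (a mapped servlet URL served without any challenge): the added example below, which is not code from this thread, parses a packaged web.xml and reports servlet mappings that no security-constraint with an auth-constraint covers, plus undeclared roles and a missing login-config. The function names and the trimmed sample descriptor are assumptions made for illustration, and the URL matching is a simplification of the servlet specification's rules.

```python
import xml.etree.ElementTree as ET

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def texts(node, name):
    return [(e.text or "").strip() for e in node.iter() if local(e.tag) == name]

def covers(constraint, url):  # simplified match: exact, /prefix/*, *.ext
    if constraint in (url, "/*"):
        return True
    if constraint.endswith("/*"):
        base = constraint[:-2]
        return url == base or url.startswith(base + "/")
    return constraint.startswith("*.") and url.endswith(constraint[1:])

def audit(web_xml):
    """Return a list of findings; an empty list means every mapping is protected."""
    top = {}
    for child in ET.fromstring(web_xml):
        top.setdefault(local(child.tag), []).append(child)
    findings, protected, used_roles = [], [], set()
    for sc in top.get("security-constraint", []):
        if not any(local(e.tag) == "auth-constraint" for e in sc):
            continue  # no auth-constraint: this constraint never asks for a login
        if texts(sc, "http-method"):
            findings.append("http-method listed: other methods stay unprotected")
        protected += texts(sc, "url-pattern")
        used_roles |= set(texts(sc, "role-name"))
    declared = {r for sr in top.get("security-role", []) for r in texts(sr, "role-name")}
    findings += [f"role not declared: {r}" for r in sorted(used_roles - declared)]
    if protected and not any(texts(lc, "auth-method") for lc in top.get("login-config", [])):
        findings.append("no login-config/auth-method")
    for m in top.get("servlet-mapping", []):
        for url in texts(m, "url-pattern"):
            if not any(covers(p, url) for p in protected):
                findings.append(f"unprotected mapping: {url}")
    return findings

# Constructed sample: the question's descriptor, trimmed, inside a <web-app> root.
SAMPLE = """<web-app>
<security-constraint><web-resource-collection>
  <url-pattern>/ReasonServlet</url-pattern></web-resource-collection>
  <auth-constraint><role-name>TestServiceRole</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method></login-config>
<security-role><role-name>TestServiceRole</role-name></security-role>
<servlet-mapping><url-pattern>/ReasonServlet</url-pattern></servlet-mapping>
</web-app>"""
```

Run `audit()` on the web.xml extracted from the archive that is actually deployed, not on the copy in the source tree.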