SimpleCertAuthenticator.java is a class that implements the weblogic.security.acl.CertAuthenticator interface. A class that implements this interface takes a client certificate presented during two-way SSL authentication and returns an authenticated WebLogic user.
SimpleCertAuthenticator maps the email name (the portion preceding the '@' symbol) in the client certificate to a WebLogic user. It calls realm.getUser() to look up the name in the WebLogic realm.
Other CertAuthenticator implementations could map a certificate to a WebLogic user in different ways. For example, you could look up the certificate holder in an LDAP server or RDBMS to find the WebLogic Server username.
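The mapping described above keeps only the part of the email address before the '@', so the domain plays no part in choosing the WebLogic user. The following added example is not the SimpleCertAuthenticator source. It uses only JDK classes (Java 9 or later), assumes the email address is carried as an attribute of the certificate's subject DN, and its class name, method names, domain allowlist and sample subject DNs are constructed for illustration. It shows that mapping next to a stricter variant that also checks the domain.

```java
import java.util.Locale;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added illustration, not WebLogic code. All names and sample DNs are constructed.
public class EmailNameMapping {

    // Returns the email attribute of a subject DN string, or null if absent or not a string.
    static String emailOf(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            String type = rdn.getType().toUpperCase(Locale.ROOT);
            if ((type.equals("EMAILADDRESS") || type.equals("E"))
                    && rdn.getValue() instanceof String) {
                return (String) rdn.getValue();
            }
        }
        return null;
    }

    // The mapping the page describes: the portion preceding '@' becomes the user name.
    static String simpleMap(String email) {
        int at = (email == null) ? -1 : email.indexOf('@');
        return at > 0 ? email.substring(0, at) : null;
    }

    // Stricter variant (assumption): exactly one '@', and the domain must be on an allowlist.
    static String strictMap(String email, Set<String> allowedDomains) {
        if (email == null) return null;
        int at = email.indexOf('@');
        if (at <= 0 || at != email.lastIndexOf('@')) return null;
        String domain = email.substring(at + 1).toLowerCase(Locale.ROOT);
        return allowedDomains.contains(domain) ? email.substring(0, at) : null;
    }

    public static void main(String[] args) throws InvalidNameException {
        Set<String> allowed = Set.of("weblogic.com"); // constructed allowlist
        String[] subjects = {                         // constructed sample subject DNs
            "EMAILADDRESS=support@weblogic.com, CN=Demo Client, O=Example",
            "EMAILADDRESS=support@other.example, CN=Someone Else, O=Other",
            "CN=No Email, O=Example"
        };
        for (String dn : subjects) {
            String email = emailOf(dn);
            System.out.println(dn + " -> simple=" + simpleMap(email)
                    + " strict=" + strictMap(email, allowed));
        }
    }
}
```

With the simple mapping, the first two sample subjects both resolve to the user support, so the set of certificate authorities the server trusts for two-way SSL is what limits who can present such a certificate.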
To use this example:
javac -d %SERVER_CLASSES% SimpleCertAuthenticator.java
weblogic.security.realm.certAuthenticator=\
    examples.security.cert.SimpleCertAuthenticator
You can test this example using the demonstration certificates in the myserver subdirectory of your WebLogic installation. The democert1024.pem file is a client certificate that contains the email address "support@weblogic.com". To authenticate a client that submits this certificate, you must set up a "support" user in the weblogic.properties file by adding a property such as:
weblogic.password.support=anything
SimpleCertAuthenticator accepts the certificate as the client's credential, but a client that connects without using SSL must still supply the password.
From a Java client, you set the authentication parameters in the JNDI environment before you get the InitialContext. Specify the T3S protocol and the WebLogic Server SSL listen port in the Context.PROVIDER_URL environment variable, for example t3s://localhost:7002. Pass the client certificate file and private key in an InputStream array in the Context.SECURITY_CREDENTIALS environment variable. See AltClient.java in the weblogic.security.acl for an example of two-way authentication from a Java client using the demonstration certificate.
If you connect from a browser to a protected resource using the plain HTTP port, the browser should request a username and password. However, when you connect using the HTTPS port, SimpleCertAuthenticator establishes your identity without your having to log in.
For more information about WebLogic SSL and certificates, see Using WebLogic SSL.