
package examples.security.cert

Class Index

  • SimpleCertAuthenticator
    about this example

    SimpleCertAuthenticator.java is a class that implements the weblogic.security.acl.CertAuthenticator interface. A class that implements this interface takes a client certificate presented during two-way SSL authentication and returns an authenticated WebLogic user.

    SimpleCertAuthenticator maps the email name (the portion preceding the '@' symbol) in the client certificate to a WebLogic user. It calls realm.getUser() to look up the name in the WebLogic realm.

    Other CertAuthenticator implementations could map a certificate to a WebLogic user in different ways. For example, you could look up the certificate holder in an LDAP server or RDBMS to find the WebLogic Server username.
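    The mapping described above, written out as an added illustration (this is not the SimpleCertAuthenticator source and does not use the weblogic.security.acl.CertAuthenticator interface). It reads the e-mail address from the certificate's subjectAltName rfc822Name entry using the standard java.security.cert API, keeps the part before '@', and hands that name to a hypothetical Realm interface that stands in for realm.getUser(). The certificate is assumed to have already been verified by the two-way SSL handshake; this code only maps an already-trusted certificate to a user.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

/**
 * Added illustration of the e-mail-name mapping the page describes.
 * Not the example's own source; Realm is a hypothetical stand-in for the
 * WebLogic realm's getUser() lookup.
 */
public class EmailNameCertMapper {

    /** Hypothetical realm: returns the user object, or null for an unknown name. */
    public interface Realm {
        Object getUser(String name);
    }

    /** GeneralName tag for an rfc822Name (e-mail address) in subjectAltName. */
    private static final int RFC822_NAME = 1;

    /** The e-mail address carried in the certificate's subjectAltName, or null if none. */
    public static String emailFromCertificate(X509Certificate cert)
            throws CertificateParsingException {
        Collection<List<?>> altNames = cert.getSubjectAlternativeNames();
        if (altNames == null) {
            return null;
        }
        for (List<?> entry : altNames) {
            // Each entry is [Integer tag, Object value]; rfc822Name values are Strings.
            if (((Integer) entry.get(0)).intValue() == RFC822_NAME) {
                return (String) entry.get(1);
            }
        }
        return null;
    }

    /** The portion before '@' (e.g. "support" for "support@weblogic.com"), or null. */
    public static String emailName(String email) {
        if (email == null) {
            return null;
        }
        int at = email.indexOf('@');
        if (at <= 0) {
            return null; // no local part to map: refuse rather than guess
        }
        return email.substring(0, at);
    }

    /**
     * Map a certificate that SSL has already verified to a realm user.
     * A null result means "not authenticated"; the server then falls back to
     * its normal login, which is the behaviour the page describes for plain HTTP.
     */
    public static Object authenticate(Realm realm, X509Certificate cert)
            throws CertificateParsingException {
        String name = emailName(emailFromCertificate(cert));
        if (name == null) {
            return null;
        }
        return realm.getUser(name);
    }
}
```

    Because only the part before '@' is used, certificates issued to "support@weblogic.com" and to "support@example.org" both map to the WebLogic user "support". Whether that is acceptable depends on which CAs the server is configured to trust for two-way SSL; if more than one CA can issue client certificates, an implementation that also checks the domain or the issuer before calling getUser() is the safer choice.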

    how to use this example

    To use this example:

    1. Set up your development environment as described in Setting your development environment.

    2. Compile the SimpleCertAuthenticator class with a command like this one for Windows NT:
        javac -d %SERVER_CLASSES% SimpleCertAuthenticator.java

    3. Install the class in WebLogic Server by setting this property in your weblogic.properties file:
        weblogic.security.realm.certAuthenticator=\
          examples.security.cert.SimpleCertAuthenticator

    4. Make sure you have set up two-way authentication. See Using WebLogic SSL for instructions.

    5. Set up WebLogic Server users for clients with certificates by adding weblogic.password.username=password properties to the weblogic.properties file. The username must match the email name in the certificate.

      You can test this example using the demonstration certificates in the myserver subdirectory of your WebLogic installation. The democert1024.pem file is a client certificate that contains the email address "support@weblogic.com". To authenticate a client that submits this certificate, you must set up a "support" user in the weblogic.properties file by adding a property such as:

        weblogic.password.support=anything

      Although SimpleCertAuthenticator accepts the certificate as the client's credential, a client that connects without SSL presents no certificate and must supply the password.

    6. Grant permissions to the new users by creating or modifying Acls in the weblogic.properties file.

    7. Start WebLogic Server.

    8. Connect to WebLogic Server using two-way authentication. You can do this from a browser by requesting an HTTPS connection to an Acl-protected resource. The client certificate must be installed in the browser. If you use the demonstration certificate, you cannot use a browser to test the CertAuthenticator; use a Java client instead.

      From a Java client, you set the authentication parameters in the JNDI environment before you get the InitialContext. Specify the T3S protocol and the WebLogic Server SSL listen port in the Context.PROVIDER_URL environment variable, for example t3s://localhost:7002. Pass the client certificate file and private key in an InputStream array in the Context.SECURITY_CREDENTIALS environment variable. See AltClient.java in the weblogic.security.acl for an example of two-way authentication from a Java client using the demonstration certificate.

    If you connect from a browser to a protected resource using the plain HTTP port, the browser should request a username and password. However, when you connect using the HTTPS port, SimpleCertAuthenticator establishes your identity without your having to log in.
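    An added sketch of the Java-client side of step 8 (this is not AltClient.java and is not part of the original example). It builds the JNDI environment the step describes: the T3S URL in Context.PROVIDER_URL and the certificate and private-key streams in an InputStream array under Context.SECURITY_CREDENTIALS. The initial-context factory class name is WebLogic's standard one but is not shown on the page; the file paths are placeholders; and the order of the two streams (certificate first, then key) is an assumption, so match whatever AltClient.java does.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

/**
 * Added sketch of a two-way SSL Java client over T3S. Not the page's
 * AltClient.java. Paths are placeholders; the stream order is an assumption.
 */
public class TwoWaySslClient {

    /** Build the JNDI environment for a T3S connection with certificate credentials. */
    public static Hashtable<String, Object> sslEnvironment(String providerUrl,
                                                            InputStream certPem,
                                                            InputStream keyPem) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        // WebLogic's JNDI provider (not shown on the page).
        env.put(Context.INITIAL_CONTEXT_FACTORY, "weblogic.jndi.WLInitialContextFactory");
        // T3 over SSL against the server's SSL listen port, e.g. t3s://localhost:7002.
        env.put(Context.PROVIDER_URL, providerUrl);
        // Client certificate and private key as streams. ASSUMED order: certificate, then key.
        env.put(Context.SECURITY_CREDENTIALS, new InputStream[] { certPem, keyPem });
        return env;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths: the demonstration certificate lives in the myserver
        // subdirectory of the installation; the key file name is not given on the page.
        InputStream cert = new FileInputStream("path/to/democert1024.pem");
        InputStream key = new FileInputStream("path/to/client-private-key.pem");
        try {
            // Creating the context opens the T3S connection; the server's
            // CertAuthenticator maps the presented certificate to a WebLogic user.
            Context ctx = new InitialContext(sslEnvironment("t3s://localhost:7002", cert, key));
            try {
                System.out.println("connected and authenticated via client certificate");
            } finally {
                ctx.close();
            }
        } finally {
            key.close();
            cert.close();
        }
    }
}
```

    The private-key file is the client's identity: keep it readable only by the account that runs the client, and never place it under a web-accessible directory on the server.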

    there's more...

    For more information about WebLogic SSL and certificates, see Using WebLogic SSL.