Monday, August 2, 2010

Does WebLogic Server always need to be integrated with Oracle Access Manager?

I have had this question in my mind for a while: does WebLogic Server always need to be integrated with Oracle Access Manager?
Well, no. It depends on what needs to be achieved. To protect an application deployed in WebLogic Server with Oracle Access Manager, you normally integrate the two through the OAM Identity Asserter in the WebLogic security realm (the common method). But if the WebLogic application only reads HTTP header variables passed to it by a front-end system (for example a reverse proxy with a WebGate on it), and the WebLogic realm is configured with an Authenticator that talks to the OAM user directory to fetch the user and group membership and set the user subject, then the Identity Asserter integration is not required. One condition must hold in that setup: the header is only trustworthy if every request reaches WebLogic through the WebGate-protected proxy. If WebLogic is reachable directly, a client can supply the header itself and impersonate any user, so network access to the WebLogic listen ports must be restricted to the proxy, and the proxy must overwrite any client-supplied copy of the header.

My research results are:
The setup is a very simple application (one that just reads HTTP header variables) deployed on WebLogic Server. A security provider (an Authenticator) is created in the WebLogic realm to talk to the OAM user directory (an LDAP server). A reverse proxy with a WebGate on it sits in line in front of the WebLogic server, and the application is protected in OAM with an authentication scheme.
When you access the application, Oracle Access Manager prompts for login details. After OAM has authenticated and authorized the user, the request reaches the WebLogic server, where the principal is set and the Authenticator fetches the group membership details to populate the WebLogic user subject. In other words, the user authenticated by OAM is present as a principal in WebLogic Server.
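What the application side of this setup looks like, as an added example that is neither the blog's code nor Oracle's: a servlet that reads the user from the header variable but refuses to trust it unless the request demonstrably arrived through the WebGate reverse proxy, and prints the container identity next to it for comparison. The header name OAM_REMOTE_USER, the proxy addresses and the class name are assumptions for illustration; check the real header name in your WebGate configuration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not the blog's code): a WebLogic-deployed servlet that takes
 * the user identity from a header set by the WebGate/reverse proxy, but only
 * when the request came from that proxy.
 */
public class HeaderIdentityServlet extends HttpServlet {

    // ASSUMPTION: the header name your WebGate is configured to set for the
    // authenticated user. Confirm the actual name in the WebGate/OAM policy.
    static final String USER_HEADER = "OAM_REMOTE_USER";

    // ASSUMPTION: the only addresses allowed to sit in front of this server.
    // Enforce the same restriction at the firewall; this check is defence in depth.
    static final Set<String> TRUSTED_PROXIES =
            new HashSet<String>(Arrays.asList("10.0.0.5", "10.0.0.6"));

    /**
     * Returns the user asserted by the proxy, or null when the header must not
     * be trusted: the request did not come from a trusted proxy, or the header
     * is absent or empty. Kept free of servlet types so it is easy to unit test.
     */
    static String userFromHeader(String remoteAddr, String headerValue) {
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return null;            // direct hit on WebLogic: header could be forged
        }
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return null;            // proxy did not assert a user
        }
        return headerValue.trim();
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String headerUser = userFromHeader(req.getRemoteAddr(), req.getHeader(USER_HEADER));
        if (headerUser == null) {
            // Refuse rather than fall back to an anonymous session.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "identity header missing or not from the WebGate proxy");
            return;
        }

        // Container identity: non-null only when a WebLogic provider (for
        // example an Identity Asserter) has populated the subject. With the
        // header-only setup described above it may be null.
        String containerUser = req.getRemoteUser();

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("User from header    : " + headerUser);
        out.println("User from container : " + (containerUser == null ? "(not set)" : containerUser));
        out.println("Header and container agree: " + headerUser.equals(containerUser));
    }
}
```

A remote-address check is the simplest way to prove a request traversed the proxy. Where a load balancer hides the proxy's address, a secret header inserted by the proxy or mutual TLS between the proxy and WebLogic does the same job. Either way, the proxy must overwrite any copy of the header a client sends, and the WebLogic listen ports should not be reachable from clients directly; otherwise the header-only approach gives no protection at all.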

The next experiment will be to test the sample application again, but this time taking the user ID from the container (the WebLogic subject) rather than from the header variable.

So stay tuned to this blog for more interesting topics!