remove the Weblogic realm authentication

k668

　　

Setting the Oracle WebLogic enforce-valid-basic-auth-credentials Flag to False

The enforce-valid-basic-auth-credentials is a domain-wide setting and this means that if a client application sends an authorisation header using basic-auth, WebLogic will intercept the call and the application user will be presented with a login prompt. If your application contains spring handlers and you do not want WL to stick it's nose into the auth, then you can set this setting to false as it is set to true by default. You can read on to learn a few tricks...



Note: For WebLogic Server versions 9.2 and later, client requests that use HTTP BASIC authentication must pass WebLogic Server authentication, even if access control is not enabled on the target resource, and this is why we want to turn it off.

============================================

Editing config.xml

To set the e enforce-valid-basic-auth-credentials flag, perform the following steps:

1. Add the <enforce-valid-basic-auth-credentials> element to config.xml within the <security-configuration> element.

<enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials>

</security-configuration>

2. Start or restart all of the servers in the domain.

=============================================

Using WebLogic Scripting Tool (WLST)

Using WLST to Check the Value of enforce-valid-basic-auth-credentials

The Administration Console does not display or log the enforce-valid-basic-auth-credentials setting. However, you can use WLST to check the value in a running server. Remember that enforce-valid-basic-auth-credentials is a domain-wide setting.

The WLST session shown below demonstrates how to check the value of the enforce-valid-basic-auth-credentials flag in a sample running server.

Example:

wls:/offline> connect('weblogic','weblogic123','t3://localhost:7002')
Connecting to t3://localhost:7002 with userid weblogic ...
Successfully connected to Admin Server 'AdminServer' that belongs to domain 'base_domain'.

Warning: An insecure protocol was used to connect to the
server. To ensure on-the-wire security, the SSL port or
Admin port should be used instead.

wls:/base_domain/serverConfig> cd('SecurityConfiguration')
wls:/base_domain/serverConfig/SecurityConfiguration> ls()
dr-- base_domain

wls:/base_domain/serverConfig/SecurityConfiguration> cd ('base_domain')
wls:/base_domain/serverConfig/SecurityConfiguration/base_domain> ls()
dr-- DefaultRealm
dr-- Realms

-r-- AnonymousAdminLookupEnabled false
-r-- ClearTextCredentialAccessEnabled false
-r-- CompatibilityConnectionFiltersEnabled false
-r-- ConnectionFilter null
-r-- ConnectionFilterRules null
-r-- ConnectionLoggerEnabled false
-r-- ConsoleFullDelegationEnabled false
-r-- Credential ******
-r-- CredentialEncrypted ******
-r-- CrossDomainSecurityEnabled false
-r-- DowngradeUntrustedPrincipals false
-r-- EnforceStrictURLPattern true
-r-- EnforceValidBasicAuthCredentials true
-r-- ExcludedDomainNames null
-r-- Name base_domain
-r-- NodeManagerPassword ******
-r-- NodeManagerPasswordEncrypted ******
-r-- NodeManagerUsername 2btxdeGF98
-r-- Notes null
-r-- PrincipalEqualsCaseInsensitive false
-r-- PrincipalEqualsCompareDnAndGuid false
-r-- Type SecurityConfiguration
-r-- WebAppFilesCaseInsensitive false

-r-x findDefaultRealm WebLogicMBean :
-r-x findRealm WebLogicMBean : String(realmDisplayName)
-r-x findRealms WebLogicMBean[] :
-r-x freezeCurrentValue Void : String(attributeName)
-r-x generateCredential [B :
-r-x isSet Boolean : String(propertyName)
-r-x unSet Void : String(propertyName)



here are the command I used to edit the setting using 
edit()
startEdit()
cd(‘SecurityConfiguration’)
cd('YOUR_DOMAIN')
set(‘EnforceValidBasicAuthCredentials’,'false’)
save()
activate()





Note: This will create an entry in your config.xml of the value false

Lets list the result in WLST






Now we have Disabled the Security Intercept!

WebLogic sometimes intercepts login requests, making it impossible for your app to authenticate correctly. You can now prevent WebLogic from intercepting login requests.

==========================

Here is a script to do this automatically

"""
This script starts an edit session, and modifies the EnforceValidBasicAuthCredentials setting which
equates to the <enforce-valid-basic-auth-credentials>false</enforce-valid-basic-auth-credentials> in config.xml 
"""

import sys
from java.lang import System

# Global Variables
usr = "weblogic"
password = "weblogic123"
domain = "base_domain"
url = "t3://localhost:7002"

def setAuth(authSetting):

connect(usr,password,url)
edit()
startEdit()
cd('SecurityConfiguration')
cd(domain)
set('EnforceValidBasicAuthCredentials',authSetting)
save()
activate()

#-----------------------------------------------------------------
# Auth setting
#-----------------------------------------------------------------
def Configure(authSetting):
if authSetting == "":
ScriptUsage()
else:
setAuth(authSetting)

#-----------------------------------------------------------------
# Usage
#-----------------------------------------------------------------
def ScriptUsage():
print "----------------------------------------------------------------------------------------------------------------"
print ""
print " ERROR: Invalid usage, correct usage is:"
print " java weblogic.WLST configureAuth.py {boolean}"
print ""
print " e.g.: java weblogic.WLST configureAuth.py false" 
print ""
print "----------------------------------------------------------------------------------------------------------------"
print ""


#-----------------------------------------------------------------
# Main
#-----------------------------------------------------------------
if len(sys.argv) != 2:
ScriptUsage()
else:
Configure(sys.argv[1