In our recent Label Security presentation we used a feature called Proxy Authentication. This allowed us to connect to the database as one user, but proxy the credentials of another so that we can access resources that proxied user can see. Without this we wouldn’t be able to use Label Security with our OSB services. It’s been brought to my attention that this is a useful feature that others would be interested in, but it’s hidden within my other post. So I’ve extracted the material out here to its own post so it can be found easier. Enjoy!
The first step in configuring Proxy Authentication is creating our proxy user. This user will be able to connect to the database and proxy the other users, but won’t be able to see any tables.
To configure this in your database, run the following in SQL*Plus to create the proxy user, ‘sec_osb’ (it only gets the CONNECT role, so it can open sessions but owns and sees nothing):

connect dvacctmgr/welcome1
create user sec_osb identified by welcome1;
GRANT CONNECT TO sec_osb;
Now we have to let the proxy user proxy as each of our users. In my previous demo I had 2 users, so the SQL would be:
alter user SECDEMO_jcooper GRANT CONNECT THROUGH sec_osb;
alter user SECDEMO_cdoyle GRANT CONNECT THROUGH sec_osb;
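The following SQL*Plus script is an added verification example, not part of the original post. It uses the post's demo values (dvacctmgr, sec_osb, SECDEMO_jcooper, SECDEMO_cdoyle, welcome1); the table name secdemo_jcooper.employees and the role secdemo_reader are assumed placeholders. It shows how to audit who may proxy whom, confirms that a proxied session records both the client and the proxy account, and goes slightly beyond the post by showing the WITH ROLE restriction and how to revoke a proxy grant.

```sql
-- Added example (not from the original post). Run in SQL*Plus.
-- Assumed: dvacctmgr can query PROXY_USERS and alter the demo users.

-- 1. Audit the proxy relationships that exist for sec_osb.
--    PROXY_USERS lists every (proxy, client) pair in the database.
connect dvacctmgr/welcome1
SELECT proxy, client, authentication
  FROM proxy_users
 WHERE proxy = 'SEC_OSB';

-- 2. Confirm the proxy user on its own cannot read application data.
--    (Assumed table name; substitute one from your demo schema.
--     With only CONNECT, this statement should fail.)
connect sec_osb/welcome1
SELECT COUNT(*) FROM secdemo_jcooper.employees;

-- 3. Open a proxied session as jcooper. SQL*Plus syntax is proxy[client]/password,
--    which is what the WebLogic data source does for you once
--    'Oracle Proxy Session' is ticked.
connect sec_osb[SECDEMO_jcooper]/welcome1

-- SESSION_USER is the proxied client; PROXY_USER is the account that
-- actually authenticated. Both are available to the audit trail, so a
-- proxied action is never attributed to sec_osb alone.
SELECT SYS_CONTEXT('USERENV', 'SESSION_USER') AS sess_user,
       SYS_CONTEXT('USERENV', 'PROXY_USER')   AS proxy_acct
  FROM dual;

-- The same query as step 2 now runs with jcooper's privileges
-- (and Label Security policies), not sec_osb's.
SELECT COUNT(*) FROM secdemo_jcooper.employees;

-- 4. Least privilege: limit what a proxied session may exercise.
--    WITH ROLE restricts the client's enabled roles to the list given
--    (assumed role name), so a compromised proxy account cannot use
--    every role the client holds.
connect dvacctmgr/welcome1
ALTER USER SECDEMO_jcooper GRANT CONNECT THROUGH sec_osb WITH ROLE secdemo_reader;

-- 5. Remove a proxy relationship that is no longer needed.
ALTER USER SECDEMO_cdoyle REVOKE CONNECT THROUGH sec_osb;
```

Run it once after the GRANT CONNECT THROUGH statements above and again after the WebLogic data source is in place; the PROXY_USERS query is the one to keep in a periodic review, since every row is an account that can act as another user.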
Now that we’ve configured our proxy user we need to create our database connection in WebLogic. You could install your own version of WebLogic, but for this demo I’m just going to use the integrated WebLogic that comes with JDeveloper (make sure to download the SOA Quickstart version, which includes OSB). Just click ‘Run’->’Start Server Instance’ from the menu to start WebLogic. Once it’s started, go to ‘localhost:7101/console’ and let’s start configuring our data source.
- Go to ‘Services->Data Sources’ and click ‘New (Generic Data Source)’.
- Enter a name (SecureOSB) and a JNDI name (jdbc/proxy/sec_osb).
- Keep moving through the wizard until you get to the ‘Connection Properties’ page. Enter the details as follows:
  - Database Name: orcl
  - Host name: localhost
  - Port: 1521
  - Database User Name: sec_osb
  - Password: welcome1
- Click ‘Next’ and, on the next page, tick the box next to ‘Default Server’ to target this data source to our server.
Before we proceed we need to create some users in our WebLogic security realm. We will use these users later when we are authenticating with our web service. This is pretty straightforward: just go to ‘Security Realms’ from the left-hand menu and click the default realm (myrealm). In a real-world example you may not have to create users, as you could use the LDAP/Active Directory service that you configured in WebLogic. Click ‘Users and Groups’ and add 2 users: jcooper and cdoyle.
Now go back to the data source we created and click the ‘Oracle’ tab (under ‘Configuration’). Check the box next to ‘Oracle Proxy Session’. This will tell WebLogic to use Proxy Authentication when connecting to the database.
Now we need a way to map the WebLogic users we created to their respective database users (i.e. jcooper = SECDEMO_jcooper). To do this go to the ‘Security’ tab and click ‘Credential Mappings’. Add 2 mappings to map between our WebLogic users and our remote database users.
Note: This may seem like an onerous task; if we were using this in real life we might have to map between hundreds of logins! But you can simplify this process by using the Oracle Identity and Access Management tools. Talk to your local friendly Oracle representative for more details.
And with that you’ve configured a data source in WebLogic that can use Proxy Authentication.