Posts

Showing posts from 2011

Why JAVA 1.6 HTTP client can authenticate (using SPNEGO) only against certain WebLogic versions?

The Java 1.6 HTTP client inherits support for SPNEGO via Java GSS. This is listed at: http://docs.oracle.com/javase/6/docs/technotes/guides/security/jgss/jgss-features.html

From the WebLogic side, the answer (to the question why the Java HTTP client only works with certain versions) lies in a simple test: run a "supported" browser and the Java fat client against the same version of WebLogic and then analyze the network dumps. The network dumps show:

For the Java fat client (not working against WebLogic 10.3.3):

GSS-API Generic Security Service Application Program Interface
    OID: 1.3.6.1.5.5.2 (SPNEGO - Simple Protected Negotiation)
    Simple Protected Negotiation
        negTokenInit
            mechTypes: 1 item
                MechType: 1.2.840.113554.1.2.2 (KRB5 - Kerberos 5)

For the browser (working against WebLogic 10.3.3):

GSS-API Generic Securit

com.bea.security.saml2.service.SAML2Exception: [Security:096575]The URL for relay state too long

In IdP-initiated SSO, you might have a JSP/HTML resource at the IdP end where SP services are defined with a form snippet similar to:

<input type="hidden" name="SPName" value="<%=spname%>">
<input type="hidden" name="RequestURL" value="<%=requestURL%>">
<input type="hidden" name="param1" value="<%=value1%>">
<input type="hidden" name="param2" value="<%=value2%>">
<input type="hidden" name="param3" value="<%=value3%>">

However, you get the following exception whenever the SP service is invoked from the above JSP/HTML:

####<Sep 29, 2011 2:01:14 PM IST> <Debug> <SecuritySAML2Service> <MyMac> <AdminServer> <[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1311113162898>

Giving non-admin users the permission to access MBeans

Sometimes a JEE application deployed on WebLogic needs access to MBeans (server, domain or custom MBeans). With the WebLogic default administrator user, or any other user who belongs to the default administrator group "Administrators", this is quite easy. However, it is not good practice: the admin credentials would be unnecessarily exposed to the application, which in turn may have security consequences. So the question comes up: can we avoid using these admin credentials and instead use appropriate, role-based credentials in our application? The answer is yes; this requirement involves working with JMX policies. WebLogic provides a way to create new JMX policies as well as to modify the existing (default) ones. So what you can do is use the JMX policy editor to grant a non-admin user/group write access to the required MBean. The JMX policy editor is described here. Also refer to this to enable the JMX policy editor if it i

KrbException: Specified version of key is not available (44)

I have run into this problem many times. This happens each time I change the password of the user account under which I have set the SPNs for my WebLogic Server instance. When I checked Wireshark traces, I could see the browser sending a SPNEGO token to WebLogic, and this token had kvno as "6". But when I checked my keytab file (on the WebLogic side, using the command "klist -ke -t mac5keytab"), I could see "5" as the kvno against the HTTP principal. Digging deeper, I used "ADSIEdit.msc" on my AD server, opened the user account and could see that the value of the attribute "msDS-KeyVersionNumber" was "6". So a password change increments this attribute value and the browser sends the latest "kvno" (in agreement with the KDC, I suppose). I also ran into the same error when I enrolled a Windows 2008 R2 server with Windows 2003 (where my AD and KDC are located). This happened even when I had used a totally different user account during the enroll process.

Some help with Kerberos SSO

Oracle Java SE 1.6 has an inbuilt HTTP client that now supports the SPNEGO Negotiate HTTP authentication scheme, with Kerberos as well as NTLM as the underlying mechanism. We can harness this client and use it in place of Internet Explorer (IE) to troubleshoot Kerberos SSO issues against a WebLogic instance. This makes sense because it is a real challenge to make IE run in a debug mode that shows what is going on behind the scenes. Using the JSE HTTP client, we can enable debug flags and easily see a lot of "relevant" information. Here you go!

1. We will code a simple Java class that uses the JSE 1.6 HTTP API (to turn itself into an HTTP client). Here is the sample class:

import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.CookieHandler;
import java.net.CookieManager;
import java.net.CookiePolicy;

public class JSEHTTPClient{
public static void main(S

Configuring Kerberos SSO for JEE application deployed on WebLogic instance running on Linux host

No room for confusion!

Kerberos – A computer network authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner.

SPNEGO – Stands for "Simple and Protected GSS-API Negotiation Mechanism". It is a pseudo security mechanism that enables GSS-API peers to determine in-band whether their credentials support a common set of one or more GSS-API security mechanisms; if so, it invokes the normal security context establishment for a selected common security mechanism. The primary intention of SPNEGO is to allow a client and server to negotiate a security mechanism for authentication.

KDC – Stands for Key Distribution Center. It is the authentication server in a Kerberos environment. Its function is to distribute tickets for access to the services. Generally, the KDC is composed of three parts: the database as the container for entries associated with the users and services, the Authenticat