Create a Realm in Websphere Application Server 8.5 - security

I am looking for a simple way to create a "realm" within WAS 8.5. I am specifically looking for something similar to the APACHE realm system in which a user, upon first access to a site, is presented with a javaScript username / password dialog and, if authenticated, is allowed to use the site. In Tomcat, this is accomplished by modifying the tomcat-users.xml file, adding a username, passowrd and role. Any suggestions are appreciated.

In WebSphere it is already built in, you just need to configure repository from where you want to take users e.g internal file based, or LDAP.
Than you need to enable Application security via Global Security.
Check this page for more details Enabling security

I followed these steps to implement basic authentication. http://itcareergrowth.com/blog/2018/02/25/configuring-basic-authentication-in-web-sphere-application-server/#.WpQiSOdMGUk

Related

Propagate user access right from an authentication web page to other html only web pages on the server?

I want to create a web page, that will serve to authenticate users based on credentials I give them (user1, pswd1 etc).
Only after a user authenticated, he should have access to a few other web sites,
on different folders of the web server, but which have no server side code(otherwise it would be simple.)
The user should be allowed access to the other sites, e.g. based on his IP,
for 24 hours or another period, or while he has the authentication site open on his browser.
The purpose if that the user will not have to enter credentials on each site,
and will enter his credentials only once, or once a day.
Restrictions:
I don't want to modify the target web site javascript code at all, e.g. to query a web service.
The user should be granted access using any browser,
so I assume I cannot use cookies.
If I would develop such a mechanism on Apache,I could, for example, have the authentication site PHP code add a line "Allow from ip" to the htaccess file of each target web folder, whenever a user authenticated successfully.
The issue is that I don't want to develop it as I am sure a solution already exists, and also I need a similar mechanism for both Apache and node.js (although i can live with two different solutions)
What information does the user have to identify themselves? How do you guarantee the user is who they say they are?
The whole point of authentication is to establish the user is who they say they are and that may create a session so that users need not reauthenticate.
If you want the user to authenticate in a single location and then reuse that "session" or set of credentials elsewhere, what you are looking for is single-sign-on / identity federation.
For instance, take airbnb.com. I do not need to authenticate there. All I have to do is authenticate with a third-party e.g. Google or Facebook. As a matter of fact, SO works in the same way.
One of the standards behind this technique is called Open ID Connect. Look into that. If you are willing to dish out money, you can look into commercial solutions e.g. Ping Identity. There is an open source implementation provided by Mitre / the MIT. It's available here.
In fact it occurs to me I can use simple routing.
In the top level folder have php code that does the authentication.
If the user is authenticated, route/redirect to the requested target site,
based on the requested url.
The url should be for example http://mysite/site1, where the authentication code is in the folder mysite, and site1 is not directly accessible.
Perhaps I can use something like php-express to reuse the same php code on node.js.

Websphere Application Login

I was trying to register an Application Login Module in Websphere but I don´t find any easy example in web.
There are a lot of IBM documents, but too much complex, and I can´t figure out how to register an Application Login Module.
I already have success with a System Login Module bounded to WEB_INBOUND, it works, but affects all my system. I want a Login Module to serve only my applications web, with JAAS authentication.
I´ve tried to bound a login module to existing WSLogin but it doesn´t seems to be working.
Any help ?
tks[]
You need to setup security domains to get the separation you are looking for wrt to the login configurations. The security framework uses the WEB_INBOUND login configuration to authenticate the user for all web applications irrespective of adminConsole or user applications. When you create a security domain and customize the WEB_INBOUND configuration at the server/cluster domain level, it will be used for all the user web applications deployed in those processes. You need to setup the multidomain in a cell topology and assign the domain to the server/cluster where you applications are deployed.
Once you setup the domains, the WEB_INBOUND configuration at the server/cluster domain will be used by the user applications hosted in that server/cluster while the WEB_INBOUND configuration at the admin/global domain will be used for the adminConsole application at the Deploymener Management process where it is deployed.
The application JAAS login configurations are meant to be used by the applications directly. One can create an application login configuration and programmatically use it in the application to perform direct login -
LoginContext lc = new LoginContext("myAppLoginCfg1", callBackHandler);
I asked around and this is the answer that comes from the owner of container security:
The WEB_INBOUND is a JAAS system login that is always configured by default. However, you can specify your own JAAS application login or customize the existing WEB_INBOUND system login. If you want only one application to use a different JAAS login from all your other applications, you can use a security domain that has those different security configurations. The only catch is that application server has to be in a separate server from the other apps. That way, you can map your security domain to that server.
Here's an info center article about security domains:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/tsec_sec_domains_config.html?cp=SS7K4U_8.5.5%2F1-8-2-33-1
And one on application logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/rsec_logmod.html?cp=SS7K4U_8.5.5
And system logins:
http://www-01.ibm.com/support/knowledgecenter/#!/SS7K4U_8.5.5/com.ibm.websphere.zseries.doc/ae/usec_sysjaas.html
And here is a much more practical answer that comes from the security dev lead:
So an additional question is - why would you want to do that? Do you want to do anything specific for just one app during login that you do not want for other app logins? (I would think so) You can get the app name in your custom login module and can use that to provide your own app based login requirement in your login module (or skip it) if needed.
Me: Ya, this is what I would do. You can also implement this based on what is in the request. I did one where it would request a SAML token from an STS and put it on the runas subject if I could tell that the request came from WebSeal (and not if it didn't).
If what you need to do for the 'app-specific' case requires skipping what is done in ltpaLoginModule and wsMapDefaultInboundLoginModule (that should run for the other apps), you can't really do that. However, you can modify their behavior.
Read through the task I've given a link to below. Yes, I understand it is a WS-Security task, but its about using APIs. You'll get what I'm talking about if you read closely, particularly the 3rd ("When a caller...") and 5th ("To use a..") paragraphs. The parts that you should be concerned about in the code is the WSCREDENTIAL* stuff.
http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/twbs_config_wssec_caller_no_reg.html

Using the Domino Web Login and secondary NAB for non-notes web applications

I tried to do some research on this matter but couldn't really find anything. So, I was just wondering if anyone ever did something like this or if it would even make sense to do it that way:
Lets say, you have a secondary NAB for users who don't have a notes ID but need access to your web-enabled Notes / XPages applications.
Now, a non-notes web application wants to allow the same set of users access to their application.
Could this application use the Domino Web Login, so, user can log in into the non-notes web application?
How would a redirect work after a successful / failed log in attempt?
Would you use JSON / WebServices for that, or how would you implement it?
I know it is a rather general question, but I was just wondering.
Any response would be highly appreciated.
Thank you.
Daniel
If the other server can use LDAP for authentication, then you can configure Domino's LDAP task and set up Domino's Directory Assistance to expose your secondary address book to LDAP, and configure the other server to use the Domino LDAP as it's authentication source.
Note that this is not a single sign-on solution, so separate login will still be required for the non-Domino application. It does get you a single authentication source, though.

Liferay: Using the roles configured in an external application

Whether liferay can use the roles/permissions that is configured outside liferay? The reason behind is that the legacy application have its own mechanism for user and role configuration.
Can any one please help me on this?
Regards
Vishal G
Liferay does integrate with LDAP, should you configure it so, so that your LDAP directory holds the users and their roles etc. You can likely add some other code to interface with another user database, but I'd start with the LDAP environment, as you don't say what kind of technology you're talking about.
If it's homegrown, I'd consider either exporting to LDAP or taking the LDAP interface as blueprint for embedding your own solution.

How can I protect ASP.NET sites behind a Windows password and forms authentication?

I'm developing an ASP.NET MVC site that utilizes forms authentication for part of the application. During development, I need to be able to give external parties access to a development server hosting the site. Since I don't want to expose the site to the entire internet, I need to password protect it while still allowing forms authentication to be in use.
Mixing of Windows and forms authentication doesn't work. Is there a standard way of doing this? I would have to think this is a common scenario. The article on MSDN doesn't seem to apply to my situation: http://msdn.microsoft.com/en-us/library/ms972958.aspx
Update: The first two answers suggest adding in standard IIS basic/digest authentication. As far as I know, this is not compatible with forms authentication because the user's identity will be set to the Windows account, not the identity used through forms authentication. I need the two to be completely independent. Any thoughts?
You could protect it in IIS, give those details to the external parties, and leave the forms auth as it is.
Disable anonomous access to force the users to login via a windows account before accessing the site.
I knew a guy who did this using Apache and a reverse proxy.
http://www.apachetutor.org/admin/reverseproxies
Well unfortunately what you're trying to do is not possible in IIS7 (integrated mode), but there is a workaround. I suggest you to read this article written by Mike Volodarsky a former program manager for IIS7 at Microsoft. Article addresses your problem and there is even a sample code you could use.

Resources