Security Realm for an application within WebSphere 7.0 - security

We are testing using security realms with our web application. In test we will be going against Microsoft Active Directory. Production will go against a custom realm. I have this working great in Tomcat, but can't seem to get this working in WebSphere. I have created a Security Domain (foo-ldap) within WebSphere that can connect to the AD. For now I have applied foo-ldap to the server1 scope. I'm not getting redirected to authenticate.faces when hitting /servlet/LoginServlet.
Web.xml and Tomcat config included below.
Tomcat config:
    <Realm className="org.apache.catalina.realm.JNDIRealm"
           connectionURL="ldap://ActiveDirectorySrv:389"
           connectionName="CN=ldap user,CN=Users,DC=foo,DC=com"
           connectionPassword="Password1"
           referrals="follow"
           userBase="CN=Users,DC=foo,DC=com"
           userSearch="(&(objectCategory=user)(sAMAccountName={0}))"
           userSubtree="true"
           userRoleName="memberOf"
           roleBase="CN=Users,DC=foo,DC=com"
           roleSubtree="true"
           roleName="cn"
           roleSearch="(member={0})"/>
Web.xml:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/servlet/LoginServlet</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Developers</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/authenticate.faces</form-login-page>
        <form-error-page>/loginFailed.faces</form-error-page>
      </form-login-config>
    </login-config>
    <security-role>
      <role-name>Developers</role-name>
    </security-role>

The issue I was running into was twofold.
The configuration for the security context exists in the web.xml. It must be present in the installed war at application install time. We had the config commented out so developers wouldn't need to give credentials when debugging, and I was trying to uncomment it after deploying the war.
You must map roles to your security realm at install time. We have a script that deploys the applications, and without modification the roles were not mapped and the ability to map roles after install was not available. Even when installing from the IBM console site, you have to select detailed install and map groups at install time or the link to map is not available.
Once I got the security installed and the redirect to the login page working, we had one other issue. I'm not sure if this is an issue with our JSF code or not, but I could not redirect to a page that used JSF within WebSphere (works fine with Tomcat). Our solution was to just use a jsp page for the authentication page.
Hope this helps someone else.
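One way to ship the role-to-group mapping inside the EAR so a scripted install picks it up without a console step, as an added example (not the poster's own files): a META-INF/ibm-application-bnd.xml binding file for WebSphere 7. The AD group name "Developers" and the mapping of one group per role are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Assumes the AD group that should
     hold the Developers role is also called "Developers"; adjust to your realm. -->
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
                                     http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
                 version="1.0">
  <!-- The role name must match <security-role> in web.xml exactly. -->
  <security-role name="Developers">
    <!-- Map to a group rather than individual users so membership is managed in AD. -->
    <group name="Developers"/>
    <!-- Alternative for "any logged-in user", kept commented out on purpose:
         <special-subject type="ALL_AUTHENTICATED_USERS"/> -->
  </security-role>
</application-bnd>
```

The file is read at install time, so it has to be in the EAR before the deployment script runs, just like the security section of web.xml.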

Related

How to make welcome page unprotected for form based authentication in websphere

My welcome screen is kind of home screen of any website (should be unprotected resource).
Say http://domain:port/myApp which redirects to the jsp file configured in welcome-file-list of web.xml say welcome.jsp.
But on click of any link present on welcome.jsp, those resources must be protected and corresponding urls will be like http://:port/myApp/someRequest
I have used below changes in deployment descriptor :
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>SuperUser</role-name>
      </auth-constraint>
      <user-data-constraint>
        <description>Encryption is not required for the application in general.</description>
        <transport-guarantee>NONE</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <security-constraint>
      <web-resource-collection>
        <url-pattern>/styles/*</url-pattern>
        <url-pattern>/welcome.jsp</url-pattern>
      </web-resource-collection>
    </security-constraint>
    <login-config>
      <auth-method>FORM</auth-method>
      <realm-name>MyRealm</realm-name>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/loginerror.jsp</form-error-page>
      </form-login-config>
    </login-config>
The issue is that my home page, i.e. welcome.jsp, is still protected and the application redirects to the login screen on WebSphere Application Server, but it works fine in Tomcat and WildFly.
How do I make http://:port/myApp unprotected in WebSphere?
The WebContainer does not determine if it needs to use a welcome page for a specific request until the request is processed by the default servlet. When the WebContainer determines that there are no servlets mapped to this request, it will set the default servlet as the target which will then check if a welcome page is needed. Before servicing the default servlet, the WebContainer invokes the security checks, which is where the request URI will be compared against the defined security constraints. The request URI in this scenario (/myApp) matches the /* constraint defined, so the authentication process will be triggered.
This is working as designed. In order to get the desired behavior, the security constraints will need to be made more specific instead of just /*. One possibility is to keep all static resources intended to be secured in a separate directory and define a constraint for that directory, for example /secured/*. For servlets you can define a servlet mapping pattern to use for secured servlets and add a more specific constraint to your security configuration to match that pattern similarly to the static resource example above.

Websphere extendedDocumentRoot how to restrict by security role

We are using Websphere 8.5.5 Traditional
I have added an extended document root to WebSphere's ibm-web-ext.xml file and set file serving to true.
    <fileServingAttribute name="extendedDocumentRoot" value="C:/extdocroot"/>
    <enable-file-serving value="true"/>
Inside the extended document root folder (C:/extdocroot) is a folder called pdfs. I would like to restrict the pdfs folder to only users who have logged in and have a particular role of 'school'.
The URL to serve up the PDFs is https://domain-name:9080/context-path/pdf/pdf-name.pdf
I added a security constraint in the web.xml file
    <security-constraint>
      <display-name>school PDFs</display-name>
      <web-resource-collection>
        <web-resource-name>School PDFs</web-resource-name>
        <url-pattern>/pdf/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>school</role-name>
      </auth-constraint>
    </security-constraint>
No matter what role a user is logged in as, the PDFs will get served by the server. WebSphere is ignoring the security constraint for the URL that serves up PDFs from the extended document root. Is it possible to constrain these PDFs by the roles a logged-in user has?
Note: My company has asked me to try and put these files outside of the ear file and also have Websphere secure the files using user's role. I was also instructed not to use the Apache HTTP Server to host these files since it is in the DMZ.
I have found that this was a bug in Websphere 8.5.5.11. After upgrading to 8.5.5.12 I was able to add security constraints in the web.xml for folders that were in the extended document root.
I have also tested this in Websphere 9.0.0.5 and everything worked as it should.

How to automatically redirect user to a protected page after login with j_security_check

I have a web application developed using JSF 1.2 running on JBoss AS7. Except for the login page, all other pages are protected. I also have a custom FormAuthenticator valve that needs to get triggered as part of the authentication process.
The login page uses j_security_check.
My core requirements are:
Present the user with the login page when they try to access a protected page (and take the user to the originally requested page after successful login).
If the user accesses the login page directly, take the user to a welcome page after successful login.
Requirement #1 works fine, when I attempt to access http://server.com/my-app/faces/protected1.jsp.
However, I get a 404 when attempting to access the web application by its context-root (i.e. http://server.com/my-app/).
I tried to use welcome-file attribute in web.xml and my web.xml looks as follows:
    <welcome-file-list>
      <welcome-file>/faces/protected1.jsp</welcome-file>
    </welcome-file-list>
    ...
    <!-- login config -->
    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/login.jsp</form-login-page>
        <form-error-page>/login-error.jsp</form-error-page>
      </form-login-config>
    </login-config>
    <!-- security constraints -->
    <security-constraint>
      <display-name>protected1</display-name>
      <web-resource-collection>
        <web-resource-name>protected1</web-resource-name>
        <url-pattern>/faces/protected1.jsp</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>protected1Group</description>
        <role-name>WebUserRole</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>WebUserRole</role-name>
    </security-role>
I have 2 questions:
Am I on the correct track trying to get welcome-file to behave as the default landing page after login (when the user accesses either the context-root of my app or the login.jsp directly)?
Why does the same thing work flawlessly if I change the welcome-file to an unprotected jsp (e.g. hello.jsp that has no security constraints)?
Any ideas are much appreciated! Thanks.
It doesn't make any sense to me to have your welcome file protected. Normally that would be the home page of a site, which anybody should be able to see. Then, if they click on some link to a protected resource such as 'My Stuff', that would take them to /faces/mystuff.something, which would be protected, so there would be a login before they got there.
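The layout both answers point at (unprotected welcome page, constraints scoped to a dedicated path and servlet mapping instead of /*), written out as one web.xml for Servlet 2.5. This is an added example serving the welcome-page question above and this one; it is not either poster's descriptor, and the /secured/* and /app/* paths, the SecuredServlet name and its class are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from either question. Paths /secured/*, /app/* and the
     servlet com.example.SecuredServlet are assumed names for illustration. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">
  <!-- Public landing page: /myApp and /myApp/ resolve here. No constraint
       below matches "/" or "/welcome.jsp", so no login is triggered. -->
  <welcome-file-list>
    <welcome-file>welcome.jsp</welcome-file>
  </welcome-file-list>
  <!-- Secured servlets get their own URL space so one constraint can cover them. -->
  <servlet>
    <servlet-name>SecuredServlet</servlet-name>
    <servlet-class>com.example.SecuredServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>SecuredServlet</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
  <!-- Static files that need a role live under /secured/; the servlet space is
       /app/*. No <http-method> list, so every method is covered. Links on
       welcome.jsp point into these paths, which is what triggers the login. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/secured/*</url-pattern>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>SuperUser</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- login.jsp and loginerror.jsp sit outside every constraint on purpose;
       a protected login page cannot be reached to log in. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>MyRealm</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginerror.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>SuperUser</role-name>
  </security-role>
</web-app>
```

A quick check after deployment: an unauthenticated GET of /myApp/ must return welcome.jsp, while a GET of /myApp/app/anything must redirect to login.jsp; if the first also redirects, a constraint pattern is still matching the context root.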

Configure username and password on Tomcat 5.5 application

I have a Tomcat 5.5 server and I deploy an application on it.
I have something like this: http://tocatServer:8088/MyApp
I want to limit the access of users at this address by putting a username and password, but I need help. I know that I must add roles in web.xml; I tried it but without success.
If possible I want to send the URL like this:
http://username:password#tocatServer:8088/MyApp
This URL is sent from a Java Swing application for getting a license from the servlet.
Thanks
To restrict the access to a webapp (or to a folder in the webapp URL) in Tomcat:
in webapps/MyApp/WEB-INF/web.xml add
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Entire webapp</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>member</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <!-- pay attention: BASIC is insecure, use it only for test, search for a more secure method -->
      <auth-method>BASIC</auth-method>
      <realm-name>Text reported when prompting the user for un and pw</realm-name>
    </login-config>
and in conf/tomcat-users.xml add
    <role rolename="member"/>
    <user username="bubi" password="bubi" roles="member"/>
Then reload the webapp and maybe restart Tomcat too.
Source: O'Reilly's Top Ten Tomcat Configuration Tips - 5. Configuring Basic Authentication
About the second question, I don't know how to realize it.
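The same BASIC setup with the two weaknesses the answer flags addressed, as an added example (not the answer's own config): a CONFIDENTIAL transport guarantee so the Basic header only travels over TLS, and a digesting realm so tomcat-users.xml holds hashes instead of plaintext. It assumes an HTTPS connector is already configured in server.xml with a matching redirectPort; the digest value is a placeholder.

```xml
<!-- Added example, not the original answer's files. Assumes an HTTPS connector
     exists in conf/server.xml. SHA_DIGEST_PLACEHOLDER is not a real hash. -->

<!-- webapps/MyApp/WEB-INF/web.xml -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire webapp</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL makes Tomcat redirect a plain HTTP request to the
       connector's redirectPort before the browser or client is challenged,
       so the base64-encoded Basic credentials never cross the wire in clear. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>MyApp license service</realm-name>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- conf/server.xml: the digest attribute tells the realm that stored
     passwords are hashed. Produce a value with: bin/digest.sh -a SHA <password> -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="SHA"/>

<!-- conf/tomcat-users.xml: the hash, not the password, is stored. -->
<role rolename="member"/>
<user username="bubi" password="SHA_DIGEST_PLACEHOLDER" roles="member"/>
```

A client such as the Swing application then has to send the credentials in the Authorization header over https rather than embedding them in the URL, which browsers and proxies would otherwise log.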

Configuring container-managed security in Weblogic

Anyone know of any guides for this? I'm a complete newbie to weblogic and to container-managed security. What I've done already is:
set up an LDAP authenticator in Weblogic
created a simple webapp in Eclipse
Configure web.xml: Added security-constraint, security-role and login-config elements. The realm name used is "myrealm" which already exists in Weblogic. The role name I used is "Admin" which is a global role in Weblogic
Create a simple jsp page "login.jsp". It doesn't actually do any logging in but just a Hello World type of thing. I set this page as form-login-page and form-error-page in login-config in web.xml
Export this webapp to a war file and deploy it in Weblogic
I test it by accessing http://weblogic-server/test/login.jsp, and I expect that I'll be asked to login using an LDAP user first. This doesn't happen, it just shows the Hello World jsp.
I've also tried adding a weblogic.xml to map the "Admin" role to a specific LDAP user (didn't work).
Any advice? It seems there's a lack of online references for this sort of thing (or I don't really know what I should be searching for)
Edit: I've also tried using BASIC auth instead of FORM (no luck)
My web.xml settings are below:
    <security-constraint>
      <display-name>Test SC</display-name>
      <web-resource-collection>
        <web-resource-name>Test WR</web-resource-name>
        <url-pattern>/hello.jsp</url-pattern>
        <http-method>*</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Admin</role-name>
      </auth-constraint>
    </security-constraint>
    <security-role>
      <role-name>Admin</role-name>
    </security-role>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>myrealm</realm-name>
    </login-config>
The login page must do some sort of logging in, with the 2 required fields. You have to protect the hello_world.jsp page in the web.xml and go to that page; the login page will then be presented.
Edit:
The order is incorrect: it should be security-constraint, login-config and security-role.
Within the web-resource-collection the value of * is invalid for http-method. If you want to protect every method just leave it away.
Note: the server logging would have hinted at the incorrect order of elements in your web.xml.