 

How do I get basic authentication working on WebSphere?

Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my project, and users set up in tomcat-users.xml on the server. Works great.
Problem is, now I have to transfer this project to WebSphere, which has nowhere near as simple an implementation of basic authentication.

I've seen this question: Websphere 6.1 and BASIC Authentication and looked at Chapter 7 of this pdf as suggested, but I can't seem to find the right settings (I have no option labeled 'enable global security' like most methods use), and am trying to run my project, while the pdf is extremely project-specific.

So to ask my question clearly, what is the easiest way to enable basic authentication on WebSphere 6.1?

ZKSteffel asked Jun 10 '11 13:06


2 Answers

After writing all this below I remember I have blogged about this for myself here:

WebSphere 6.1 and Application Authentication

As I understand you have setup your web.xml correctly thus:

  <security-role>
    <role-name>myrole</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL or MSSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
  </login-config>

This assumes you are using the administration console (you don't state that you are not), so go to the console:

http://localhost:9060/ibm/console

Then log in (if you have administrative security set up).

Then go here

  1. left hand panel click Security
  2. Secure administration, applications, and infrastructure
  3. There is then a section on the page Application security
  4. Check the box Enable application security
  5. click apply, then save to master config.

Then you have application security turned on. Now you need to map the users of your application to users within WebSphere.

Go here

  1. Applications > Enterprise Applications
  2. Click your application
  3. Under the Detailed Properties section you will see a link Security role to user/group mapping
    (you will only see this link if your web.xml is set up correctly)
  4. Click the Security role to user/group mapping link
  5. Select the roles you wish to use for authentication
  6. Click Look up users or Look up groups
  7. Click Search and select users (that are set up in your WebSphere under the Users and Groups menu)
  8. Use the arrows to move the selected users/groups to the right-hand box
  9. Click OK and save to master configuration.
  10. Restart your server.

Administrative security (security of WebSphere itself) must be turned on for it to work.

WebSphere can be complex but it is powerful and capable.

Gurnard answered Sep 30 '22 19:09


You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/

Jeff Williams answered Sep 30 '22 17:09
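The following Python script is an added example, not code from either answer or from WebSphere's own tooling. It parses a web.xml (a constructed sample modelled on the snippet in the first answer, with the usual Java EE namespace declaration added), reports the configured auth-method, and evaluates a request against the security-constraints the way the Servlet spec does: a constraint that enumerates http-method elements applies only to those methods, so an unlisted method such as the "JEFF" method from the second answer reaches the resource unauthenticated, while the same constraint with the method list removed covers everything. The url-pattern matcher and the lint function are written for this example; Servlet 3.1 later added deny-uncovered-http-methods as a container-side fix, but removing the list works on any version.

```python
"""Lint a web.xml for its BASIC login-config and for security-constraints
that enumerate http-method elements (HTTP verb tampering exposure).
Added example; not part of the original answers."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the web.xml from the first answer.
WEB_XML_ENUMERATED = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
  </login-config>
</web-app>"""

# Hardened variant (constructed): the same constraint with every
# http-method element removed, so it covers all methods, listed or not.
WEB_XML_ALL_METHODS = re.sub(
    r"\n\s*<http-method>[^<]*</http-method>", "", WEB_XML_ENUMERATED)

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}


def _local(tag):
    """Local name of a possibly namespace-qualified tag '{ns}name'."""
    return tag.rsplit("}", 1)[-1]


def _named(el, name):
    """Descendants of el whose local tag name is `name` (namespace-agnostic)."""
    return [c for c in el.iter() if c is not el and _local(c.tag) == name]


def _text(el):
    return (el.text or "").strip()


def _constraints(web_xml):
    """Yield (url_patterns, methods, requires_role) per security-constraint."""
    root = ET.fromstring(web_xml)
    for sc in _named(root, "security-constraint"):
        patterns = [_text(p) for p in _named(sc, "url-pattern")]
        methods = {_text(m).upper() for m in _named(sc, "http-method")}
        requires_role = bool(_named(sc, "auth-constraint"))
        yield patterns, methods, requires_role


def auth_method(web_xml):
    """The configured login-config/auth-method (e.g. 'BASIC'), or None."""
    for lc in _named(ET.fromstring(web_xml), "login-config"):
        for am in _named(lc, "auth-method"):
            return _text(am).upper()
    return None


def _url_matches(pattern, path):
    """Servlet url-pattern matching: default, path-prefix, extension, exact."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def requires_auth(web_xml, path, method):
    """Would the container demand credentials for this request?
    A constraint that lists http-method elements applies only to those
    methods; any other method, standard or not, falls outside it."""
    for patterns, methods, requires_role in _constraints(web_xml):
        if not requires_role:
            continue
        if not any(_url_matches(p, path) for p in patterns):
            continue
        if methods and method.upper() not in methods:
            continue
        return True
    return False


def uncovered_methods(web_xml):
    """One finding per protected constraint that enumerates methods:
    (url-patterns, standard methods it leaves unauthenticated). Every
    non-standard method is uncovered as well, so the fix is to drop the list."""
    findings = []
    for patterns, methods, requires_role in _constraints(web_xml):
        if requires_role and methods:
            findings.append((tuple(patterns), sorted(STANDARD_METHODS - methods)))
    return findings


if __name__ == "__main__":
    for name, xml in (("enumerated", WEB_XML_ENUMERATED),
                      ("all methods", WEB_XML_ALL_METHODS)):
        print(name, auth_method(xml), uncovered_methods(xml),
              "JEFF needs auth:", requires_auth(xml, "/yourUrl", "JEFF"))
```

Run it against your deployed web.xml and treat any non-empty result from `uncovered_methods` as a finding: either delete the http-method elements so the auth-constraint applies to every verb, or, on a Servlet 3.1 or later container, add deny-uncovered-http-methods.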