How do I get basic authentication working on WebSphere?

Question

Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my project, and users set up in tomcat-users.xml on the server. Works great.
Problem is, now I have to transfer this project to WebSphere, which has nowhere near as simple of an implementation of basic authentication.

I've seen this question: Websphere 6.1 and BASIC Authentication and looked at Chapter 7 of this pdf like suggested, but I can't seem to find the right settings (I have no option labeled 'enable global security' like most methods use), and am trying to run my project, while the pdf is extremely project specific.

So to ask my question clearly, what is the easiest way to enable basic authentication on WebSphere 6.1?

Answer 1

After writing all this below I remember I have blogged about this for myself here:

WebSphere 6.1 and Application Authentication

As I understand you have setup your web.xml correctly thus:

     <security-role>
    <role-name>myrole</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL or MSSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
  </login-config>

This is if you are using the administration console you dont state that you are not so go to the console:

http://localhost:9060/ibm/console

Then login (if you have administrative security setup)

Then go here

1. left hand panel click Security
2. Secure administration, applications, and infrastructure
3. There is then a section on the page Application security
4. Check the box Enable application security
5. click apply, then save to master config.

Then you have application security turned on. Now you need to map the users of your application to users within websphere.

Go here

1. List item
2. Applications > Enterprise Applications
3. Click your application
4. Under the Detailed Properties section you will see a link Security role to user/group mapping
   you will only see this link if your web.xml is setup correctly
5. click the Security role to user/group mapping
6. Select the roles you wish to use for authentication
7. Click look up users or look up groups
8. click search and select users (that are setup in your websphere under Users and Groups menu
9. use the arrows to move the selected users/groups to the right hand box
10. click ok and save to master configuration.
11. restart your server.

Administration security (security of Websphere itself) must be turned on for it to work.

WebSphere can be complex but it is powerful and capable.

Answer 2

You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/