Paullkha
asked on
WebSphere form based security
I am using form based security in my web-app. I have created security constraints, login jsp page, user role, web resource collection, everything according to examples I have seen. However, every time I test this app on my local server, all pages are accessible. The login.jsp is never required to be displayed, and the userrole is meaningless.
Help.
Here is xml:
<servlet>
  <servlet-name>TestProtectServlet</servlet-name>
  <display-name>TestProtectServlet</display-name>
  <servlet-class>protectedResource.TestProtectServlet</servlet-class>
  <security-role-ref>
    <description></description>
    <role-name>FU</role-name>
    <role-link>FunkyUser</role-link>
  </security-role-ref>
</servlet>
<servlet-mapping>
  <servlet-name>action</servlet-name>
  <url-pattern>*.do</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>TestProtectServlet</servlet-name>
  <url-pattern>/TestProtectServlet</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>TestProtectServlet</servlet-name>
  <url-pattern>/servlet/TestProtectServlet</url-pattern>
</servlet-mapping>
<welcome-file-list>
  <welcome-file>index.html</welcome-file>
  <welcome-file>index.htm</welcome-file>
  <welcome-file>index.jsp</welcome-file>
  <welcome-file>default.html</welcome-file>
  <welcome-file>default.htm</welcome-file>
  <welcome-file>default.jsp</welcome-file>
</welcome-file-list>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Pages</web-resource-name>
    <description>Example Security Constraint</description>
    <url-pattern>/*</url-pattern>
    <url-pattern>*.*</url-pattern>
    <http-method>GET</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>TRACE</http-method>
    <http-method>POST</http-method>
    <http-method>DELETE</http-method>
    <http-method>OPTIONS</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>FunkyUser</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/fail_login.html</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description></description>
  <role-name>FunkyUser</role-name>
</security-role>
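As an added example (not code from the original thread or from WebSphere), here is a small Python lint over the security sections of a web.xml. The descriptor embedded in it is a constructed copy of the fragment posted above, wrapped in a web-app root; the function names are my own. It catches what a reviewer would flag at the descriptor level: roles referenced in an auth-constraint or role-link that are never declared in a security-role, url-patterns the servlet spec does not allow (such as the `*.*` above; only `/`, `/exact`, `/prefix/*` and `*.ext` are legal), a web-resource-collection that enumerates http-methods and so leaves every other HTTP method outside the constraint, and a FORM login-config missing one of its pages. It goes beyond the posted file in that the pattern checks are the general spec rules, not just this case. What no lint can see is the point made in the replies below: a correct descriptor is still ignored until global security is enabled on the server.

```python
# Added example, not code from the original thread: lint the security sections of a web.xml.
# SAMPLE_WEB_XML is a constructed copy of the fragment posted in the question.
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>TestProtectServlet</servlet-name>
    <servlet-class>protectedResource.TestProtectServlet</servlet-class>
    <security-role-ref>
      <role-name>FU</role-name>
      <role-link>FunkyUser</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Pages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <url-pattern>*.*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>FunkyUser</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/fail_login.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>FunkyUser</role-name>
  </security-role>
</web-app>
"""


def _local(tag):
    """Tag name without namespace, so 2.3 (DTD) and 2.4+ (namespaced) descriptors lint alike."""
    return tag.rsplit("}", 1)[-1]


def _find_all(elem, name):
    """Descendants of elem (excluding elem itself) whose local tag name is `name`."""
    return [e for e in elem.iter() if e is not elem and _local(e.tag) == name]


def _text(elem):
    return (elem.text or "").strip()


_EXTENSION = re.compile(r"^\*\.[^/.*]+$")


def url_pattern_problem(pattern):
    """Return None for a legal servlet-spec url-pattern, else a short reason.
    Legal forms: "" (context root), "/", "/exact/path", "/prefix/*", "*.ext"."""
    if pattern in ("", "/"):
        return None
    if pattern.startswith("/"):
        body = pattern[:-2] if pattern.endswith("/*") else pattern
        if "*" in body:
            return "'*' is only allowed as a trailing '/*' path mapping"
        return None
    if pattern.startswith("*."):
        if _EXTENSION.match(pattern):
            return None
        return "extension mapping must be '*.ext' with no '/' or further '.'"
    return "must start with '/' or '*.'"


def lint_web_xml(xml_text):
    """Return a list of human-readable findings for the security sections of a web.xml."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Every role named by an auth-constraint or role-link must be declared in <security-role>.
    declared = {_text(rn) for sr in _find_all(root, "security-role") for rn in _find_all(sr, "role-name")}
    for ac in _find_all(root, "auth-constraint"):
        for rn in _find_all(ac, "role-name"):
            if _text(rn) != "*" and _text(rn) not in declared:
                findings.append(f"auth-constraint role '{_text(rn)}' is not declared in a <security-role>")
    for ref in _find_all(root, "security-role-ref"):
        for link in _find_all(ref, "role-link"):
            if _text(link) not in declared:
                findings.append(f"role-link '{_text(link)}' is not declared in a <security-role>")

    # 2. url-patterns must be legal; enumerated http-methods leave every other method uncovered.
    for wrc in _find_all(root, "web-resource-collection"):
        wrc_name = next((_text(n) for n in _find_all(wrc, "web-resource-name")), "?")
        for up in _find_all(wrc, "url-pattern"):
            problem = url_pattern_problem(_text(up))
            if problem:
                findings.append(f"url-pattern '{_text(up)}' in '{wrc_name}': {problem}")
        methods = [_text(m) for m in _find_all(wrc, "http-method")]
        if methods:
            findings.append(f"'{wrc_name}' lists http-method {', '.join(methods)}: "
                            "any other HTTP method is not covered by this constraint")

    # 3. FORM login needs both a login page and an error page.
    for lc in _find_all(root, "login-config"):
        if any(_text(m) == "FORM" for m in _find_all(lc, "auth-method")):
            for page in ("form-login-page", "form-error-page"):
                if not any(_text(p) for p in _find_all(lc, page)):
                    findings.append(f"FORM login-config is missing <{page}>")
    return findings


if __name__ == "__main__":
    for finding in lint_web_xml(SAMPLE_WEB_XML):
        print("-", finding)
```

Run against the constructed sample it reports two findings: the illegal `*.*` pattern and the enumerated http-method list. To lint a real descriptor, read WEB-INF/web.xml into a string and pass it to lint_web_xml.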
You have to turn on global security in the WAS console. Until you do that, all security setup in your app is ignored.
BTW if you are using WSAD, it's a little tricky to get global security to work for WTE. I never could get it working in 4.0.3, although I haven't tried it in 5.1.
ASKER
WAS console, how would i do that for my LOCAL server?
WSAD4.0.3 - that is prod server, (5.1 is development server). What problems did you have with FORM based authentication?
ASKER
Allright, got to it. What the hell is on this screen:
Enable
Enforce java 2
active user registry
???????????
I just want to run an example, hopefully w/o screwing up other development Ears....
I'm a little confused. Are you trying to do this in WebSphere Studio or on the WAS server?
If you're trying to do it on WAS 4.0.3 server, you should have no problem.
If you are trying to do it in WebSphere Studio, i.e. WebSphere Test Environment, you'll need to configure the WTE using the console. Refer to this Q for instructions on configuring WTE using the normal WAS Admin Console: https://www.experts-exchange.com/questions/21073816/How-to-store-environment-specific-values.html
You won't screw up other development EARs ... if they don't have any security constraints they will be wide open.
As to what's on the screen ... well is it WAS 4.0.3 or WAS 5.1? In 4.0.3, launch the admin console, and select Console | Security Center from the top line menu. In the first tab of security center, check "enable security".
Based on what you are seeing, I think you are running WAS 5 or 5.1, which means you need to check "enable". Don't check "enforce Java 2 security" for now ... that has to do with Java file/package security. For active user registry, you want "LocalOS". If you're on windows, that will use the windows registry for security, meaning that when the user logs in they will put in their windows userId and password. If you have domain/AD security, that will be used first, then the local registry.
NOTE: after you do this I think you'll have to redeploy your application. When you redeploy, it will ask you to map the security role FunkyUser to some Windows group, user, or "all authenticated users" ... the last one is an easy way to test.
ASKER
Windows 2000 Pro
Running
WebSphere Studio Application Developer (Windows)
Version: 5.1.0
Run App On Server, so I assume Universal Test Client
Actually production WAS is 4.x on ?AS400
Okay, so you're really running this in WebSphere Test Environment (WTE), which is just a stripped down version of WAS. To turn on security for your test server, go to the server perspective in WSAD, double click your server, go to the security tab, check "enable", and type in the name and password of a user account on your box. For starters you could use your own account. Save, restart the server. Then everything should work.
ASKER
No this did not work. I can not start the server when I check enable security.
com.ibm.websphere.security.auth.WSLoginFailedException: Authentication failed for user x with the following error message A required privilege is not held by the client.
I put in server ID = x, pwrd = x.
I just want form-based security model.
Navigator:
LoginProject
RunOnServer
Websphere Test Environment 5.0
1st page that is displayed s/b login screen.
I realize that you just want form based security model, but if don't turn on security it's not going to work.
When you say server ID = x pwrd = x ... what did you really use there? This has to be a user that exists in your user registry on the workstation. Keep in mind, the id and password you put here is NOT what the user will type in ... it's the ID under which the server will access the user registry. So the ID has to have admin privileges.
ASKER
Steps:
Package Explorer, double click .wsi file
WebSphere server, click security tab.
In cell settings section, check checkbox Enable Security (not win98 winme)
Enter serverid = usernamex
server pwrd = userpwrd (same as win2000 login)
Go to Control Panel, Users and Passwords.
usernamex/companydomain = admin
usernamex/computer = admin
[8/20/04 14:04:44:547 EDT] 31670e6b ManagerAdmin I TRAS0017I: The startup trace state is *=all=disabled.
[8/20/04 14:04:46:094 EDT] 31670e6b AdminInitiali A ADMN0015I: AdminService initialized
[8/20/04 14:04:48:891 EDT] 31670e6b Configuration A SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
[8/20/04 14:04:49:031 EDT] 31670e6b SecurityDM I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
[8/20/04 14:04:49:266 EDT] 31670e6b SecurityCompo I SECJ0309I: Java 2 Security is disabled.
[8/20/04 14:04:49:297 EDT] 31670e6b SecurityCompo I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
[8/20/04 14:04:49:328 EDT] 31670e6b SecurityCompo I SECJ0240I: Security service initialization completed successfully
[8/20/04 14:04:49:359 EDT] 31670e6b JMSRegistrati A MSGS0602I: WebSphere Embedded Messaging Client only has been installed
[8/20/04 14:04:56:375 EDT] 31670e6b SASRas A JSAS0001I: Security configuration initialized.
[8/20/04 14:05:00:844 EDT] 31670e6b SASRas A JSAS0002I: Authentication protocol: CSIV2/IBM
[8/20/04 14:05:00:859 EDT] 31670e6b SASRas A JSAS0003I: Authentication mechanism: SWAM
[8/20/04 14:05:00:875 EDT] 31670e6b SASRas A JSAS0004I: Principal name: localhost/usernamex
[8/20/04 14:05:01:188 EDT] 31670e6b SASRas A JSAS0005I: SecurityCurrent registered.
[8/20/04 14:05:01:203 EDT] 31670e6b SASRas A JSAS0006I: Security connection interceptor initialized.
[8/20/04 14:05:01:281 EDT] 31670e6b SASRas A JSAS0007I: Client request interceptor registered.
[8/20/04 14:05:01:547 EDT] 31670e6b SASRas A JSAS0008I: Server request interceptor registered.
[8/20/04 14:05:01:688 EDT] 31670e6b SASRas A JSAS0009I: IOR interceptor registered.
Login failed for usernamex/localhost com.ibm.websphere.security.auth.WSLoginFailedException: Authentication failed for user usernamex with the following error message A required privilege is not held by the client.
com.ibm.websphere.security.PasswordCheckFailedException: Authentication failed for user usernamex with the following error message A required privilege is not held by the client.
Does the account usernamex exist on both the local machine and the domain? If so, does it have the same password? I had this problem in WSAD 4.0.3 ... I thought they had fixed it. The solution was to have identical domain and local users. I actually contacted IBM for tech support and that was what they suggested.
I'm pretty sure that the error message you're getting is a lie: it's not that you don't have privileges. It will even tell you that if you have the wrong password.
ASKER
But servername and password are supposed to be my logon. Everything I did should be working.
I just logged in locally, (username = usernamex, domain = computer). Hoping local login would require less privileges and such. Same error.
yep local/domain username = usernamex, same password.
PS. I have Test Environment, Express Server Attach, and Server Attach available as server configurations. Is Server Attach "full" WebSphere 5.0? Would this be any different than Test Environment (newbie to WAS)?
ASKER
Never mind about test environment vs server attach. Just checked, don't believe any servers were actually installed locally.