Solved

WEbsphere form based security

Posted on 2004-08-12
7,564 Views
Last Modified: 2013-12-10
I am using form based security in my web-app. I have created security constraints, login jsp page, user role, web resource collection, everything according to examples I have seen. However, every time I test this app on my local server, all pages are accessible. The login.jsp is never required to be displayed, and the user role is meaningless.

Help.  

Here is xml:
      <servlet>
            <servlet-name>TestProtectServlet</servlet-name>
            <display-name>TestProtectServlet</display-name>
            <servlet-class>protectedResource.TestProtectServlet</servlet-class>
            <security-role-ref>
                  <description></description>
                  <role-name>FU</role-name>
                  <role-link>FunkyUser</role-link>
            </security-role-ref>
      </servlet>
      <servlet-mapping>
            <servlet-name>action</servlet-name>
            <url-pattern>*.do</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
            <servlet-name>TestProtectServlet</servlet-name>
            <url-pattern>/TestProtectServlet</url-pattern>
      </servlet-mapping>
      <servlet-mapping>
            <servlet-name>TestProtectServlet</servlet-name>
            <url-pattern>/servlet/TestProtectServlet</url-pattern>
      </servlet-mapping>
      <welcome-file-list>
            <welcome-file>index.html</welcome-file>
            <welcome-file>index.htm</welcome-file>
            <welcome-file>index.jsp</welcome-file>
            <welcome-file>default.html</welcome-file>
            <welcome-file>default.htm</welcome-file>
            <welcome-file>default.jsp</welcome-file>
      </welcome-file-list>

      <security-constraint>
            <web-resource-collection>
                  <web-resource-name>Protected Pages</web-resource-name>
                  <description>Example Security Constraint</description>
                  <url-pattern>/*</url-pattern>
                  <!-- "/*" above already matches every path; "*.*" is not a valid servlet url-pattern and was dropped -->
                  <http-method>GET</http-method>
                  <http-method>PUT</http-method>
                  <http-method>HEAD</http-method>
                  <http-method>TRACE</http-method>
                  <http-method>POST</http-method>
                  <http-method>DELETE</http-method>
                  <http-method>OPTIONS</http-method>
            </web-resource-collection>
            <auth-constraint>
                  <description></description>
                  <role-name>FunkyUser</role-name>
            </auth-constraint>
      </security-constraint>
      <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                  <form-login-page>/login.jsp</form-login-page>
                  <form-error-page>/fail_login.html</form-error-page>
            </form-login-config>
      </login-config>
      <security-role>
            <description></description>
            <role-name>FunkyUser</role-name>
      </security-role>
Question by:Paullkha
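A small lint over the declarative security in a web.xml like the one posted, as an added example (not code from the question or from WebSphere). It parses a constructed fragment modelled on the question's and reports the things a container would reject or silently leave unprotected: a role-link to an undeclared role, an invalid url-pattern such as "*.*", a partial http-method list, and FORM auth without a login page.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml, modelled on the fragment in the question (not the poster's full file).
WEB_XML = """<web-app>
  <servlet><servlet-name>TestProtectServlet</servlet-name>
    <security-role-ref><role-name>FU</role-name><role-link>FunkyUser</role-link></security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern><url-pattern>*.*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>FunkyUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>FORM</auth-method>
    <form-login-config><form-login-page>/login.jsp</form-login-page></form-login-config>
  </login-config>
  <security-role><role-name>FunkyUser</role-name></security-role>
</web-app>"""

def valid_url_pattern(p):
    """Servlet-spec forms only: '/', exact '/path', prefix '/path/*', extension '*.ext'."""
    if p == "/" or (p.startswith("/") and "*" not in p):
        return True
    if p.startswith("/") and p.endswith("/*") and "*" not in p[:-1]:
        return True
    return p.startswith("*.") and len(p) > 2 and "*" not in p[2:] and "/" not in p

def lint_web_xml(text):
    """Findings on the declarative security; note the container ignores all of it until
    global security is enabled (the thread's real cause), which web.xml alone cannot show."""
    root = ET.fromstring(text)
    findings = []
    declared = {r.findtext("role-name", "").strip() for r in root.iter("security-role")}
    # A security-role-ref linking to an undeclared role makes isUserInRole() unreliable.
    for ref in root.iter("security-role-ref"):
        link = ref.findtext("role-link", "").strip()
        if link not in declared:
            findings.append("role-link %r has no matching <security-role>" % link)
    for sc in root.iter("security-constraint"):
        for p in sc.iter("url-pattern"):
            if not valid_url_pattern(p.text.strip()):
                findings.append("invalid url-pattern %r" % p.text.strip())
        # Listing only some methods leaves the unlisted ones unprotected; listing none covers all.
        methods = {m.text.strip() for m in sc.iter("http-method")}
        if methods and not {"GET", "POST"} <= methods:
            findings.append("http-method list omits GET or POST")
    if root.findtext("login-config/auth-method", "").strip() == "FORM" and root.find("login-config/form-login-config/form-login-page") is None:
        findings.append("FORM auth without form-login-page")
    return findings
```

On the constructed fragment the only finding is the "*.*" pattern; the question's actual symptom (nothing enforced at all) is the container-side setting the accepted answer points to.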
16 Comments
 
LVL 7

Expert Comment

by:damonf
You have to turn on global security in the WAS console.  Until you do that, all security setup in your app is ignored.
 
LVL 7

Expert Comment

by:damonf
BTW if you are using WSAD, it's a little tricky to get global security to work for WTE.  I never could get it working in 4.0.3, although I haven't tried it in 5.1.
 
LVL 2

Author Comment

by:Paullkha
WAS console, how would I do that for my LOCAL server?

WSAD 4.0.3 - that is prod server (5.1 is development server). What problems did you have with FORM based authentication?
 
LVL 2

Author Comment

by:Paullkha
Alright, got to it. What the hell is on this screen:
Enable
Enforce java 2
active user registry

???????????

I just want to run an example, hopefully w/o screwing up other development Ears....
 
LVL 7

Expert Comment

by:damonf
I'm a little confused.  Are you trying to do this in WebSphere Studio or on the WAS server?

If you're trying to do it on WAS 4.0.3 server, you should have no problem.

If you are trying to do it in WebSphere Studio, i.e. WebSphere Test Environment, you'll need to configure the WTE using the console.   Refer to this Q for instructions on configuring WTE using the normal WAS Admin Console:  http://www.experts-exchange.com/Web/Application_Servers/Websphere/Q_21073816.html

You won't screw up other development EARs ... if they don't have any security constraints they will be wide open.

As to what's on the screen ... well is it WAS 4.0.3 or WAS 5.1?  In 4.0.3, launch the admin console, and select Console | Security Center from the top line menu.  In the first tab of security center, check "enable security".

Based on what you are seeing, I think you are running WAS 5 or 5.1, which means you need to check "enable".  Don't check "enforce Java 2 security" for now ... that has to do with Java file/package security.  For active user registry, you want "LocalOS".  If you're on windows, that will use the windows registry for security, meaning that when the user logs in they will put in their windows userId and password.  If you have domain/AD security, that will be used first, then the local registry.

NOTE:  after you do this I think you'll have to redeploy your application.  When you redeploy, it will ask you to map the security role FunkyUser to some Windows group, user, or "all authenticated users" ... the last one is an easy way to test.
 
LVL 2

Author Comment

by:Paullkha
Windows 2000 Pro
Running
WebSphere Studio Application Developer (Windows)
Version: 5.1.0

Run App On Server, so I assume Universal Test Client



Actually production WAS is 4.x on ?AS400

 
LVL 7

Expert Comment

by:damonf
Okay, so you're really running this in WebSphere Test Environment (WTE), which is just a stripped down version of WAS.   To turn on security for your test server, go to the server perspective in WSAD, double click your server, go to the security tab, check "enable", and type in the name and password of a user account on your box.  For starters you could use your own account.  Save, restart the server.  Then everything should work.
LVL 2

Author Comment

by:Paullkha
No this did not work. I can not start the server when I check enable security.

com.ibm.websphere.security.auth.WSLoginFailedException: Authentication failed for user x with the following error message A required privilege is not held by the client.
I put in server ID = x, pwrd = x.

I just want form-based security model.
Navigator:
LoginProject
RunOnServer
Websphere Test Environment 5.0
1st page that is displayed s/b login screen.
 
LVL 7

Expert Comment

by:damonf
I realize that you just want form based security model, but if you don't turn on security it's not going to work.

When you say server ID = x pwrd = x  ... what did you really use there?  This has to be a user that exists in your user registry on the workstation.  Keep in mind, the id and password you put here is NOT what the user will type in ... it's the ID under which the server will access the user registry.  So the ID has to have admin privileges.
 
LVL 2

Author Comment

by:Paullkha
Steps:
Package Explorer, double click .wsi file
WebSphere server, click security tab.
In cell settings section, check checkbox Enable Security (not win98 winme)
Enter serverid = usernamex
server pwrd = userpwrd (same as win2000 login)

Go to Control Panel, Users and Passwords.
usernamex/companydomain = admin
usernamex/computer = admin


[8/20/04 14:04:44:547 EDT] 31670e6b ManagerAdmin  I TRAS0017I: The startup trace state is *=all=disabled.
[8/20/04 14:04:46:094 EDT] 31670e6b AdminInitiali A ADMN0015I: AdminService initialized
[8/20/04 14:04:48:891 EDT] 31670e6b Configuration A SECJ0215I: Successfully set JAAS login provider configuration class to com.ibm.ws.security.auth.login.Configuration.
[8/20/04 14:04:49:031 EDT] 31670e6b SecurityDM    I SECJ0231I: The Security component's FFDC Diagnostic Module com.ibm.ws.security.core.SecurityDM registered successfully: true.
[8/20/04 14:04:49:266 EDT] 31670e6b SecurityCompo I SECJ0309I: Java 2 Security is disabled.
[8/20/04 14:04:49:297 EDT] 31670e6b SecurityCompo I SECJ0212I: WCCM JAAS configuration information successfully pushed to login provider class.
[8/20/04 14:04:49:328 EDT] 31670e6b SecurityCompo I SECJ0240I: Security service initialization completed successfully
[8/20/04 14:04:49:359 EDT] 31670e6b JMSRegistrati A MSGS0602I: WebSphere Embedded Messaging Client only has been installed
[8/20/04 14:04:56:375 EDT] 31670e6b SASRas        A JSAS0001I: Security configuration initialized.
[8/20/04 14:05:00:844 EDT] 31670e6b SASRas        A JSAS0002I: Authentication protocol: CSIV2/IBM
[8/20/04 14:05:00:859 EDT] 31670e6b SASRas        A JSAS0003I: Authentication mechanism: SWAM
[8/20/04 14:05:00:875 EDT] 31670e6b SASRas        A JSAS0004I: Principal name: localhost/usernamex
[8/20/04 14:05:01:188 EDT] 31670e6b SASRas        A JSAS0005I: SecurityCurrent registered.
[8/20/04 14:05:01:203 EDT] 31670e6b SASRas        A JSAS0006I: Security connection interceptor initialized.
[8/20/04 14:05:01:281 EDT] 31670e6b SASRas        A JSAS0007I: Client request interceptor registered.
[8/20/04 14:05:01:547 EDT] 31670e6b SASRas        A JSAS0008I: Server request interceptor registered.
[8/20/04 14:05:01:688 EDT] 31670e6b SASRas        A JSAS0009I: IOR interceptor registered.


 Login failed for usernamex/localhost com.ibm.websphere.security.auth.WSLoginFailedException: Authentication failed for user usernamex with the following error message A required privilege is not held by the client.
com.ibm.websphere.security.PasswordCheckFailedException: Authentication failed for user usernamex with the following error message A required privilege is not held by the client.
 
LVL 7

Expert Comment

by:damonf
Does the account usernamex exist on both the local machine and the domain?  If so, does it have the same password?  I had this problem in WSAD 4.0.3 ... I thought they had fixed it.  The solution was to have identical domain and local users.  I actually contacted IBM for tech support and that was what they suggested.

I'm pretty sure that the error message you're getting is a lie:   it's not that you don't have privileges.  It will even tell you that if you have the wrong password.
 
LVL 2

Author Comment

by:Paullkha
But servername and password are supposed to be my logon. Everything I did should be working.

I just logged in locally (username = usernamex, domain = computer), hoping local login would require less privileges and such. Same error.

yep local/domain username = usernamex, same password.

PS. I have Test Environment, Express Server Attach, and Server Attach available as server configuration. Is Server Attach "full" WebSphere 5.0? Would this be any different than Test Environment (newbie to WAS)?
 
LVL 2

Author Comment

by:Paullkha
Never mind about test environment vs server attach. Just checked, don't believe any servers were actually installed locally.
 
LVL 7

Accepted Solution

by:
damonf earned 203 total points
Server attach means connect to a full version of WAS installed locally.  You would have to install that yourself.  This would work differently, but I've never tried it.  Too much overhead.

It sounds to me like you set this up correctly.  Many people setup a separate admin account under which to run WAS, but there's no reason you can't use your own login.

My experience with it under WSAD 4.0.3 was such a headache that I decided to provide my own security.  I wanted WTE security to work the same way it would in WAS Server (which was working perfectly), but it wouldn't cooperate.  Sounds like you're having the same issue in 5.1.

All the steps you've gone through sound like exactly what I did.  It's frustrating that this still doesn't work.