Solved

Integrating login security with JSP and Websphere

Posted on 2012-03-14
Last Modified: 2012-08-14
Hi. As mentioned in the topic, I am designing a log-in that caters to both internal and external users by utilizing JSP. My applications are hosted on Websphere and my users are on an Active Directory. I will be relying on Form Authentication, "j_security_check", and "request.getRemoteUser()".

The basic idea is for people to access the application directly if they are internal users within the domain that have been authenticated. For external users, they will be directed to a log-in page and upon successful authentication, will be directed to the application. The application I currently have is just to display a "Hello, <user>".

A brief sequence would be:
- User to access /protected/index.jsp
- If not authenticated, to be directed back to /login.jsp
- Once authenticated, the index.jsp should display the User's ID

I am currently facing two problems. Below are the details.

My /WEB-INF/web.xml file as per the site here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Servlet 2.5 descriptor: validated by the schema below, so no 2.3 DOCTYPE -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <description>Try login page</description>
    <display-name>Login Page</display-name>
    <welcome-file-list>
        <welcome-file>/protected/index.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>403</error-code>
        <location>/denied.jsp</location>
    </error-page>
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is mandatory in the schema -->
            <web-resource-name>Protected pages</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <!-- roles listed here must also be mapped to users/groups on the server -->
        <auth-constraint>
            <role-name>admin</role-name>
            <role-name>users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>Administrator</description>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <description>Users</description>
        <role-name>users</role-name>
    </security-role>
</web-app>



I gathered my login.jsp would be something like the site here.

The index.jsp is as follows:
    <body>
        <h1>Index</h1>
        <%-- the expression tag (with the equals sign) writes the value into the page;
             a plain scriptlet only evaluates it and discards the result --%>
        <p>
        Hello1, <%= request.getRemoteUser() %>
        </p>
        <p>
        <%-- getUserPrincipal() is null for an unauthenticated request, so guard it --%>
        Hello2, <%= request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "anonymous" %>
        </p>
    </body>



First Problem: Error 403
When I try to access index.jsp, I am automatically redirected to login.jsp. Incorrect login will redirect me to error.jsp. Correct login will result in a "http://<url>/j_server_check" with an "Error 403 : This website requires you to log in."
This means that it is actually working to verify with my Active Directory, but some settings need to be changed. My user in AD is under Administrator as well as Domain Admin, so I am baffled why an Error 403 would occur.
Furthermore, I was previously unable to access the snoop page, but after a successful login with Error 403, I am able to access the snoop page, but it indicates BASIC authentication. I am confused at this point.

Second Problem: Blank Username
I tried adjusting the web.xml to allow all users by changing variations of the <url-pattern>, the <auth-constraint>, as well as the <security-role>. In all ways of accessing the index.jsp, it all results in a blank result. Logging into the system as an internal and accessing the index.jsp, I am greeted with a "Hello, null." for both request.getRemoteUser() and request.getUserPrincipal().getName() which is equally frustrating.

I feel like I am pretty close to the solution, which I feel is somewhere within the settings. However, I hope someone who has experienced this before can shed light on this issue.

Thank you.
Question by:pcssecure
11 Comments
 

Expert Comment

by:mrcoffee365
ID: 37723028
You can't make the login page protected -- people who are not logged in have to be able to get to it.  Typically you put all the pages which require login in a directory where you can put the url pattern and say the roles of users you allow.  You can also list urls explicitly, if a directory has both protected and public pages in it.

A valid user does not have to have a name, but I can see where you would expect it to be retrieved if you're using AD.

Author Comment

by:pcssecure
ID: 37723055
Hi mrcoffee365,

Under the web.xml, I put this: <url-pattern>/protected/*</url-pattern>

The files are located in the file structure as follows:
/login.jsp
/error.jsp
/denied.jsp
/protected/index.jsp


I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one.

Expert Comment

by:mrcoffee365
ID: 37723351
You're right -- I misread the web.xml. It's index.jsp that's under /protected.

The roles are fine.

What does this mean?:
"Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. "
Login doesn't do any autocorrect.  

In any case, I think what you want to do is more complex than the configuration you're working from.

You want Windows-authenticated users to be able to get through and be automatically logged in to your webapp.  All others get a different login.

I would develop those as 2 different things.  Leave out the AD work and just get the form authentication to work.  

Then do the AD login.

If all your users have AD logins, then you can set up the realm in server.xml for login to go to Active Directory, similarly to this:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://youradsserver:389"
       alternateURL="ldap://youradsserver:389"
       userRoleName="member"
       userBase="cn=Users,dc=yourdomain"
       userPattern="cn={0},cn=Users,dc=yourdomain"
       roleBase="cn=Users,dc=yourdomain"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false"
       userSubtree="true"
/>

See more discussion of this here:
http://stackoverflow.com/questions/267869/configuring-tomcat-to-authenticate-using-windows-active-directory

If all of your users do not have AD logins, then you have to have a more complex setup.  You could put a filter on Tomcat to read the user info, validate against AD, then automatically log the user in.  All other users would pass through to the normal Tomcat login.
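A filter of the kind mrcoffee365 describes needs a routine that checks a user id and password against Active Directory. The class below is an added example, not code from this thread or from WebSphere or Tomcat; it assumes the server name and DN pattern from the JNDIRealm snippet above (youradsserver, cn=Users,dc=yourdomain) and an LDAPS listener on port 636 instead of the plain ldap://389 shown there.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
/** Checks a user id / password pair by a simple LDAP bind against Active Directory. */
public final class AdBindAuthenticator {
    // Assumed values, modelled on the JNDIRealm snippet in this thread; replace with your own.
    private static final String LDAP_URL = "ldaps://youradsserver:636";
    private static final String USER_PATTERN = "cn={0},cn=Users,dc=yourdomain";
    /** Returns true only when AD accepts a bind as the user's DN with the given password. */
    public static boolean authenticate(String userId, char[] password) {
        // AD answers a simple bind with an empty password as an anonymous bind (success),
        // so refuse empty passwords here or any existing user id would "log in".
        if (userId == null || userId.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        String dn = USER_PATTERN.replace("{0}", escapeDnValue(userId));
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env); // the bind happens in the constructor
            return true;
        } catch (AuthenticationException wrongCredentials) {
            return false;                     // unknown user or wrong password
        } catch (NamingException e) {
            throw new IllegalStateException("directory unreachable", e);
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }
    /** Escapes RFC 4514 special characters so a crafted user id cannot alter the DN. */
    static String escapeDnValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean edgeSpace = c == ' ' && (i == 0 || i == value.length() - 1);
            if (",+\"\\<>;=".indexOf(c) >= 0 || (c == '#' && i == 0) || edgeSpace) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }
}
```

A servlet filter would call authenticate() with the submitted credentials and only then establish the session; with a successful bind the same DirContext can be reused to look up group membership for the role check.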

Author Comment

by:pcssecure
ID: 37723647
Hi mrcoffee365,

I was referring to the assigning of roles to a user in the Active Directory Users and Computers console. I create a user named user01 and can assign him to a role of Admin, or Domain Admin, or User. I tried to match the text to the same as in the Web.xml like "admin" and "users" but under the AD, it will always display Administrator instead of "admin". I am not too sure whether it must be a match to pass through successfully.

Basically I have a domain XXX where users can log into Windows via their computers in the network. These are my internal users and require no additional logging in, something like SSO. There are also external users which connect from outside and require this log-in page.

Currently, I am able to perform the form authentication. With an account uid:pwd of user01:password01 on the AD, I enter incorrect password and it redirects me to error.jsp, I enter it correctly and it redirects me to index.jsp. The problem is when it goes to index.jsp, it informs me of an Error 403, that I am "able to connect to" the page but I am "not authorized to do so".

Yes, all my users have to be in the AD. I read most sites recommend the use of modifying the /conf/tomcat-users.xml but considering I am using Websphere, I am unsure where to go about this.

Expert Comment

by:Tomas Helgi Johannsson
ID: 37723758
Hi!

Regarding the role names, you are saying:
"I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one."

However, your role names are 'admin' and 'users' (case sensitive).
So in your case, if you log in as a user with the role 'Administrator' (as seen from the AD), then you get a 403 error because the role is 'admin', not 'Administrator', as seen from WebSphere.

Hope this helps.

Regards,
    Tomas Helgi

Author Comment

by:pcssecure
ID: 37727417
Hi Tomas,

I will check out the case-sensitive <role-name> and see how it goes.

If that's good, I should be able to get onto the second issue.

Cheers.

Author Comment

by:pcssecure
ID: 37736637
Hi,

I have tried to modify the web.xml to cater to the users' roles with case sensitivity involved. Unfortunately, it still leads me to the Error 403. No way to get it working. This means I have to get a working sample of another method instead.

I tried a sample code provided by, and utilized the "j_spring_security_check" which works as required. Unfortunately, it uses a user-table embedded within the code. I guess I will have to modify this sample code to access Active Directory via LDAP instead.

Cheers.

Assisted Solution

by:mrcoffee365
mrcoffee365 earned 100 total points
ID: 37737804
Yes -- as I pointed out in the previous post, you have to have everything configured to use LDAP.  You didn't post your configuration, but from your questions it sounded as if not all the pieces were correctly configured.  

Configuring LDAP through Tomcat is not for the faint of heart.  Try reading the link I posted above.

Accepted Solution

by:
Tomas Helgi Johannsson earned 400 total points
ID: 37738025
Hi!

Take a look at this Redbook on WebSphere 7 (I'm guessing that you are using version 7)
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247660.html?OpenDocument

There is a good chapter (4, as well as 7 and 8) on how to configure WebSphere against any LDAP server and securing Web/Enterprise apps.

Hope this helps.

Regards,
    Tomas Helgi

Author Comment

by:pcssecure
ID: 37764063
In case anyone is wondering, I figured it out and the problems were easily solved with configurations.

1) Assigning roles of Admin and User in Web.xml, one must go into Websphere and under Enterprise Applications > project.war > Security role to user/group mapping, physically assign the roles to Mapped Users such as "All Authenticated in Application's Realm". This will enable the user to access the page and remove the 403 error.

2) Also with the Websphere configuration under SPNEGO Configurations, one must append to the list "|project" to enable it so that request. Thereafter, authenticated users in the domain will access the item straight away, while external users will be redirected to a login page. The request.getRemoteUser() now works.

3) One must also enable SPNEGO and check the box to "Allow fall back to the application authentication mechanism" which will allow for automatic login for internal users and for external users to be redirected to the login.jsp.

4) There is a Spring Security sample that works. The only problem is that it accesses a local Authentication-Provider in its ApplicationContextSecurity.xml instead of the Active Directory. To protect the channel, under <transport-guarantee>NONE</transport-guarantee>, the NONE should be replaced with CONFIDENTIAL.

Thank you.

Expert Comment

by:mrcoffee365
ID: 37764073
Great -- thanks very much for posting back how you solved the problem.