  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 4619

Integrating login security with JSP and Websphere

Hi. As mentioned in the topic, I am designing a log-in that caters to both internal and external users by utilizing JSP. My applications are hosted on Websphere and my users are on an Active Directory. I will be relying on Form Authentication, "j_security_check", and "request.getRemoteUser()".

The basic idea is for people to access the application directly if they are internal users within the domain that have been authenticated. For external users, they will be directed to a log-in page and upon successful authentication, will be directed to the application. The application I currently have is just to display a "Hello, <user>".

A brief sequence would be:
- User to access /protected/index.jsp
- If not authenticated, to be directed back to /login.jsp
- Once authenticated, the index.jsp should display the User's ID

I am currently facing two problems. Below are the details.

My /WEB-INF/web.xml file as per the site here:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Servlet 2.5 descriptor is schema-based, so the Servlet 2.3 DOCTYPE does not belong here -->
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    <description>Try login page</description>
    <display-name>Login Page</display-name>
    <welcome-file-list>
        <welcome-file>/protected/index.jsp</welcome-file>
    </welcome-file-list>
    <error-page>
        <error-code>403</error-code>
        <location>/denied.jsp</location>
    </error-page>
    <security-constraint>
        <web-resource-collection>
            <!-- web-resource-name is required by the 2.5 schema -->
            <web-resource-name>Protected pages</web-resource-name>
            <url-pattern>/protected/*</url-pattern>
            <!-- Listing methods constrains only those methods; leave the list out to protect all methods -->
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <!-- Each role once; names are case-sensitive and must match <security-role> below -->
            <role-name>admin</role-name>
            <role-name>users</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Example Login</realm-name>
        <form-login-config>
            <form-login-page>/login.jsp</form-login-page>
            <form-error-page>/error.jsp</form-error-page>
        </form-login-config>
    </login-config>
    <security-role>
        <description>Administrator</description>
        <role-name>admin</role-name>
    </security-role>
    <security-role>
        <description>Users</description>
        <role-name>users</role-name>
    </security-role>
</web-app>

I gathered my login.jsp would be something like the site here.

The index.jsp is as follows:
    <body>
        <h1>Index</h1>
        <p>
        <%-- An expression tag writes the value into the page; a plain scriptlet evaluates it and prints nothing --%>
        Hello1, <%= request.getRemoteUser() %>
        </p>
        <p>
        <%-- getUserPrincipal() is null when the container did not authenticate the request, so guard against it --%>
        Hello2, <%= request.getUserPrincipal() != null ? request.getUserPrincipal().getName() : "(not authenticated)" %>
        </p>
    </body>

First Problem: Error 403
When I try to access index.jsp, I am automatically redirected to login.jsp. An incorrect login redirects me to error.jsp. A correct login results in "http://<url>/j_server_check" with an "Error 403 : This website requires you to log in."
This means that it is actually verifying against my Active Directory, but some settings need to be changed. My user in AD is under Administrator as well as Domain Admin, so I am baffled as to why an Error 403 occurs.
Furthermore, I was previously unable to access the snoop page, but after a successful login with Error 403, I am able to access the snoop page, although it indicates BASIC authentication. I am confused at this point.

Second Problem: Blank Username
I tried adjusting the web.xml to allow all users by changing variations of the <url-pattern>, the <auth-constraint>, as well as the <security-role>. Every way of accessing index.jsp results in a blank result. Logging into the system as an internal user and accessing index.jsp, I am greeted with "Hello, null." for both request.getRemoteUser() and request.getUserPrincipal().getName(), which is equally frustrating.

I feel like I am pretty close to the solution, which I feel is somewhere within the settings. However, I hope someone who has experienced this before can shed light on this issue.

Thank you.
2 Solutions
 
mrcoffee365 Commented:
You can't make the login page protected -- people who are not logged in have to be able to get to it.  Typically you put all the pages which require login in a directory where you can put the url pattern and say the roles of users you allow.  You can also list urls explicitly, if a directory has both protected and public pages in it.

A valid user does not have to have a name, but I can see where you would expect it to be retrieved if you're using AD.

pcssecure (Author) Commented:
Hi mrcoffee365,

Under the web.xml, I put this: <url-pattern>/protected/*</url-pattern>

The files are located in the file structure as follows:
/login.jsp
/error.jsp
/denied.jsp
/protected/index.jsp


I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one.

mrcoffee365 Commented:
You're right -- I misread the web.xml. It's index.jsp that's under /protected.

The roles are fine.

What does this mean?:
"Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. "
Login doesn't do any autocorrect.  

In any case, I think what you want to do is more complex than the configuration you're working from.

You want Windows-authenticated users to be able to get through and be automatically logged in to your webapp.  All others get a different login.

I would develop those as 2 different things.  Leave out the AD work and just get the form authentication to work.  

Then do the AD login.

If all your users have AD logins, then you can set up the realm in server.xml for login to go to Active Directory, similarly to this:
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
       connectionURL="ldap://youradsserver:389"
       alternateURL="ldap://youradsserver:389"
       userRoleName="member"
       userBase="cn=Users,dc=yourdomain"
       userPattern="cn={0},cn=Users,dc=yourdomain"
       roleBase="cn=Users,dc=yourdomain"
       roleName="cn"
       roleSearch="(member={0})"
       roleSubtree="false"
       userSubtree="true"
/>

See more discussion of this here:
http://stackoverflow.com/questions/267869/configuring-tomcat-to-authenticate-using-windows-active-directory 

If all of your users do not have AD logins, then you have to have a more complex setup.  You could put a filter on Tomcat to read the user info, validate against AD, then automatically log the user in.  All other users would pass through to the normal Tomcat login.

pcssecure (Author) Commented:
Hi mrcoffee365,

I was referring to the assigning of roles to a user in the Active Directory Users and Computers console. I create a user named user01 and can assign him to a role of Admin, or Domain Admin, or User. I tried to match the text to the same as in the Web.xml like "admin" and "users" but under the AD, it will always display Administrator instead of "admin". I am not too sure whether it must be a match to pass through successfully.

Basically I have a domain XXX where users can log into Windows via their computers in the network. These are my internal users and require no additional logging in, something like SSO. There are also external users which connect from outside and require this log-in page.

Currently, I am able to perform the form authentication. With an account uid:pwd of user01:password01 on the AD, I enter incorrect password and it redirects me to error.jsp, I enter it correctly and it redirects me to index.jsp. The problem is when it goes to index.jsp, it informs me of an Error 403, that I am "able to connect to" the page but I am "not authorized to do so".

Yes, all my users have to be in the AD. I read most sites recommend the use of modifying the /conf/tomcat-users.xml but considering I am using Websphere, I am unsure where to go about this.

Tomas Helgi Johannsson Commented:
Hi!

Regarding the role names, you are saying:
"I have Administrator and Users as my roles. I checked with Active Directory. Even assigning a role to a user, I type the words 'admin', it will autocorrect and add for me 'Administrator'. So by right, I should be able to access the login.jsp as I can get rejected for incorrect uid:pwd combo and go through for correct one."

However, your role names are 'admin' and 'users' (case sensitive).
So in your case, if you log in as a user with the role 'Administrator' (as seen from the AD), then you get a 403 error because the role is 'admin', not 'Administrator', as seen from WebSphere.

Hope this helps.

Regards,
    Tomas Helgi

pcssecure (Author) Commented:
Hi Tomas,

I will check out the case-sensitive <role-name> and see how it goes.

If that's good, I should be able to get onto the second issue.

Cheers.

pcssecure (Author) Commented:
Hi,

I have tried to modify the web.xml to cater to the users' roles with case sensitivity involved. Unfortunately, it still leads me to the Error 403. No way to get it working. This means I have to get a working sample of another method instead.

I tried a sample code provided by, and utilized the "j_spring_security_check" which works as required. Unfortunately, it uses a user-table embedded within the code. I guess I will have to modify this sample code to access Active Directory via LDAP instead.

Cheers.

mrcoffee365 Commented:
Yes -- as I pointed out in the previous post, you have to have everything configured to use LDAP.  You didn't post your configuration, but from your questions it sounded as if not all the pieces were correctly configured.  

Configuring LDAP through Tomcat is not for the faint of heart.  Try reading the link I posted above.

Tomas Helgi Johannsson Commented:
Hi!

Take a look at this Redbook on WebSphere 7 ( I'm guessing that you are using version 7)
http://www.redbooks.ibm.com/Redbooks.nsf/RedbookAbstracts/sg247660.html?OpenDocument

There are good chapters (4, as well as 7 and 8) on how to configure WebSphere against any LDAP server and secure Web/Enterprise apps.

Hope this helps.

Regards,
    Tomas Helgi

pcssecure (Author) Commented:
In case anyone is wondering, I figured it out and the problems were easily solved with configurations.

1) When assigning the roles Admin and User in Web.xml, one must go into Websphere and, under Enterprise Applications > project.war > Security role to user/group mapping, physically assign the roles to Mapped Users such as "All Authenticated in Application's Realm". This will enable the user to access the page and remove the 403 error.

2) Also with the Websphere configuration under SPNEGO Configurations, one must append to the list "|project" to enable it so that request. Thereafter, authenticated users in the domain will access the item straight away, while external users will be redirected to a login page. The request.getRemoteUser() now works.

3) One must also enable SPNEGO and check the box to "Allow fall back to the application authentication mechanism" which will allow for automatic login for internal users and for external users to be redirected to the login.jsp.

4) There is a Spring Security sample that works. The only problem is that it accesses a local Authentication-Provider in its ApplicationContextSecurity.xml instead of the Active Directory. To protect the channel, under <transport-guarantee>NONE</transport-guarantee>, the NONE should be replaced with CONFIDENTIAL.

Thank you.
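As an added example (not code from the thread or from WebSphere), here is index.jsp redone as a servlet that fails closed on the two symptoms discussed above: a null principal, instead of printing "Hello, null", and a protected page reached without TLS despite the CONFIDENTIAL transport guarantee. It assumes the /protected/* FORM constraint and the role mapping from step 1 are in place; the class name HelloServlet and the /login.jsp redirect target are taken from the thread's layout.

```java
// Added example, not from the thread: index.jsp as a servlet that fails closed.
// Assumes /protected/* sits behind the FORM security-constraint from web.xml and
// that the roles "admin" and "users" have been mapped in the WebSphere console.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class HelloServlet extends HttpServlet {  // hypothetical class name
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container should already have authenticated this request. If it has
        // not (the "Hello, null" symptom), do not render the page for an anonymous caller.
        Principal principal = req.getUserPrincipal();
        if (principal == null) {
            resp.sendRedirect(req.getContextPath() + "/login.jsp");
            return;
        }
        // <transport-guarantee>CONFIDENTIAL</transport-guarantee> should force TLS;
        // refuse to serve an authenticated page if a misconfiguration lets plain HTTP through.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // Role names are compared case-sensitively with <role-name> in web.xml:
        // "admin" matches, "Administrator" does not.
        boolean isAdmin = req.isUserInRole("admin");
        boolean isUser = req.isUserInRole("users");

        resp.setContentType("text/html;charset=UTF-8");
        resp.setHeader("Cache-Control", "no-store"); // never cache an authenticated page
        PrintWriter out = resp.getWriter();
        out.println("<h1>Index</h1>");
        // getRemoteUser() returns the same name as principal.getName()
        out.println("<p>Hello, " + escapeHtml(principal.getName()) + "</p>");
        out.println("<p>admin: " + isAdmin + ", users: " + isUser + "</p>");
    }

    // The user name comes from the directory; escape it before writing it into HTML.
    static String escapeHtml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Map the servlet to a path under /protected/ in web.xml so the container's constraint still applies; the checks in the servlet are a second line of defence, not a replacement for it.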
 
mrcoffee365 Commented:
Great -- thanks very much for posting back how you solved the problem.