I have new problem with container security . On the server i have two ears first call service from second. On service there is #RolesAllowed("Authenticated"). My configuration in server.xml looks like this:
<featureManager>
<feature>jndi-1.0</feature>
<feature>distributedMap-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>wasJmsClient-2.0</feature>
<feature>jdbc-4.1</feature-->
<feature>javaMail-1.5</feature>
<feature>json-1.0</feature>
<feature>adminCenter-1.0</feature>
<feature>appSecurity-2.0</feature>
<feature>beanValidation-2.0</feature>
<feature>cdi-2.0</feature>
<feature>jsf-2.3</feature>
<feature>mdb-3.2</feature>
<feature>ejbHome-3.2</feature>
<feature>ejbLite-3.2</feature>
<feature>ejbRemote-3.2</feature>
<feature>jca-1.7</feature>
<feature>concurrent-1.0</feature>
<feature>jms-2.0</feature>
<feature>appClientSupport-1.0</feature>
<feature>ldapRegistry-3.0</feature>
</featureManager>
<basicRegistry id="basic" realm="customRealm">
<user password="{xor}Ozo5Kiw6LQ==" name="defuser" />
</basicRegistry>
Both ears contains identical configuration
<application-bnd>
<security-role name="All Role">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
The second ear contains ibm-application-ibd.xml file but i can not edit it. Best would be to override it.
When i call service from second ear i still get exception :
Caused by: javax.ejb.EJBAccessException: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking
Eny ideas ?
Liberty allows you to override application binding files using the server config element application-bnd, see IBM KnowledgeCenter topic https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.base.doc/ae/rwlp_config_enterpriseApplication.html#application-bnd and https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/twlp_sec_rolebased.html for details.
According to my experience configuring the authentication with Websphere Liberty, the login showed up only for restricted pages only, so the app needs to definen some security constraint in the web.xml like this example:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secured API</web-resource-name>
<url-pattern>/s/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>user</role-name>
</security-role>
Related
I'm following the Containerizing, packaging, and running a Spring Boot application guide. After getting it to run, I want to use my own Spring Boot application. So I took my jar, put it into the target directory and updated the server.xml file accordingly:
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<featureManager>
<feature>servlet-4.0</feature>
<feature>springBoot-2.0</feature>
</featureManager>
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<springBootApplication id="guide-spring-boot"
location="myOwnApp.jar"
name="guide-spring-boot" />
<!--springBootApplication id="guide-spring-boot"
location="thin-guide-spring-boot-0.1.0.jar"
name="guide-spring-boot" /-->
</server>
Alas, after restarting the Open Liberty server this configuration seems to be totally ignored and my application is not started.
I need to implement HTTP digest authentication for my Springboot Application. I have tried configuring this from Tomcat setup (How to use digest authentication in Tomcat 8.5? ut since Springboot doesn't generate any web.xml, I couldn't configure this. Can someone, please, give a piece of advice as for is there any alternative?
Steps Followed
1.generated sha -256 password
digest.bat -s 0 -a sha-256 tomcat
2. updated tomcat user file
<role rolename="admin-gui"/>
<user username="tomcat" password="ce066452368a3498047a43323cff46a00222945691d728747a2283273506a0a7"
roles="manager-gui,manager,admin"></user>
3. updated tomcat conf/server.xml
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
</Realm>
</Realm>
4. updated tomcat conf/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>MySecureResource</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin-gui</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin-gui</role-name>
</security-role>
<login-config>
<auth-method>DIGEST</auth-method>
<realm-name>UserDatabase</realm-name>
</login-config>
I am new to WebSphere Liberty profile. I am working on 17.0.0.4 version. What I am trying to achieve is to have custom JAAS login setup for the application. The application works fine on WebSphere 8.5.
I have reviewed so many link from IBM Knowledge Center for the same, but got result with either or with JAAS custom login, but not both of them together. With WebSphere 8.5 we are having level of hierarchy to decide which authentication mechanism goes where, but with Liberty if I setup Custom JAAS authentication mechanism then I can't login to WebSphere Liberty AdminCenter, and if I configure server.xml for , then it does not authenticate my application's user (because it is designed to get authenticate users via JAAS).
Here is my server.xml file.
<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
<feature>webProfile-7.0</feature>
<feature>appSecurity-2.0</feature>
</featureManager>
<keyStore id="defaultKeyStore" password="WASLiberty" />
<!-- Admin Center username/password -->
<!--<quickStartSecurity userName="admin" userPassword="admin123" />-->
<!-- Define an Administrator and non-Administrator -->
<basicRegistry id="basic">
<user name="admin" password="{xor}PjsyNjFubWw=" /> <!-- Encoded version of "admin123" -->
<user name="nonadmin" password="nonadmin123" />
</basicRegistry>
<!-- Assign 'admin' to Administrator -->
<administrator-role>
<user>admin</user>
</administrator-role>
<!-- JNDI Connection configuration -->
<dataSource id="MY_CUSTOM_DS" jndiName="jdbc/MY_CUSTOM_DS">
<jdbcDriver libraryRef="sqlserverjdbc"/>
<properties.microsoft.sqlserver databaseName="mydb"
serverName="localhost" portNumber="1433"
user="sa" password="root" />
</dataSource>
<!-- JDBC Driver file location -->
<library id="sqlserverjdbc">
<file name="${wlp.install.dir}/lib/sqljdbc4.jar"/>
</library>
<library id="MyLoginModuleLib">
<fileset dir="${wlp.install.dir}/lib" includes="custom_auth.jar"/>
</library>
<!-- JAAS Login Module for web application -->
<jaasLoginModule id="myCustom"
className="com.kana.auth.websphere.MyLoginModule"
controlFlag="REQUIRED" libraryRef="MyLoginModuleLib">
<options myOption1="value1" myOption2="value2"/>
</jaasLoginModule>
<!-- JAAS Login Context -->
<jaasLoginContextEntry id="system.WEB_INBOUND" name="system.WEB_INBOUND"
loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token" />
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
host="*"
httpPort="9080"
httpsPort="9443" />
<webApplication contextRoot="mywebapp" location="mywebapp.war" />
<!-- Automatically expand WAR files and EAR files -->
<applicationManager autoExpand="true"/>
<!-- Enable remote file access -->
<remoteFileAccess>
<writeDir>${server.config.dir}</writeDir>
</remoteFileAccess>
</server>
Can anyone please point out where I am making mistake?
If you are using custom JAAS login module, then your custom JAAS login module need to ignore the admin center authentication and let the default login modules handle it.
The better option is to use custom TAI to handle application authentication and let the default login modules handle the admin center authentication.
Regards,
Ut Le
Many many thanks Ut Le for providing solution.
From the log file, found that the root cause was ClassNotFound exception. It does not have class which I was pointing to from <jaasLoginModule>. Later on found that I was pointing to jar file which is not at that location. So that was a silly mistake I made for configuration.
I am attempting to redirect traffic on insecure port to secure port as described here:
https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.liberty.autogen.core.doc/ae/rwlp_config_httpProxyRedirect.html
Instead both ports are available and I see nothing in the logs. It's as if the httpProxyRedirect isn't being configured at all.
<?xml version="1.0" encoding="UTF-8"?>
<server description="CAST Liberty Server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
</featureManager>
<application id="app" context-root="/" type="war" location="${war.name}">
<classloader apiTypeVisibility="spec, ibm-api, api, third-party" />
</application>
<httpProxyRedirect id="defaultHttpProxyRedirect" httpPort="${http.port}" httpsPort="${https.port}" />
<keyStore id="defaultKeyStore" password="pass" />
<httpEndpoint host="*" httpPort="${http.port}" httpsPort="${https.port}" id="defaultHttpEndpoint" />
<applicationMonitor updateTrigger="mbean" />
</server>
Most likely, you are missing the security-constraints in the web.xml. This configuration tells the server which URLs need to be accessed over a secure transport and then re-directs qualifying requests from the non-secure port to the secure port. This tutorial may help: https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html
Also, keep in mind that the httpProxyRedirect configuration in the server.xml is intended for redirecting when you have a proxy server in front of your application server. For example, you may have your proxy server on the main "www.ibm.com" host - listening on HTTP port 80 and HTTPS port 443. But that host may route some requests to your Liberty application server on some other host (like "app1host.internal.ibm.com") that listens on different ports (i.e. HTTP port 9080 and HTTPS port 9443). In that case, just using the security-constraints in the web.xml would attempt to redirect the client request on the Liberty server from 9080 to 9443 but on the www.ibm.com host - where nothing is listening on those ports. In this case, you should configure httpProxyRedirect like this:
<httpProxyRedirect httpPort="80" httpsPort="443" host="www.ibm.com" />
With the configuration, a client HTTP request to a secured URL will get redirected to www.ibm.com on port 443, where the proxy server will forward the request to app1host.internal.ibm.com port 9443.
Hope this helps,
Andy
This is the security constraint that i am using in my web.xml and it works well for both Tomcat and IBM Websphere 8.5.5.15:
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Note: make sure that you put it after your <servlet-mapping>.
I am trying to configure my liberty server for client certificate authentication by these steps:
http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_clientcert.html
My liberty configuration:
<server description="new server">
<!-- Enable features -->
<featureManager>
<feature>webProfile-7.0</feature>
<feature>restConnector-1.0</feature>
<feature>localConnector-1.0</feature>
<feature>monitor-1.0</feature>
<feature>jsp-2.3</feature>
<feature>adminCenter-1.0</feature>
<feature>ssl-1.0</feature>
</featureManager>
<!-- To access this server from a remote client add a host attribute to the following element, e.g. host="*" -->
<httpEndpoint id="defaultHttpEndpoint"
httpPort="9081"
httpsPort="9444" />
<application id="Sample" name="Sample" type="war" location="Sample.war"/>
<keyStore id="defaultKeyStore" location="key.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<keyStore id="defaultTrustStore" location="truststore.jks" type="JKS" password="{xor}EzY9Oi0rJg==" />
<ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" clientAuthenticationSupported="true"/>
<webAppSecurity allowFailOverToBasicAuth="true" />
<auth-method>CLIENT-CERT</auth-method>
<basicRegistry id="basic">
<user identity="CN=Admin,O=myOrg,C=country" name="Admin" password="admin" />-->
</basicRegistry>
<administrator-role>
<user>Admin</user>
</administrator-role>
</server>
From java client I get:
CWWKX0229E: There was a problem with the user credentials provided. The server responded with code 401 and message 'Unauthorized'
I think my user mapping is wrong. Can somebody give me an example how to map client certificate with the liberty user?
Is the intent to login to web application using the certificate rather than user/password? You need to define the CLIENT-CERT in web.xml. You will have to install the certificate on your browser from where application will be accesses. Also, Liberty server will need to have the signer certificate in the trust store. You may also define certificate filter if the certificate DN name does match exactly to registry user.
Below command can be added to server.xml so that basic authentication can be use if client certificate authentication did not succeed.
You may also want to confirm that your application does work with basic authentication.
More details at:
http://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/twlp_sec_clientcert.html