IBM BPM sharing authentication with web application - websphere

I have a Java web application deployed in the same IBM BPM WebSphere. When a user opens a BPM screen I provide a link to the web application.
I want only the user who is logged in to BPM to be able to access the link, but not others. How to achieve the same?

If your application is in the same WebSphere cell, SSO between apps is enabled by default. Check this page: Single sign-on for authentication using LTPA cookies. Your second application just has to have security constraints defined (role, resources) and mapped to a specific group of users or to all authenticated users.
If the other app is in a different WebSphere cell, you would need to import there the LTPA key from your BPM cell. Also see the other constraints from the link above.

Related

How to change EncryptionMethod Algorithm to xmlenc#rsa-oaep-mgf1p in WebSphere ND 8.5.5

I am running a JAX-WS web service client on an IBM WebSphere 8.5.5.10 traditional server. The WSDL requires encryption and signing. I am configuring the WS-Security in an Application Policy set and General Client policy set and attaching those to the application.
The service provider expects EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"
WebSphere is sending
Can someone tell me how to change the EncryptionMethod Algorithm to xmlenc#rsa-oaep-mgf1p in the Policy set?
Thanks in advance.
Got this from IBM. It answered my question.
https://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/uwbs_wsspsal.html
To view this administrative console page:
1. Click Services > Policy sets > Application policy sets > policy_set_name.
2. Click the WS-Security policy in the Policies table.
3. Click the Main policy link or the Bootstrap policy link.
4. Click the Algorithms for symmetric tokens link or the Algorithms for asymmetric tokens link.
This administrative console page applies only to Java API for XML Web Services (JAX-WS) applications.

IBM ICN cross application authentication

We currently have an installation of IBM Content Navigator that we built a feature inside. This feature shows another web application installed on the same server inside an iFrame; this application connects to CPE using the Java WS APIs to do some operations using the ICN logged-in user's credentials.
The main problem we are facing is that in our current solution the user logs in twice: once to log in to ICN, and again to log in to the web application, which is undesirable. We need to eliminate this second login and implement some sort of SSO.
One option available is using Kerberos; however, as it currently stands the FileNet Java API does not support Kerberos at the moment (only .NET).
Any ideas are much appreciated.
References
Using Kerberos on an API Client - https://www.ibm.com/support/knowledgecenter/SSGLW6_5.2.1/com.ibm.p8.ce.dev.ce.doc/sec_procedures.htm
If your web application is deployed in the same WebSphere cell, you don't need to use Kerberos. Kerberos needs to support SSO between WAS and the client only, not between the application and the client.
You don't need to use createSubject(); just get it from the security context and provide it to CPE.
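As an added example (not code from either answer above), a servlet in the second application that relies on the cell-wide LTPA SSO the first answer describes and, as the ICN answer advises, takes the caller's Subject from the security context and hands it to the CE API instead of calling createSubject(); the role name, servlet path and CE URI are assumptions made for this example.

```java
// Added example (not from either answer): a servlet in the second application of the
// same WebSphere cell. The LTPA cookie set by BPM/ICN already authenticates the caller,
// the container enforces the role, and the caller's Subject is taken from the security
// context and pushed to the FileNet CE API instead of being rebuilt with createSubject().
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.filenet.api.core.Connection;
import com.filenet.api.core.Domain;
import com.filenet.api.core.Factory;
import com.filenet.api.util.UserContext;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

@WebServlet("/documents") // path is an assumption
// Servlet 3.0 security constraint: bind the (assumed) role to "All Authenticated in
// Application's Realm" or a specific LDAP group in ibm-application-bnd.xml or the console.
@ServletSecurity(@HttpConstraint(rolesAllowed = "authenticated-user"))
public class DocumentServlet extends HttpServlet {
    private static final String CE_URI = "http://cpe.example.internal:9080/wsi/FNCEWS40MTOM/"; // assumed
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        Subject caller;
        try {
            caller = WSSubject.getCallerSubject(); // identity already established by LTPA SSO
        } catch (WSSecurityException e) {
            throw new ServletException("no caller subject in the security context", e);
        }
        if (caller == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } // defensive
        Connection conn = Factory.Connection.getConnection(CE_URI);
        UserContext uc = UserContext.get();
        uc.pushSubject(caller); // CE calls on this thread now run as the ICN/BPM user
        try {
            Domain domain = Factory.Domain.fetchInstance(conn, null, null); // default domain
            resp.setContentType("text/plain");
            resp.getWriter().println(req.getUserPrincipal().getName() + " -> " + domain.get_Name());
        } finally {
            uc.popSubject(); // servlet threads are pooled: never leave the subject behind
        }
    }
}
```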

Websphere multiple authentication provider

I am looking for some information about using multiple authentication providers with WebSphere Liberty at the same time. The requirement is to have AD (LDAP) authentication as the main authentication and, for users not allowed to be listed in AD, a simple database for authentication.
Thanks for any hints.
You can implement a custom user registry to meet these requirements:
http://www-01.ibm.com/support/knowledgecenter/#!/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_sec_custmr.html
If you're looking for the solution of security domains provided in WAS Classic (the full profile), please open an RFE and be sure to vote for it!
https://www.ibm.com/developerworks/rfe/?BRAND_ID=181

Sharing session between two apps - Dilemmas and Approaches

This is what I want to happen.
Current setup: Two WARs deployed in WebSphere v8 (App1 and App2). Both have a login feature where users enter a username and password to get into the app. This is not using LDAP or JAAS; it's just a plain query to the DB to check whether the username and password are correct.
Problem: There has been a move to "combine" the two apps so that authenticated users in App1 can now access App2 directly without logging in, sharing the same session. If a user accesses a module in App2 without logging in, the user will be directed to the login page of App1 to log in.
Other factors:
App1 and App2 are in the same WebSphere instance, in the same box and in the same cell.
Question:
Is it possible to implement SSO and a shared session between App1 and App2 in WebSphere?
From what I read, you are either performing the authentication on your own with App1 and App2, meaning without using WebSphere security, or you have both applications inside two different WebSphere cells where no SSO is set up.
If it is option 1, I strongly recommend you take a look at WebSphere security and what the container provides you there.
Which brings me to option two: cells without SSO.
WebSphere Application Server builds out by default a cell-wide SSO model. A cell means a collection of servers which are controlled together. By default WebSphere uses a token named LTPA_Token or, since 6.1, LTPA_Token2. At the cell level the security is configured, which includes the SSO domain, which is in fact "just" the cookie domain. WebSphere persists the authentication state inside the token as a cookie, and the browser will submit this to the server matching the cookie domain.
Having said that, if you have two cells you can exchange the security keys between these two, and so they can both understand the security token created by either of them. You need to ensure some additional information, like realm, security domain and attached user repository.
As you mentioned App2 should send all users to App1, you probably need to define the endpoint to handle the authentication within your web.xml and have it point directly to App2, or write a TAI (Trust Association Interceptor) on App2 to send all non-authenticated requests to App1.
In addition, you could as well put an authentication proxy in front of the two applications, which will only ensure the authentication state and establish the security state as the request is passed to the backend.
For reference
WebSphere Application Server Infocenter Topic
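As an added example (not code from the answer above), a Trust Association Interceptor for App2 that combines the answer's last two options: the container's security state is established from an identity asserted by an authentication proxy in front of the applications, and requests that did not come through the proxy are redirected to App1's login page. The header names, the custom properties "loginUrl" and "proxySecret", and the assumption that a non-OK TAIResult makes WebSphere return the response the TAI prepared are all assumptions made for this example.

```java
// Added example (not from the original answer): a TAI for App2 on WebSphere traditional.
// Header names and the custom properties "loginUrl"/"proxySecret" are assumptions.
import java.io.IOException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

public class ProxyAssertionTAI implements TrustAssociationInterceptor {
    private String loginUrl;    // App1 login page, from the TAI custom property "loginUrl"
    private String proxySecret; // value the proxy must send in X-Proxy-Secret

    @Override public int initialize(Properties props) throws WebTrustAssociationFailedException {
        loginUrl = props.getProperty("loginUrl");
        proxySecret = props.getProperty("proxySecret");
        if (loginUrl == null || proxySecret == null || proxySecret.length() < 32) { // refuse weak setup
            throw new WebTrustAssociationFailedException("loginUrl and a strong proxySecret are required");
        }
        return 0;
    }

    @Override public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return true; // intercept every request to the protected resources
    }

    @Override public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req,
            HttpServletResponse resp) throws WebTrustAssociationFailedException {
        String user = req.getHeader("X-Auth-User");
        String secret = req.getHeader("X-Proxy-Secret");
        // Trust the asserted user only if the request demonstrably passed through the proxy
        // (constant-time compare, so timing does not leak the secret).
        if (user != null && secret != null && MessageDigest.isEqual(
                secret.getBytes(StandardCharsets.UTF_8), proxySecret.getBytes(StandardCharsets.UTF_8))) {
            return TAIResult.create(HttpServletResponse.SC_OK, user); // WAS builds the Subject and LTPA cookie
        }
        try { // not authenticated: redirect to App1; assumed: a non-OK status returns our response as is
            resp.sendRedirect(loginUrl + "?target=" + URLEncoder.encode(req.getRequestURI(), "UTF-8"));
        } catch (IOException e) {
            throw new WebTrustAssociationFailedException(e.getMessage());
        }
        return TAIResult.create(HttpServletResponse.SC_FOUND);
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType() { return "ProxyAssertionTAI"; }
    @Override public void cleanup() { }
}
```

The proxy must strip any client-supplied X-Auth-User and X-Proxy-Secret headers before forwarding, and the application server should accept connections only from the proxy (network restriction or mutual TLS), since the shared secret alone is a weak assertion of where a request came from.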

SSO Between Websphere Portal and Moodle

We have a vendor portal that is public and a Moodle site that is also public. They are both set up to use the same Active Directory.
Is there a way to configure SSO between them?
I've looked into this issue before, and all that I've found is about keeping the user credentials in the global Portal session and posting them to the Moodle server login form.
It seems that Moodle does not support LTPA, since this is a proprietary IBM protocol designed for WebSphere and Domino. Also, the LTPA token does not include the actual password, so Moodle would have to trust WebSphere when it says that a particular user has been authenticated at a certain time (timestamp).
Maybe someone else might have more input on the subject...