Disable batch security in WebSphere Liberty - websphere-liberty

We use a WebSphere Liberty server behind a reverse proxy. We enabled the appSecurity-2.0 feature to add a custom TAI which validates HTTP requests between the proxy and Liberty. To use the batch framework that comes with WebSphere Liberty, we enabled the feature batchManagement-1.0 and added the required role configuration as described here: https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_batch_securing.html.
It is possible to submit a batch job through the REST API if the authorization-roles tag is added to the server.xml and the role batchAdmin is assigned to a user from the basic registry. However, if we add the authorization-roles tag, Liberty restricts the HTTP requests from the proxy (frontend users) to the deployed web app and reports that the user does not have the required permission to access the resources.
Is it possible to disable the batch security in WebSphere Liberty independently of the appSecurity feature?

You could grant everyone batchAdmin role access simply by:
<authorization-roles id="com.ibm.ws.batch">
  <security-role name="batchAdmin">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
  </security-role>
</authorization-roles>
OR:
<authorization-roles id="com.ibm.ws.batch">
  <security-role name="batchAdmin">
    <special-subject type="EVERYONE" />
  </security-role>
</authorization-roles>
However, there is no way to disable batch security with security enabled.
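For comparison, here is a constructed server.xml (an added example, not from the question or the answer above) that keeps the batch REST API (/ibm/api/batch) protected while still using the appSecurity-2.0 feature. The EVERYONE mapping from the answer is shown commented out beside a group-scoped mapping; the registry, user, group and feature list are assumptions chosen for the example, and the password is a placeholder to be replaced with the output of bin/securityUtility encode.

```xml
<server description="Liberty with the batch REST API restricted to one group">
  <featureManager>
    <feature>servlet-3.1</feature>
    <feature>appSecurity-2.0</feature>
    <feature>batchManagement-1.0</feature>
  </featureManager>

  <!-- Constructed registry for the example: one operator account in a batchAdmins group.
       Encode the password with bin/securityUtility encode instead of storing it in clear text. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="batchops" password="REPLACE_WITH_securityUtility_ENCODED_VALUE"/>
    <group name="batchAdmins">
      <member name="batchops"/>
    </group>
  </basicRegistry>

  <!-- Weak setting (the answer's second variant): EVERYONE includes unauthenticated callers,
       so anyone who can reach the server can start, stop and purge jobs through /ibm/api/batch.
  <authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
      <special-subject type="EVERYONE"/>
    </security-role>
  </authorization-roles>
  -->

  <!-- Scoped setting: only members of batchAdmins get batchAdmin; any authenticated
       user may submit jobs; nobody gets batch access without authenticating. -->
  <authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
      <group name="batchAdmins"/>
    </security-role>
    <security-role name="batchSubmitter">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </authorization-roles>
</server>
```

The batch roles are only consulted for the batch REST API; the web app's own constraints still come from its web.xml and bindings, so a TAI that authenticates the proxy's users is unaffected by which subjects are listed here.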

Related

Using ldapRegistry properties in Java running on Liberty Profile

I have some Java code running on Liberty Profile which authenticates with MS Active Directory and makes LDAP searches. The code uses JNDI and does what it is intended to do. The problem is that the LDAP parameters are hard-coded in Java. Works, but could be improved:
ldap.put(Context.PROVIDER_URL, "ldap://ad.foo.bar:389");
ldap.put(Context.SECURITY_PRINCIPAL, "CN=account,OU=A,DC=ad,DC=foo,DC=bar");
ldap.put(Context.SECURITY_CREDENTIALS, "apoorlykeptsecret");
...
ldapCtxt = new InitialDirContext(ldap);
Is it possible to pick the LDAP properties up from an ldapRegistry element in the server.xml file instead? Or am I on the wrong track? Is there a better way to approach this?
Yes, you should be able to configure that using the <ldapRegistry> element in server.xml.
For example:
<ldapRegistry id="ldap" realm="SampleLdapADRealm"
    host="ldapserver.mycity.mycompany.com" port="389"
    baseDN="cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindDN="cn=testuser,cn=users,dc=adtest,dc=mycity,dc=mycompany,dc=com"
    bindPassword="testuserpwd"
    ldapType="Microsoft Active Directory">
  <!-- The & in the LDAP filters must be escaped as &amp; to keep the XML well-formed -->
  <activedFilters
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      userIdMap="user:sAMAccountName"
      groupIdMap="*:cn"
      groupMemberIdMap="memberOf:member" >
  </activedFilters>
</ldapRegistry>
For full doc see: Configuring LDAP user registries in Liberty
As an alternative quick approach, you could put those values in your server.xml configuration as JNDI entries and obtain the values in your application by JNDI lookup. For example:
<jndiEntry jndiName="ldap/provider_url" value="ldap://ad.foo.bar:389"/>
<jndiEntry jndiName="ldap/security_principal" value="CN=account,OU=A,DC=ad,DC=foo,DC=bar"/>
<!-- WARNING: Storing passwords in JNDI is not secure -->
<jndiEntry jndiName="ldap/security_credentials" value="apoorlykeptsecret"/>
// javax.naming.InitialContext; requires the jndi-1.0 feature in server.xml
String providerUrl = InitialContext.doLookup("ldap/provider_url");
// etc...
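The registry in the answer binds over plain LDAP on port 389 with the bind password in clear text, so the service account's credentials cross the network and sit in server.xml unprotected. Below is a constructed server.xml fragment (an added example, not part of the question or answer) showing the same registry over LDAPS with an encoded bind password and an explicit trust store. Host names, DNs, file paths and passwords are assumptions for the example; the bindPassword and keystore passwords are placeholders to be replaced with the output of bin/securityUtility encode.

```xml
<server description="ldapRegistry over LDAPS with an encoded bind password">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- Constructed AD registry: same filters as the answer, but port 636 + sslEnabled.
       bindPassword holds an encoded value (securityUtility encode --encoding=aes), not clear text. -->
  <ldapRegistry id="ldap" realm="ADRealm"
      host="ad.foo.bar" port="636"
      baseDN="DC=ad,DC=foo,DC=bar"
      bindDN="CN=account,OU=A,DC=ad,DC=foo,DC=bar"
      bindPassword="REPLACE_WITH_securityUtility_ENCODED_VALUE"
      ldapType="Microsoft Active Directory"
      sslEnabled="true"
      sslRef="LDAPSSLSettings">
    <activedFilters
        userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
        groupFilter="(&amp;(cn=%v)(objectcategory=group))"
        userIdMap="user:sAMAccountName"
        groupIdMap="*:cn"
        groupMemberIdMap="memberOf:member"/>
  </ldapRegistry>

  <!-- SSL configuration used only for the LDAP connection. The trust store contains
       the CA that issued the domain controller's certificate, so the bind cannot be
       redirected to a rogue server; the key store is Liberty's default one. -->
  <ssl id="LDAPSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="LDAPTrustStore"/>
  <keyStore id="defaultKeyStore" password="REPLACE_WITH_securityUtility_ENCODED_VALUE"/>
  <keyStore id="LDAPTrustStore"
      location="${server.config.dir}/resources/security/ldap-truststore.jks"
      type="JKS"
      password="REPLACE_WITH_securityUtility_ENCODED_VALUE"/>
</server>
```

With the registry configured this way, the application no longer needs the bind credentials at all for authentication; only code that performs its own searches still needs a connection, and that should reuse the same LDAPS endpoint and trust store rather than a second clear-text bind.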

Configuring SAML with LDAP in spring

Is there a way to configure LDAP as the IdP for SSO?
I used the Spring SAML demo project (which shows SSO Circle as the IdP) and was able to configure two apps (SPs) with SSO.
Now, I want to use LDAP for populating user data (for authentication and authorization). Is there a good demo or tutorial to learn from and follow?
Thanks in advance
I can't say I use SAML (so can't speak to that), but I use the following for configuring my LDAP (AD) in Spring.
<security:ldap-server
    url="${ldap.url}"
    manager-dn="${ldap.manager.user}"
    manager-password="${ldap.manager.password}"
/>
<security:authentication-manager>
  <!-- each attribute reads the matching property: base, filter, role attribute -->
  <security:ldap-authentication-provider
      user-search-base="${ldap.search.user.base}"
      user-search-filter="${ldap.search.user.filter}"
      group-search-base="${ldap.search.group.base}"
      group-search-filter="${ldap.search.group.filter}"
      group-role-attribute="${ldap.search.group.attribute}"
  />
</security:authentication-manager>

Configuring env-entry values in WebSphere Liberty?

In WAS Full Profile you can change the values for env-entries defined in an application's web.xml file during and after deployment. Is there any such feature in WebSphere Liberty profile?
Sample env-entry:
<env-entry>
<description>Some Config String</description>
<env-entry-name>MyConfigString</env-entry-name>
<env-entry-type>java.lang.String</env-entry-type>
<env-entry-value>Dev-Value to be replaced in Production during deployment</env-entry-value>
</env-entry>
This env-entry is injected with an @Resource(name = "MyConfigString") annotation.
The infocenter for IBM Worklight (which runs on Liberty) describes a way using jndiEntry elements in server.xml. I tried this on Liberty 8.5.5.3 but it does not work and still injects the default value from web.xml.
Has anybody found a working way to configure env-entry values in Liberty?
The Liberty profile doesn't currently support configuring bindings without modifying the ibm-*-bnd.xml files in the application. As a workaround, you can use:
@Resource(lookup="MyConfigString")
...in the application and:
<jndiEntry jndiName="MyConfigString" value='"xyz"'/>
...in server.xml as described in the knowledge center.

Trouble with session attributes getting replicated in Tomcat 6

I have configured Tomcat 6 with in-memory session replication. I am also using IIS 7 (I know, I know) and the AJP connector via isapi_redirector. The cluster is working properly and I am able to replicate session attributes using the SessionExample in the examples war. The problem is that I am unable to do the same in my custom application. I have added the distributable tag to the web.xml file on both servers in my test cluster. However, I don't see any message in the logs mentioning the attributes getting sent to the cluster (I see them for SessionExample). The only notable differences that I can see between my app and the examples:
The examples war uses servlet 2.5. I am still required to use 2.4.
My application uses SSO and requires the user to login.
The application is a portal application.
Also, in the code of the application, I am setting a simple string in the attribute, so nothing fancy.
So, I was wondering if anyone has some tips to get this working?
Thanks
Here is the cluster section of my server.xml:
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"
         channelSendOptions="6">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.104"
                port="45564"
                frequency="500"
                dropTime="10000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto"
              port="4000"
              autoBind="100"
              selectorTimeout="7000"
              maxThreads="6"
              timeout="15000"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"
                 timeout="70000"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor"/>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve"
         filter=".*\.gif;.*\.js;.*\.jpg;.*\.png;.*\.htm;.*\.html;.*\.css;.*\.txt;"/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <Deployer className="org.apache.catalina.ha.deploy.FarmWarDeployer"
            tempDir="/apache-tomcat-6.0.37/war-deploy/war-temp/"
            deployDir="/apache-tomcat-6.0.37/webapps/"
            watchDir="/apache-tomcat-6.0.37/war-deploy/war-listen/"
            watchEnabled="true"/>
  <ClusterListener className="org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
Sorry. I found the issue. I was expecting to see messages in the log regarding the creation of the session attributes. I didn't realize that the examples project had a session listener that was outputting the messages to the log. I was thinking that it was simply from the log level that I had set.
Thanks to anyone who read this post.

Tomcat/Spring SSL configuration

I'm trying to configure my Spring application to use an SSL certificate I purchased from a CA. I followed the directions for the Tomcat 6.0 configuration and have imported the key into my Tomcat keystore and uncommented the SSL connector in the server.xml. When I start Tomcat, I see the connector start on port 8443 in the Tomcat logs, but when I go to https://example.com:8443 or http: //example.com:8443 or https: //example.com (without the spaces - I don't have the reputation to post links), it times out. What other configuration do I need to do to enable SSL for my Spring application. Do I have to change the application configuration?
I'd also like to only have some URLs over SSL (login, edit profile, etc.). How can I allow this in the Spring configuration? If I have to have all URLs accessible over SSL, that would be ok, but not desirable. I haven't found any tutorials that are Spring specific.
What you'll need to do is to edit your server.xml file to enable ssl. Here's Tomcat's guide, please check it out:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
In order to programmatically know if a request has arrived through port 80 or 443, you need to inspect the value returned by request.isSecure().
To secure URLs altogether, I'd recommend using a Filter.
I don't remember how all of this is handled by Spring, but I don't think you'll have any problems to obtain the request object.
Hope that helps.
After you've configured Tomcat as per the document cited by @mschonaker, the simplest thing is to define the action in the j_security_check and edit-profile forms, etc., to specify the https: protocol, e.g. in a Facelet, https://#{request.serverName}:8443#{request.contextPath}/j_security_check. Then when the user hits the login button, the form POSTs via HTTPS, so they are secure.
This leaves you in HTTPS for the rest of the session: to get back to HTTP but still stay in the same session, just provide a link to a fully-specified HTTP url, e.g. in a Facelet, http://#{request.serverName}:8443#{request.contextPath}/some link.
If you have other pages you want secured when read, define appropriate security-constraint, user-data-constraint, and transport-guarantee CONFIDENTIAL elements for them in web.xml.
About the second point:
I'd also like to only have some URLs over SSL (login, edit profile, etc.). ???
You could control it by modifying the configuration in web.xml:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>securedapp</web-resource-name>
    <!-- <url-pattern>/*</url-pattern> --> <!-- all pages -->
    <url-pattern>/yourapp/login</url-pattern>
    <url-pattern>/yourapp/edit</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Hope that helps you.
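The question also asked how to express this in the Spring configuration rather than in web.xml. The following constructed Spring Security namespace configuration (an added example, not taken from any of the answers) does the same job with requires-channel, and adds the port mapping Spring needs to build the redirect when Tomcat listens on 8080/8443 instead of 80/443. The URL patterns, ports and the /profile path are assumptions for the example.

```xml
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd">

  <http auto-config="true" use-expressions="true">
    <!-- Pages that carry credentials or profile data: Spring redirects plain HTTP
         requests for these to the HTTPS port before the controller ever runs. -->
    <intercept-url pattern="/login*" requires-channel="https" access="permitAll"/>
    <intercept-url pattern="/j_spring_security_check" requires-channel="https" access="permitAll"/>
    <intercept-url pattern="/profile/**" requires-channel="https" access="isAuthenticated()"/>

    <!-- Everything else may be served over either scheme ("any"); use "https"
         here instead if you decide to run the whole site over SSL. -->
    <intercept-url pattern="/**" requires-channel="any" access="permitAll"/>

    <!-- Non-standard ports (assumed 8080/8443, matching the connector in the question):
         without this mapping the redirect to https would target port 443. -->
    <port-mappings>
      <port-mapping http="8080" https="8443"/>
    </port-mappings>

    <form-login login-page="/login" login-processing-url="/j_spring_security_check"/>
    <logout logout-url="/logout"/>
  </http>
</beans:beans>
```

Keep in mind that a session established over HTTPS and then used over HTTP (as the earlier answer suggests) sends the JSESSIONID cookie in clear text on every HTTP request unless the cookie is marked Secure, in which case the HTTP requests simply will not carry it. If the session holds anything worth protecting after login, the practical choice is requires-channel="https" on /** rather than switching back and forth.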
