I have a JAX-RS web service deployed on IBM WebSphere and I want to secure this WS when it receives requests (delegated from another server).
So I use basic auth, set the username and password on a BasicAuthSecurityHandler object and delegate the request to the other server.
Now when the other server receives the request I use the Federated repository in WAS under Global security and do the authentication.
If I comment out the auth-constraint in the deployment descriptor, the authentication does not take place.
I want to do only authentication and no authorization.
I tried using the @PermitAll annotation on the Jax-WS method but the authorization is also happening before the Jax-WS method is executed.
So is there any way I can skip the authorization and still do the authentication?
I don't have any rules associated with my users, so I want to skip the authorization.
<security-constraint id="SecurityConstraint_1">
    <display-name>RESTSecurity</display-name>
    <web-resource-collection id="WebResourceCollection_1">
        <web-resource-name>DelegateReqComApp</web-resource-name>
        <description>
            Protection area for Rest resource /addresses
        </description>
        <url-pattern>/rest/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <!-- Authorization Constraint commented out -->
    <auth-constraint id="AuthConstraint_1">
        <description>
            Used to guard resources under this url-pattern
        </description>
        <role-name>iapawas012</role-name>
    </auth-constraint>
</security-constraint>
Create the auth-constraint and map the iapawas012 role to the special subject ALL_AUTHENTICATED. It basically says that any user who successfully authenticates is authorized to invoke your service.
You can do it either in the web admin console under Enterprise Applications > yourApplication > Security role to user/group mapping, or via the binding file ibm-application-bnd.xml in the EAR's META-INF folder:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    version="1.2">
    <security-role name="iapawas012">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
</application-bnd>
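A fuller deployment-descriptor setup for the scenario above, added here as an example and not the answerer's own configuration: the constraint keeps its auth-constraint, the role is declared and bound to ALL_AUTHENTICATED_USERS at web-module level, and the Basic credentials are forced over TLS. The file names and the BASIC realm name are assumptions; the role name and URL pattern come from the question.

```xml
<!-- File: WEB-INF/web.xml (security-related parts only) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>DelegateReqComApp</web-resource-name>
            <url-pattern>/rest/*</url-pattern>
            <!-- No <http-method> elements on purpose: listing only GET and POST
                 would leave PUT, DELETE, HEAD and the rest unconstrained. -->
        </web-resource-collection>
        <!-- The auth-constraint is what triggers the Basic challenge; keep it and
             make the role "everyone who authenticated" in the binding below. -->
        <auth-constraint>
            <role-name>iapawas012</role-name>
        </auth-constraint>
        <!-- Basic auth sends the password base64-encoded, so require TLS. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- The role must be declared here so the container can bind it. -->
    <security-role>
        <role-name>iapawas012</role-name>
    </security-role>

    <!-- Challenge with HTTP Basic against the federated repository (realm name assumed). -->
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>DelegateReqComApp</realm-name>
    </login-config>
</web-app>

<!-- File: WEB-INF/ibm-web-bnd.xml (web-module alternative to ibm-application-bnd.xml) -->
<web-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-web-bnd_1_0.xsd"
         version="1.0">
    <!-- Any successfully authenticated user satisfies the role: authentication
         without per-user authorization. -->
    <security-role name="iapawas012">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
</web-bnd>
```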
I have a Spring app.
It is consistently giving me this error in WebSphere Liberty. These are my login settings
in web.xml for Spring Security.
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:security="http://www.springframework.org/schema/security"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- ===== SECURITY CONFIGURATION ===== -->
    <!-- All requests matching the pattern below will bypass the security filter chain completely -->
    <security:http pattern="/image/**" security="none"/>
    <!-- security:http pattern="/login.jsp*" security="none" / -->

    <!-- Defines who can access each URL. -->
    <!--
        Spring Security 3.0 introduced the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use
        of configuration attributes and access-decision voters which we have seen before. Expression-based access control is built on the same
        architecture but allows complicated boolean logic to be encapsulated in a single expression.
        http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
    -->
    <security:http auto-config="true" use-expressions="true">
        <!-- URL restrictions (order is important!) Most specific matches should be at the top -->
        <!-- Don't set any role restrictions on login.jsp. Any requests for the login page should be available to anonymous users -->
        <security:intercept-url pattern="/login.jsp*" access="isAuthenticated()" />
        ...
Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)
I have configured LDAP but I do not know how to tie the LDAP settings to server authentication, similar to WAS 7.0 global security activation, so the application is not able to authenticate.
Can someone give me further information on how the access-id in the security settings relates to the LDAP realm?
<jaasLoginContextEntry id="system.WEB_INBOUND" loginModuleRef="HashLogin, certificate, hashtable, token, userNameAndPassword" name="system.WEB_INBOUND"/>
<jaasLoginContextEntry id="WSLogin" loginModuleRef="WSLoginId, certificate, hashtable, token, userNameAndPassword" name="WSLoginId" />
<jaasLoginModule id="WSLoginId" className="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl" libraryRef="${com.ibm.ws.security.wim.*}"></jaasLoginModule>
</server>
I have looked at the Liberty profile documents, so I would appreciate more detailed information rather than links to IBM documents, because I have read those and a lot of other information on the internet and have exhausted all the resources I can look up. I would really appreciate a more detailed explanation of how to implement global security and application security enablement, as WAS 7.0 does when we configure an LDAP repository. My LDAP is Microsoft Active Directory, and my application security is handled by the Spring container.
As a resource I looked at this, but it did not seem to help.
How to map security role to ldap group in websphere liberty profile
Here is how the access-id in the Liberty profile can be defined, assuming the LDAP server definition has the realm name ldapRealm in server.xml.
<!-- Sample LDAP definition -->
<ldapRegistry id="TivoliLdap" host="myHost.rtp.raleigh.ibm.com" realm="ldapRealm" port="389" ldapType="IBM Tivoli Directory Server" ignoreCase="false" baseDN="o=mycompany,c=us">
</ldapRegistry>

<!-- Application binding sample for using the access-id attribute on a user or group element -->
<application-bnd>
    <security-role name="Employee">
        <user name="Bob" access-id="user:ldapRealm/Bob"/>
        <group name="developers" access-id="group:ldapRealm/developers"/>
    </security-role>
</application-bnd>
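An added Liberty server.xml, not the answerer's or IBM's own sample, that puts the pieces the question asks about together: the realm name that the access-id refers to, an Active Directory registry bound over LDAPS, and the role-to-group binding done by name. Host names, DNs, store locations and passwords are placeholders, and it assumes the application uses container-managed security (the binding has no effect on Spring Security's own filter chain unless Spring is configured to trust the container).

```xml
<server description="Liberty 8.5.5 with an Active Directory user registry">
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>ldapRegistry-3.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Trust store containing the CA certificate of the domain controllers,
         so the registry talks LDAPS (636) instead of clear-text LDAP on 389. -->
    <keyStore id="defaultKeyStore" password="CHANGE_ME" />
    <keyStore id="ldapTrustStore"
              location="${server.config.dir}/resources/security/ldapTrust.jks"
              password="CHANGE_ME" />
    <ssl id="ldapSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="ldapTrustStore" />

    <!-- realm="ldapRealm" is the part after "user:" / "group:" in an access-id.
         Liberty ships default AD filters (sAMAccountName for users, cn for groups);
         add an <activedFilters> element only if your schema differs. -->
    <ldapRegistry id="adRegistry" realm="ldapRealm"
                  host="dc01.example.com" port="636"
                  sslEnabled="true" sslRef="ldapSSLConfig"
                  ldapType="Microsoft Active Directory"
                  baseDN="DC=example,DC=com"
                  bindDN="CN=liberty-svc,OU=Service Accounts,DC=example,DC=com"
                  bindPassword="{xor}CHANGE_ME"
                  ignoreCase="true" />
    <!-- bindPassword: use a low-privilege read-only service account and encode the
         value with bin/securityUtility encode rather than storing it in clear text. -->

    <!-- Binding kept in server.xml instead of a packaged ibm-application-bnd.xml;
         "developers" is resolved against the registry above, so no access-id needed. -->
    <application id="myapp" name="myapp" type="war" location="myapp.war">
        <application-bnd>
            <security-role name="Employee">
                <group name="developers" />
            </security-role>
        </application-bnd>
    </application>
</server>
```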
I followed this article and created the simplest websocket echo application. Although the article is about Glassfish, I successfully ran my app under Jetty 9, as they use the standard javax.websocket API in the article.
It works just fine, but now I want to secure the websocket connection. I googled around and found most examples are written as standalone Java applications (with a public static void main() method). They create a new ConnectionFactory and start the server from their code (like here, for example).
But I want to run my app under Jetty as a container, so I want to just specify some options in web.xml or similar to secure my connection. So I found this article and modified my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected resource</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <!-- https -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
The problem is it doesn't work. Probably because the article is about Glassfish again.
How it does NOT work:
My IDE (IDEA) shows all tags inside <security-constraint> in red, which means schema validation failed and these tags cannot be contained inside <security-constraint>.
When I try to open index.html over HTTPS I get the error ssl_error_rx_record_too_long in the browser, and there are also two errors in the Jetty output:
Illegal character 0x16 in state=START for buffer HeapByteBuffer
and
badMessage: 400 Illegal character 0x16 for HttpChannelOverHttp
So.. What am I doing wrong? How do I make a secured websocket via Jetty or application configuration?
The security constraint tag you described is mostly used to specify BASIC authentication mode in the application server.
I guess you want to enable HTTPS and not authentication. For enabling HTTPS you may follow this article: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL
I have a problem and I believe it boils down to a misfit between our load balancer, web server (IHS), HTTPS configuration and Java EE form security with j_security_check.
I understand that when a client tries to hit a secure page, the server (WebSphere) sends a redirect with the URL of the sign-in form, which is what we see in our dev and test environments. However, the production setup has a web server (IHS) which consumes the https URL, strips the "s" and forwards the http URL to WebSphere (known as SSL offloading). When WebSphere replies with the redirect it does so without https but with http://server-name/loginform,
and I see a browser error that it can't access http://server-name/loginform.
The relevant part of web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Whitelist</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>authenticated-users</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>login</web-resource-name>
        <url-pattern>/keepalive</url-pattern>
        <url-pattern>/signin</url-pattern>
        <url-pattern>/signin/error</url-pattern>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>
<security-role>
    <description>Any LDAP authenticated user</description>
    <role-name>authenticated-users</role-name>
</security-role>
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>/signin</form-login-page>
        <form-error-page>/signin/error</form-error-page>
    </form-login-config>
</login-config>
I'm wondering whether that's a misconfiguration on the Java side (my responsibility); I expect the URL in form-login-page (/login) to be relative in the browser. But I also think that the load balancer should automatically convert an http call to an https call (someone else's responsibility). I hope someone has suggestions.
You should provide a bit more information in your question, such as what load balancer you are using, whether it goes straight to WAS or via IHS, and how your web application is configured (web.xml).
So here are some general hints that might be useful for you.
Redirecting to SSL in WebSphere
If you already have security configured and the login form is correctly displayed over http, you just need to add the following to web.xml:
<security-constraint>
    ...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
This will ensure that WebSphere generates a redirect to https when a client tries to access protected pages.
SSL offloading
If your load balancer is configured to offload SSL and forward requests to WebSphere using plain http, then you need to configure WebSphere to be aware of that. This is done by configuring the httpsIndicatorHeader custom property and adding a custom header in the load balancer.
When I do an HTTP GET on my WebSphere Liberty profile v8.5.5 (let's assume http://my.domain.com) I'm presented with a nice page that says, among other things,
"Welcome to the WebSphere Application Server V8.5 Liberty Profile"
It looks like this http://rdt1.demos.ibm.com/
How do I configure my server to not display this page and perhaps redirect my request to a login page on https?
Is this a configuration related to a new context root of a new app to be installed? Like the answer below?
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
I feel like this should be something configured on server.xml but I can't find any reference to this.
Thanks in advance!
You can turn that page off by adding the following to your server.xml file:
<httpDispatcher enableWelcomePage="false" />
http://www-01.ibm.com/support/knowledgecenter/api/content/nl/en-us/SSRTLW_9.0.0/com.ibm.websphere.wlp.nd.multiplatform.doc/autodita/rwlp_metatype_4ic.html#mtFile119
edit:
I should clarify, the other answer is also correct. If you install an application with "/" as the context root, it will be used instead of the main page.
If you add something like the following to that application's web.xml:
<security-constraint>
    <display-name>Some constraint</display-name>
    <web-resource-collection>
        <web-resource-name>All</web-resource-name>
        <description>All URLs</description>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description>All users</description>
        <role-name>User</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
You will get the https redirect that you're asking for.
Additional edit (per comment), the following is a more complete example of how to set up the redirect:
How to make "HTTPS redirect" work on WebSphere Application Server Liberty Profile?
Just create your application and in server.xml specify the context root as follows:
<webApplication id="MyApp" location="MyApp.war" name="MyApp" contextRoot="/"/>
If you want to redirect to the login page and SSL, then you will need to do all the steps in the post you quoted and, of course, provide a login page in your application.
If you just want to disable the welcome page, add to server.xml the fragment provided by ebullient, or even extend it by adding some JavaScript code which would make the redirect:
<httpDispatcher enableWelcomePage="false" appOrContextRootMissingMessage='<script>document.location.href="/MyApp/";</script>'></httpDispatcher>
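An added server.xml, not ebullient's or the answerer's own configuration, that combines the welcome-page switch, the application deployed at the root context and the HTTPS endpoint that the CONFIDENTIAL constraint in that application's web.xml redirects to. Application name, ports, the test user and all passwords are placeholders.

```xml
<server description="Liberty 8.5.5: no welcome page, HTTPS redirect for the root application">
    <featureManager>
        <feature>servlet-3.0</feature>
        <feature>appSecurity-2.0</feature>
        <feature>ssl-1.0</feature>
    </featureManager>

    <!-- Switch off the "Welcome to the WebSphere Application Server V8.5 Liberty Profile" page. -->
    <httpDispatcher enableWelcomePage="false" />

    <!-- httpsPort is where the container sends the redirect for a /* CONFIDENTIAL
         constraint; without ssl-1.0 and a key store the redirect has nowhere to go. -->
    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

    <!-- Server certificate for 9443. For a test box create one with
         bin/securityUtility createSSLCertificate --server=<serverName> --password=<pwd>;
         in production import a CA-issued certificate instead. -->
    <keyStore id="defaultKeyStore" password="CHANGE_ME" />

    <!-- Deploying at "/" replaces the welcome page with the application itself.
         Its web.xml carries the /* constraint with the "User" role and CONFIDENTIAL
         transport guarantee shown in the answer above. -->
    <webApplication id="MyApp" name="MyApp" location="MyApp.war" contextRoot="/">
        <application-bnd>
            <security-role name="User">
                <user name="alice" />
            </security-role>
        </application-bnd>
    </webApplication>

    <!-- File-based registry for the placeholder user; swap for ldapRegistry in production. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <user name="alice" password="CHANGE_ME" />
    </basicRegistry>
</server>
```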
I'm trying to connect Mule 3.5 to the Google API (Tasks, Calendar etc.) but I'm having all sorts of problems with the OAuth2 authentication.
Could anybody give me an example .xml file of a Mule project with a working Google OAuth2 example (and maybe the settings in Google's API Console), please?
A link would do too.
You need to create an application in your Google Developer account (https://console.developers.google.com/) using the create project button. Take note of your project ID you will need this in the Google connector configuration.
You then need to click on the application and go to APIs & Auth. Make sure the API that you need is set to status 'ON'. In this case you probably want to turn Calendar on and anything else you don't need off. Be aware that significant numbers of calls to the Calendar service might incur costs or quota limits.
Also under the APIs & Auth section on the left side of the Google developer console you need to select Credentials. Then click the red button Create new client ID. This will give you two critical pieces of information:
Client ID - This goes into your 'consumerKey' in the Google connector in Mule
Client Secret - This goes into your 'consumerSecret' in the Mule connector
The other important thing to set up is the redirect URI. This will need to be something like:
http://localhost:8081/oauth2callback
This needs to match what you put into your connector configuration. If you're running your Mule server behind a firewall you will need to configure things such as your proxy so this callback can reach your server.
Here is a crude example that I've managed to get working. Be sure to replace the clientID, clientSecret and application name as appropriate.
<?xml version="1.0" encoding="UTF-8"?>
<mule xmlns:json="http://www.mulesoft.org/schema/mule/json"
      xmlns:https="http://www.mulesoft.org/schema/mule/https"
      xmlns:tracking="http://www.mulesoft.org/schema/mule/ee/tracking"
      xmlns:objectstore="http://www.mulesoft.org/schema/mule/objectstore"
      xmlns:http="http://www.mulesoft.org/schema/mule/http"
      xmlns:google-calendars="http://www.mulesoft.org/schema/mule/google-calendars"
      xmlns="http://www.mulesoft.org/schema/mule/core"
      xmlns:doc="http://www.mulesoft.org/schema/mule/documentation"
      xmlns:spring="http://www.springframework.org/schema/beans" version="EE-3.4.1"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-current.xsd
          http://www.mulesoft.org/schema/mule/core
          http://www.mulesoft.org/schema/mule/core/current/mule.xsd
          http://www.mulesoft.org/schema/mule/http
          http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd
          http://www.mulesoft.org/schema/mule/google-calendars
          http://www.mulesoft.org/schema/mule/google-calendars/1.0/mule-google-calendars.xsd
          http://www.mulesoft.org/schema/mule/objectstore
          http://www.mulesoft.org/schema/mule/objectstore/1.0/mule-objectstore.xsd
          http://www.mulesoft.org/schema/mule/ee/tracking
          http://www.mulesoft.org/schema/mule/ee/tracking/current/mule-tracking-ee.xsd
          http://www.mulesoft.org/schema/mule/https
          http://www.mulesoft.org/schema/mule/https/current/mule-https.xsd
          http://www.mulesoft.org/schema/mule/json
          http://www.mulesoft.org/schema/mule/json/current/mule-json.xsd">

    <!-- The 'consumerKey' is the Client ID of your Google application.
         The 'consumerSecret' is the Client Secret of the Google application.
         The 'applicationName' is the application name you supplied (or Google created for you)
         when you created your application on the Google developer console.
    -->
    <google-calendars:config-with-oauth
        name="Google_Calendars"
        consumerKey="replace-with-client-ID"
        consumerSecret="replace-with-client-secret" doc:name="Google Calendars"
        applicationName="replace-with-application-name">
        <!-- The values here need to match the redirect URL you authorized for your Google application.
             In this case the callback URL would be http://localhost:8081/oauth2callback
        -->
        <google-calendars:oauth-callback-config
            domain="localhost" localPort="8081" path="oauth2callback" remotePort="8081" />
    </google-calendars:config-with-oauth>

    <!-- This is the object store that stores your auth token, which is used in the second flow -->
    <objectstore:config name="ObjectStore" doc:name="ObjectStore" />

    <!-- The first flow is executed when you go to http://localhost:8080/oauth-authorize.
         It initiates the Google authentication and, if successful, gets the auth token and puts it into the object store -->
    <flow name="authorizationAndAuthenticationFlow" doc:name="authorizationAndAuthenticationFlow">
        <http:inbound-endpoint exchange-pattern="request-response"
            host="localhost" port="8080" path="oauth-authorize" doc:name="HTTP" />
        <google-calendars:authorize config-ref="Google_Calendars"
            doc:name="Google Calendars" />
        <!-- Your auth token is stored under the key 'accessTokenId' -->
        <objectstore:store config-ref="ObjectStore" key="accessTokenId"
            value-ref="#[flowVars['OAuthAccessTokenId']]" overwrite="true"
            doc:name="ObjectStore" />
    </flow>

    <!-- This flow can be called after the authentication is complete. It uses the previously stored token
         to retrieve your calendars and return them as JSON -->
    <flow name="getInformationFromCalendar" doc:name="getInformationFromCalendar">
        <http:inbound-endpoint exchange-pattern="request-response"
            host="localhost" port="8081" doc:name="HTTP" />
        <!-- The enricher adds the access token to your message -->
        <enricher target="#[flowVars['accessTokenId']]" doc:name="Message Enricher">
            <objectstore:retrieve config-ref="ObjectStore"
                key="accessTokenId" defaultValue-ref="#['']" doc:name="Get AccessToken" />
        </enricher>
        <!-- Stop here if no token has been stored yet (authorize flow not run) -->
        <expression-filter expression="#[flowVars['accessTokenId'] != '']"
            doc:name="Is Access Token Set" />
        <!-- Gets your first 200 calendars using the access token that you enriched the message with -->
        <google-calendars:get-calendar-list
            config-ref="Google_Calendars" maxResults="200"
            pageToken="#[flowVars['GoogleCalendar_NEXT_PAGE_TOKEN']]" doc:name="Google Calendars"
            accessTokenId="#[flowVars['accessTokenId']]" />
        <json:object-to-json-transformer
            doc:name="Object to JSON" />
    </flow>
</mule>
The Google Connectors Suite for Mule has a complete example, including a Mule XML configuration.
We've since published documentation on how to use OAuth connectors. Let us know if it's helpful.