securing your application with websphere security
DESCRIPTION
Securing Your Application With WebSphere Security. You will need to develop Login procedures for your web applications. This short section describes how to do this for WebSphere Application Servers, connected to an authentication Server such as LDAP – or any other security realm - PowerPoint PPT PresentationTRANSCRIPT
®
IBM Software Group
© 2006 IBM Corporation
Securing Your Application With WebSphere Security
You will need to develop Login procedures for your web applications. This short section describes how to do this for WebSphere Application Servers, connected to an authentication Server such as LDAP – or any other security realm
Note that this is an involved lab – that will take at least an hour. Ideally you should get assistance from your WebSphere administrator, before starting.
2Last update: 12/04/2007
WebSphere Security - Overview
You will perform the following tasks, to enable WebSphere security for your project:1. Create a Login Page – that conforms to the WebSphere Security requirements
(Optionally) Create an Error page – that can be specified to your WAR file, as the page to automatically re-direct to, when a Login error occurs
2. Enable security for your WebSphere Application Server3. Enable security for your WAR (web.xml) file4. Enable security for your WebSphere Server Configuration5. Setup security for your Enterprise Application Resource (EAR) file6. Code your EGL calls to J2EELIB – to:
Return the user-ID Determine if the user is in a particular role
In this lab, we will show you how to enable WebSphere for Local operating system security. If you wanted to actually integrate LDAP, RACF or any other security “realm” your WebSphere administrator would have to assist you with this.
WARNINGWARNING – In fact, you should probably obtain assistance from your WebSphere
administrator before starting this section. Because: These processes are complex – a great deal of security semantics are involved You could actually – if you make mistakes in doing this, you could conceivably cause
WebSphere to not be able to boot. Period.
3Last update: 12/04/2007
1. WebSphere and LDAP Security – Create Login and Error Pages
WebSphere requires that you define a .JSP page, that calls WebSphere internal methods passing specific-named variables as parameters within the form.
At this point in time, this can not be an EGL/JSF page (it must be .JSP/Java) In the Notes section of this slide we’ve given you an example of such a page. To
implement in your project: Create a new page in \WebContent\ named: login.jsp From the notes section of this slide, copy and paste all of the .JSP and HTML source Using Page Designer, edit your login.jsp in Source mode Select all of the existing source (Ctrl/A) Paste your copied source in (Ctrl/V) Save and test by running the page on the server
4Last update: 12/04/2007
Next you will setup the WebSphere Server to enable Security on a given “realm” The Security realm could be:
RACF LDAP Local operating system
The Security realm authenticates the User-ID/Password combination passed to it, by WebSphere
In this section you will: Define a Security configuration for using your local operating system as the Security realm Enable WebSphere for Security
2. WebSphere and LDAP Security – Server Security Overview
LDAPLDAP…or…
SecuritySecurityRealmRealm
LDAPLDAPDatabaseDatabase
WebSphereWebSphere
• SecuritySecurity
LoginLoginPagePage
Sends User-ID/Password to…Sends User-ID/Password to…
Which connects to…Which connects to…
Which performs authenticationWhich performs authentication
5Last update: 12/04/2007
Login to the WebSphere Administrative Console
With WebSphere started: From the Servers tab, right-
click over your Server configuration and select Run Administrative Console
Login
6Last update: 12/04/2007
Setup WebSphere Local Operating System Security – 1 of 3
With WebSphere started: From the Security tab
Click: Secure administration, applications and infrastructure
From Available realm definitions, select Local operating system
Click: Configure
7Last update: 12/04/2007
Setup WebSphere Local Operating System Security – 2 of 3
From Secure administration, applications and infrastructure
Specify the Primary administrative user name
Note that this would be youryour Windows login user name.
Click OK Note that if WebSphere cannot find the
user name in the Windows registry you will not be able to continue
8Last update: 12/04/2007
Setup WebSphere Local Operating System Security – 3 of 3
From Secure administration, applications and infrastructure
Check: Enable administrative security Un-check Use Java 2 security Click Apply Click Save
From the top of the Administration Console Logout
From the Servers tab Restart WebSphere ***Notes***Notes
9Last update: 12/04/2007
3. Secure the WAR (web.xml) File – 1 of 4 – Add a Security Role
Now you will add one or more Security Roles to your WAR (web.xml) file (example: user, admin, manager, etc.)(example: user, admin, manager, etc.).
You will then add one or more Security Constraints – and for each constraint, you will specify: Web resource collection – Essentially, these are constraint rules, or what a defined
constraint allows an application user to “do” Authorized users – which of the Security Roles is assigned to the constraint – effectively
limiting individuals who login to the application to be able to “do” what you want them to (and only what you want them to )
From Project Explorer – Expand \WebContent\WEB-INF\ and open web.xml From the Security tab, Add… one or more Security roles
10Last update: 12/04/2007
Secure the WAR (web.xml) File – 2 of 4 – Add a Security Constraint
From the Security Constraints part of the Security tab Click Add…Add… Name your Security Constraint
From the Web resource collectionWeb resource collection part of the Security tab (with your new Constraint selected):
Click Add…Add…
From Add Web Resource: Name the resource Leave all the checkboxes un-checked
From the Pattern area Click Add.. Specify: /*/*
***Notes***Notes
11Last update: 12/04/2007
Secure the WAR (web.xml) File – 3 of 4 – Add Authorized Roles
From the Authorized Roles part of the Security tab (with your constraint selected) Click Add…Add… Type a Description Check the Role Names you wish to add to this web application
12Last update: 12/04/2007
Secure the WAR (web.xml) File – 4 of 4 – Add a Security Constraint
From the Pages tab – within the Login section: Open the Authentication method: Select Form
For the Login and Error pages: Click Browse… Select login.jsp
Save and close web.xml
13Last update: 12/04/2007
4. Enable Security for Your WebSphere Server Configuration
From your Servers tab, Double-click on your WebSphere Server to open the server settings Click the Security “twisty” Check: Security is enabled on this server, and enter your Windows logon User ID and
Password values
Close …and… Save
***Notes***Notes
14Last update: 12/04/2007
5. Setup Security for Your EAR File
From Project Explorer – open the EAR file’s Deployment Descriptor, and from the Security tab: Click Gather… Check: All authenticated users
Close …and… Save
15Last update: 12/04/2007
5. Code Calls to the Security – 1 of 2
From Project Explorer – open any jsfhandler .EGL file (here we are using allcustomers.egl) Add:
A String variable for the userID A Boolean variable for isUserInRole(…) Calls to the j2eelib. functions
Save your edits
From Page Designer/Page Data Select both variables Drag them on to the page
Restart the Server Run the page on the server
16Last update: 12/04/2007
5. Code Calls to the Security – 2 of 2
Your Security form should be invoked. After you login successfully, the page you ran on the server should be invoked If your login fails, WebSphere should redirect to your Login Error Page Note the new WebSphere port – for secured applications
17Last update: 12/04/2007
LDAP Example – From the Samples Gallery
If you are actually working with your WebSphere Administrator to hook LDAP into your project, from the product Help, open the Sample Gallery, and follow the steps therein, for an excellent, tutorial example.