MFPF V8 Operations Console user authentication - ibm-mobilefirst

Hello, I'm trying to set up a list of users to access the MFPF Operations Console using the different roles. I changed the server.xml as follows, but without a positive result.
basicRegistry added group and users:
<group name="mfpdeployergroup">
  <member name="guest"/>
  <member name="demo"/>
</group>
<user name="guest" password="guest"/>
<user name="demo" password="demo"/>
Added for Administration service and Operations console applications the role mapping:
<security-role name="mfpdeployer">
  <group name="mfpdeployergroup"/>
</security-role>
Still receiving the error:
[12/2/16 17:36:11:368 CET] 000000fb .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl A CWWKS9104A: Authorization failed for user demo while invoking mfpconsole on /index.html. The user is not granted access to any of the required roles: [mfpadmin, mfpmonitor, mfpoperator, mfpdeployer].
Can you help?
Thanks

It's not really clear if you're trying to add a user in the devkit or in Liberty or what...?
In the devkit I have edited the mfpserver\usr\servers\mfp\server.xml file.
In <basicRegistry> I've added: <user name="idan" password="idan"/>
In <application id="mfpconsole" name="mfpconsole" location="mfp-admin-ui.war" type="war">, under <security-role name="mfpdeployer"> I've added: <user name="idan"/>.
I was then able to log in using idan\idan.

Related

How to properly configure WAS Liberty server.xml basicRegistry with MobileFirst Server and AdminCenter

I'm trying to install the latest version of MobileFirst Server 7.1 onto WAS Liberty 8.5.5.9 and am having difficulty enabling login for the installed WARs. This is a brand new installation. adminCenter-1.0 was installed before installing MobileFirst Server.
This page describes the root issue, but there appears to be something missing from the instructions. The instructions as written don't make sense to me in that in one sentence it says to "move" content added by the installation process, but in another sentence in that same paragraph says to "delete" it from server.xml.
As I've interpreted the instructions, I now have two basicRegistry elements with different ids as follows:
<basicRegistry id="basic" realm="BasicRealm">
  <user name="admin" password="adminpwd" />
</basicRegistry>
<!-- Declare the user registry for the Application Center. -->
<basicRegistry id="applicationcenter-registry" realm="ApplicationCenter">
  <!-- The users defined here are members of group "appcentergroup", thus have role "appcenteradmin", and can therefore perform administrative tasks through the Application Center console. -->
  <user name="appcenteradmin" password="admin"/>
  <user name="demo" password="demo"/>
  <group name="appcentergroup">
    <member name="appcenteradmin"/>
    <member name="demo"/>
  </group>
</basicRegistry>
But what I don't see is how to tie the new applicationcenter-registry to the MobileFirst Application Center. And sure enough, this configuration doesn't allow me to log into the WAS adminCenter, or the MobileFirst Application Center. It also generates the message that you'd expect:
There are multiple available UserRegistry implementation services; the system cannot determine which to use.
What is the proper server.xml configuration that will allow me to log in to both of these applications?
Thanks,
John
Within the server.xml, you can only have one basicRegistry. The documentation basically tells you to copy the content inside <basicRegistry id="applicationcenter-registry" realm="ApplicationCenter"> to your <basicRegistry id="basic" realm="BasicRealm">, then remove <basicRegistry id="applicationcenter-registry" realm="ApplicationCenter"> so you only have one basicRegistry, your own <basicRegistry id="basic" realm="BasicRealm">, in the server.xml.
Check your server log to see if there is any error. If there is an error related to the database, make sure your database is accessible and that it has been started with root/admin rights.
I believe the instructions are saying you should do this:
<basicRegistry id="basic" realm="BasicRealm">
  <user name="admin" password="adminpwd" />
  <!-- Declare the user registry for the Application Center. -->
  <!-- The users defined here are members of group "appcentergroup", thus have role "appcenteradmin", and can therefore perform administrative tasks through the Application Center console. -->
  <user name="appcenteradmin" password="admin"/>
  <user name="demo" password="demo"/>
  <group name="appcentergroup">
    <member name="appcenteradmin"/>
    <member name="demo"/>
  </group>
</basicRegistry>
i.e., you should have a single <basicRegistry>, and it should contain your original users/groups (if any) and the users/groups for Application Center.
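A way to check a server.xml for the problems in the two threads above (more than one basicRegistry, and a security-role bound to a group or member that the registry does not define), as an added example that is not code from the posts or from IBM. The sample file, the group name mfpadmingroup, the member " demo" and the function audit_server_xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml; "mfpadmingroup" and the member " demo" are made up.
SAMPLE = """<server>
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="demo" password="demo"/>
    <group name="mfpdeployergroup"><member name=" demo"/></group>
  </basicRegistry>
  <basicRegistry id="applicationcenter-registry" realm="ApplicationCenter">
    <user name="appcenteradmin" password="admin"/>
  </basicRegistry>
  <application id="mfpconsole" name="mfpconsole" location="mfp-admin-ui.war" type="war">
    <application-bnd>
      <security-role name="mfpdeployer"><group name="mfpdeployergroup"/></security-role>
      <security-role name="mfpadmin"><group name="mfpadmingroup"/></security-role>
    </application-bnd>
  </application>
</server>"""

def audit_server_xml(xml_text):
    """Return (findings, grants); grants maps "app/role" to the users holding it."""
    root = ET.fromstring(xml_text)
    findings, grants = [], {}
    registries = root.findall("basicRegistry")
    if len(registries) > 1:  # the "multiple available UserRegistry" condition
        ids = ", ".join(r.get("id", "?") for r in registries)
        findings.append(f"multiple basicRegistry elements: {ids}")
    users, groups = set(), {}
    for reg in registries:  # merged only so the remaining checks can still run
        users |= {u.get("name") for u in reg.findall("user")}
        for g in reg.findall("group"):
            groups[g.get("name")] = {m.get("name") for m in g.findall("member")}
    for name, members in sorted(groups.items()):
        for m in sorted(members - users):  # exact string match: " demo" != "demo"
            findings.append(f"group {name}: member {m!r} is not a registry user")
    for app in root.findall("application"):  # only <application> elements are read
        for role in app.iter("security-role"):
            label = f"{app.get('id')}/{role.get('name')}"
            held = {u.get("name") for u in role.findall("user")} & users
            for g in role.findall("group"):
                if g.get("name") not in groups:
                    findings.append(f"{label}: group {g.get('name')!r} is not defined")
                held |= groups.get(g.get("name"), set()) & users
            grants[label] = sorted(held)
            if not held:
                findings.append(f"{label}: no registry user holds this role")
    return findings, grants

if __name__ == "__main__":
    print("\n".join(audit_server_xml(SAMPLE)[0]))
```

An empty findings list together with the expected user under the console's role is the state the answers above describe as working.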

How to use LDAP user registries with custom form login page in Websphere Liberty 8.5?

I have defined an LDAP user registry and made a custom form login page in my Dynamic Web Application, which is running on WebSphere Liberty Profile 8.5.5.
How can I bind my form from the login page to the LDAP user registry, so that all users' credentials will be checked against this LDAP registry?
Thank you.
1) One way is to define the mapping in server.xml - see Setting up BasicRegistry and role mapping on the Liberty profile. Although it talks about the basic registry, defining the mapping is the same:
<application type="war" id="myWebApp" name="myWebApp"
             location="${server.config.dir}/apps/myWebApp.war">
  <application-bnd>
    <security-role name="user">
      <user name="Bob" />
      <user name="user1" />
      <group name="mygroup" />
    </security-role>
  </application-bnd>
</application>
2) If you don't want to change server.xml you can define these mappings in the application in the binding file - ibm-application-bnd.xml - like this:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
    version="1.0">
  <security-role name="user">
    <user name="user1" />
    <group name="mygroup" />
  </security-role>
</application-bnd>
If you are packaging the app in an EAR, put that file in the META-INF folder.
If you are deploying a WAR, create a META-INF folder and put it there (this is currently an undocumented feature, but it is working at least in 8.5.5.6).
Here is the information to configure an LDAP registry:
https://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_ldap.html
In addition to that, you may also need to set the realm-name in your form-login declaration. For example,
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>MyRegistryRealmName</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/error.jsp</form-error-page>
  </form-login-config>
</login-config>

Default username and password in Worklight Application Center

Our team has installed the IBM Worklight server 6.2 in our server machine. The installation was successful and no errors occurred.
Though, when we tried to go to the Worklight Application Center (localhost:8080/appcenterconsole/j_security_check), we tried using the usual "admin" for username and password, and also the username and password we entered during the installation, but we still could not log in to the console.
Is there another default username and password? Or is there a way we could find/change the username and password?
The info center indicates that you need explicitly to set up user/password entries for App Center.
Check in your server.xml if this has been done, and if so you'll see entries like this:
<security-role name="appcenteradmin">
  <group name="appcenteradmingroup"/>
</security-role>
<security-role name="appcenteruser">
  <group name="appcenterusergroup"/>
</security-role>
<basicRegistry id="appcenter">
  <user name="admin" password="admin"/>
  <user name="guest" password="guest"/>
  <user name="demo" password="demo"/>
  <group name="appcenterusergroup">
    <member name="guest" />
    <member name="demo" />
  </group>
  <group name="appcenteradmingroup">
    <member name="admin" id="admin"/>
  </group>
</basicRegistry>
If you don't have them then this explains why admin/admin is not working for you.

Tomcat Protect files

Does anyone know if Tomcat is able to password-protect a file (like Apache .htaccess)?
I mean that when a user requests a file from a Tomcat webapp, it prompts a dialog to enter a username and password, and this is done using configuration.
Or to protect the file depending on the IP address.
I hope someone can help me.
Regards
You can set up basic authentication in Tomcat.
Add your user to tomcat-users.xml. Something like:
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
  <role rolename="tomcat"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="myname" password="mypassword" roles="tomcat"/>
  <user username="test" password="test"/>
</tomcat-users>
And add configuration to your app's web.xml, like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/references/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>your-role</role-name>
  </auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>your-role</role-name>
</security-role>
Links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html

Tomcat-6.0.20 and user authentication

The problem
A Tomcat manager page cannot be accessed by a user granted a manager role.
The things I tried to do
I added a user with a manager role into tomcat-users.xml:
<role rolename="manager"/>
<user username="emanemos" password="password" roles="manager"/>
I also looked up the $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to be sure that manager role is really used to access the application:
<auth-constraint>
  <!-- NOTE: This role is not present in the default users file -->
  <role-name>manager</role-name>
</auth-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Tomcat Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
  <description>
    The role that is required to log in to the Manager Application
  </description>
  <role-name>manager</role-name>
</security-role>
However, the manager application still asks for a login-password pair in an endless loop ignoring my input.
Does anybody have any ideas?
Did you restart Tomcat after making the changes to tomcat-users.xml?
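For the two Tomcat threads above, a way to see which users in tomcat-users.xml actually satisfy each auth-constraint in web.xml, as an added example that is not code from the posts. The inputs are constructed from the snippets quoted in both threads; the "/admin/*" pattern and the function names are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the two Tomcat threads ("/admin/*" is made up).
TOMCAT_USERS = """<tomcat-users>
  <role rolename="tomcat"/>
  <role rolename="manager"/>
  <user username="myname" password="mypassword" roles="tomcat"/>
  <user username="emanemos" password="password" roles="manager"/>
  <user username="test" password="test"/>
</tomcat-users>"""
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/references/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>your-role</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><url-pattern>/admin/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def elements(root, name):
    """Return descendants called `name`, ignoring any XML namespace prefix."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def who_can_access(users_xml, web_xml):
    """Map each role-protected url-pattern to the users whose roles satisfy it."""
    holders = {}  # role name -> set of usernames
    for user in elements(ET.fromstring(users_xml), "user"):
        for role in user.get("roles", "").split(","):
            if role.strip():
                holders.setdefault(role.strip(), set()).add(user.get("username"))
    access = {}
    for constraint in elements(ET.fromstring(web_xml), "security-constraint"):
        if not elements(constraint, "auth-constraint"):
            continue  # no auth-constraint: the pattern is not restricted by role
        # Literal role names only; the "*" wildcard is not expanded here.
        roles = [(e.text or "").strip() for e in elements(constraint, "role-name")]
        allowed = set().union(*(holders.get(r, set()) for r in roles))
        for pattern in elements(constraint, "url-pattern"):
            access[(pattern.text or "").strip()] = sorted(allowed)
    return access

if __name__ == "__main__":
    print(who_can_access(TOMCAT_USERS, WEB_XML))
```

With these inputs /references/* resolves to no users, because tomcat-users.xml defines the role tomcat while web.xml requires your-role, and /admin/* resolves to emanemos, so a consistent pair of files points at the restart question rather than at the role mapping.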