I have defined LDAP user registry and made a custom form login page in my Dynamic Web Application which running at Websphere Liberty Profile 8.5.5
How can I bind my form from login page to LDAP user registry, so all user's credentials will be checked against this LDAP registry?
Thank you.
1) One way is to define mapping in server.xml - see Setting up BasicRegistry and role mapping on the Liberty profile, although it says about Basic registry, defining mapping is the same:
<application type="war" id="myWebApp" name="myWebApp"
location="${server.config.dir}/apps/myWebApp.war">
<application-bnd>
<security-role name="user">
<user name="Bob" />
<user name="user1" />
<group name="mygroup" />
</security-role>
</application-bnd>
</application>
2) If you don't want to change server.xml you can define these mappings in the application in the binding file - ibm-application-bnd.xml - like this:
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd
xmlns="http://websphere.ibm.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
version="1.0">
<security-role name="user">
<user name="user1" />
<group name="mygroup" />
</security-role>
</application-bnd>
If you are packaging app in the EAR, put that file in the META-INF folder.
If you are deploying war, create META-INF folder and put it there (this is currently undocumented feature, but is working at least in 8.5.5.6).
Here is the information to configure LDAP registry
https://www-01.ibm.com/support/knowledgecenter/SSD28V_8.5.5/com.ibm.websphere.wlp.core.doc/ae/twlp_sec_ldap.html
In addition to that, you may also need to set the realm-name in your form-login declaration. For example,
<login-config>
<auth-method>FORM</auth-method>
<realm-name>MyRegistryRealmName</realm-name>
<form-login-config>
<form-login-page>/login.jsp</form-login-page>
<form-error-page>/error.jsp</form-error-page>
</form-login-config>
</login-config>
Related
I'm trying to get familiar with TomEE, or at least TomCat 7 that is used in an older application I'm currently working.
In the tomcat location there is a web.xml. As far as I understood this is used for all servlets that have no own web.xml, right? Or will this be also used for those servlets that have an own one?
Not sure about the hierachy of this configuration files.
Tried to get a basic authentication working for a module that can be assigned by a url like \localhost:8080\AB
The tomcat-users for \localhost:8080\manager is working fine.
But can't get an login for \localhost:8080\AB
I tried modify the web.xml like:
<security-role>
<role-name>users</role-name>
</security-role>
<security-constraint>
<web-resource-collection>
<web-resource-name>basic demo resource</web-resource-name>
<url-pattern>\AB\*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But still no login is required for accessing this servlet.
Than I found out, that there is another web.xml in this Java project, which I also tried to modify with the code above.
I know I'm doing something wrong, but don't get what it is right now.
The role "users" was created in tomcat-users.xml and a user is also assigned to that group.
You have define only security constraint not roles. You need to define tomcat user and crossponding roles like.
<tomcat-users>
<role rolename="AB"/> <!-- you have to define all roles -->
<user username="myname" password="mypassword" roles="AB"/>
<!-- you have to assign login and roles -->
</tomcat-users>
The web.xml in the tomcat directory contains the default settings. A webapp can override definitions in its own web.xml.
To access to /AB you need:
to use FORWARD slashes: <url-pattern>/AB/*</url-pattern>
to have a user with role users in your user database
to enter the username and password in the login popup dialog.
Hello I'm trying to setup a list of users to access the MFPF Operations Console using the different role. I changed the server.xml as follow but without positive result.
basicRegistry added group and users:
<group name="mfpdeployergroup"/>
<member name="guest"/>
<member name="demo"/>
</group>
<user name="guest" password="guest"/>
<user name="demo" password="demo"/>
Added for Administration service and Operations console applications the role mapping:
<security-role name="mfpdeployer">
<group name="mfpdeployergroup"/>
</security-role>
Still receiving the error:
[12/2/16 17:36:11:368 CET] 000000fb .ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl A CWWKS9104A: Authorization failed for user demo while invoking mfpconsole on /index.html. The user is not granted access to any of the required roles: [mfpadmin, mfpmonitor, mfpoperator, mfpdeployer].
Can you help?
Thanks
It's not really clear if you're trying to add a user in the devkit or in liberty or what...?
In the devkit I have edited the mfpserver\usr\servers\mfp\server.xml file.
In <basicRegistry> I've added: <user name="idan" password="idan"/>
In <application id="mfpconsole" name="mfpconsole" location="mfp-admin-ui.war" type="war">, under <security-role name="mfpdeployer"> I've added: <user name="idan"/>.
I was then able to login using idan\idan.
I've enabled the wl anaytics on my environment, (WLP v8,5 and WL6.2) but it's entry point is unprotected.
So I've looked around and found this article.
http://www-01.ibm.com/support/knowledgecenter/SSZH4A_6.2.0/com.ibm.worklight.monitor.doc/monitor/t_securing_op_analytics.html
And figured I should be able to protected it with LDAP as well.
However When I follow those steps I can't protect my analytics.
My next step was to go to worklightconsole.war and copy the configuration to have form enabled authentication.
So I've ended up with my web.xml from the analytics.war with the following:
<login-config>
<auth-method>FORM</auth-method>
<realm-name>worklightRealm</realm-name>
<form-login-config>
<form-login-page>/login.html</form-login-page>
<form-error-page>/loginError.html</form-error-page>
</form-login-config>
</login-config>
I even copied into the WAR the login.html and loginError.html.
However after I uploaded to my apps folder the modified analytics.war it still doesn't ask me for authentication and just pops open.
The configuration I have on server.xml of analytics is:
<application context-root="/analytics"
id="analytics"
location="analytics.war"
name="analytics"
type="war">
<application-bnd>
<security-role name="worklightadmin">
<user name="<someUserOnMyLDAP>"/>
</security-role>
</application-bnd>
<classloader delegation="parentLast"/>
</application>
Does anyone have any clues on what I'm doing wrong?
The security put in place only protects the data entry point which is the endpoint at which the worklight server sends data to the analytics platform. If you wish to also protect the actual console with Basic Auth, then you'll need to modify the server.xml for the WAR file. I think its something along these lines:
<security-constraint>
<web-resource-collection>
<web-resource-name>analytics</web-resource-name>
<url-pattern>/console/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>users</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
</login-config>
But I haven't tested this.
does anyone knows if tomcat is able to password protect file (like apache .htaccess )?
i mean when user request a file from tomcat webapp its prompt a dialogue to enter user-name and password and made this using configuration.
or protect the file depend on its IP address .
hope someone can help me ?
regads
you can set basic authentication in tomcat.
Add your user to tomcat-users.xml. Something like :
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="tomcat"/>
<user username="tomcat" password="tomcat" roles="tomcat"/>
<user username="myname" password="mypassword" roles="tomcat"/>
<user username="test" password="test"/>
</tomcat-users>
And Add configuration to your apps web.xml. like:
<!-- Define a Security Constraint on this Application -->
<security-constraint>
<web-resource-collection>
<web-resource-name>Entire Application</web-resource-name>
<url-pattern>/references/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>your-role</role-name>
</auth-constraint>
</security-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>your-role</role-name>
</security-role>
links to understand more:
http://www.avajava.com/tutorials/lessons/how-do-i-use-basic-authentication-with-tomcat.html
The problem
A tomcat manager page can not be accessed by a user granted a manager role.
The things I tryed to do
I added a user with a manager role into tomcat-users.xml:
<role rolename="manager"/>
<user username="emanemos" password="password" roles="manager"/>
I also looked up the $CATALINA_HOME/webapps/manager/WEB-INF/web.xml to be sure that manager role is really used to access the application:
<auth-constraint>
<!-- NOTE: This role is not present in the default users file -->
<role-name>manager</role-name>
</auth-constraint>
<!-- Define the Login Configuration for this Application -->
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Tomcat Manager Application</realm-name>
</login-config>
<!-- Security roles referenced by this web application -->
<security-role>
<description>
The role that is required to log in to the Manager Application
</description>
<role-name>manager</role-name>
</security-role>
However, the manager application still asks for a login-password pair in an endless loop ignoring my input.
Does anybody have any ideas?
Did you restart Tomcat after making the changes to tomcat-users.xml?