In Websphere admin console, it provides the ability to use Standalone LDAP registry as a method to authenticate user to login to the admin console.
Security > Secure administration, applications, and infrastructure > Standalone LDAP registry
And then enable Enable administrative security checkbox in the admin security section.
Is there a way to leverage this LDAP connection from application point of view? e.g. The J2EE application runs on top of the Websphere also uses the LDAP connection to do application user authentication. Currently the application have classes like import javax.naming.ldap.LdapContext, and create a separate LDAP connection context to authenticate the user at application level. Is it possible to use the same connection make in the admin console, or is it totally impossible?
I searched the redbook WAS8 Administration and Configuration Guide.pdf www.redbooks.ibm.com/redbooks/pdfs/sg247971.pdf and didn't find anything.
and also checked http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_ldap.html didn't find anthing.
I am using Websphere 8
You can enable the Application Security from the Console in order to use the Websphere(i.e. Java EE) security scheme.
You can do this by checking the "Enable application security" checkbox in Global Security page of WAS Console and make the appropriate changes in your app. For more look in the following Redbook for Application security.
However you should know that you might need to adapt your application to Java EE Security Standards, which might be difficult.
Related
We have an existing Java EE application running under WebLogic and I want to authenticate a user programmatically as though the user was logged in via the existing web login process. That is to say, in the end, I want to have a valid session (cookie) that can be returned to the caller and later returned back the server without re-authentication. (This is to enable JAX-WS stateful Web Service calls).
We have a custom LoginModule that, when the user logs in via Forms Authentication, is eventually called via j_security_check. I guess what I'd like to do is to somehow get WebLogic to invoke that LoginModule on my behalf, ask me for the credentials, and yield an authenticated session and a valid subject etc. (i.e. all the JAAS goodness).
Is this a JAAS thing? Is there a WebLogic call?
You can do this using the HttpServletRequest#login method. This will trigger the same kind of login chain that would otherwise be executed if your used accessed a protected resource.
WebLogic security uses a security service plug-in (SSPI) architecture that allows you to implement security providers. Container (such as servlet) authentication is handled by authentication providers that use the SSPI. An authentication provider wraps a JAAS login module.
Writing and configuring security providers is extensively documented.
If you implement an authentication provider to wrap your login module and configure it for the WebLogic domain, it will be called automatically by the WebLogic security framework for all container authentication.
Is there an identity management mechanism available to control/manage user access to a service running on the cloudbees RUN#cloud platform i.e. force log in / sign up etc?
Thanks,
/W
Users you added to your cloudbees domain ("account") can access all services. For a FOSS account, resources are accessible read-only without authentication, but in all other cases login to the platform is required.
Only administrators can subscribe to new services. Jenkins on DEV#Cloud adds RBAC plugin so you can control fine-grain access to jobs and folders.
As far as I know there is no special support from the CloudBees platform for authentication of users of your application: this is just something you would implement in your app using any of numerous available libraries according to language and web framework, using the authentication system of your choice such as OpenID.
In my opinion you should consider Identity access management solutions from TeleSign. You should be able to control user access to services running on Cloudbees Run#cloud platform with ease.
I'm involved in an Java Web Application Migration project to IBM Websphere Portal (IBM WP) Platform.
The actual application in production environment validates manually user credentials (username and password) against a Database Table that stores the data. I understand that the idea behind a Portal application is that the Portal Container handles this Security issues, but I'm not sure how IBM WP can consume the credentials that now are on Database.
There's a brand new Tivoli Directory Server in the Company, and I'm aware that I can't connect IBM WP to this LDAP Server so, do I need to migrate every user in the Database to this LDAP Server, or there's a Way that Tivoli recognize the credentials that are on the database?
Trust Association Interceptor are powerful, but they totally override Websphere Authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also give a look to Custom User Registry. I'd also suggest to consider Property Extenstion Repository (also know as Lookaside), so you can define your own attributes and read/write them directly from Portal API
http://www-01.ibm.com/support/docview.wss?uid=swg21248674
You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)
I want to use a role based access control for the authorization of one of the applications on a WebSphere application server, but as far as I've seen the users and roles are defined on application server level, and not for a single application. Is it right, or in case it isn't could you please tell me how the define the roles in for my application?
The problem with declaring the roles on server level is that there are multiple independent applications on the server.
1) To do this kind of role based mapping you need to have security enabled in WAS.
2) After you installed your application, open the admin console of WebSphere Application Server. List the installed application, click on your application. You should find a link called "Security role to user/group mapping". The wizard will then guide you to map the role you want to the application.
this is my first time trying spring security and ldap. I have couple of novice questions. My main confusions are:
How do we assign roles to users? Is it done on ldap server? or done via a configuration file in my webapp? By roles I mean, Couple of users would have all the access to webapp features(Admins), Regular users (Read only access to webapp data), Analytic group (Users which can run a report in webapp)
Currently application uses j_security_check for normal user authentication with ldap server. (Where is Websphere do we hook up ldap connection settings for this authentication?)
I found it confusing too, and developed my own module which ties in with Java EE Security.
Basically the webapp is set up with standard Java EE Security, and methods on spring beans can be given the #RolesAllowed annotation, in which case the logged in user's roles are checked against the required roles just before calling the method. See here for details.
You can use LDAP or a database or a file - where the roles and users are stored is up to you. Normally for production, you will use LDAP or a connector to some kind of directory server. Sorry I can't help with WebSphere - been a while since I set it up for security.