I'm able to protect the Worklight console with a user inside the worklight.properties file (on a Liberty or WAS environment).
How can I protect the console with an LDAP user (outside of the worklight.properties file)?
Yes, you can do this.
You will need to edit your authenticationConfig.xml as follows:
Add an LDAP loginModule
Add an LDAP realm
Update the existing "WorklightConsole" custom securityTest to use the new realm
After the above changes, once you load the Worklight Console and enter the user credentials,
these are handled by the loginModule, which authenticates them against the LDAP server.
See the following IBM Worklight Getting Started training module, which is about this very topic:
Using LDAP Login Module to authenticate users with LDAP server
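A sketch of the three authenticationConfig.xml additions the answer lists, as an added example and not the original answer's or IBM's own file. The realm and loginModule names, the ldap:// URL, the search base and the filter are placeholders, and the parameter names are taken from memory of the LDAP login module reference linked above, so check them against the documentation for your Worklight version:

```xml
<!-- Example only: constructed fragment of authenticationConfig.xml, not the original answer's file. -->
<tns:loginConfiguration xmlns:tns="http://www.worklight.com/auth/config">

  <securityTests>
    <!-- 3. Point the existing WorklightConsole test at the new realm.
         The anti-XSRF test stays as step 1; the LDAP realm replaces the
         worklight.properties-backed realm as step 2. -->
    <customSecurityTest name="WorklightConsole">
      <test realm="wl_antiXSRFRealm" step="1"/>
      <test realm="ConsoleLDAPRealm" isInternalUserID="true" step="2"/>
    </customSecurityTest>
  </securityTests>

  <realms>
    <!-- 2. An LDAP realm: the form-based authenticator collects the
         credentials, the login module below validates them. -->
    <realm name="ConsoleLDAPRealm" loginModule="ConsoleLDAPLoginModule">
      <className>com.worklight.core.auth.ext.FormBasedAuthenticator</className>
    </realm>
  </realms>

  <loginModules>
    <!-- 1. An LDAP login module (placeholder host, base DN and filter). -->
    <loginModule name="ConsoleLDAPLoginModule">
      <className>com.worklight.core.auth.ext.LdapLoginModule</className>
      <!-- prefer ldaps:// so the bind credentials are not sent in the clear -->
      <parameter name="ldapProviderUrl" value="ldaps://ldap.example.com:636"/>
      <parameter name="ldapTimeoutMs" value="2000"/>
      <parameter name="ldapSecurityAuthentication" value="simple"/>
      <!-- searchPattern: bind as the user, then confirm the account matches the filter -->
      <parameter name="validationType" value="searchPattern"/>
      <parameter name="ldapSecurityPrincipalPattern" value="{username}@example.com"/>
      <parameter name="ldapSearchFilterPattern"
                 value="(&amp;(objectClass=user)(sAMAccountName={username}))"/>
      <parameter name="ldapSearchBase" value="dc=example,dc=com"/>
    </loginModule>
  </loginModules>

</tns:loginConfiguration>
```

The search filter is where you restrict who may reach the console; a filter that only checks the object class lets every directory account in, so add a group or attribute condition that matches your console operators.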
Related
We're using Worklight in a WAS environment and we need to protect the WL console from just anybody logging in and manipulating applications. We have a working configuration using WASLTPAModule going against Active Directory. The WAS cluster is using global security with a federated AD configuration. This configuration works to provide authentication into the console.
The problem is that anybody who has a valid account in AD can log in to the console.
I have not seen any documentation or information on how to constrain the authorization to use the console to specific AD groups. How is this done?
In Worklight 6.1, the WebSphereLoginModule has an optional "role" parameter to specify the JEE role that the user must belong to in order to successfully authenticate:
http://pic.dhe.ibm.com/infocenter/wrklight/v6r1m0/topic/com.ibm.worklight.dev.doc/devref/r_wasltpamodule_login_module.html
Then in WebSphere, you would use the usual role mapping capability to map your AD groups to that role.
In the WebSphere admin console, it provides the ability to use a Standalone LDAP registry as a method to authenticate users logging in to the admin console.
Security > Secure administration, applications, and infrastructure > Standalone LDAP registry
And then enable the "Enable administrative security" checkbox in the admin security section.
Is there a way to leverage this LDAP connection from the application point of view? e.g. the J2EE application that runs on top of WebSphere also uses the LDAP connection to do application user authentication. Currently the application has classes like import javax.naming.ldap.LdapContext, and creates a separate LDAP connection context to authenticate the user at application level. Is it possible to use the same connection made in the admin console, or is it totally impossible?
I searched the redbook WAS8 Administration and Configuration Guide.pdf www.redbooks.ibm.com/redbooks/pdfs/sg247971.pdf and didn't find anything.
I also checked http://pic.dhe.ibm.com/infocenter/wasinfo/v8r0/index.jsp?topic=%2Fcom.ibm.websphere.base.doc%2Finfo%2Faes%2Fae%2Ftsec_ldap.html and didn't find anything.
I am using WebSphere 8.
You can enable Application Security from the Console in order to use the WebSphere (i.e. Java EE) security scheme.
You can do this by checking the "Enable application security" checkbox in the Global Security page of the WAS Console and making the appropriate changes in your app. For more, look in the following Redbook for Application security.
However, you should know that you might need to adapt your application to Java EE Security Standards, which might be difficult.
I've set my authenticationConfig.xml to work with LTPAAuthentication in this way:
It works well with applications where I require LTPA Authentication.
But there are some apps deployed on the WL Console that do not need any authentication; they just call adapters. From the browser (Preview common resource) they work as well as before, but if I run them from my Android device I get these errors in Logcat:
...................................... (all the login.html page)
It returns me the entire login.html page, as it does with an application that requires the LTPA mobile test. Here you can see the application-descriptor.xml, which shows that no security tests are needed:
Any suggestion?
EDIT: this is the adapter; it doesn't require security tests
So it looks like you have an adapter that you have protected using WASLTPA security that you want to be accessible by all devices regardless of whether or not they have been authenticated by the WASLTPARealm. I think the solution is to re-design how your security and adapters behave.
If you wish for an adapter to be called from an application that does not need to be authenticated, then don't protect the adapter using a security realm. If being logged into the WASLTPARealm is not a requirement for accessing the resources that this adapter is exposing, then there is no point in using the realm to protect it.
For the apps that do require login, you should separate the authentication logic from the adapter calls. You can still require the client to login in order to use the app and call adapters without having to protect the adapter with the security test. There are APIs to check if a user is logged in and to prompt them to login to a realm. You don't have to use the challenge sent back from adapter to prompt a login.
An adapter should be protected by a security test only if being logged into that realm defined by the security test is a requirement for using that adapter. From reading your post, it does not seem to be a requirement.
> From browser (PReview common resource) they work as well as before, but if i run them from my android i get those error on Logcat
I have a strong feeling that in your browser you have an LTPA token, which is why this is working from an app that hasn't logged in to the LTPA realm. Try clearing your cookies and doing this again to confirm.
I am deploying a J2EE ear in WebLogic 10.3.5. It uses Oracle Internet Directory LDAP for authentication. After entering the username and password in the login page, I was able to see "authentication Allowed" in the AdminServer logs, but the login page is not changing.
On submitting the username and password I get the same login page again. The application is not moving to the other secure pages, and I don't know what to do.
I would greatly appreciate your help.
I have added the role configured in the OID LDAP server in web.xml and weblogic.xml; after that it started working.
At least one role of the login must be configured in web.xml and weblogic.xml; this will solve the login problem.
How can I set up a security realm in WebLogic 10.3? I want to add user roles and let the WebLogic server check those users for what resources they can access. Where does WebLogic store authentication data? How can authentication data be accessed and updated by the WebLogic server automatically?
Thanks in advance.
Your question is a bit vague since there are a lot of ways to configure security within WebLogic. Oracle's documentation would be a good starting point.
You can set up the security realm under Security Realms in the console. There are some default groups with specific roles that you could assign to user accounts (for example, monitor = read-only).
LDAP data is stored in the internal LDAP folder within the domain directory. However, you can configure it to use an external LDAP.