RBAC for single application on WebSphere App Server - authorization

I want to use role based access control for the authorization of one of the applications on a WebSphere application server, but as far as I've seen the users and roles are defined at application server level, and not for a single application. Is that right, or if it isn't, could you please tell me how to define the roles for my application?
The problem with declaring the roles on server level is that there are multiple independent applications on the server.

1) To do this kind of role based mapping you need to have security enabled in WAS.
2) After you have installed your application, open the admin console of WebSphere Application Server. List the installed applications and click on your application. You should find a link called "Security role to user/group mapping". The wizard will then guide you to map the roles you want to the application.
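The role names that the "Security role to user/group mapping" page offers come from the application itself, which is what makes the mapping per-application rather than server-wide. Below is an added example (not code from the original answer) of declaring such roles inside one WAR with Servlet 3.0 annotations; another application on the same server can declare a role with the same name and the two stay unrelated. It assumes WAS 8.0 or later (Servlet 3.0), a `<login-config>` (BASIC or FORM) in the application's web.xml, and the made-up role names ReportViewer and ReportAdmin.

```java
import java.io.IOException;
import javax.annotation.security.DeclareRoles;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not from the original answer. The role names are declared in this
 * WAR, so they are scoped to this application. The admin console page "Security role
 * to user/group mapping" binds these names to users or groups of the server's user
 * registry for this application only (WAS stores the binding in the application's
 * ibm-application-bnd.xml). Assumes Servlet 3.0+ (WAS 8.0+) and a <login-config>
 * in web.xml; the role names are made up.
 */
@DeclareRoles({"ReportViewer", "ReportAdmin"})
@WebServlet("/reports/*")
@ServletSecurity(
        // Every method on /reports/* requires one of the two roles ...
        value = @HttpConstraint(rolesAllowed = {"ReportViewer", "ReportAdmin"}),
        // ... and DELETE additionally requires ReportAdmin.
        httpMethodConstraints = {
                @HttpMethodConstraint(value = "DELETE", rolesAllowed = {"ReportAdmin"})
        })
public class ReportServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The container has already authenticated the caller and enforced the role
        // constraint above, so the principal is never null here.
        String user = req.getUserPrincipal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("reports visible to " + user);
        // Fine-grained checks inside the application use the same application-scoped names.
        if (req.isUserInRole("ReportAdmin")) {
            resp.getWriter().println("(admin view: unpublished reports included)");
        }
    }

    @Override
    protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Defence in depth: re-check in code so behaviour does not silently change if
        // someone later loosens the annotation or a web.xml security-constraint.
        if (!req.isUserInRole("ReportAdmin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The same role names can be declared in web.xml with `<security-role>` and `<security-constraint>` instead of annotations; either way they only exist inside this application, and the console mapping (or ibm-application-bnd.xml) is what ties them to the registry users and groups that are shared by every application on the server.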


Row Level Security using Azure Active Directory Authentication - WEB API

I'm designing a Single Page Application in React + .NET Core and now I'm facing the concept of visibility related to the application profiles (for example Admin will see all data, Team Leader will see all the data related to his team and so on...).
My solution involves Row Level Security in Azure SQL Server using Azure Active Directory authentication (an AD group containing all the application users), however in this way a smart user can directly connect to the database and do what he prefers (because using this type of connection I must provide Read/Write permissions to the group). I want to avoid this!
So, is there a way to avoid direct connection to the database and limit AAD authentication only through the web app? Or must I choose a different approach (using SESSION_CONTEXT for example)?
You can configure the firewall rules of the Azure SQL database to allow only the single page application (web app) to connect.
The steps are described in this Stack Overflow post:
Configure Azure SQL Database Firewall for just my Web App
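The firewall rule stops connections from outside the web app, but it does not by itself remove the problem the question describes: if the AAD group is granted read/write on the tables, every member still holds a usable database identity. The alternative the question mentions, SESSION_CONTEXT, lets the web API be the only database principal: end users are authenticated by the API (AAD tokens) and never get a database login, and the API tells the database who is calling. Below is an added example of that approach, written in Java JDBC rather than the question's .NET Core so the T-SQL contract stays visible; it is not code from the original answer. It assumes a made-up table dbo.WorkItems(Id, OwnerUserId, TeamId, Title), an application login that is the only principal allowed through the firewall and the only one granted SELECT on the table, and that `role` and `teamId` come from the API's validated token claims, not from the request body.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.sql.Types;
import java.util.ArrayList;
import java.util.List;
import javax.sql.DataSource;

/*
 * Added example, not from the original answer. Assumes dbo.WorkItems(Id int,
 * OwnerUserId int, TeamId int, Title nvarchar(200)) and a single application login.
 * The RLS predicate reads the caller's identity from SESSION_CONTEXT, which only the
 * application sets; AAD users hold no database login of their own.
 */
public class WorkItemRepository {

    // One-time T-SQL, run by a DBA or a migration. Each element is executed as its own
    // batch because CREATE SCHEMA and CREATE FUNCTION must be alone in a batch.
    static final String[] RLS_DDL = {
        "CREATE SCHEMA Security",
        "CREATE FUNCTION Security.fn_workItemPredicate(@OwnerUserId int, @TeamId int) "
        + "RETURNS TABLE WITH SCHEMABINDING AS RETURN "
        + "SELECT 1 AS ok "
        // If the application forgot to set the context, SESSION_CONTEXT is NULL, every
        // comparison is false and the query returns nothing: the safe failure.
        + "WHERE CAST(SESSION_CONTEXT(N'Role') AS nvarchar(32)) = N'Admin' "
        + "   OR @OwnerUserId = CAST(SESSION_CONTEXT(N'UserId') AS int) "
        + "   OR (CAST(SESSION_CONTEXT(N'Role') AS nvarchar(32)) = N'TeamLeader' "
        + "       AND @TeamId = CAST(SESSION_CONTEXT(N'TeamId') AS int))",
        "CREATE SECURITY POLICY Security.WorkItemPolicy "
        + "ADD FILTER PREDICATE Security.fn_workItemPredicate(OwnerUserId, TeamId) ON dbo.WorkItems, "
        + "ADD BLOCK PREDICATE Security.fn_workItemPredicate(OwnerUserId, TeamId) ON dbo.WorkItems "
        + "WITH (STATE = ON)"
    };

    private final DataSource ds; // pooled connections for the application login only

    public WorkItemRepository(DataSource ds) { this.ds = ds; }

    public static void applyPolicy(Connection c) throws SQLException {
        try (Statement st = c.createStatement()) {
            for (String ddl : RLS_DDL) st.executeUpdate(ddl);
        }
    }

    /** Titles the calling user may see. No WHERE clause: the security policy filters. */
    public List<String> listTitles(int userId, String role, Integer teamId) throws SQLException {
        List<String> titles = new ArrayList<>();
        try (Connection c = ds.getConnection()) {
            setContext(c, "UserId", userId);   // values come from the validated token,
            setContext(c, "Role", role);       // never from the HTTP request body
            setContext(c, "TeamId", teamId);
            try (PreparedStatement ps = c.prepareStatement(
                    "SELECT Title FROM dbo.WorkItems ORDER BY Id");
                 ResultSet rs = ps.executeQuery()) {
                while (rs.next()) titles.add(rs.getString(1));
            }
            // Pooled connection: clear the context so the next request cannot inherit it.
            setContext(c, "UserId", null);
            setContext(c, "Role", null);
            setContext(c, "TeamId", null);
        }
        return titles;
    }

    private static void setContext(Connection c, String key, Object value) throws SQLException {
        // @read_only = 1 would stop later SQL on the connection (for example an injected
        // statement) from overwriting the value, but it then lasts until the session is
        // reset; .NET SqlClient resets pooled sessions, most Java pools do not, so this
        // example rewrites the values on every request instead.
        try (PreparedStatement ps = c.prepareStatement(
                "EXEC sp_set_session_context @key = ?, @value = ?, @read_only = 0")) {
            ps.setString(1, key);
            if (value == null) ps.setNull(2, Types.NVARCHAR); else ps.setObject(2, value);
            ps.execute();
        }
    }
}
```

With this layout the AAD group needs no database permissions at all, the firewall rule from the answer becomes a second layer rather than the only one, and a user who somehow reached the database would still need the application's own credential, which lives only in the web app's configuration.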

Always error authenticating through ADFS 2.0

I've managed to set up two virtual machines on my local Windows 7 laptop. Both of them are Windows Server 2008 R2. One acts as Active Directory Domain Controller and also as Active Directory Federation Services, and the other as the web app server. This second one is where I've set up my claims aware ASP.NET MVC web application, and I also plan to set up Thinktecture Identity Server later as my way to authenticate against custom usernames and passwords outside AD.
I've successfully implemented the installation and configuration needed for connecting our ASP.NET MVC apps through ADFS. They include:
Configure first server as Domain Controller and add domain account store (add user as testing -> this user belongs to Domain Users Group).
Configure first server also as active directory federation services.
Configure the relying party trust identifier from the federation metadata generated by FedUtil.exe on the second server.
Configure group claim mapping and assign Domain Users to this group.
Configure web apps server to be claims aware agent.
The one thing that's always troubled me is that every time I access my apps, it successfully prompts a login dialog box. Once I enter my AD account and password, it always gives me the following error message: "There was a problem accessing the site. Try to browse to the site again.
If the problem persists, contact the administrator of this site and provide the reference number to identify the problem.
Reference number: c558ed55-b203-42cc-b6bd-3d66bddb96cd".
Any idea from you guys how to get this to work? Any suggestions and ideas will be highly appreciated.
Have you looked in the event log?
Open Event Viewer > Go to Applications and Services Logs > AD FS 2.0
You'll see a list of errors which should give you some more guidance.
If you see the ADFS login screen, you can get to ADFS so I suspect it's something to do with your RP configuration.
Just to check - you are using ADFS 2.0 which you downloaded?

IBM Application Center - Create groups / users

In IBM Worklight Application Center group/user management, I don't have an LDAP or WAS user list.
I am able to create new groups, and if I try to create some users, Application Center will search for the users in the LDAP/WAS user group. If that user is not available in the LDAP or WAS user group, it will create the user with a username and display name. How do I set the password for those users?
You cannot set a password for users internally inside IBM Worklight Application Center, that is, there is no Application Center UI for it. You must set it by configuring the web server. The web server authorizes who can access the web application, but Application Center (as a web application) does not manipulate the authorization mechanism of the web server itself. Application Center is not a web server administration tool (and that's by design, for web server security reasons). Hence it assumes the user list and passwords are handled externally to Application Center.
For instance, in Tomcat, you edit tomcat-users.xml. In WebSphere Application Server, including the Liberty profile, there are several mechanisms, for instance editing server.xml. If you use LDAP, you must add the user to your LDAP. All this happens outside Application Center.
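As an added illustration of the Liberty case (not a fragment from the original answer or from the product documentation), this is what the server.xml users, groups and role binding look like. It assumes Application Center is deployed as applicationcenter.war with context root /applicationcenter and uses its two roles appcenteradmin and appcenteruser; the user and group names are made up, and the hashed password form assumes a Liberty version whose securityUtility supports --encoding=hash.

```xml
<server description="Application Center on Liberty">
  <!-- Added example, not from the original answer. The user list and passwords
       live here, in the server configuration, not in Application Center. -->
  <featureManager>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- Weak: password="secret" works, but leaves the clear-text password in server.xml.
       Better: store the hash printed by
         wlp/bin/securityUtility encode --encoding=hash secret
       which Liberty accepts in the same attribute. -->
  <basicRegistry id="basic" realm="ApplicationCenter">
    <user name="appcenteradmin" password="{hash}REPLACE_WITH_securityUtility_OUTPUT"/>
    <user name="alice"          password="{hash}REPLACE_WITH_securityUtility_OUTPUT"/>
    <group name="appcenteradmingroup">
      <member name="appcenteradmin"/>
    </group>
    <group name="appcenterusergroup">
      <member name="appcenteradmin"/>
      <member name="alice"/>
    </group>
  </basicRegistry>

  <!-- The application's roles are bound to registry groups here, so adding a user to
       Application Center means: add the user above, then put it in the right group. -->
  <application id="applicationcenter" name="applicationcenter" type="war"
               location="applicationcenter.war" context-root="/applicationcenter">
    <application-bnd>
      <security-role name="appcenteradmin">
        <group name="appcenteradmingroup"/>
      </security-role>
      <security-role name="appcenteruser">
        <group name="appcenterusergroup"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

Changing a password is then a server configuration change (edit the user element and let Liberty reload the configuration), which is exactly the "handled externally" behaviour the answer describes.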

Authentication in IBM Websphere Portal

I'm involved in an Java Web Application Migration project to IBM Websphere Portal (IBM WP) Platform.
The actual application in the production environment validates user credentials (username and password) manually against a database table that stores the data. I understand that the idea behind a Portal application is that the Portal container handles these security issues, but I'm not sure how IBM WP can consume the credentials that are now in the database.
There's a brand new Tivoli Directory Server in the company, and I'm aware that I can't connect IBM WP to this LDAP server, so do I need to migrate every user in the database to this LDAP server, or is there a way that Tivoli recognizes the credentials that are in the database?
Trust Association Interceptors are powerful, but they totally override WebSphere authentication mechanisms, so be sure to write a quite robust one! As Carlos Gavidia suggested, I'd also take a look at Custom User Registry. I'd also suggest considering the Property Extension Repository (also known as Lookaside), so you can define your own attributes and read/write them directly from the Portal API.
http://www-01.ibm.com/support/docview.wss?uid=swg21248674
You can hook in any kind of custom authentication you need using a Trust Association Interceptor. Your custom authenticator would probably work a lot like the authentication code in your existing system. It would display a page prompting the user for their credentials, and then check them against the DB.
I'm not sure how this relates to your Tivoli LDAP, but there seems to be a provided TAI for TAM integration: Tivoli Access Manager Trust Association Interceptor (TAI++)
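Because a TAI replaces WebSphere's own authentication for the requests it claims, the robustness the first answer asks for comes down to two things: claim as little as possible, and fail closed. Below is an added example of the login-form TAI the second answer describes, not code from either answer or from IBM. It assumes a JNDI data source jdbc/users, a table APP_USERS(USERNAME, PWD_HASH, SALT) holding PBKDF2-SHA256 hashes (Base64), a login form that POSTs username and password to /login, and a user registry (for instance a custom user registry over the same table, as the first answer suggests) that knows the returned principal name, since WAS looks the principal up after the TAI returns SC_OK.

```java
import java.security.MessageDigest;
import java.security.spec.KeySpec;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.naming.InitialContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;
import com.ibm.websphere.security.WebTrustAssociationException;
import com.ibm.websphere.security.WebTrustAssociationFailedException;
import com.ibm.wsspi.security.tai.TAIResult;
import com.ibm.wsspi.security.tai.TrustAssociationInterceptor;

/*
 * Added example, not from the original answers. Assumed: JNDI data source "jdbc/users",
 * table APP_USERS(USERNAME, PWD_HASH, SALT) with PBKDF2-SHA256 hashes, a login form
 * posting to /login, and a user registry that knows the principal name returned.
 * Requests the TAI does not claim fall through to WAS's normal authentication.
 */
public class DbFormLoginTai implements TrustAssociationInterceptor {

    private static final String LOGIN_PATH = "/login";
    private static final int PBKDF2_ITERATIONS = 100_000;
    private DataSource users;

    @Override
    public int initialize(Properties props) throws WebTrustAssociationFailedException {
        try {
            users = (DataSource) new InitialContext().lookup(
                    props.getProperty("dataSource", "jdbc/users"));
            return 0;
        } catch (Exception e) {
            throw new WebTrustAssociationFailedException("cannot look up data source: " + e);
        }
    }

    /** Claim only the login form submission; everything else is left to WAS. */
    @Override
    public boolean isTargetInterceptor(HttpServletRequest req) throws WebTrustAssociationException {
        return "POST".equals(req.getMethod())
                && (req.getContextPath() + LOGIN_PATH).equals(req.getRequestURI())
                && req.getParameter("username") != null
                && req.getParameter("password") != null;
    }

    @Override
    public TAIResult negotiateValidateandEstablishTrust(HttpServletRequest req, HttpServletResponse resp)
            throws WebTrustAssociationFailedException {
        String username = req.getParameter("username");
        String password = req.getParameter("password");
        // Fail closed: anything that is not a verified credential is a 401, never SC_OK.
        if (username.isEmpty() || username.length() > 64 || password.isEmpty()) {
            return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
        }
        try (Connection c = users.getConnection();
             PreparedStatement ps = c.prepareStatement(
                     "SELECT PWD_HASH, SALT FROM APP_USERS WHERE USERNAME = ?")) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                // Unknown user and wrong password are both reported identically.
                if (!rs.next()) {
                    return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
                }
                byte[] expected = Base64.getDecoder().decode(rs.getString(1));
                byte[] salt = Base64.getDecoder().decode(rs.getString(2));
                if (!verify(password, salt, expected)) {
                    return TAIResult.create(HttpServletResponse.SC_UNAUTHORIZED);
                }
            }
        } catch (Exception e) {
            // A database outage must not turn into an open door.
            throw new WebTrustAssociationFailedException("credential check failed: " + e);
        }
        // SC_OK plus the principal name: WAS builds the Subject from its user registry
        // and, with SSO enabled, issues the LTPA cookie used for subsequent requests.
        return TAIResult.create(HttpServletResponse.SC_OK, username);
    }

    private static boolean verify(String password, byte[] salt, byte[] expected) throws Exception {
        KeySpec spec = new PBEKeySpec(password.toCharArray(), salt, PBKDF2_ITERATIONS, expected.length * 8);
        byte[] actual = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(spec).getEncoded();
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    @Override public String getVersion() { return "1.0"; }
    @Override public String getType()    { return getClass().getName(); }
    @Override public void cleanup()      { users = null; }
}
```

The class is registered in the admin console under Global security > Web and SIP security > Trust association, with the data source name as an interceptor custom property. The login page itself stays an ordinary page in the Portal application; the TAI only ever sees the form POST, so an LTPA cookie, basic auth or any other mechanism WAS already supports keeps working untouched for every other request.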

Spring security and ldap

This is my first time trying Spring Security and LDAP. I have a couple of novice questions. My main confusions are:
How do we assign roles to users? Is it done on the LDAP server, or via a configuration file in my webapp? By roles I mean: a couple of users would have all the access to webapp features (Admins), regular users (read only access to webapp data), an analytics group (users which can run a report in the webapp).
Currently the application uses j_security_check for normal user authentication with the LDAP server. (Where in WebSphere do we hook up the LDAP connection settings for this authentication?)
I found it confusing too, and developed my own module which ties in with Java EE Security.
Basically the webapp is set up with standard Java EE Security, and methods on Spring beans can be given the @RolesAllowed annotation, in which case the logged in user's roles are checked against the required roles just before calling the method. See here for details.
You can use LDAP or a database or a file - where the roles and users are stored is up to you. Normally for production, you will use LDAP or a connector to some kind of directory server. Sorry I can't help with WebSphere - been a while since I set it up for security.
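To make the answer's "where the roles are stored is up to you" concrete for the LDAP case the question asks about: with Spring Security's own LDAP support, authentication is a bind as the user, and roles are derived from the LDAP groups the user belongs to, so the three profiles in the question (Admins, regular users, analytics) are three groups in the directory and nothing in the webapp lists users. Below is an added example, not code from the answer; it assumes Spring Security 5.x Java configuration, a directory at ldaps://ldap.example.com with users under ou=people, groups admin / analyst / user under ou=groups whose member attribute lists user DNs, and a read-only bind account, all of which are made-up names.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

/*
 * Added example, not from the original answer. Assumes Spring Security 5.x, users at
 * uid=<name>,ou=people, groups admin / analyst / user at ou=groups with a "member"
 * attribute holding user DNs, and a read-only bind account; all names are made up.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class LdapSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.ldapAuthentication()
            // Authentication: bind to the directory as the user with the supplied password,
            // so the webapp never sees or stores password hashes.
            .userDnPatterns("uid={0},ou=people")
            // Authorization: roles are the LDAP groups the user is a member of.
            // Group cn "admin" becomes authority ROLE_ADMIN (prefix plus upper-casing).
            .groupSearchBase("ou=groups")
            .groupSearchFilter("(member={0})")
            .groupRoleAttribute("cn")
            .rolePrefix("ROLE_")
            .contextSource()
                // ldaps, not ldap: the user's password travels in the bind.
                .url("ldaps://ldap.example.com:636/dc=example,dc=com")
                .managerDn("cn=app-bind,ou=service,dc=example,dc=com")
                .managerPassword(System.getenv("LDAP_BIND_PASSWORD"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .antMatchers("/admin/**").hasRole("ADMIN")
            .antMatchers("/reports/**").hasAnyRole("ANALYST", "ADMIN")
            .anyRequest().hasAnyRole("USER", "ANALYST", "ADMIN")
            .and()
            .formLogin();
    }
}

/** Method-level check: the same group-derived role guards the report service. */
@Service
class ReportService {
    @PreAuthorize("hasRole('ANALYST')")
    public String runReport(String name) {
        return "report " + name + " generated";
    }
}
```

Adding a user to the analytics profile is then an LDAP change (put the user's DN in the member attribute of cn=analyst,ou=groups) with no redeploy; the webapp only decides which roles each URL or method needs. If you prefer the answer's @RolesAllowed style, setting jsr250Enabled = true on @EnableGlobalMethodSecurity enables that annotation alongside @PreAuthorize.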