Websphere 7 Portal: Servlet checking for login status to Portal? - authentication

I run a WebSphere 7.0 Portal. One has to log in to be able to see any information, which is fine for all portlets. But additionally there are a couple of servlets that I deploy in the same war file that produce some raw data for AJAX scripts.
Currently one can bypass the authentication from WebSphere Portal if one knows the URL to that particular servlet. I want to change this and check if the user is currently logged in to the Portal. How do I do this? I tried ((PumaHome) new InitialContext().lookup(new CompositeName(PumaHome.JNDI_NAME))).getProfile().getCurrentUser(); but this returns null.

WebSphere Application Server returns principal and remote user only if you configure it to use the JavaEE security context for your web application. Edit your web.xml to contain something like
<security-constraint>
    <display-name>userConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>secure</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>user</description>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-role>
    <description>secrole</description>
    <role-name>user</role-name>
</security-role>
and redeploy your application. After deploying your application take a look at the application's settings in the Administrative Console. You will notice "User/role mapping". Add "all authenticated users from trusted realms" to the newly added role. Restart the application.
After that, anonymous users cannot access your application anymore. Also, getRemoteUser and the other APIs will return the user properly.
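As an added example (not part of the answer above), a servlet filter for the AJAX servlets that relies on the principal the container populates once the security-constraint is in place; the class name, the suggested /data/* mapping and the check against the "user" role from the web.xml shown are assumptions.

```java
import java.io.IOException;
import java.security.Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Answers unauthenticated calls to the AJAX data servlets with 401 instead of a
 * redirect to a login form (an XMLHttpRequest cannot complete a form login).
 * Map it in web.xml to the servlet paths, e.g. <url-pattern>/data/*</url-pattern>.
 * Without the security-constraint from the answer the container never sets
 * getUserPrincipal()/getRemoteUser(), so this filter would then block everyone.
 */
public class LoggedInFilter implements Filter {

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        Principal user = request.getUserPrincipal();
        // "user" is the role-name declared in the web.xml above (assumption: same name).
        if (user == null || !request.isUserInRole("user")) {
            // Defence in depth: the constraint should already have rejected anonymous
            // callers, but an unmapped role in the Administrative Console would
            // otherwise let the servlet run without a user. Never return data here.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Log in to the Portal first");
            return;
        }
        // Expose the authenticated identity to the servlet, e.g. for audit logging.
        req.setAttribute("portalUser", user.getName());
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```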

Related

MobileFirst 8.0 using user credential in database for mobile client login?

I know the users can be configured in server.xml like this way :
<!-- The users defined here are members of group "appcentergroup", thus have role "appcenteradmin", and can therefore perform administrative tasks through the Application Center Console. -->
<user name="appcenteradmin" password="admin"/>
<user name="demo" password="demo"/>
<group name="appcentergroup">
    <member name="appcenteradmin"/>
    <member name="demo"/>
</group>
But if there are thousands of users, how do I configure MobileFirst to use the user credentials in a database to log in the mobile client (IBMAppcenter)?
The default configuration added by IBM Application Center is to read a limited set of users from basic file based registry. The pre-defined roles are mapped to these users.
When you have thousands of users, it is most likely in a LDAP. In this scenario, you should configure your application server with this LDAP and have Application center validate the users against the LDAP. Role mappings are associated such that after the user validates successfully against the LDAP, it is assigned the appropriate role.
More details here:
Configuring LDAP with Liberty
Configuring LDAP ACL management
AppCenter LDAP JNDI parameters

How to restrict the production API's from external users?

I published my API application into Azure using APP Service. But I want to restrict my API’s from the external users.
I know there is an API Management concept in Azure, but it's a big concept, and also there is an ipSecurity feature to restrict the specified IP addresses, but I don't want this.
So I want a simple way to restrict external users from accessing my production APIs.
Can you please tell me what are the best enterprise practices for implementing the above feature?
To prevent unauthorized access to your API, you should protect the API using Azure AD and enforce users to authenticate/authorize themselves before they can access the API.
You would need to create an application in Azure AD for that. To prevent external users from accessing your API, you should make this application single tenant. This will ensure that only users from the Azure AD where the application is created can access the application.
Please see this link for more details on how you can accomplish this: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad.
Depending on whether your App is a B2B or B2C app, Azure has two Identity as a Service offers:
Azure Active Directory B2C
Azure Active Directory (B2B)
You can restrict based on IP. In App Service go to properties to find Outbound IP Addresses, for those apps you want to be able to connect to the API. Then in the web.config of the API, deny all apart from those. This can be used in addition to authentication.
<configuration>
    <system.webServer>
        <security>
            <!-- allowUnlisted="true": every address is allowed except the ones listed below
                 (an <add> without allowed="true" denies that address). To allow only the
                 App Service outbound addresses, use allowUnlisted="false" and put
                 allowed="true" on each <add>. -->
            <ipSecurity allowUnlisted="true">
                <clear/>
                <add ipAddress="xx.xx.xx.xx"/> <!-- deny a single IP -->
                <add ipAddress="90.100.100.23" subnetMask="255.255.255.0"/> <!-- deny network 90.100.100.0 to 90.100.100.255 -->
            </ipSecurity>
        </security>
        ...
        ...
    </system.webServer>
</configuration>

Configuring Website - SQL Server - SUSER_NAME()

Haven't done enough web development, and have searched a bit here, and have not found an answer yet.
I wanted to find out how to configure my website/web.config to allow me to use SUSER_NAME() on my audit triggers in Microsoft SQL Server.
Currently we are connecting to our database with a service account, but other users are authenticating and accessing the web site. When a record is changed, we want to capture the user that made the change, and not the service account used to log into the database.
The App Pool is configured to the service account and the web site is configured using Windows authentication and ASP.NET Impersonation (but this keeps getting turned off somehow).
The web.config has
<identity impersonate="true" />
and Windows authentication.
Any help would be greatly appreciated.

WAS Liberty - How to trigger JAAS module?

Using WAS 8558, and on one of the URL patterns I need to invoke a JAAS module.
Entry in web.xml
<security-constraint>
    <display-name>SampleConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>Sample</web-resource-name>
        <url-pattern>/wasauth</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <description>Users allowed access to spoke Identity Provider</description>
        <role-name>FIMAnyAuthenticated</role-name>
        <role-name>FIMUserSelfCareAnyAuthenticated</role-name>
    </auth-constraint>
</security-constraint>
Entry in server.xml
<jaasLoginContextEntry id="system.FIM_OUTBOUND" name="system.FIM_OUTBOUND" loginModuleRef="myCustom, hashtable, userNameAndPassword, certificate, token"/>
<jaasLoginModule id="myCustom" className="com.*.SampleLoginModule" controlFlag="REQUIRED" libraryRef="customLoginLib">
</jaasLoginModule>
<library id="customLoginLib" apiTypeVisibility="spec, ibm-api, api">
    <fileset dir="/" includes="com.**_8.0.0.jar"/>
</library>
This flow is using Federated repository feature (Liberty) for authentication.
The above settings allow the user to get authenticated against the repository; however, the JAAS module is not getting invoked.
If I convert JAAS entry to system.WEB_INBOUND using WSLoginModuleProxy - JAAS module gets invoked.
Liberty does have appSecurity-2.0 feature enabled.
Is there any other configuration which needs to be done?
When the Liberty profile performs authentication for protected web resources it uses the system.WEB_INBOUND JAAS login configuration entry. So any custom login modules that you have configured in it will be called.
If you have configured your custom login modules in your own or a different JAAS configuration, it will not be called by the server during web authentication. Your application, however, can call it directly.
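As an added example (not from the answer or the question), application code calling the custom entry through the standard JAAS API; the class name, the use of Java 8 lambdas, and the assumption that Liberty resolves a LoginContext lookup against the jaasLoginContextEntry id "system.FIM_OUTBOUND" from the question's server.xml are mine.

```java
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class CustomJaasLogin {

    /** Id of the jaasLoginContextEntry in the question's server.xml (assumed resolvable here). */
    private static final String ENTRY = "system.FIM_OUTBOUND";

    /**
     * Runs the login modules of that entry from application code. Returns the
     * authenticated Subject, or null when a REQUIRED module (here SampleLoginModule)
     * rejects the credentials. The password array is wiped in every case.
     */
    public static Subject login(String user, char[] password) {
        try {
            LoginContext ctx = new LoginContext(ENTRY, callbacks -> {
                // The modules request the credentials through these callbacks.
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(user);
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(password);
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            });
            ctx.login();             // invokes SampleLoginModule.login() and commit()
            return ctx.getSubject(); // principals and credentials the modules added
        } catch (LoginException e) {
            // Record the cause server-side only; do not reveal it to the caller.
            return null;
        } finally {
            Arrays.fill(password, '\0');
        }
    }
}
```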

weblogic 10.3.5 LDAP access for a J2EE application is not working

I am deploying a J2EE ear in WebLogic 10.3.5. It uses Oracle Internet Directory LDAP for authentication. After entering the username and password in the login page, I was able to see "authentication Allowed" in the AdminServer logs, but the login page is not changing.
On submitting the username and password I get the same login page again. The application is not moving to the other secure pages; I don't know what to do.
I would greatly appreciate your help.
I added the role configured in the OID LDAP server to web.xml and weblogic.xml, and after that it started working.
At least one role of the login should be configured in web.xml and weblogic.xml; this will solve the login problem.