Enabling application security on WAS 6.1 - Websphere



Thread: Enabling application security on WAS 6.1

  1. Enabling application security on WAS 6.1

    Security role to user/group mappings*, I can find the group to which I would like to give access to the app. I have added the group; however, the application can still be accessed by everyone.

    Appreciate your comments and suggestions.

    Thanks,
    vangogh

  2. Re: Enabling application security on WAS 6.1

    When users access the application url, I want windows authentication dialog box to pop up and only members of a specific windows group should be able to access the application.

    Please find attached the admin console security configuration and the application security console screen-shots.

    Would greatly appreciate if someone could give some suggestions..

    Thanks.

  3. Re: Enabling application security on WAS 6.1

    Are the application URLs themselves protected?
    From what you have described above I could only say that the DD references one group which you have mapped to your AD group.

  4. Re: Enabling application security on WAS 6.1

    Yes. I have enabled application url protection and yes the DD reference only one group. The issue I have is that the application is still exposed to other groups even after the protection has been enforced. Could this be due to the admin user id not having admin rights to the windows group?

  5. Re: Enabling application security on WAS 6.1

    Could this be due to the admin user id not having admin rights to the windows group?
    No, it does not matter at all. If you were able to find the group in your registry then it should be enough.
    I would rather expect some misconfiguration issues in the DD. Please provide (replacing the sensitive info of course) the -portion of your DD.

    Or take a look at the Servlet Specification for examples (i.e. the Section SRV.12.7.2 in JSR-154).

  6. Re: Enabling application security on WAS 6.1

    Hi Katran,
    Thanks for taking interest in this issue.

    The DD details are given below:
    {code}
    <application>
      <display-name>abc</display-name>
      <module>
        <ejb>abcEJB.jar</ejb>
      </module>
      <module>
        <web>
          <web-uri>abcWeb.war</web-uri>
          <context-root>abcweb</context-root>
        </web>
      </module>
      <module>
        <web>
          <web-uri>abcServiceWeb.war</web-uri>
          <context-root>abcServiceWeb</context-root>
        </web>
      </module>
      <security-role>
        <role-name>internalUsers</role-name>
      </security-role>
    </application>
    {code}


    However, I still think it has to do with ldap settings that I have made. Here are the DN details.
    Admin user DN:
    *CN=vangogh,OU=Vendor_Access_IDs,OU=Users,OU=lmn,DC=xyz,DC=com*

    and the windows domain group that I want to give access to the app:
    *CN=GRP_TO_BE_ADDED,OU=Managed_Groups,OU=Groups,OU=lmn,DC=xyz,DC=com*

    user *vangogh* is part of the group *GRP_TO_BE_ADDED*, yet if I use the Base DN *OU=Managed_Groups,OU=Groups,OU=lmn,DC=xyz,DC=com*, I get an error message: No user found.

    I have included the configuration and advance ldap settings screen-shot in the updated attachment. Please let me know where I am wrong.

    Thanks again!!

  7. Re: Enabling application security on WAS 6.1

    In addition, is there any active directory specific security settings that I am missing?

  8. Re: Enabling application security on WAS 6.1

    Hi,

    defining the in DD is not enough. You have to define resources which can only be accessed by users having that role.
    Please take a look at this, for instance (see the code below):

    Link: [http://wiki.metawerx.net/wiki/Web.xml]


    The important portions are and in which itself lies within
    . Without those the resources are not protected even if there are some security roles mapped. The primary role of these security-roles is to allow checks "isUserInRole" in the code (programmatic security). In case the declarative security is needed you have to add resource protection entries in your DD.

    PS1: if you checked "All authenticated" (during / after the deployment) you override the security settings of the application. Thus the group membership will not be checked and every authenticated user is allowed to access the protected resources. Please do not select "All authenticated" in WAS if you want only the specified group to have access.

    PS2: the AD settings in WAS should be correct if one is able to find groups and users for mapping during deployment.

    {code}
    <security-role>
      <role-name>admin</role-name>
    </security-role>
    <security-role>
      <role-name>cms_editors</role-name>
    </security-role>

    <security-constraint>
      <display-name>Security constraint for the /private folder</display-name>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/private/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
        <http-method>PUT</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>admin</role-name>
        <role-name>cms_editors</role-name>
      </auth-constraint>
    </security-constraint>
    {code}
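As an added example that is not part of the thread, a small Python audit applying Katran's point: a `security-role` on its own only enables `isUserInRole` checks in code, while URLs are guarded only by a `security-constraint` whose `web-resource-collection` is paired with an `auth-constraint`. The script walks a web.xml and reports declared roles that no `auth-constraint` references (the original deployment's situation) and constraints that have no `auth-constraint` at all; the two sample documents are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Strip a namespace prefix so J2EE 1.4 and plain web.xml files are handled alike
    return tag.rsplit('}', 1)[-1]

def audit_web_xml(xml_text):
    """Report declared roles, which URL patterns they guard, and ineffective constraints."""
    root = ET.fromstring(xml_text)
    declared, used, protected, unguarded = set(), set(), [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == 'security-role':
            declared.update(c.text.strip() for c in el if _local(c.tag) == 'role-name')
        elif name == 'security-constraint':
            patterns, roles, res_name, has_auth = [], [], '', False
            for child in el:
                cname = _local(child.tag)
                if cname == 'web-resource-collection':
                    for c in child:
                        if _local(c.tag) == 'url-pattern':
                            patterns.append(c.text.strip())
                        elif _local(c.tag) == 'web-resource-name':
                            res_name = c.text.strip()
                elif cname == 'auth-constraint':
                    # An empty auth-constraint denies everyone; a missing one guards nothing
                    has_auth = True
                    roles = [c.text.strip() for c in child if _local(c.tag) == 'role-name']
            if has_auth:
                used.update(roles)
                protected.extend((p, tuple(roles)) for p in patterns)
            else:
                unguarded.append((res_name, patterns))
    return {'declared_roles': declared,
            'roles_without_constraint': declared - used,
            'protected_patterns': protected,
            'constraints_without_auth': unguarded}

# Constructed sample: roles declared but nothing constrained, as in the thread's original deployment
ROLE_ONLY = "<web-app><security-role><role-name>internalUsers</role-name></security-role></web-app>"
# Constructed sample: the fix, a security-constraint tying /private/* to the role
FIXED = ("<web-app><security-role><role-name>internalUsers</role-name></security-role>"
         "<security-constraint><web-resource-collection>"
         "<web-resource-name>Protected Area</web-resource-name><url-pattern>/private/*</url-pattern>"
         "</web-resource-collection><auth-constraint><role-name>internalUsers</role-name>"
         "</auth-constraint></security-constraint></web-app>")

if __name__ == '__main__':
    for label, doc in (('role-only', ROLE_ONLY), ('fixed', FIXED)):
        print(label, audit_web_xml(doc))
```

When a `web-resource-collection` lists `http-method` elements, only those verbs are constrained; the audit above does not check that, so review method lists by hand.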

  9. Re: Enabling application security on WAS 6.1

    Thanks Katran. Indeed the security-constraints were missing from the web.xml file. The tags were removed for a different environment that we were building.
    The application was rebuilt with the security-constraint tags included in web.xml and redeployed. It worked.

    Thanks again.
