IBM Software Group

© 2006 IBM Corporation

Securing Your Application With WebSphere Security

You will need to develop login procedures for your web applications. This short section describes how to do this for WebSphere Application Servers connected to an authentication server such as LDAP, or any other security realm.

Note that this is an involved lab that will take at least an hour. Ideally, you should get assistance from your WebSphere administrator before starting.

Last update: 12/04/2007

WebSphere Security - Overview

You will perform the following tasks to enable WebSphere security for your project:

1. Create a Login Page that conforms to the WebSphere Security requirements
   - (Optionally) Create an Error page that can be specified to your WAR file as the page to automatically redirect to when a Login error occurs
2. Enable security for your WebSphere Application Server
3. Enable security for your WAR (web.xml) file
4. Enable security for your WebSphere Server Configuration
5. Setup security for your Enterprise Application Resource (EAR) file
6. Code your EGL calls to J2EELIB to:
   - Return the user-ID
   - Determine if the user is in a particular role

In this lab, we will show you how to enable WebSphere for Local operating system security. If you wanted to actually integrate LDAP, RACF or any other security “realm”, your WebSphere administrator would have to assist you with this.

WARNING – In fact, you should probably obtain assistance from your WebSphere administrator before starting this section, because:
- These processes are complex – a great deal of security semantics are involved
- If you make mistakes in doing this, you could conceivably cause WebSphere to not be able to boot. Period.

1. WebSphere and LDAP Security – Create Login and Error Pages

WebSphere requires that you define a .JSP page that calls WebSphere internal methods, passing specifically named variables as parameters within the form.

- At this point in time, this cannot be an EGL/JSF page (it must be .JSP/Java)
- In the Notes section of this slide we’ve given you an example of such a page. To implement in your project:
  - Create a new page in \WebContent\ named: login.jsp
  - From the notes section of this slide, copy and paste all of the .JSP and HTML source
  - Using Page Designer, edit your login.jsp in Source mode
  - Select all of the existing source (Ctrl/A)
  - Paste your copied source in (Ctrl/V)
  - Save and test by running the page on the server

2. WebSphere and LDAP Security – Server Security Overview

Next you will set up the WebSphere Server to enable Security on a given “realm”. The Security realm could be:
- RACF
- LDAP
- Local operating system

The Security realm authenticates the User-ID/Password combination passed to it by WebSphere.

In this section you will:
- Define a Security configuration for using your local operating system as the Security realm
- Enable WebSphere for Security

[Diagram: Login Page – sends User-ID/Password to… – WebSphere Security – which connects to… – Security Realm (LDAP …or…) / LDAP Database – which performs authentication]

Login to the WebSphere Administrative Console

With WebSphere started:
- From the Servers tab, right-click over your Server configuration and select Run Administrative Console
- Login

Setup WebSphere Local Operating System Security – 1 of 3

With WebSphere started: From the Security tab

Click: Secure administration, applications and infrastructure

From Available realm definitions, select Local operating system

Click: Configure


Setup WebSphere Local Operating System Security – 2 of 3

From Secure administration, applications and infrastructure

Specify the Primary administrative user name
- Note that this would be your Windows login user name.

Click OK
- Note that if WebSphere cannot find the user name in the Windows registry, you will not be able to continue

Setup WebSphere Local Operating System Security – 3 of 3

From Secure administration, applications and infrastructure

- Check: Enable administrative security
- Un-check Use Java 2 security
- Click Apply
- Click Save

From the top of the Administration Console
- Logout

From the Servers tab
- Restart WebSphere

***Notes

3. Secure the WAR (web.xml) File – 1 of 4 – Add a Security Role

Now you will add one or more Security Roles to your WAR (web.xml) file (example: user, admin, manager, etc.).

You will then add one or more Security Constraints – and for each constraint, you will specify:
- Web resource collection – Essentially, these are constraint rules, or what a defined constraint allows an application user to “do”
- Authorized users – which of the Security Roles is assigned to the constraint – effectively limiting individuals who log in to the application to be able to “do” what you want them to (and only what you want them to)

From Project Explorer:
- Expand \WebContent\WEB-INF\ and open web.xml
- From the Security tab, Add… one or more Security roles

Secure the WAR (web.xml) File – 2 of 4 – Add a Security Constraint

From the Security Constraints part of the Security tab
- Click Add…
- Name your Security Constraint

From the Web resource collection part of the Security tab (with your new Constraint selected):
- Click Add…

From Add Web Resource:
- Name the resource
- Leave all the checkboxes un-checked

From the Pattern area
- Click Add..
- Specify: /*

***Notes

Secure the WAR (web.xml) File – 3 of 4 – Add Authorized Roles

From the Authorized Roles part of the Security tab (with your constraint selected)
- Click Add…
- Type a Description
- Check the Role Names you wish to add to this web application

Secure the WAR (web.xml) File – 4 of 4 – Add a Security Constraint

From the Pages tab – within the Login section:
- Open the Authentication method: Select Form

For the Login and Error pages:
- Click Browse…
- Select login.jsp

Save and close web.xml
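
For reference, the web.xml source that steps 1 through 4 of 4 above would produce looks roughly like the following. This is an added example, not taken from the slides or their Notes; it is written as a Servlet 2.4 descriptor, and the role name user and the names AllPagesConstraint and AllPages are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Steps 2 and 3 of 4: one constraint, one web resource collection,
       one authorized role. All names here are assumed, not from the slides. -->
  <security-constraint>
    <display-name>AllPagesConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>AllPages</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- No http-method elements (the checkboxes left un-checked):
           the constraint then applies to every HTTP method. -->
    </web-resource-collection>
    <auth-constraint>
      <description>Roles allowed to use this web application</description>
      <role-name>user</role-name>
    </auth-constraint>
    <!-- Not in the slides: a user-data-constraint element with
         transport-guarantee CONFIDENTIAL placed here makes the container
         require HTTPS, so the posted password is not sent in clear text. -->
  </security-constraint>

  <!-- Step 4 of 4: Form authentication, login.jsp for both pages.
       Per the Servlet specification, login.jsp must contain a form that
       POSTs to j_security_check with fields j_username and j_password. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <!-- Step 1 of 4: every role named in an auth-constraint is declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Opening web.xml in Source mode after finishing the Security and Pages tabs lets you compare what the editor generated against this shape, in particular that the url-pattern covers the pages you intend and that each role in an auth-constraint has a matching security-role entry.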


4. Enable Security for Your WebSphere Server Configuration

From your Servers tab:
- Double-click on your WebSphere Server to open the server settings
- Click the Security “twisty”
- Check: Security is enabled on this server, and enter your Windows logon User ID and Password values
- Close …and… Save

***Notes

5. Setup Security for Your EAR File

From Project Explorer – open the EAR file’s Deployment Descriptor, and from the Security tab:
- Click Gather…
- Check: All authenticated users
- Close …and… Save

5. Code Calls to the Security – 1 of 2

From Project Explorer – open any jsfhandler .EGL file (here we are using allcustomers.egl)

Add:
- A String variable for the userID
- A Boolean variable for isUserInRole(…)
- Calls to the j2eelib. functions

Save your edits

From Page Designer/Page Data
- Select both variables
- Drag them on to the page

Restart the Server

Run the page on the server

5. Code Calls to the Security – 2 of 2

Your Security form should be invoked.
- After you log in successfully, the page you ran on the server should be invoked
- If your login fails, WebSphere should redirect to your Login Error Page
- Note the new WebSphere port – for secured applications

LDAP Example – From the Samples Gallery

If you are actually working with your WebSphere Administrator to hook LDAP into your project, open the Sample Gallery from the product Help and follow the steps therein for an excellent tutorial example.