How do I get basic authentication working on WebSphere?

Asked 10/6, 2011 at 13:27 Answered 1/11, 2012 at 14:57

Solved java web-services websphere basic-authentication websphere-6.1

Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my project, and users set up in tomcat-users.xml on the server. Works great.
Problem is, now I have to transfer this project to WebSphere, which has nowhere near as simple of an implementation of basic authentication.

I've seen this question: Websphere 6.1 and BASIC Authentication and looked at Chapter 7 of this pdf like suggested, but I can't seem to find the right settings (I have no option labeled 'enable global security' like most methods use), and am trying to run my project, while the pdf is extremely project specific.

So to ask my question clearly, what is the easiest way to enable basic authentication on WebSphere 6.1?

Eatable answered 10/6, 2011 at 13:27 Comment(0)

After writing all this below I remember I have blogged about this for myself here:

WebSphere 6.1 and Application Authentication

As I understand you have setup your web.xml correctly thus:

     <security-role>
    <role-name>myrole</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL or MSSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
  </login-config>

This is if you are using the administration console you dont state that you are not so go to the console:

http://localhost:9060/ibm/console

Then login (if you have administrative security setup)

Then go here

left hand panel click Security
Secure administration, applications, and infrastructure
There is then a section on the page Application security
Check the box Enable application security
click apply, then save to master config.

Then you have application security turned on. Now you need to map the users of your application to users within websphere.

Go here

List item
Applications > Enterprise Applications
Click your application
Under the Detailed Properties section you will see a link Security role to user/group mapping
you will only see this link if your web.xml is setup correctly
click the Security role to user/group mapping
Select the roles you wish to use for authentication
Click look up users or look up groups
click search and select users (that are setup in your websphere under Users and Groups menu
use the arrows to move the selected users/groups to the right hand box
click ok and save to master configuration.
restart your server.

Administration security (security of Websphere itself) must be turned on for it to work.

WebSphere can be complex but it is powerful and capable.

The answered 10/6, 2011 at 13:45 Comment(7)

This is soooo much clearer than any answer I've seen about this before. THANK YOU SO MUCH. I still need to try this out, but I appreciate how thorough you are on this. – Eatable 10/6, 2011 at 13:53

@The - I'm trying to follow your instructions. I assign the User to the Group. Then on step 10 when I System Administration > Save change to master repository it says Total changed documents: 0 and the user-group relationship never gets saved. Am I doing something wrong? – Belfort 22/5, 2012 at 18:6

@RobertHume Just checking that you made these steps. Click Security role to user/group mapping in your application properties. Check the checkbox beside the role as described in your web.xml. Click map users/map groups. Click search. Select a user or group from available list. Click the arrow pointing right. User or group shows in selected box. Click OK. Click OK again. Click Save directly to master configuration in the messages box at the top of the page. I think the problem is you are going to the system admin menu maybe or missing one of the ok buttons. – The 23/5, 2012 at 12:43

@RobertHume what version of WebSphere are you using? – The 23/5, 2012 at 12:50

@The WebSphere 7. But the way I'm running WebSphere from within IBM RAD 7.5. Thanks! – Belfort 23/5, 2012 at 15:35

@The I realize now that when I do your first steps 1-5, the "Save" link appears in a box at the top of the screen. However, when I do your second steps 1-11, the "Save" link and box never appears. The change (user-to-group mapping) appears in the on screen table, but there's no "Save" link to save the changes so they vanish as soon as I click away. Any ideas? – Belfort 23/5, 2012 at 17:51

@The Hi Gurnard, I posted a detailed version of my question here ... please help if you can! Thanks. #10725862 – Belfort 23/5, 2012 at 18:0

You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/

Reenareenforce answered 1/11, 2012 at 14:57 Comment(0)

Recommended topics

Hot tags