How do I get basic authentication working on WebSphere?

Solution 1

After writing all of this below, I remembered that I have blogged about this for myself here:

WebSphere 6.1 and Application Authentication

As I understand it, you have set up your web.xml correctly, thus:

  <security-role>
    <role-name>myrole</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>TRACE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>myrole</role-name>
    </auth-constraint>
    <user-data-constraint>
      <description>SSL or MSSL not required</description>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>my login</realm-name>
  </login-config>

This is if you are using the administration console; you don't state that you are not, so go to the console:

http://localhost:9060/ibm/console

Then log in (if you have administrative security set up).

Then go here

  1. In the left-hand panel, click Security
  2. Secure administration, applications, and infrastructure
  3. There is then a section on the page, Application security
  4. Check the box Enable application security
  5. Click Apply, then save to the master configuration.

Then you have application security turned on. Now you need to map the users of your application to users within WebSphere.

Go here

  1. List item
  2. Applications > Enterprise Applications
  3. Click your application
  4. Under the Detailed Properties section you will see a link, Security role to user/group mapping (you will only see this link if your web.xml is set up correctly)
  5. Click Security role to user/group mapping
  6. Select the roles you wish to use for authentication
  7. Click Look up users or Look up groups
  8. Click Search and select users (that are set up in your WebSphere under the Users and Groups menu)
  9. Use the arrows to move the selected users/groups to the right-hand box
  10. Click OK and save to the master configuration.
  11. Restart your server.

Administrative security (security of WebSphere itself) must be turned on for it to work.

WebSphere can be complex but it is powerful and capable.

Solution 2

You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/
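An added audit, not code from either answer or from WebSphere, that parses a web.xml and reports every web-resource-collection whose protection is limited to an explicit <http-method> list, alongside the container rule under which an unlisted verb such as JEFF falls outside the constraint. The two fragments are constructed here: LISTED_METHODS mirrors the constraint in Solution 1, ALL_METHODS is the corrected form Solution 2 describes.

```python
import xml.etree.ElementTree as ET

# Constructed fragments (not the original poster's file). The first lists
# <http-method> as in Solution 1; the second omits the list as Solution 2 advises.
LISTED_METHODS = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

ALL_METHODS = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/yourUrl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    """Children by local name, so a namespaced or plain web.xml both work."""
    return [c for c in elem if c.tag.split('}')[-1] == name]

def collections(web_xml):
    """Yield (url_patterns, listed_methods) for each web-resource-collection
    under a security-constraint that carries an auth-constraint."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if sc.tag.split('}')[-1] != 'security-constraint':
            continue
        if not _kids(sc, 'auth-constraint'):
            continue
        for wrc in _kids(sc, 'web-resource-collection'):
            patterns = [p.text.strip() for p in _kids(wrc, 'url-pattern')]
            methods = [m.text.strip().upper() for m in _kids(wrc, 'http-method')]
            yield patterns, methods

def audit(web_xml):
    """Return the url-patterns whose protection is limited to an explicit
    verb list; an empty result means every method is covered."""
    return [(p, m) for p, m in collections(web_xml) if m]

def protected(web_xml, method):
    """Container rule for a request that matches the url-pattern: no
    <http-method> list means all verbs are constrained, a list means
    only those verbs. Any other verb is outside the constraint."""
    return any(not m or method.upper() in m for _, m in collections(web_xml))
```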

Author: ZKSteffel

Updated on July 09, 2022

Comments

  • ZKSteffel
    ZKSteffel almost 2 years

    Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my project, and users set up in tomcat-users.xml on the server. Works great.
    Problem is, now I have to transfer this project to WebSphere, which has nowhere near as simple of an implementation of basic authentication.

    I've seen this question: Websphere 6.1 and BASIC Authentication and looked at Chapter 7 of this pdf like suggested, but I can't seem to find the right settings (I have no option labeled 'enable global security' like most methods use), and am trying to run my project, while the pdf is extremely project specific.

    So to ask my question clearly, what is the easiest way to enable basic authentication on WebSphere 6.1?

  • ZKSteffel
    ZKSteffel about 13 years
    This is soooo much clearer than any answer I've seen about this before. THANK YOU SO MUCH. I still need to try this out, but I appreciate how thorough you are on this.
  • Admin
    Admin about 12 years
    @Gurnard - I'm trying to follow your instructions. I assign the User to the Group. Then on step 10 when I System Administration > Save change to master repository it says Total changed documents: 0 and the user-group relationship never gets saved. Am I doing something wrong?
  • Gurnard
    Gurnard about 12 years
    @RobertHume Just checking that you made these steps. Click Security role to user/group mapping in your application properties. Check the checkbox beside the role as described in your web.xml. Click map users/map groups. Click search. Select a user or group from available list. Click the arrow pointing right. User or group shows in selected box. Click OK. Click OK again. Click Save directly to master configuration in the messages box at the top of the page. I think the problem is you are going to the system admin menu maybe or missing one of the ok buttons.
  • Gurnard
    Gurnard about 12 years
    @RobertHume what version of WebSphere are you using?
  • Admin
    Admin about 12 years
    @Gurnard WebSphere 7. But the way I'm running WebSphere from within IBM RAD 7.5. Thanks!
  • Admin
    Admin about 12 years
    @Gurnard I realize now that when I do your first steps 1-5, the "Save" link appears in a box at the top of the screen. However, when I do your second steps 1-11, the "Save" link and box never appears. The change (user-to-group mapping) appears in the on screen table, but there's no "Save" link to save the changes so they vanish as soon as I click away. Any ideas?
  • Admin
    Admin about 12 years
    @Gurnard Hi Gurnard, I posted a detailed version of my question here ... please help if you can! Thanks. stackoverflow.com/questions/10725362/…