How to secure servlet in websphere?

Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Hi,

I have written a HelloWorld servlet, it just returns "Hello World" to the client.

I am deploying this as .war module.

I want to secure this servlet i.e. when someone gives the URL to access this servlet, this should ask username/password before displaying Hello World i.e. I want to utilize Java / J2EE security model of WAS.

Thanks,
Guru
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41155
The servlet specification provides for a username/password/role scheme that every servlet container must support. The user interface is either a little dialog box in the browser where the user enters username and password, or there can be a custom-designed login page. The latter approach is described here. Websphere would have a different mechanism of looking up user account information - consult the Websphere documentation for details.
[ September 09, 2006: Message edited by: Ulf Dittmer ]

Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper

Joined: Aug 26, 2006
Posts: 4968

WebSphere is going to use the same security mechanism as any J2EE compliant application server.

Going about testing security may depend on where you're doing the testing. Testing on the embedded WAS test server is a little different from configuring security on a WAS application server.

My website has an awesome multimedia tutorial on how to turn WAS security on, configure the WebSphere Application Server to use an LDAP server for user authentication, and then deploy an application that uses security constraints to restrict access to Servlets and JSPs, and map the roles associated to the security constraints to users and groups in the LDAP server. It certainly shows you what's involved in configuring WAS 5 and WAS 6.1 security.

Cheers!

-Cameron
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Great buddy!

Would you mind giving us the URL of the website with the multimedia tutorial on WAS security?

Thanks,
Guru
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Hi,

1. I have enabled administrator security in websphere. When I give the admin page, it asks me username/password, it works well.
2. I have written a HelloWorld servlet (deployed in websphere app server) and given the BASIC authentication mechanism in web.xml as follows:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>
  <display-name>Examples</display-name>
  <description>
    Example servlets
  </description>

  <servlet>
    <servlet-name>HelloWorld</servlet-name>
    <servlet-class>HelloWorld</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>HelloWorld</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <description></description>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>

    <auth-constraint>
      <description></description>
      <role-name>administrator</role-name>
    </auth-constraint>

    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>HelloServlet</realm-name>
  </login-config>

</web-app>

If I give the URL to access this servlet, the window security box appears but when I give the username/password, it says "You are not authorized to view this page".
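
Added example (not part of the original thread and not any poster's code): a small Python audit of the security elements in a descriptor like the one posted above. It flags three things the servlet specification makes checkable from web.xml alone: a constraint that lists specific `<http-method>` elements covers only those methods, BASIC or FORM login without a CONFIDENTIAL transport guarantee sends credentials over plain HTTP, and every role named in an `<auth-constraint>` should have a matching `<security-role>` declaration. The function name `audit_web_xml` and the trimmed sample are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security elements of the descriptor posted above.
SAMPLE = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secured</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

def audit_web_xml(xml_text):
    """Hypothetical helper: return (findings, roles that need a mapping)."""
    root = ET.fromstring(xml_text)
    for el in root.iter():  # strip namespaces so 2.4+ descriptors also match
        el.tag = el.tag.rsplit("}", 1)[-1]
    text = lambda el: (el.text or "").strip()
    declared = {text(r) for r in root.findall("security-role/role-name")}
    auth = root.findtext("login-config/auth-method", "").strip()
    findings, used = [], set()
    for sc in root.findall("security-constraint"):
        patterns = [text(p) for p in sc.iter("url-pattern")]
        methods = [text(m) for m in sc.iter("http-method")]
        roles = {text(r) for r in sc.findall("auth-constraint/role-name")}
        used |= roles
        if methods:  # listing methods leaves every unlisted one unconstrained
            findings.append(f"{patterns}: only {methods} are constrained")
        guarantee = sc.findtext("user-data-constraint/transport-guarantee",
                                "NONE").strip()
        if roles and auth in ("BASIC", "FORM") and guarantee != "CONFIDENTIAL":
            findings.append(f"{patterns}: {auth} login without TLS "
                            f"(transport-guarantee {guarantee})")
    for role in sorted(used - declared - {"*"}):
        findings.append(f"role '{role}' has no <security-role> declaration")
    return findings, sorted(used - {"*"})

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE)[0]:
        print(finding)
```

The second return value is the list of roles the deployer still has to map to users or groups in the application server, which is the step the thread ends up identifying as the missing piece.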
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Just for simplicity:

<role-name> administrator </role-name>

<role-name> Administrator </role-name>

<role-name> admin </role-name>

<role-name> Admins </role-name>

<role-name> operator </role-name>

<role-name> All Role </role-name>
None of the role names are working.

Guru
Brian Hennessy
Ranch Hand

Joined: Oct 24, 2005
Posts: 57
Hi Guru
Is this tutorial of any use to you ?

http://www-128.ibm.com/developerworks/websphere/techjournal/0303_barcia/barcia.html
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 272
Thanks Guys. I could solve the issues by doing the following:

1. I have given the username/password of my local Administrator in the user repositories.
2. I have enabled the global security.
3. I restarted the server; I could successfully enter my username/password and see the admin page.
4. After this, I deployed the servlet and in the security role I have given "AllAuthenticated" so that anyone who has username and password can enter and see the servlet.
5. This worked out very well. Now, the servlet is secured.

Also, I have noted that the web.xml changes alone are not enough; during the deployment, you also have an option like "mapping the security to roles". I checked the check-box saying "AllAuthenticated" and restarted the application, and only then did it work.

Now, the question for me is this: I am automating this process, meaning I am writing a script/jacl/wsadmin through which I am going to deploy. I want to know which script/command there is to map the users to roles.

Thanks a lot guys,
Guru
 
 