
How to secure servlet in websphere?

Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273

I have written a HelloWorld servlet, it just returns "Hello World" to the client.

I am deploying this as .war module.

I want to secure this servlet i.e. when someone gives the URL to access this servlet, this should ask username/password before displaying Hello World i.e. I want to utilize Java / J2EE security model of WAS.

Ulf Dittmer

Joined: Mar 22, 2005
Posts: 42965
The servlet specification provides for a username/password/role scheme that every servlet container must support. The user interface is either a little dialog box in the browser where the user enters username and password, or there can be a custom-designed login page. The latter approach is described here. Websphere would have a different mechanism of looking up user account information - consult the Websphere documentation for details.
[ September 09, 2006: Message edited by: Ulf Dittmer ]
Cameron Wallace McKenzie
author and cow tipper
Saloon Keeper

Joined: Aug 26, 2006
Posts: 4968

WebSphere is going to use the same security mechanism as any J2EE compliant application server.

Going about testing security may depend on where you're doing the testing. Testing on the embedded WAS test server is a little different from configuring security on a WAS application server.

My website has an awesome multimedia tutorial on how to turn WAS security on, configure the WebSphere Application Server to use an LDAP server for user authentication, and then deploy an application that uses security constraints to restrict access to Servlets and JSPs, and map the roles associated to the security constraints to users and groups in the LDAP server. It certainly shows you what's involved in configuring WAS 5 and WAS 6.1 security.


Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273
Great buddy!

Would you mind giving us the URL of the website with the multimedia tutorial on WAS security?

Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273

1. I have enabled administrator security in websphere. When I give the admin page, it asks me username/password, it works well.
2. I have written a HelloWorld servlet (deployed in websphere app server) and given the BASIC authentication mechanism in web.xml as follows:

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "">

Example servlets

If I give the URL to access this servlet, the window security box appears but when I give the username/password, it says "You are not authorized to view this page".
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273
Just for simplicity:

<role-name> administrator </role-name>

<role-name> Administrator </role-name>

<role-name> admin </role-name>

<role-name> Admins </role-name>

<role-name> operator </role-name>

<role-name> All Role </role-name>
None of the role names are working.

Brian Hennessy
Ranch Hand

Joined: Oct 24, 2005
Posts: 57
Hi Guru
Is this tutorial of any use to you?
Gurumurthy Ramamurthy
Ranch Hand

Joined: Feb 13, 2003
Posts: 273
Thanks guys. I could solve the issues by doing the following:

1. I have given the username/password of my local Administrator in the user repositories.
2. I have enabled the global security.
3. I restarted the server; I could successfully enter my username/password and see the admin page.
4. After this, I deployed the servlet and in the security role I have given "AllAuthenticated" so that anyone who has username and password can enter and see the servlet.
5. This worked out very well. Now, the servlet is secured.

Also, I have noted that the web.xml changes alone are not enough; during the deployment, you have an option like "mapping the security to roles". I checked the check-box saying "AllAuthenticated" and restarted the application; only then did it work.

Now, my question is this: I am automating this process, meaning I am writing a script (Jacl/wsadmin) through which I am going to deploy. I want to know which script/command is there to map the users to roles.

Thanks a lot guys,
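
Added example (not part of the thread, and not IBM's or any poster's code): a Python check that the roles protected in a web.xml are declared and mapped to a subject, and that builds the `-MapRolesToUsers` option string for `$AdminApp install`, the wsadmin option for the role mapping asked about in the last post. It assumes the five-field row layout of WAS 6.x (role, Everyone, AllAuthenticated, users, groups); the web.xml, the role name `HelloUser` and `hello.war` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml (Servlet 2.3 style); role and URL names are hypothetical.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>hello</web-resource-name>
      <url-pattern>/HelloWorld</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name> HelloUser </role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>HelloUser</role-name></security-role>
</web-app>"""

def roles(web_xml):
    """Return (roles used in auth-constraints, roles declared via security-role)."""
    root = ET.fromstring(web_xml)
    names = lambda path: {(e.text or "").strip() for e in root.findall(path)}
    return (names("./security-constraint/auth-constraint/role-name"),
            names("./security-role/role-name"))

def has_subject(m):
    return bool(m and (m.get("everyone") or m.get("all_auth")
                       or m.get("users") or m.get("groups")))

def find_problems(web_xml, mapping):
    """mapping: role -> {"everyone": bool, "all_auth": bool, "users": [], "groups": []}"""
    used, declared = roles(web_xml)
    problems = [f"{r}: used in auth-constraint but not declared" for r in sorted(used - declared)]
    for r in sorted(used):
        m = mapping.get(r)
        if not has_subject(m):
            problems.append(f"{r}: no subject mapped, every login is rejected")
        elif m.get("everyone"):
            problems.append(f"{r}: mapped to Everyone, no login is required")
    return problems

def map_roles_option(mapping):
    """Build the Jacl option list: role, everyone, all-authenticated, users, groups."""
    yn = lambda b: "Yes" if b else "No"
    rows = ['{"%s" %s %s "%s" "%s"}' % (role, yn(m.get("everyone")), yn(m.get("all_auth")),
                                       "|".join(m.get("users", [])), "|".join(m.get("groups", [])))
            for role, m in sorted(mapping.items())]
    return "{-MapRolesToUsers {%s}}" % " ".join(rows)

if __name__ == "__main__":
    mapping = {"HelloUser": {"all_auth": True}}
    print(find_problems(SAMPLE_WEB_XML, mapping) or "role mapping is consistent")
    print("$AdminApp install hello.war", map_roles_option(mapping))
```

The generated string can also be passed to `$AdminApp edit` for an application that is already installed; follow either call with `$AdminConfig save`.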