I�m trying to migrate an application from JBoss to WebSphere 6.1.
I don�t know how to do the JAAS onfiguration in WebSphere.
Does anybody know how to: 1- configure a JAAS repository in Websphere to validate users in database (Oracle) 2- configure a custom login module JAAS
Thanks in advance Kris
Joined: Aug 07, 2008
desconsider my question. I�ve already discover.
Thks anyway. Kris
Joined: Aug 07, 2008
People I put some extra information trying to help who had the same problem based on a tutorial some friends have done.
1.How to configure WAS 6.1 to use LDAP (Apache DS) and enable security
From 6.1 version, WebSphere separates administrative security from application security. The term administrative security means you need username and password to administer the server. This task includes getting server status, stopping the server (somehow it doesn't include starting the server, you can start the server without supplying username and password) and administer the server through admin console or through wsadmin scripts. The term application security means you can protect resources in your application (e.g. you can protect /profile url), assign application security roles to those protected resources and map users or groups from LDAP to those roles.
This assumes that: 1.You have already created a WebSphere 6.1 profile with security disabled; 2.WAS is running; 3.You have installed a LDAP Server (Apache DS) and created users and groups; 4.LDAP Server (Apache DS) is running.
Follow the steps bellow to enable administrative and application security: 1.Go to WAS admin console <a href="http://<host>" target="_blank" rel="nofollow">http://<host> ort/admin. For example, http://localhost:9060/admin 2.Click on Security > Secure administration, applications, and infrastructure 3.Select Standalone LDAP registry in Available realm definitions dropdown and click Configure 4.Enter the following values in the screen: �Primary administrative username: wasadmin (the admin user already created in ldap); �Select Server identity that is stored in the repository radio button (because we don't want WebSphere to generate an id for us); �Type of LDAP server: Custom (Apache DS is NOT one of the supported LDAP servers); �Host: localhost (server where Apache DS is running) �Port: 10389 (port on which Apache DS is listening); �Base distinguish name (DN): dc=example,dc=com (all our groups and users are under this base dn); �Bind distinguish name (DN): uid=wasadmin,ou=people,dc=example,dc=com (entry that uniquely identifies wasadmin user); �Bind password: <password for wasadmin user you used in when you created user in LDAP>; �Leave default values for other options; �Click Apply; �Click Save directly to the master configuration link;
5.Click Advanced Lightweight Directory Access Protocol (LDAP) user registry settings link under Additional Properties section; �User filter: (&(uid=%v)(objectclass=inetOrgPerson)) �Group filter: (&(cn=%v)(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames))) �User ID map: *:uid �Group ID map: *:cn �Group member ID map: groupOfNames:member;groupOfUniqueNames:uniqueMember �Click OK; �Click Save directly to the master configuration link at the top of the page;
6.Click OK and Save again; 7.Click Security > Secure administration, applications, and infrastructure link on the left hand panel; 8.Select Enable administrative security checkbox; 9.Select Enable application security checkbox; 10.Select Standalone LDAP registry in Available realm definitions dropdown and click Set as current button; 11.Click Apply button; 12.Click Save directly to the master configuration link;
We have enabled administrative security but the change will not take effect until restart the server. Restart the server and go to admin console. Since security is enabled, you will be asked to accept a certificate and login using the WAS admin username and password you specified in LDAP.
2.How to configure WAS 6.1 to use Java Authentication and Authorization Service (JAAS).
Use this section to define the login module for a Java Authentication and Authorization Service (JAAS) login configuration. You can define the JAAS login modules for application and system logins. To define these login modules in the administrative console, complete the following steps:
1.Click Security > Secure administration, applications, and infrastructure. 2.Click New button and put as alias whatever name you want.
3.Click OK and Save directly to the master configuration link at the top of the page; 4.Under Authentication, click Java Authentication and Authorization Service > Application logins or System logins > MyAppLogin. 5.Under Additional properties, click JAAS login modules. �Module class name: com.ibm.ws.security.server.lm.ltpaLoginModule
�Click OK and Save directly to the master configuration link at the top of the page; 3.How to map security role to user/group in WAS 6. Now that everything is configured, it is necessary map application roles to LDAP user/group. To define these mapping in the administrative console, complete the following steps: 1.Click Applications > Enterprise Applications. 2.Click the application you want to define the mappings. 3.Click Security role to user/group mapping.
4.Select an application role and press button Look up groups to map role to groups or press button Look up users to map role to users. From now on, it will be shown how to map roles to group because to map users has similar steps.
5.Press button Search. Groups available will be shown on the left panel.
6.Select groups that will be applied to the role and press button >>.
7.Click OK. Click OK again and directly to the master configuration link at the top of the page;