We use WebSphere 4.0.6 security (form-based authentication) for authenticating users against LDAP servers. We have only one role in our application, "Auth Role", which is mapped to the "All Authenticated Users" built-in group. While deploying the application, we mapped "Auth Role" to the "All Authenticated Users" built-in group. However, when we tried to log in with a valid user id/password, I am getting a 403 Forbidden page and the log file shows this error:
[12/5/04 2:28:01:183 MST] 4047b7bb WebCollaborat A SECJ0129A: Authorization failed for psudhakar while invoking GET on default_host:/services/iibv/welcome.wss, Authorization failed, Not granted any of the required roles: Auth Role
The same setup works in our dev and test environment but not in production. I am really stuck with this problem and any help is greatly appreciated.
Sudha, I think the only way to figure the problem out for sure is to do a detailed compare on test vs. production configuration, but on the face of it, it sounds suspiciously like a problem we had recently. LDAP had the right person in the right group & the right permissions assigned to the group, but WebSphere didn't recognise the person as belonging to the group. If you think this might be your problem too, try setting up the permissions in application.xml for individual users rather than groups. If this fixes it, then you should go into the "Advanced LDAP Settings" in the admin console & play around with the values of "Group Member ID Map". "group:member; memberof:member" works for us, but I think it depends what implementation of LDAP you're using (ours is Active Directory).
Good luck! Louise
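To make the Group Member ID Map suggestion above concrete, here is an added example (written for this page, not code from the thread or from WebSphere) that models how such a setting is read: a ";"-separated list of objectclass:attribute pairs, where an LDAP entry counts as one of the user's groups when it has that objectclass and that attribute holds the user's DN. The directory entries are constructed Active Directory style sample data, and the "generic LDAP" map value used for comparison is an assumption chosen to show the mismatch, not WebSphere's documented default.

```python
"""Added illustration of a WebSphere-style "Group Member ID Map" lookup.

Not WebSphere code and not from the thread: it models the objectclass:attribute
shape of the setting over a small constructed directory so the effect of the
value can be checked without an LDAP server.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]


def normalize_dn(dn: str) -> str:
    """LDAP DNs compare case-insensitively and ignore spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample entries (assumption: Active Directory style schema).
# The user carries memberOf; the group has objectClass "group" and lists
# members in "member". A third, non-AD group is present so that a map
# written for groupOfNames finds something, just not this user.
SAMPLE_DIRECTORY: List[Entry] = [
    {"dn": ["cn=psudhakar,ou=users,dc=example,dc=com"],
     "objectClass": ["top", "person", "user"],
     "memberOf": ["cn=app-users,ou=groups,dc=example,dc=com"]},
    {"dn": ["cn=app-users,ou=groups,dc=example,dc=com"],
     "objectClass": ["top", "group"],
     "member": ["cn=psudhakar,ou=users,dc=example,dc=com"]},
    {"dn": ["cn=old-users,ou=groups,dc=example,dc=com"],
     "objectClass": ["top", "groupOfNames"],
     "member": ["cn=someone,ou=users,dc=example,dc=com"]},
]


def parse_member_id_map(value: str) -> List[Tuple[str, str]]:
    """'group:member; memberof:member' -> [('group', 'member'), ('memberof', 'member')]."""
    pairs: List[Tuple[str, str]] = []
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        objectclass, sep, attribute = item.partition(":")
        if not sep or not objectclass.strip() or not attribute.strip():
            raise ValueError(f"expected objectclass:attribute, got {item!r}")
        pairs.append((objectclass.strip().lower(), attribute.strip().lower()))
    return pairs


def groups_for_user(user_dn: str, directory: List[Entry], member_id_map: str) -> List[str]:
    """Return the DNs of entries that the map identifies as groups containing user_dn."""
    wanted = normalize_dn(user_dn)
    pairs = parse_member_id_map(member_id_map)
    groups: List[str] = []
    for entry in directory:
        # Attribute names are case-insensitive in LDAP, so key by lowercase name.
        attrs = {name.lower(): values for name, values in entry.items()}
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        for objectclass, attribute in pairs:
            members = {normalize_dn(v) for v in attrs.get(attribute, [])}
            if objectclass in classes and wanted in members:
                groups.append(attrs["dn"][0])
                break  # one match is enough; do not list the same group twice
    return groups


if __name__ == "__main__":
    user = "cn=psudhakar,ou=users,dc=example,dc=com"
    # Assumed generic-LDAP style map: does not know about AD's "group" objectclass.
    generic_map = "groupOfNames:member;groupOfUniqueNames:uniqueMember"
    ad_map = "group:member; memberof:member"
    print("generic map ->", groups_for_user(user, SAMPLE_DIRECTORY, generic_map))
    print("AD map      ->", groups_for_user(user, SAMPLE_DIRECTORY, ad_map))
```

With the generic map the user resolves to no groups at all, which is exactly the state in which a role granted only to groups produces "Not granted any of the required roles". With the AD style map the "group:member" pair does the work; the "memberof:member" pair matches nothing in this sample because no entry has an objectclass named memberof, so under the reading modelled here it is harmless rather than necessary. Comparing the two values across test and production is a quick first check before a full configuration diff.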