Introduction to LDAP: Part 5: Adding LDAP to your WebSphere Enterprise Application

Document options Document options requiring JavaScript are not displayed Sample code Rate this page Help us improve this content

Level: Intermediate

Fred Simmons (fredsid@us.ibm.com), Consultant for Software Services for WebSphere, IBM
Jeng Yoong Tan (jtan@us.ibm.com), Consultant for Software Services for WebSphere, IBM

28 May 2005

In the previous articles, you have developed a WebSphere Application using IBM Tivoli Directory Server that implemented

ºServlets protected by J2EE form authentication,
ºAn Enterprise Java Bean (EJB) that could access Lightweight Directory Access Protocol (LDAP) data,
ºBean level security on the EJB using the BillingSecurityRole which mapped to the LDAP group, cn=billingsecurity,dc=ibm,dc=com.

In this article you will extend the EJB security to make it more grandular. The BillingSecurityRole will be replaced with three separate security roles. These new security roles based on LDAP groups will protect the access to the LDAP data and also determine what information is returned.

More Enhancements to the Billing Department Enterprise Application

In the previous article, the enhanced Billing Department application displayed the following employee data for any user who is a member of the BillingSecurityRole:

• full user name
• address
• telephone number

The Billing Department manager, Barbara Jensen, also hired a consultant, Diego Miralles, to assist her team. Diego was not permitted to access any LDAP data. Barbara is impressed with Diego's productivity and decides to hire two additional contractors, Pavitr Prabhakar and Arval Benicoeur. In addition she wants to expand the Billing Department application so that the contractors could view the following LDAP fields.

• full user name
• address
• telephone number

Barbara now wants all permanent members of the Billing Department to access:

• full user name
• address
• telephone number
• job title

She also wanted the Billing Department manager to see:

• full user name
• address
• telephone number
• job title
• mobile telephone number

Back to top

Requirements for the Green Page

Due to the expanding number of Billing Department employees, Barbara wants to enhance the Billing Department's public web page into a concept that she named the Green Page. The top of the Green Page should list the names of the members of the Billing Department, their company ids and passwords differentiated by whether they are permanent or temporary employees. The Green Page will have just a single link to the secure Billing Department web pages, not separate links to logon pages for the Billing Department manager and employees. Since Barbara is increasing the number of employees in her department, she wants the Green Page to include a telephone search capability. Everyone with access to the Green Page should be able to look up the business telephone number of a Billing Department member by just entering the employee's last name. Several employees have long surnames so Barbara wants a wild card search capability. A Green Page user can enter Ben* and retrieve the business telephone number for Arval Benicoeur.

Back to top

Refinement of your LDAP data

Barbara has decided to give the temporary members of the Billing Department access to the LDAP data. In order to implement this design you must create a new group containing just the temporary billing department members, Diego Miralles, Pavitr Prabhakar and Arval Benicoeur. Name this group cn=billingtemp,dc=ibm,dc=com. The temporary Billing Department members have their own group so you must remove the entry for Diego Miralles, uid=t0001,ou=people,dc=ibm,dc=com from cn=billingdept,dc=ibm,dc=com. Only the permanent members of the Billing Department will be contaned in cn=billingdept,dc=ibm,dc=com. Barbara will still be a member of both the cn=billingdeptmgr,dc=ibm,dc=com and cn=billingdept,dc=ibm,dc=com groups.

In this project you add a new EJB to act as the business rules engine for Business Department application. Decisions such as which LDAP fields a role can view will be encapsulated in this new EJB. The original AccessLDAP EJB from the previous project will now act as a gateway between the LDAP server and the business rules EJB.

In the previous article, all users in the cn=billingsecurity,dc=ibm,dc=com group could access LDAP data. You must prevent Billing Department members such as the wily Billy Parker from writing an application to bypass the business rules EJB and connecting directly to the AccessLDAP EJB. If Billy has direct access to the LDAP server information, he can discover Carla Van Dyke's mobile telephone number. Carla would prefer to limit her contact with Billy to the office. Create a new role uid=accessldapbind,cn=roles,dc=ibm,dc=com and a new group for this role, cn=accessldap,dc=ibm,dc=com. Add the role, uid=accessldapbind,cn=roles,dc=ibm,dc=com, to the cn=accessldap,dc=ibm,dc=com group. Change the AccessLDAP EJB to allow only the cn=accessldap,dc=ibm,dc=com group to invoke its methods. This will prevent anyone from directly accessing the AccessLDAP EJB unless they have the password for the cn=accessldap,dc=ibm,dc=com user.

By the end of this article you will have seven permanent department members, three termporary members, three roles for system administration and four groups in your Billing Department LDAP.

Table 1. Billing Department employees and roles, their WebSphere roles and LDAP group membership

The setup4.ldif included with this article performs a complete LDAP setup for the Billing Department. It inserts Pavitr Prabhakar and Arval Benicoeur into ou=people,dc=ibm,dc=com, builds the new group for Billing Department temporary members, cn=billingtemp,dc=ibm,dc=com, and moves Diego Miralles from the cn=billingdept,dc=ibm,dc=com into the new cn=billingtemp,dc=ibm,dc=com group. It also creates the cn=accessldap,dc=ibm,dc=com with one member, uid=accessldapbind,cn=roles,dc=ibm,dc=com.

Adding entries using IBM Tivoli Directory Server Configuration Tool

If you prefer to use a graphical user inferface to add the new LDAP entries, then stop the LDAP server and navigate to Start => All Programs => IBM Tivoli Directory Server 5.2 => Directory Configuration and launch the IBM Tivoli Directory Server Configuration Tool.

Add to your LDAP the employee entries for temporary employees Pavitr and Arval, the role uid=accessldapbind,cn=roles,dc=ibm,dc=com, the cn=accessldap,dc=ibm,dc=com group and the cn=billingtemp,dc=ibm,dc=com group. Select Import LDIF data. Browse to the setup4.ldif file. Select the Remove trailing spaces in Standard Import or Bulkload check box. This is a Standard import. Click the Import button. After the import completes, press Clear results. Then press the Close button. The LDAP server cannot be running when you are importing LDIF (Lightweight Data Interchange Format) data using the Directory Configuration Tool.

Close the Directory Server Configuration Tool by selecting in the menu bar File => Close. Start the LDAP server. You must update the billingdept group and delete the billingsecurity group. Skip the following step and continue at Updating the cn=billingdept,dc=ibm,dc=com using the Command Line.

Adding entries using the Command Line

If you prefer the command line to add entries, execute ldapadd with the input setup4.ldif file. During the execution the LDIF file adds entries for contractors Pavitr and Arval, the role uid=accessldapbind,cn=roles,dc=ibm,dc=com plus the cn=billingtemp,dc=ibm,dc=com and cn=accessldap,dc=ibm,dc=com groups. The two important options included in this ldapadd command are –a option indicating that the default operation is to add an entry and the –c option indicating that the processing should continue on error. The order of the parameters is important. For your LDAP configuration only cn=root can add or update entries. The LDAP server must be running if you use ldapadd.

 
ldapadd -a -c -h ldap://<ldaphostname> 
-D "cn=root" -w ibm4root  -f <ldif_directory_path>setup4.ldif 

Updating the cn=billingdept,dc=ibm,dc=com using the Command Line

If you used either the Directory Server Configuration Tool or the command line ldapadd, you added new entries to your LDAP tree. The cn=billingdept,dc=ibm,dc=com group needs to be updated to remove Diego Miralles since he is now a member of the cn=billingtemp,dc=ibm,dc=com group. The ldapadd command supports a replace paramenter, –r. Update the Billing Department LDAP using the following command.

 	
ldapadd -c -r -h ldap://<ldaphostname> 
-D "cn=root" -w ibm4root 
-f <ldif_directory_path>setup4.ldif  

Delete the cn=billingsecurity,dc=ibm,dc=com using the Command Line

At this point you must delete the group cn=billingsecurity,dc=ibm,dc=com. In the previous article you used the cn=billingsecurity,dc=ibm,dc=com and the BillingSecurityRole to restrict access to LDAP data to permanent members of the Billing Department. Now that temporary members of the Billing Department can access the LDAP data you no longer need this group. Remove the cn=billingsecurity,dc=ibm,dc=com group using the ldapdelete command.

 	
ldapdelete -h ldap://<ldaphostname> 
-D "cn=root" -w ibm4root "cn=billingsecurity,dc=ibm,dc=com"

Your LDAP entries should now be ready for use by your Green Page application.

Back to top

Installation of the Green Page application on the IBM Software Rational Development Platform

The Green Page application provided with this article will implement the design as defined by Barbara Jensen.

The GreenPage contains three parts:

• the AccessLDAP EJB,
• the BusinessRules EJB
• and the GreenPageWeb application.

Launch the IBM Software Rational Application Development Platform to review and test the parts of this enterprise application. Develop this project using the J2EE perspective. From the menu bar, navigate to Window =>Open Perspective =>J2EE.

Install the GreenPage enterprise application by selecting on the menu bar File => Import => EAR file. Press Next. Browse to the GreenPage.ear file. Set the Target Server to the one you built in the previous article, WebSphere v6.0 with LDAP. Click Finish to import the enterprise application.

This is a complete WebSphere application based on Barbara's design. It is ready to be deployed to your WebSphere Application Server. Review the implementation to understand the J2EE security design strategies.

Back to top

The GreenPageWeb dynamic web project

Using the Project Explorer, expand the directories in the Dynamic Web Projects => GreenPageWeb directory.

The GreenPageWeb requires the BusinessRules EJB project in its java build path. Right click on the GreenPageWeb, select Properties and then Java Build Path. Add the BusinessRules to the Projects tab. The GreenPageWeb application should never directly access the AccessLDAP EJB. Its interaction with LDAP must be through the BusinessRules EJB, which acts as the broker to the AccessLDAP EJB and subsequently the LDAP server.

This web application consists of two servlets: BillingDeptServlet and the GreenPageServlet. Seven JSPs are used. Three WebSphere security roles, BillingMgrRole, BillingTempRole and BillingDeptRole, restrict access to LDAP data and determine which JSP is displayed by the BillingDeptServlet.

Table 2. JSP, the servlet that invokes it, the security role, web page color and the JSP's purpose

JSP name	Invoked by Servlet	Security Role protecting JSP access	Page Color	Purpose of the JSP
billingDeptMgr.jsp	BillingDeptServlet	BillingMgrRole		This JSP is displayed for the Billing Department manager, Barbara Jensen.
billingDeptTemp.jsp	BillingDeptServlet	BillingTempRole		This JSP is displayed for the Billing Department temporary employees: Diego Miralles, Pavitr Prabhakar and Arval Benicoeur.
billingDeptUser.jsp	BillingDeptServlet	BillingDeptRole		This JSP is displayed for the Billing Department permanent employees: Stu Pretzman, Varad Singh, Steven Moyer, Carla VanDyke, Billy Parker and Susan Baker.
greenPage.jsp	GreenPageServlet	none		The Green Page is the public page for the Billing Department.
loginBillingDept.jsp	BillingDeptServlet	none		This is the logon page for the Billing Department.
loginBillingDept BadIdPass.jsp	BillingDeptServlet	none		If the user enters an incorrect user name or password then this is logon page for the Billing Department.
unauthorized.jsp	BillingDeptServlet	none		If the user enters a valid LDAP user id and password but the user is not a member of a Billing Department then this page is displayed.

The GreenPageWeb application consists of two servlets:

• the GreenPageServlet
• and the BillingDeptServlet.

The diagram below shows the design of the GreenPageServlet and its interaction with the AccessLDAP and BusinessRules EJB's.

The next diagram shows the more complex design of the BillingDeptServlet and its interaction with the AccessLDAP and BusinessRules EJB's. The colors associated with each of the security roles, BillingMgrRole, BillingTempRole and BillingDeptRole, are from the BillingDeptServlet JSP's. The division between the Public and Billing Department is only enforced by the security constrants placed on access to the BillingDeptServlet.

Both servlets use the BusinessRules EJB to obtain LDAP data. The BusinessRules EJB has no bean or method level security protection. It is set to run as uid=accessldapbind,cn=roles,dc=ibm,dc=com so that it can call the searchWithFilter() method in the AccessLDAP EJB. The searchWithFilter() method is available only to the AccessLDAPRole (cn=accessldap,dc=ibm,dc=com). The security mechanisms used in the EJB's will be discussed below.

In the BillingDeptServlet, the doGet() method uses the BusinessRules EJB to determine the role of the user. Based the user's role, the appropriate JSP is displayed. First the user is checked for membership to the BillingMgrRole [B]. If the user is the Billing Department manager, Barbara Jensen then the billingDeptMgr.jsp [C] will be displayed. If the user is a permanent member of the Billing Department [D] then the billingDeptUser.jsp [E] will be rendered. Since Barbara Jensen is a permanent member of the Billing Department, it is important that line [B] occur before [D]. Otherwise Barbara would never see the Billing Manager page. If the user is a contractor, then line [F] will evaluate to true and the billingDeptTemp.jsp [G] will be displayed. If all of these conditions fail then unauthorized.jsp [A] will be shown to user. Since the form login protects the access to this servlet, [A] should rarely be displayed.

After determining which JSP should be displayed to the user, the getAttributeValue() method is invoked and the BusinessRules EJB returns back the appropriate LDAP fields for this user. Unlike the determination of which JSP should be displayed the LDAP data is restricted by the business logic in the BusinessRules EJB. Any servlet can use the getAttributeValue() [H] method and the servlet can only display the attributes returned from the BusinessRules EJB. This BusinessRules prevents a servlet from determining which LDAP attributes it should display.

 			
public void doGet(HttpServletRequest req, HttpServletResponse resp) 
 throws ServletException, IOException {
final String sFunctionName = "doGet";
try {
	RequestDispatcher disp;
// assume an unauthorized user that doesn't belong here
[A]	String jspName = "unauthorized.jsp";
req.setAttribute("userID", req.getRemoteUser());

if (MiscFuncs.bMiscDebug) {
	MiscFuncs.printTrace(sClassName, sFunctionName, "get for "
		+ req.getRemoteUser());
	}
	try {
	if (null != businessRulesSession) {
// is this request from a manager of the billing department?
[B]	if (businessRulesSession.isManager()) {
[C]	jspName = "billingDeptMgr.jsp";
	}
// is this request from a permanent member of the billing
// department?
[D]	else if (businessRulesSession.isPermanent()) {
[E]	jspName = "billingDeptUser.jsp";
	}
// is this a request from a contractor?
[F]	else if (businessRulesSession.isTemporary()) {
[G]	jspName = "billingDeptTemp.jsp";
	}
try {
[H]	Attributes busAttr = businessRulesSession
			.loadRequest(req.getRemoteUser());
	if (null != busAttr) {
			if (MiscFuncs.bMiscDebug) {
			MiscFuncs.printTrace(sClassName, sFunctionName,
				"Business rules returned attributes");
			}
// attr
String attr = businessRulesSession
	.getAttributeValue(busAttr
	.get("userName"));
			MiscFuncs.printTrace(sClassName, sFunctionName,
				"attr " + attr);
			req.setAttribute("userName",
			businessRulesSession
				.getAttributeValue(busAttr
				.get("userName")));
			req.setAttribute("address", businessRulesSession
				.getAttributeValue(busAttr
				.get("postalAddress")));
			req.setAttribute("phone", businessRulesSession
				.getAttributeValue(busAttr.get("phone")));
			req.setAttribute("title", businessRulesSession
				.getAttributeValue(busAttr.get("title")));
			req.setAttribute("mobile",
				businessRulesSession
				.getAttributeValue(busAttr
				.get("mobile")));
	if (MiscFuncs.bMiscDebug) {
			MiscFuncs.printTrace(sClassName, sFunctionName,
				"servlet - business attribute user name "
				+ busAttr.get("userName")
				+ " address "
				+ busAttr.get("postalAddress")
				+ " phone "
				+ busAttr.get("phone")
				+ " mobile phone "
				+ busAttr.get("mobile")
				+ " title "
				+ busAttr.get("title"));
		}
	} else {
			MiscFuncs.printTrace(sClassName, sFunctionName,
				"Null attributes");
			}

// catch any authentication errors
	} catch (Throwable t) {
		if (MiscFuncs.bMiscDebug) {
			MiscFuncs.printTrace(sClassName, sFunctionName,
				"EJB error occurred for "
				+ req.getRemoteUser() + " Error : "
				+ t.toString());
			}
		}
	} else {
		MiscFuncs.printTrace(sClassName, sFunctionName, "Null EJB");
		}
// catch any authentication errors
	} catch (Throwable t) {
	if (MiscFuncs.bMiscDebug) {
		MiscFuncs.printTrace(sClassName, sFunctionName,
			"EJB error occurred for " + req.getRemoteUser()
			+ " Error : " + t.toString());
		}
	}
disp = getServletContext().getRequestDispatcher(jspName);
disp.forward(req, resp);
	} catch (Exception e) {
		MiscFuncs.handleException(sClassName, sFunctionName, e,
			"Exception occurred");
if (e instanceof ServletException) {
		throw ((ServletException) e);
	} else if (e instanceof IOException) {
		throw ((IOException) e);
	}
}
}

The GreenPageServlet renders the greenPage.jsp in the doGet() method. In its doPost() method the input from the Search for last name field is retrieved from the searchName field [I]. In the search name is not empty then the loadGreenPagesRequest() [J] in the BusinessRules EJB is invoked. If a result is returned from the LDAP search then it is inserted into the userName [K] and phone[L] fields. The loadGreenPagesRequest() method has no security constraints since the greenPage.jsp is a public web page.

 
public void doPost(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
final String sFunctionName = "doPost";
        try {
 // did the search name parameter get filled in?
[I]  Object searchNameObj = req.getParameter("searchName");
 // if null object from search name parameter don't bother calling
 // the
 // business session bean
 if (null != searchNameObj) {
String searchName = (String) searchNameObj;
 if (MiscFuncs.bMiscDebug) {
 MiscFuncs.printTrace(sClassName, sFunctionName,
     "search for " + searchName);
       }
       try {
 if (null != businessRulesSession) {
// 
 try {
[J] Attributes busAttr = businessRulesSession
  .loadGreenPagesRequest(searchName);
 // got an attributes object back from the EJB
 if (null != busAttr) {
// found a matching user name
if (null != businessRulesSession
 .getAttributeValue(busAttr
 .get("userName"))) {
[K] req.setAttribute("userName",
 businessRulesSession
  .getAttributeValue(busAttr
  .get("userName")));
[L] req.setAttribute("phone",
businessRulesSession
  .getAttributeValue(busAttr
  .get("phone")));
   }
 // null user name - did not find match
 // set return userName to <NOTFOUND>
else {
MiscFuncs.printTrace(sClassName,
sFunctionName, "Null user name");
req.setAttribute("userName", "<NOTFOUND>");
 }
if (MiscFuncs.bMiscDebug) {

MiscFuncs.printTrace(sClassName,
sFunctionName,
 "Greenpages business attribute user name "
+ busAttr.get("userName")
+ " phone "
 + busAttr.get("phone"));

 }
 }
// we should always get an attributes object back
// from the EJB.
else {
MiscFuncs.logError(sClassName, sFunctionName,
"Null busAttr object");

}

// catch any authentication errors
 } catch (Throwable t) {
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
 "EJB error occurred for "
+ req.getRemoteUser()
+ " Error : " + t.toString());
			}
		}
} else {
MiscFuncs.printTrace(sClassName, sFunctionName,
 "Null Business Rules EJB");
}
// catch any authentication errors
} catch (Throwable t) {
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"EJB error occurred for " 
+ req.getRemoteUser()
+ " Error : " + t.toString());
                    }
                }
            }
 // just display the greenPage.jsp no matter what.
RequestDispatcher disp = getServletContext().getRequestDispatcher(
"greenPage.jsp");
disp.forward(req, resp);

} catch (Exception e) {

MiscFuncs.handleException(sClassName, sFunctionName, e,
"Exception occurred");
if (e instanceof ServletException) {
throw ((ServletException) e);
            } else if (e instanceof IOException) {
 throw ((IOException) e);
            }
        }
}

On the Green Page you enter Ben* in the Search for last name field. Press the Search button. The searchName field [I] is set to Ben*. This value is sent to loadGreenPagesRequest() [J] in the BusinessRules EJB. The return value Arval Benicoeur is inserted into the userName [K] variable. The value +1 632 3299 is set in the phone [L] variable.

Back to top

Green Page Web deployment descriptor

If you open the web deployment descriptor, web.xml, and press the Servlets tab you will see the BillingDeptServlet and GreenPageServlet. The BillingDeptServlet is mapped to BillingDept and GreenPageServlet is mapped to GreenPage and *.

Select the Security tab. This application supports three different access roles: the Billing Department permanent member role (BillingDeptRole), the Billing Department manager role (BillingMgrRole) and the Billing Department temporary member role (BillingTempRole) . These correspond with the LDAP groups cn=billingdept,dc=ibm,dc=com, cn=billingdeptmgr,dc=ibm,dc=com and cn=billingtemp,dc=ibm,dc=com.

The table below shows the relationship between the WebSphere roles, the LDAP groups and the web application resources.

Table 3. Web resources and security roles

Role with Access	Servlet	JSP	Page Color	LDAP Attributes
BillingDeptRole mapped to cn=billingdept,dc=ibm,dc=com	BillingDeptServlet mapped to BillingDept	billingDeptUser.jsp		full user name address telephone number job title
BillingTempRole mapped to cn=billingtemp,dc=ibm,dc=com	BillingDeptServlet mapped to BillingDept	billingDeptTemp.jsp		full user name address telephone number
BillingMgrRole mapped to cn=billingdeptmgr,dc=ibm,dc=com	BillingDeptServlet mapped to BillingDept	billingDeptMgr.jsp		full user name address telephone number job title mobile telephone number

The restricted web resource for the GreenPage application, the mapping for the BillingDept servlet, must be protected by security constraints. Three security constraints have been created for the BillingDeptServlet. This servlet is contrained for use only by the BillingDeptRole, BillingTempRole or BillingMgrRole.

Click on the Pages tab. In the Login section the loginBillingDept.jsp is configured as the gatekeeper to the application. All Billing Department members must sign in using this form JSP in order to access the servlet. If an error occurs the loginBillingDeptBadIdPass.jsp is invoked. This second JSP prompts the user again for a correct user id and password.

The unauthorized.jsp is invoked whenever a 403 error occurs - the result of an LDAP user who is not a member of the Billing Department attempt to login.

Finally, press the Extensions tab. Class reloading is enabled for debugging. The default error page is unauthorized.jsp. This web application does not allow file serving, directory browsing or serving servlets by classname. The only access to web content for this application is through the BillingDeptServlet and GreenPageServlet servlets.

Back to top

Enterprise Java Bean Security

As you will discover later in this article when you review Billy Parker's Pink Page application, it is important to protect EJB data from unwanted access. The previous article, the BillingDepartmentEnhanced application used bean level security for the AccessLDAP EJB. Only members of the BillingSecurityRole could access LDAP data using the methods in the AccessLDAP EJB. However, this allowed anyone in the Billing Department who was a member of the BillingSecurityRole to write an application that could access whatever LDAP data they wanted.

Barbara's Green Page implementation refines this LDAP access. By using method and instance level security in an EJB you can limit access to certain LDAP attributes based on different security roles. If bean level security access were a sword then method and instance level would be a scalpel.

Back to top

BusinessRules Enterprise Java Bean

The Green Page application uses the BusinessRules EJB as the broker between web application and the LDAP data available from the AccessLDAP EJB. This EJB is the conduit to allow web applications to retrieve data from LDAP. In addition, it restricts the access to LDAP attributes based on a user's WebSphere security role.

The BusinessRules EJB needs the AccessLDAP EJB project in its java build path. Right click on the BusinessRules, select Properties and then Java Build Path. Add the AccessLDAP to the Projects tab.

The BusinessRules EJB supports the following six methods.

Table 4. Remote methods in the BusinessRules EJB

The loadRequest(String) is the critical method in the BusinessRules EJB for the BillingDeptServlet. This method secures the access to LDAP attributes at the instance level. Users in different roles who call this method receive a different return value. The input to loadRequest(String) is a Billing Department logon id along with the intrisic WebSphere security role for the user. At [M] the searchWithFilter() method in the AccessLDAP EJB is called with the search attribute uid. A complete list of Attributes is returned for the user. The caller's role is then checked to see if he is a member of the BillingMgrRole [N]. If the user is Barbara Jensen, Billing Department manager then her full name, address, telephone number, job title and mobile telephone number are returned to the BillingDeptServlet. If the caller is a contractor and a member of the BillingTempRole then at [O] the full name, address and telephone number are returned. Finally if the caller is a permanent member of the Billing Department and subsequently a member of BillingDeptRole then the full name, address, title and telephone number are returned at step [P]. Once again since Barbara is a member of both the BillingMgrRole and the BillingDeptRole it is important that [N] occurs before [P].

public Attributes loadRequest(String userID) {
     final String sFunctionName = "loadRequest";
     Attributes newAttr = new BasicAttributes();
     try {
[M]    Attributes attr = ldapSession.searchWithFilter("uid=" + userID);
         if (null != attr) 
// --------------------------------------------
// managers get
//  full user name
//  address
//  telephone number
//  job title
//  mobile telephone number
[N] if (mySessionCtx.isCallerInRole("BillingMgrRole")) {
newAttr.put("userName", getAttributeValue(attr.get("cn")));
newAttr.put("phone", getAttributeValue(attr
.get("telephoneNumber")));
newAttr.put("title", getAttributeValue(attr.get("title")));
newAttr.put("address", getAttributeValue(attr
.get("postalAddress")));
newAttr.put("mobile", getAttributeValue(attr
.get("mobile")));
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"completed lookup for Billing manager " + newAttr.get("userName")
+ "title " + newAttr.get("title")
+ " address "
+ newAttr.get("postalAddress")
+ " mobile phone "
+ newAttr.get("mobile") 
+ " name "
+ newAttr.get("userName")
+ " phone "
+ newAttr.get("phone"));
                  }
             }
// --------------------------------------------
// temporary workers get
//  full user name
//  address
//  telephone number
[O] else if (mySessionCtx.isCallerInRole("BillingTempRole")) {
newAttr.put("userName", getAttributeValue(attr.get("cn")));
newAttr.put("address", getAttributeValue(attr
.get("postalAddress")));
newAttr.put("phone", getAttributeValue(attr
.get("telephoneNumber")));
 if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"completed lookup for Temp worker " 
+ newAttr.get("userName")
+ " address "
+ newAttr.get("postalAddress")
+ " name "
+ newAttr.get("cn")
+ " phone "
+ newAttr.get("telephoneNumber"));
                 }
             }
 // --------------------------------------------
// billing department permanent worker
//  full user name
//  address
//  telephone number
//  job title
[P]  else if (mySessionCtx.isCallerInRole("BillingDeptRole")) {
newAttr.put("userName", getAttributeValue(attr.get("cn")));
newAttr.put("title", getAttributeValue(attr.get("title")));
newAttr.put("address", getAttributeValue(attr
.get("postalAddress")));
newAttr.put("phone", getAttributeValue(attr
.get("telephoneNumber")));
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"completed lookup for Generic user name " 
+ newAttr.get("cn")
+ " address "
+ newAttr.get("postalAddress")
+ "title " + newAttr.get("title")
+ " phone "
+ newAttr.get("telephoneNumber"));
                 }
             }
        } else {
MiscFuncs.printTrace(sClassName, sFunctionName,
"Null attributes");
            }
// catch any authentication errors
       } catch (Throwable t) {
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"EJB error occurred for " 
+ userID 
+ " Error : "
+ t.toString());
         }
      }
      return newAttr;
}

Back to top

BusinessRules EJB Deployment Descriptor

The deployment descriptor for BusinessRules EJB is simple. Since it is both a public and private Billing Department gateway to the LDAP data it has no bean or method level security.

Click on the Access tab. The Security Identity (Bean Level) is set to AccessLDAPRole. This changes the WebSphere role to any other EJB calls to AccessLDAPRole

The following diagram demonstrates how the Security Identity (Bean Level) works. Contractor Diego Miralles, uid=t0001,ou=people,dc=ibm,dc=com, displays the temporary Billing Department web page. This causes the BillingDeptServlet to invoke the loadRequest() method in the BusinessRules EJB. This request comes into the BusinessRules EJB with the BillingTempRole. The BusinessRules EJB must invoke the searchWithFilter() method in the AccessLDAP EJB to obtain the LDAP data for Diego. The BusinessRules EJB transforms the owner of this request to uid=accessldapbind,cn=roles,dc=ibm,dc=com, the only member of the AccessLDAPRole, before calling the AccessLDAP EJB.

Back to top

AccessLDAP Enterprise Java Bean

The final component for the Green Page application is the AccessLDAP EJB. This EJB is the conduit to allow the BusinessRules EJB to retrieve data from LDAP. TheAccessLDAP EJB has only one remote method, searchWithFilter(). Given an input LDAP search string, e.g. a company id uid=t0001, the LDAP tree is searched for a matching entry and the result is returned in an Attributes object. If no matching object is found a null is returned.

Back to top

AccessLDAP EJB Deployment Descriptor

Open the deployment descriptor for the AccessLDAP EJB. Click on the Beans tab. Select the AccessLDAPSession. Three Environment Variables must be configured for the AccessLDAP EJB. These define the name of the IBM Tivoli Directory Server, a user id and password. If you are not using localhost, edit the LDAP_SERVER variable and enter the name of your LDAP server. Click OK. The LDAP_USER and LDAP_PASSWORD should be correctly defined to uid=wsbind,cn=roles,dc=ibm,dc=com and was4me respectively.

Environment variables allow you to add configurable parameters to your enterprise application. These values can have a default setting and be altered during deployment.

Table 5. AccessLDAP EJB environment variables and default values

Click on the Assembly tab. Only another component running as a member of the AccessLDAPRole has permission to invoke the the searchWithFilter() method in the AccessLDAP EJB.

Back to top

Green Page Enterprise Application

Open the GreenPage.ear deployment descriptor. In the EAR deployment descriptor, press the Security tab. The AccessLDAPRole is mapped to the LDAP security group cn=accessldap,dc=ibm,dc=com.

The BillingTempRole roles for the temporary workers is mapped to the cn=billingtemp,dc=ibm,dc=com group.

In order to access your LDAP server from the AccessLDAP EJB you need to add server.jar to the Utility JARs. Right click on the Utility JARs, select Import and then File system. Click Next. Browse to <WAS Install Dir> \java\jre\lib\server.jar. Press Finish.

Back to top

Use of a was.policy file

Below is a diagram demonstrating how the was.policy works within the Green Page application.The first line, grant codeBase "file:AccessLDAP.jar", indicates that the AccessLDAP EJB code base will be given special permissions. The next line, permission java.net.SocketPermission "*:389", "connect", allows the AccessLDAP to connect to any LDAP server on port 389. The third line, permission java.lang.RuntimePermission "modifyThread", is needed by the implementation of the LDAP connection classes found in <WAS Install Dir> \java\jre\lib\server.jar.

Back to top

Installation of the Green Page Application on the WebSphere v6.0 Server

You are now ready to install the enterprise application. In the Servers view right click on your WebSphere v6.0 Server. Choose Start. After the server initializes right click and choose Run administrative console. When the console appears, in the left navigation tree, choose Applications => Enterprise Applications. Click on the Install button. Browse to the GreenPage.ear file.

Click Next. Do not override any bindings. Click Next again.

The Application Security Warnings page alerts you to the presence of a was.policy file in the GreenPage application. A WebSphere Application Server administrator should be aware of any extraordinary security warnings. On a production server you would limit the connection access to a single LDAP server using permission java.net.SocketPermission " LDAP Server Name :389", "connect". Press the Continue button.

On the Installation options panel, select the Enable class reloading checkbox for your test server. Click Next.

The GreenPage application has three modules displayed on the Map modules to servers panel. These modules are:

• the BusinessRulesSession EJB,
• the AccessLDAP EJB,
• the GreenPage web application.

In a production system the two EJB's may not reside on the same server as the web application. Click Next.

The Provide JNDI Names for Beans panel lists the Java Naming and Directory Interface (JNDI) name for the AccessLDAP and BusinessRulesSession EJB's. The JNDI names, ejb/AccessLDAP and ejb/BusinessRules are defined in their respective EJB deployment descriptors. The servlets and the BusinessRules EJB use these JNDI names to load the EJB's. Press the Next button.

The Map EJB references to beans panel shows that the BusinessRulesSession has a reference defined for ejb/AccessLDAP. The BusinessRulesSession acts as a gateway for the web application to the AccessLDAP. Since both EJB's reside on same server, you do not need to modify the JNDI reference ejb/AccessLDAP. Press the Next button.

Map virtual hosts for Web modules panel. Click Next.

On the Map security roles to users/groups panel, the correct LDAP groups should already be filled in for the four roles: , BillingDeptRole, BillingMgrRole, BillingTempRole and AccessLDAPRole. Press the Next button.

The Map RunAs roles to users panel will secure the access between the BusinessRulesSession and the AccessLDAP. The AccessLDAPRole must be mapped to a specific LDAP user. Enter the username uid=accessldapbind,cn=roles,dc=ibm,dc=com and was4me for the pasword. Select the checkbox next to AccessLDAPRole.

Click Apply. The Map RunAs roles to users panel should display the User name as uid=accessldapbind,cn=roles,dc=ibm,dc=com. Press Next.

The Ensure all unprotected 2.x methods have the correct level of protection panel allows you to modify the method security access to either EJB. The BusinessRulesSession has no method protection since it can be called by any web application. It restricts access to LDAP data by using programatic checking of security. The AccessLDAP needs only one protected method, searchWithFilter(). This method permission was defined in the AccessLDAP deployment descriptor. Keep the default methodProtection.uncheck. Click the Next button.

On the Summary panel just press the Finish button.

Save the configuration. You will return to the Enterprise Applications panel.

Enterprise applications are always left in the stopped state after installation. Start the GreenPage application by selecting the checkbox and pressing the Start button.

You are now ready to begin your testing.

Back to top

Using the Green Page Application

Launch the public web page in your web browser with the address http://localhost:9080/GreenPage/. The page lists all the user ids and passwords in addition to the link for the Billing Department login and a telephone search.

Click on the link for the Billing Department member. You will be directed to the login page. Enter c0001 for the user id and babs1me for the password. Press the Login button.

You should now be logged into the Billing Department secure page as Barbara Jensen. Using the LDAP data supplied by the BusinessRules EJB, Barbara's full name, title, address and business and mobile telephone numbers are displayed.

Press the Logout button. You will return to the login page.

On the login page enter invalid data for the user id and password. Click Login. You will be prompted again with an error message displayed on the page.

Now try Stu Pretzman, a permanent Billing Department member. Enter user id c0002 and retire1 for the password. Stu sees his full name, title, address and business telephone number.Press Logout.

Login as contractor Diego Miralles. Enter t0001 and money4me for the password. Press the Login button. Diego is temporary so his name and telephone number are displayed. Press Logout.

To test the protection against invalid access enter uid=accessldapbind,cn=roles,dc=ibm,dc=com and was4me. This is a valid LDAP user id and password but it not permitted any access to the Billing Department web site.

On the Green Page, enter Ben* in the Search for last name field. Press the Search button. Arval Benicoeur's telephone number should be displayed. Close your web browser.

The figure below shows the relationship between the Billing Department members, their security roles and the pages that they can view. Barbara Jensen is a member of both the BillingDeptRole and the BillingMgrRole roles. However the web application will display the Billing Department manager page (light yellow) for her. The permanent members can only see the secure page for the Billing Department (grey). Diego Miralles, Pavitr Prabhakar and Arval Benicoeur view the temporary Billing Department member page (dark yellow).

Back to top

Billy's Requirements for his Pink Page

Billy Parker's desire to discover Carla Van Dyke's mobile telephone number inspires him to implement a concept that he names the Pink Page. Pink is Carla's favorite color. Billy designs his Pink Page to bypass the Business Rules session bean and directly connect to the AccessLDAP session bean. Once his web application connects to the AccessLDAP session bean, it will perform an LDAP search for Carla's mobile telephone number. Billy will use this information to call her for a date.

If your EJB security is working properly, Billy's Pink Page will not be able to connect to the AccessLDAP. The Websphere security role AccessLDAPRole should prevent access to any methods in the AccessLDAP EJB. Carla will be able to enjoy her quiet evenings without any interruptions from Billy.

Back to top

Installation of the Pink Page application on the IBM Software Rational Development Platform

The Pink Page application provided with this article will implement the devious design as defined by Billy Parker.

Like Barbara's Green Page, Billy's Pink Page also contains three parts:

• the BusinessRules EJB,
• the AccessLDAP EJB and
• the PinkPageWeb application.

Install the PinkPage enterprise application by selecting on the menu bar File => Import => EAR file. Press Next. Browse to the PinkPage.ear file. Set the Target Server to the one you used for the Green Page. Click Finish to import the enterprise application.

This is a complete WebSphere application and ready to be deployed to a WebSphere Application Server. Review Billy's crafty implementation in the sections below to understand his mischevious design strategies and how they are foiled by the EJB security model.

Back to top

The PinkPageWeb dynamic web project

Using the Project Explorer, expand the directories in the Dynamic Web Projects =>PinkPageWeb directory.

The PinkPageWeb requires the AccessLDAP and BusinessRules EJB projects in its java build path. Right click on the PinkPageWeb, select Properties and then Java Build Path. Add the AccessLDAP and BusinessRules to the Projects tab. Both of these EJB's are deployed on the Billing Department's server to support Barbara's Green Page application. In a production environment Billy would make his PinkPageWeb application reference the existing EJB's. His PinkPageWeb application will attempt to access the AccessLDAP EJB and bypass the BusinessRules EJB. Billy hopes that this will permit his Pink Page application to gain unprotected access to the LDAP data and subsequently Carla's mobile telephone number.

The BusinessRules EJB needs the AccessLDAP EJB project in its java build path. Right click on the BusinessRules EJB, select Properties and then Java Build Path. Add the AccessLDAP to the Projects tab.

This web application consists of two servlets: HelloCarlaServlet and the PinkPageServlet. Billy coded five JSPs. Billy is familiar with only one WebSphere security role, BillingDeptRole. Since he is a permanent Billing Department member, he is a member of that role. Billy hopes by writing a servlet that uses the BillingDeptRole for security, he will be able to directly invoke the AccessLDAP EJB.

Table 6. JSP, the servlet that invokes it, the security role, web page color and the JSP's purpose

JSP name	Invoked by Servlet	Security Role protecting JSP access	Page Color	Billy's Purpose for the JSP
helloCarla.jsp	HelloCarlaServlet	BillingDeptRole		Billy hopes that this JSP will display Carla's mobile telephone number. It also contains a script inviting her to the Red Dragon Chinese Restaurant and then to the new kick boxing movie, Terrible Fists of the LDAP Monkey.
loginBilly.jsp	HelloCarlaServlet	BillingDeptRole		This is the logon page for Billy Parker.
billingDeptUser.jsp	HelloCarlaServlet	BillingDeptRole		This is the logon page displayed if Billy happens to make a mistake during logon. Of course, Billy rarely makes mistakes.
youAreNotBilly.jsp	HelloCarlaServlet	none		If someone other than Billy attempts to logon to this application then this page is displayed.
pinkPage.jsp	PinkPageServlet	none		This is the public page to begin Billy's quest to find Carla's mobile telephone number.

The PinkPageWeb application consists of two servlets:

• the PinkPageServlet
• and the HelloCarlaServlet.

The interesting portion of Billy's code is located in the HelloCarlaServlet. The loadRequest() and doGet() methods demonstrate Billy's attempt to retrieve Carla's mobile telephone number from LDAP. At [Q], the searchWithFilter() method from the AccessLDAP EJB is invoked with the search parameter cn=Carla VanDyke. Billy's servlet is running under the BillingDeptRole It does not have the correct role to access the AccessLDAP EJB. An Authorization exception is thrown and caught at [R]. If the BillingDeptRole could invoke the searchWithFilter() method then at [T] it would set the mobile servlet request variable to the LDAP value. The BusinessRules EJB is instantiated so that the getAttributeValue() can be called should [T] ever occur. However, if the EJB security is working properly then at [U] the mobile servlet request variable is set to Access Denied. At [S] Billy has hardcoded a check that will only allow his user id, c0006, to display the helloCarla.jsp. All other users in the Billing Department will see youAreNotBilly.jsp. Hardcoding user ids into a servlet is a very bad practice.

private Attributes loadRequest(String commonName) {
final String sFunctionName = "loadRequest";
Attributes newAttr = null;
try {
MiscFuncs.printTrace(sClassName, sFunctionName,
"Search filter cn=" + commonName);
[Q]  newAttr = ldapSession.searchWithFilter("cn=" + commonName);
if (null != newAttr) {
// use the business rules session bean to get the attribute
// value.
newAttr.put("userName", businessRulesSession
.getAttributeValue(newAttr.get("cn")));
newAttr.put("mobile", businessRulesSession
.getAttributeValue(newAttr.get("mobile")));
if (MiscFuncs.bMiscDebug) {
MiscFuncs
.printTrace(sClassName, sFunctionName,
"Load request data "
+ newAttr.get("userName")
+ " mobile "
+ newAttr.get("mobile"));
}
} else {
"Null attributes");
}
// catch any authentication errors
[R]  } catch (Throwable t) {
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"EJB error occurred for " + commonName + " Error : "+ t.toString());
         }
     }
return newAttr;
}

   
public void doGet(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
final String sFunctionName = "doGet";
try {
String jspFile = "youAreNotBilly.jsp";
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName, "get for "
+ req.getRemoteUser());
        }
// for the helloCarla.jsp to display:
// - user must be Billy (c0006)
// - and the servlet must have an Access EJB reference
 [S]  if (("c0006".equals(req.getRemoteUser())) && (null != ldapSession)) {
 jspFile = "helloCarla.jsp";
// search for Carla's mobile phone number.
final String searchName = "Carla VanDyke";
MiscFuncs.printTrace(sClassName, sFunctionName,
"Start the search for " + searchName);
Attributes userAttr = null;
userAttr = loadRequest(searchName);
// got an attributes object back from the EJB
if (null != userAttr) {
// set the request attribute of mobile.
[T]  req.setAttribute("mobile", businessRulesSession
.getAttributeValue(userAttr.get("mobile")));
if (MiscFuncs.bMiscDebug) {
MiscFuncs.printTrace(sClassName, sFunctionName,
"Found mobile phone number "
+ businessRulesSession
.getAttributeValue(userAttr
.get("mobile")));
                }
             }
// we should always get an attributes object back
// from the EJB.
else {
MiscFuncs.logError(sClassName, sFunctionName,
"Null userAttr object");
[U] req.setAttribute("mobile", "Access Denied");
             }
} else {
MiscFuncs.printTrace(sClassName, sFunctionName,
"Null LDAP access EJB");
req.setAttribute("mobile", "Access Denied");
         }
// just display the helloCarla.jsp
RequestDispatcher disp = getServletContext().getRequestDispatcher(
 jspFile);
disp.forward(req, resp);
     } catch (Exception e) {

MiscFuncs.handleException(sClassName, sFunctionName, e,
"Exception occurred");
if (e instanceof ServletException) {
 throw ((ServletException) e);
         } else if (e instanceof IOException) {
 throw ((IOException) e);
         }
     }
 }

Back to top

Installation of the Pink Page Application on the WebSphere v6.0 Server

You are now ready to install Billy's enterprise application. In the Servers view right click on your WebSphere v6.0 Server. Choose Start. After the server initializes right click and choose Run administrative console. When the console appears, in the left navigation tree, choose Applications => Enterprise Applications. Click on the Install button. Browse to the PinkPage.ear file.

Click Next. Do not override any bindings. Click Next again.

The Application Security Warnings page alerts you to the presence of a was.policy file in the PinkPage application. Billy would never let security warnings stop him from his pursuit of Carla's cellular phone number. Press the Continue button.

On the Installation options panel, click Next.

Billy's PinkPage application has three modules displayed on the Map modules to servers panel. These modules are:

• the BusinessRulesSession EJB,
• the AccessLDAP EJB,
• the PinkPage web application.

In a production system the two EJB's would not reside in Billy's web application. Click Next.

The Provide JNDI Names for Beans panel lists the Java Naming and Directory Interface (JNDI) name for the AccessLDAP and BusinessRulesSession EJB's. The JNDI names, ejb/AccessLDAP and ejb/BusinessRules are defined in their respective EJB deployment descriptors. The servlets and the BusinessRules EJB use these JNDI names to load the EJB's. Press the Next button.

The Map EJB references to beans panel shows that the BusinessRulesSession has a reference defined for ejb/AccessLDAP. Press the Next button.

Map virtual hosts for Web modules panel. Click Next.

On the Map security roles to users/groups panel, the correct LDAP groups should already be filled in for the two roles, BillingDeptRole and AccessLDAPRole. Press the Next button.

The Map RunAs roles to users panel will secure the access between the BusinessRulesSession and the AccessLDAP. The AccessLDAPRole must be mapped to a specific LDAP user. Billy doesn't know the correct user id or password for the AccessLDAPRole. This security role keeps his Pink Page application from accessing the LDAP data. Press Next.

The Ensure all unprotected 2.x methods have the correct level of protection panel allows you to modify the method security access to either EJB. Billy certainly does not want to increase any EJB security. He is having enough trouble with the existing method and instance level EJB security. Click the Next button.

On the Summary panel press the Finish button.

Save the configuration. You will return to the Enterprise Applications panel.

Enterprise applications are always left in the stopped state after installation. Start the PinkPage application by selecting the checkbox and pressing the Start button.

You are now ready to attempt to discover Carla's mobile telephone number.

Back to top

Using Billy's Pink Page Application

Launch Billy's web page in your web browser with the address http://localhost:9080/PinkPage/. The page lists Billy's user id and password and a link for the login.

Click on the link for If you want to discover Carla Van Dyke's home telephone number.... You will be directed to the login page. Enter c0006 for the user id and password gun2s3. Press the Login button.

You should now be logged into the Hello Carla secure page. Billy hopes that using the LDAP data supplied by the AccessLDAP EJB, Carla's mobile telephone number will be displayed. Of course, the EJB security should prevent this scenario from occurring. Note the Access Denied message.

In the WebSphere Application server log you will find the following message:

00000026 SecurityColla A   
SECJ0053E: Authorization failed for localhost:389/c0006 
while invoking (Bean)ejb/AccessLDAP 
searchWithFilter(java.lang.String):
1 securityName: localhost:389/c0006;
accessID: user:localhost:389/uid=c0006,ou=people,dc=ibm,dc=com 
is not granted any of the required roles: AccessLDAPRole 

Press the Logout button. You will return to Billy's login page. Now try using the user id, c0006, with an invalid password, was4me. You are prompted to logon using the following screen.

Finally try logging on as Barbara Jensen with her user id c0001 and password babs1me. Since Billy has added [S] to the servlet, only his user id has access. Barbara will see the following page.

Billy's romantic plans have been thwarted due to EJB security.

Back to top

Conclusion

In this article you learned how to refine your LDAP group structure and your EJB security methods.

• You can restrict access to LDAP data based on WebSphere Roles.
• You understand how to use method and instance level EJB security and the underlying LDAP groups.
• You know how to protect your data from access by crafty employees such as Billy Parker.

Back to top

Download

	Information about download methods

Resources

• The IBM Tivoli Directory Server for Windows is available from IBM
  
  
• A very good web resource for LDAP is the The Directory Pages.
  
  
• To learn more about WebSphere Application Server version 6, visit the WebSphere Infocenter site..
  
  
• Get more information regarding the IBM Tivoli Directory Server by participating in Security Management developerWorks forum.
  
  
• The WebSphere Application Server has a lively community in the WebSphere developerWorks forum.
  
  
• Share you experiences with other developers on the Rational Software Application Developer forum.
  
  
• IBM offers a wide range of Software Services for WebSphere.
  

About the authors

		Fred Simmons is a consultant for Software Services for WebSphere at IBM.

		Jeng Yoong Tan is a consultant for Software Services for WebSphere at IBM.

Rate this page