Topic
  • 11 replies
  • Latest Post - ‏2013-10-25T15:50:46Z by gas
zach_c
zach_c
11 Posts

Pinned topic JEE security roles mapping to LDAP user groups with WebSeal

‏2013-10-04T00:13:19Z |

How can I map the roles that are defined in my web.xml (e.g. "upload", "delete") to the user groups defined in LDAP? I have tried using ibm-application-bnd.xml. This works in my local env, which doesn't use LDAP (it uses WAS/Portal internal users & groups), but fails in the dev test environment that does have LDAP. I have verified that the users I log in with are members of the appropriate group and that those users and groups are defined in LDAP. However, request.isUserInRole() always returns false. I am a dev, not an admin. WAS/Portal 7.0 and WebSeal 6.

web.xml

<security-role>
  <description>Access to upload</description>
  <role-name>upload</role-name>
</security-role>
<security-role>
  <description>Access to delete</description>
  <role-name>delete</role-name>
</security-role>

 

ibm-application-bnd.xml

<security-role name="upload">
  <group name="cn=uploadersinternal,ou=groups,dc=mydomain,dc=com"  />
</security-role>
<security-role name="delete">
  <group name="cn=deletersinternal,ou=groups,dc=mydomain,dc=com" />
</security-role>

also tried...

<security-role name="upload">
  <group name="uploadersinternal" access-id="group:my-ip:my-port/cn=uploadersinternal,ou=groups,dc=mydomain,dc=com" />
</security-role>
<security-role name="delete">
  <group name="deletersinternal" access-id="group:myRealmName/cn=deletersinternal,ou=groups,dc=mydomain,dc=com" />
</security-role>

 

Updated on 2013-10-08T16:49:51Z by zach_c
  • gas
    gas
    922 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-07T08:39:49Z  

    Hi,

    In the ibm-application-bnd.xmi file you should have something like this:

    <authorizationTable xmi:id="AuthorizationTable_1">
      <authorizations xmi:id="RoleAssignment_1">
        <role href="META-INF/application.xml#SecurityRole_1183122147906"/>
        <groups xmi:id="Group_1381134275500" name="mygroup1" accessId="group:defaultWIMFileBasedRealm/CN=mygroup1,CN=Users,DC=demo,DC=com"/>
      </authorizations>
    </authorizationTable>
     

    However, the exact form of the accessId depends on your security configuration (whether you use a federated or a stand-alone LDAP).

    The best way to do it is map users to roles during application installation (in map users step) or post installation via applications ->application name -> Security role mapping.

    Then save the changes and export the application. In the exported EAR you will find the updated ibm-application-bnd file for further usage.

    Gas

  • zach_c
    zach_c
    11 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-07T17:01:42Z  
    • gas
    • ‏2013-10-07T08:39:49Z

    Hi,

    In the ibm-application-bnd.xmi file you should have something like this:

    <authorizationTable xmi:id="AuthorizationTable_1">
      <authorizations xmi:id="RoleAssignment_1">
        <role href="META-INF/application.xml#SecurityRole_1183122147906"/>
        <groups xmi:id="Group_1381134275500" name="mygroup1" accessId="group:defaultWIMFileBasedRealm/CN=mygroup1,CN=Users,DC=demo,DC=com"/>
      </authorizations>
    </authorizationTable>
     

    However, the exact form of the accessId depends on your security configuration (whether you use a federated or a stand-alone LDAP).

    The best way to do it is map users to roles during application installation (in map users step) or post installation via applications ->application name -> Security role mapping.

    Then save the changes and export the application. In the exported EAR you will find the updated ibm-application-bnd file for further usage.

    Gas

    Generating the mappings through the admin console produced the following output in ibm-application-bnd.xml:

    <security-role name="delete">
      <group name="cn=deletersinternal,ou=groups,dc=mydomain,dc=com" access-id="group:1.1.1.1:392/cn=deletersinternal,ou=groups,dc=mydomain,dc=com" />
    </security-role>

    [where "1.1.1.1" and "mydomain" are replaced by my real IP and domain]

    However, this is still not working. Also, where did you get the <authorizationTable>? I don't see this tag available in the schema?

  • gas
    gas
    922 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-07T19:59:50Z  
    • zach_c
    • ‏2013-10-07T17:01:42Z

    Generating the mappings through the admin console produced the following output in ibm-application-bnd.xml:

    <security-role name="delete">
      <group name="cn=deletersinternal,ou=groups,dc=mydomain,dc=com" access-id="group:1.1.1.1:392/cn=deletersinternal,ou=groups,dc=mydomain,dc=com" />
    </security-role>

    [where "1.1.1.1" and "mydomain" are replaced by my real IP and domain]

    However, this is still not working. Also, where did you get the <authorizationTable>? I don't see this tag available in the schema?

    IP:port suggests that you are using a stand-alone LDAP configuration. Any reason why you are not using a federated registry with an added LDAP repository?

    If you are using the stand-alone LDAP registry configuration, ensure that "Group member ID map" is set correctly and that the LDAP type is Active Directory.

    It looks like your groups are correctly found in the registry; however, the user-to-group association is not working.

    authorizationTable is from the older .xmi files; for .xml files your form is correct.

  • zach_c
    zach_c
    11 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-08T16:48:18Z  

    I verified today that this issue occurs when logged in through WebSeal. When I log in directly to WAS/Portal the security roles/mapping work as expected. Any suggestions on how WebSeal would impact this issue?

  • gas
    gas
    922 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-08T21:54:31Z  
    • zach_c
    • ‏2013-10-08T16:48:18Z

    I verified today that this issue occurs when logged in through WebSeal. When I log in directly to WAS/Portal the security roles/mapping work as expected. Any suggestions on how WebSeal would impact this issue?

    In the case of WebSeal, here are some suggestions (probably WebSeal is not passing the groups correctly):

    - verify that WAS and WebSeal are using same LDAP
    - are you using LTPA integration or TAI? is the configuration correct?

    You can check which groups are passed with the current user using code like this (simplified):

    import java.util.ArrayList;
    import java.util.Set;
    import javax.security.auth.Subject;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.websphere.security.cred.WSCredential;
    Subject callerSubject = WSSubject.getCallerSubject(); // caller of the current thread; null if unauthenticated
    Set<WSCredential> credentials = callerSubject.getPublicCredentials(WSCredential.class);
    WSCredential cred = credentials.iterator().next();
    ArrayList groupIds = cred.getGroupIds(); // group access IDs of the form group:<realm>/<group>
    System.out.println("getGroupIds: " + groupIds);

    Check if groupIds is not empty.
     

     
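    To see the whole picture in one place, here is an added diagnostic servlet (hypothetical, not code from this thread or from WebSphere): it prints the caller's WSCredential realm, unique name and group access IDs next to isUserInRole() for the two roles from the web.xml above, so the gap between the groups WebSeal delivers and the groups bound in ibm-application-bnd.xml shows up in a single response. The class name and URL mapping are assumptions; map it in web.xml under a role-protected URL in a test environment.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;

// Hypothetical diagnostic servlet (added example): shows the caller's WSCredential
// next to isUserInRole() for each role declared in web.xml, so a mismatch between
// delivered group access IDs and the access-id values bound in the bnd file is visible.
public class RoleDiagServlet extends HttpServlet {
    // Role names from the web.xml in the thread.
    private static final List<String> ROLES = Arrays.asList("upload", "delete");

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("remote user : " + req.getRemoteUser());
        try {
            Subject caller = WSSubject.getCallerSubject();
            if (caller == null) {
                out.println("no caller subject: request is unauthenticated");
                return;
            }
            Set<WSCredential> creds = caller.getPublicCredentials(WSCredential.class);
            for (WSCredential cred : creds) {
                out.println("realm       : " + cred.getRealmName());
                out.println("unique name : " + cred.getUniqueSecurityName());
                // Each entry is group:<realm>/<group>; with a stand-alone LDAP the realm is
                // host:port (e.g. 1.1.1.1:392), so the bnd access-id must match it exactly.
                ArrayList<?> groupIds = cred.getGroupIds();
                out.println("group ids   : " + groupIds);
            }
        } catch (Exception e) {
            out.println("could not read WSCredential: " + e);
        }
        for (String role : ROLES) {
            out.println("isUserInRole(" + role + ") = " + req.isUserInRole(role));
        }
    }
}
```

    Call it once through the WebSeal junction and once logged in directly to WAS/Portal; the two group-ID lists are what the role mapping is compared against.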

  • zach_c
    zach_c
    11 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-09T17:06:47Z  
    • gas
    • ‏2013-10-08T21:54:31Z

    In the case of WebSeal, here are some suggestions (probably WebSeal is not passing the groups correctly):

    - verify that WAS and WebSeal are using same LDAP
    - are you using LTPA integration or TAI? is the configuration correct?

    You can check which groups are passed with the current user using code like this (simplified):

    import java.util.ArrayList;
    import java.util.Set;
    import javax.security.auth.Subject;
    import com.ibm.websphere.security.auth.WSSubject;
    import com.ibm.websphere.security.cred.WSCredential;
    Subject callerSubject = WSSubject.getCallerSubject(); // caller of the current thread; null if unauthenticated
    Set<WSCredential> credentials = callerSubject.getPublicCredentials(WSCredential.class);
    WSCredential cred = credentials.iterator().next();
    ArrayList groupIds = cred.getGroupIds(); // group access IDs of the form group:<realm>/<group>
    System.out.println("getGroupIds: " + groupIds);

    Check if groupIds is not empty.
     

     

    WebSeal/TAM and WAS each have their own LDAP. Yes, the WAS LDAP is stand-alone. I do not know why we are not using a federated registry. I believe the "Group member ID map" is groupOfNames:member. LTPA tokens are used, and I see TAI entries for com.ibm.portal.auth.tai.HTTPBasicAuthTAI and com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus.

    OK, using the code you provided I see that when logged in through WebSeal I see the groups defined for the WebSeal TAM LDAP, which is a basic group that says I can access the WAS/Portal app behind WebSeal. When logged in directly through WAS/Portal I see the groups (e.g. uploadersinternal) that I would expect/need for role-based authorizations.

    This environment has been in place for years, this is just the first time we have tried to implement JEE programmatic role based authorizations from our app code. Thank you.

  • gas
    gas
    922 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-10T11:13:39Z  
    • zach_c
    • ‏2013-10-09T17:06:47Z

    WebSeal/TAM and WAS each have their own LDAP. Yes, the WAS LDAP is stand-alone. I do not know why we are not using a federated registry. I believe the "Group member ID map" is groupOfNames:member. LTPA tokens are used, and I see TAI entries for com.ibm.portal.auth.tai.HTTPBasicAuthTAI and com.ibm.ws.security.web.TAMTrustAssociationInterceptorPlus.

    OK, using the code you provided I see that when logged in through WebSeal I see the groups defined for the WebSeal TAM LDAP, which is a basic group that says I can access the WAS/Portal app behind WebSeal. When logged in directly through WAS/Portal I see the groups (e.g. uploadersinternal) that I would expect/need for role-based authorizations.

    This environment has been in place for years, this is just the first time we have tried to implement JEE programmatic role based authorizations from our app code. Thank you.

    You're welcome.
    Recommended practice in the case of WebSeal/TAM is to use the same LDAP in WAS, to avoid situations like yours where the directories are not in sync.

    Gas

  • zach_c
    zach_c
    11 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-10T12:13:10Z  
    • gas
    • ‏2013-10-10T11:13:39Z

    You're welcome.
    Recommended practice in the case of WebSeal/TAM is to use the same LDAP in WAS, to avoid situations like yours where the directories are not in sync.

    Gas

    I seriously doubt that those who manage our ldaps will make any changes and we will have to remain with two separate ldaps. Is there any way that you know of to still make this work in this case? Otherwise we have to drop the JEE security and come up with a custom security implementation, which would be a shame.

  • gas
    gas
    922 Posts

    Re: JEE security roles in web.xml map to LDAP user groups

    ‏2013-10-11T13:23:44Z  
    • zach_c
    • ‏2013-10-10T12:13:10Z

    I seriously doubt that those who manage our ldaps will make any changes and we will have to remain with two separate ldaps. Is there any way that you know of to still make this work in this case? Otherwise we have to drop the JEE security and come up with a custom security implementation, which would be a shame.

    Hmm... The best would be to add the required groups to the TAM LDAP. But if you can't do it and your primary user registry is in fact the WAS LDAP, you could do the following:

    1) Bypass WebSeal and authenticate directly on WAS (you just allow everybody when configuring the URI for the portal in WebSeal)

    2) ...or only pass the userID from WebSeal to WAS. I didn't configure WAS with WebSeal lately, but it should be possible to set the junction to use an LTPA token instead of iv-creds. Then WAS will only receive the userId from WebSeal and will load the groups from its local LDAP. You will need to export the LTPA key from WAS and add it to the WebSeal config. You will also need to disable TAI++ in that case, as LTPA will be responsible for authentication.
     

  • zach_c
    zach_c
    11 Posts

    Re: JEE security roles mapping to LDAP user groups with WebSeal

    ‏2013-10-25T15:39:00Z  

    Our WebSeal/TAM protects other stand-alone apps in other environments, which is why it is vanilla and does not contain application specific user groups. We are looking into the Extended Tivoli Access Manager Trust Association Interceptor Plus to potentially not use the groups that come from TAM, but use the ones that come from WAS/Portal.

    http://www-01.ibm.com/support/docview.wss?uid=swg24016601

  • gas
    gas
    922 Posts

    Re: JEE security roles mapping to LDAP user groups with WebSeal

    ‏2013-10-25T15:50:46Z  
    • zach_c
    • ‏2013-10-25T15:39:00Z

    Our WebSeal/TAM protects other stand-alone apps in other environments, which is why it is vanilla and does not contain application specific user groups. We are looking into the Extended Tivoli Access Manager Trust Association Interceptor Plus to potentially not use the groups that come from TAM, but use the ones that come from WAS/Portal.

    http://www-01.ibm.com/support/docview.wss?uid=swg24016601

    Hi,

    Have you tried to configure the junction for your portal to use LTPA? It might be easier to configure than using the Extended TAI.

    http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/topic/com.ibm.itame.doc_6.0/rev/am60_webseal_admin206.htm?path=3_10_3_6_0_6_0_2_1_10_0_3#sso-ltpa-websphere

    Changing one junction shouldn't be a problem, unless you have only one junction for all apps.

    Gas