Topic
  • 2 replies
  • Latest Post - ‏2013-10-28T10:26:07Z by S7DB_Marius_Venter
S7DB_Marius_Venter
2 Posts

Pinned topic WAS 8.5.0 JEE Security exclude rest resource

‏2013-10-25T05:17:27Z |

Hi

I am having a problem with my JEE security after enabling Application Security in WAS 8.5.0 ND. This is a stateless application that provides JAX-RS services to clients. Once a client logs in via the login REST service, a token is returned to the client. On subsequent calls the client returns the token to the server, and I have a custom TAI to validate the token.

My problem is that after I enable application security, WebSphere seems to ignore the <security-constraint> I've added to allow access to the login service without the client needing to be logged in.

Here is a piece of my web.xml for the JEE application.

<security-role>
  <role-name>users</role-name>
</security-role>
<!-- Private: every URL under /rest/ requires an authenticated caller in role "users" -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private</web-resource-name>
    <description>Matches all pages.</description>
    <url-pattern>/rest/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>users</role-name>
  </auth-constraint>
</security-constraint>
<!-- Public: exact pattern, so it takes precedence over the /rest/* prefix match;
     every HTTP method is listed so that none is left uncovered -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public</web-resource-name>
    <description>Do not authenticate for these pages.</description>
    <url-pattern>/rest/Users/Login</url-pattern>
    <http-method>DELETE</http-method>
    <http-method>PUT</http-method>
    <http-method>HEAD</http-method>
    <http-method>OPTIONS</http-method>
    <http-method>TRACE</http-method>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
  <!-- No auth-constraint means everybody has access! -->
</security-constraint>

The first constraint, called Private, works; however, the second one, called Public, seems to be ignored, and WAS requires the client to be logged in for it to be available.

Does anyone have any idea?
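
Before blaming the container, it helps to work out what the deployment descriptor by itself grants. The script below is an added example written for this thread; it is not code from the original post and not WebSphere's own matching code. It parses the two constraints above (re-typed inline as a constructed web.xml, assumed to be the complete set of constraints) and applies the Servlet 3.0 rules: the best-matching url-pattern wins (exact beats path prefix, which beats extension, which beats the default "/"), a web-resource-collection that lists http-methods covers only those methods, and on the selected pattern an empty auth-constraint denies everyone, a missing auth-constraint admits everyone, and named roles are unioned. It deliberately ignores any container-level setting such as the WAS option the thread ends on, which sits outside the descriptor.

```python
import xml.etree.ElementTree as ET

# Constructed input: the two constraints from the post, wrapped in a minimal
# <web-app> root so the fragment parses on its own.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Private</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>users</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public</web-resource-name>
      <url-pattern>/rest/Users/Login</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>PUT</http-method>
      <http-method>HEAD</http-method>
      <http-method>OPTIONS</http-method>
      <http-method>TRACE</http-method>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
</web-app>"""


def _kids(el, name):
    """Child elements named `name`, ignoring any XML namespace prefix."""
    return [c for c in el if c.tag.rsplit("}", 1)[-1] == name]


def parse_constraints(xml_text):
    """One dict per <security-constraint>. roles is None when <auth-constraint>
    is absent (anyone may access) and [] when present but empty (nobody may)."""
    out = []
    for sc in _kids(ET.fromstring(xml_text), "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        roles = [r.text.strip() for r in _kids(auth[0], "role-name")] if auth else None
        patterns, methods = [], set()
        for wrc in _kids(sc, "web-resource-collection"):
            patterns += [p.text.strip() for p in _kids(wrc, "url-pattern")]
            methods |= {m.text.strip().upper() for m in _kids(wrc, "http-method")}
        out.append({"patterns": patterns, "methods": methods, "roles": roles})
    return out


def match_rank(pattern, path):
    """Servlet-spec match precedence: exact > longest path prefix > extension > default.
    Returns a comparable tuple, or None if the pattern does not match the path."""
    if pattern == path:
        return (3, 0)
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))
    elif pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)
    elif pattern == "/":
        return (0, 0)
    return None


def authorization_for(constraints, method, path):
    """What the descriptor alone says about METHOD PATH:
    ("unprotected", None), ("roles", {...}) or ("denied", None)."""
    method = method.upper()
    ranks = [match_rank(p, path) for c in constraints for p in c["patterns"]]
    best = max((r for r in ranks if r is not None), default=None)
    if best is None:
        return ("unprotected", None)
    # Only constraints on the best-matching pattern count, and a collection that
    # lists <http-method>s covers just those methods (Servlet 3.0, 13.8.3).
    applicable = [c for c in constraints
                  if any(match_rank(p, path) == best for p in c["patterns"])
                  and (not c["methods"] or method in c["methods"])]
    if not applicable:   # uncovered method: accepted without authentication
        return ("unprotected", None)
    # Combination rules (Servlet 3.0, 13.8.1): an empty <auth-constraint> denies
    # everyone and overrides the rest; a missing one allows unauthenticated
    # access; otherwise the permitted roles are the union.
    if any(c["roles"] == [] for c in applicable):
        return ("denied", None)
    if any(c["roles"] is None for c in applicable):
        return ("unprotected", None)
    return ("roles", set().union(*(c["roles"] for c in applicable)))


if __name__ == "__main__":
    cs = parse_constraints(WEB_XML)
    for m, p in [("GET", "/rest/Users/Login"), ("GET", "/rest/Users/Profile"),
                 ("PATCH", "/rest/Users/Login")]:
        print(m, p, "->", authorization_for(cs, m, p))
```

Run against the posted descriptor, GET and POST on /rest/Users/Login come out unprotected because the exact pattern beats the /rest/* prefix, while GET /rest/Users/Profile requires role "users". Note that PATCH /rest/Users/Login is also unprotected, not because of the Public constraint but because no constraint on that pattern covers the method; listing every method, as the post does, is what keeps that from being a surprise. When the descriptor says "unprotected" and the container still challenges, the cause is outside web.xml, in container configuration.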

  • kark
    26 Posts

    Re: WAS 8.5.0 JEE Security exclude rest resource

    ‏2013-10-25T17:42:23Z  

    Hi,

    The web.xml seems to be fine. So when you access /rest/Users/Login you are being prompted to log in? If so, you can open a problem report for our support team to look into this more.

    Also, to narrow the issue, does it make a difference if you remove the <http-method> elements (implying all HTTP methods)? If you enable the security trace (com.ibm.ws.security.*=all on full profile), you should be able to see the URL that is being accessed (in the trace.log) to make sure that it is the same as configured in the web.xml.

    --Ajay


  • S7DB_Marius_Venter
    2 Posts

    Re: WAS 8.5.0 JEE Security exclude rest resource

    ‏2013-10-28T10:26:07Z  
    • kark
    • ‏2013-10-25T17:42:23Z


    Hi Ajay

    Thanks for the reply. After struggling for a while I realized I had the option checked in WAS - "Authenticate when any URI is accessed".

    I thought it was relating to SSL vs non-SSL connections.