Securing Your Application With WebSphere Security
IBM Software Group, © 2006 IBM Corporation

Presentation transcript:

You will need to develop Login procedures for your web applications. This short section describes how to do this for WebSphere Application Servers connected to an authentication server such as LDAP, or any other security realm.

Note that this is an involved lab that will take at least an hour. Ideally you should get assistance from your WebSphere administrator before starting.

Slide 2: WebSphere Security - Overview
Last update: 12/04/2007

You will perform the following tasks to enable WebSphere security for your project:

1. Create a Login Page that conforms to the WebSphere Security requirements
   - (Optionally) Create an Error page that can be specified to your WAR file as the page to automatically redirect to when a Login error occurs
2. Enable security for your WebSphere Application Server
3. Enable security for your WAR (web.xml) file
4. Enable security for your WebSphere Server Configuration
5. Set up security for your Enterprise Application Resource (EAR) file
6. Code your EGL calls to J2EELIB to:
   - Return the user-ID
   - Determine if the user is in a particular role

In this lab, we will show you how to enable WebSphere for Local operating system security. If you wanted to actually integrate LDAP, RACF or any other security “realm”, your WebSphere administrator would have to assist you with this.

WARNING – In fact, you should probably obtain assistance from your WebSphere administrator before starting this section, because:

- These processes are complex; a great deal of security semantics are involved
- If you make mistakes in doing this, you could conceivably cause WebSphere to not be able to boot. Period.

Slide 3: WebSphere and LDAP Security – Create Login and Error Pages

- WebSphere requires that you define a .JSP page that calls WebSphere internal methods, passing specific-named variables as parameters within the form.
  - At this point in time, this cannot be an EGL/JSF page (it must be .JSP/Java)
- In the Notes section of this slide we’ve given you an example of such a page. To implement in your project:
  - Create a new page in \WebContent\ named: login.jsp
  - From the notes section of this slide, copy and paste all of the .JSP and HTML source
  - Using Page Designer, edit your login.jsp in Source mode
  - Select all of the existing source (Ctrl/A)
  - Paste your copied source in (Ctrl/V)
  - Save and test by running the page on the server

Slide 4: 2. WebSphere and LDAP Security – Server Security Overview

- Next you will set up the WebSphere Server to enable Security on a given “realm”
- The Security realm could be:
  - RACF
  - LDAP
  - Local operating system
- The Security realm authenticates the User-ID/Password combination passed to it by WebSphere
- In this section you will:
  - Define a Security configuration for using your local operating system as the Security realm
  - Enable WebSphere for Security

[Diagram: Login Page → sends User-ID/Password to → WebSphere Security → which connects to → LDAP …or… Security Realm (LDAP Database) → which performs authentication]

Slide 5: Login to the WebSphere Administrative Console

With WebSphere started:

- From the Servers tab, right-click over your Server configuration and select Run Administrative Console
- Login

Slide 6: Setup WebSphere Local Operating System Security – 1 of 3

With WebSphere started:

- From the Security tab, click: Secure administration, applications and infrastructure
- From Available realm definitions, select Local operating system
- Click: Configure

Slide 7: Setup WebSphere Local Operating System Security – 2 of 3

From Secure administration, applications and infrastructure:

- Specify the Primary administrative user name your
  - Note that this would be your Windows login user name.
- Click OK
- Note that if WebSphere cannot find the user name in the Windows registry you will not be able to continue

Slide 8: Setup WebSphere Local Operating System Security – 3 of 3

From Secure administration, applications and infrastructure:

- Check: Enable administrative security
- Un-check: Use Java 2 security
- Click Apply
- Click Save

From the top of the Administration Console:

- Logout

From the Servers tab (***Notes):

- Restart WebSphere (***Notes)

Slide 9: 3. Secure the WAR (web.xml) File – 1 of 4 – Add a Security Role

- Now you will add one or more Security Roles to your WAR (web.xml) file (example: user, admin, manager, etc.).
- You will then add one or more Security Constraints, and for each constraint you will specify:
  - Web resource collection – Essentially, these are constraint rules, or what a defined constraint allows an application user to “do”
  - Authorized users – which of the Security Roles is assigned to the constraint, effectively limiting individuals who log in to the application to be able to “do” what you want them to (and only what you want them to)
- From Project Explorer, expand \WebContent\WEB-INF\ and open web.xml
- From the Security tab, Add… one or more Security roles

Slide 10: Secure the WAR (web.xml) File – 2 of 4 – Add a Security Constraint

- From the Security Constraints part of the Security tab:
  - Click Add…
  - Name your Security Constraint

Web resource collection

- From the Web resource collection part of the Security tab (with your new Constraint selected):
  - Click Add…
- From Add Web Resource:
  - Name the resource
  - Leave all the checkboxes un-checked
  - From the Pattern area:
    - Click Add…
    - Specify: /* (***Notes)

Slide 11: Secure the WAR (web.xml) File – 3 of 4 – Add Authorized Roles

- From the Authorized Roles part of the Security tab (with your constraint selected):
  - Click Add…
  - Type a Description
  - Check the Role Names you wish to add to this web application

Slide 12: Secure the WAR (web.xml) File – 4 of 4 – Add a Security Constraint

- From the Pages tab, within the Login section:
  - Open the Authentication method:
    - Select Form
  - For the Login and Error pages:
    - Click Browse…
    - Select login.jsp
- Save and close web.xml
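The deployment descriptor that parts 1 of 4 through 4 of 4 above produce, written out by hand as an added example (it is not taken from the slides or their notes). The role names follow the slides' own examples; the constraint and resource names, the 2.4 descriptor version and the transport guarantee are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example. Names marked "assumed" are illustrative only. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">

  <!-- Part 1 of 4: security roles declared for the WAR -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <!-- Parts 2 and 3 of 4: one constraint, its web resource
       collection and the roles authorized for it -->
  <security-constraint>
    <display-name>AllPagesConstraint</display-name> <!-- assumed name -->
    <web-resource-collection>
      <web-resource-name>AllPages</web-resource-name> <!-- assumed name -->
      <!-- Pattern /* puts every URL of the application behind the login -->
      <url-pattern>/*</url-pattern>
      <!-- All checkboxes un-checked means no http-method elements, so the
           constraint covers every HTTP method. Listing only some methods
           would leave the unlisted ones unprotected. -->
    </web-resource-collection>
    <auth-constraint>
      <description>Roles allowed to use the application</description>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
    <!-- Not a step in the slides (assumption): require HTTPS so the
         password typed into the login form is not sent in clear text -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Part 4 of 4: form authentication with login.jsp selected as both
       the login page and the error page. Per the servlet specification,
       the form posts fields j_username and j_password to the action
       j_security_check. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login.jsp</form-error-page>
    </form-login-config>
  </login-config>
</web-app>
```

Opening web.xml in Source mode after finishing the Security and Pages tabs and comparing it with this layout is a quick check that the role names in the constraint match the declared security roles exactly.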

Slide 13: 4. Enable Security for Your WebSphere Server Configuration

- From your Servers tab, double-click on your WebSphere Server to open the server settings
- Click the Security “twisty”
- Check: Security is enabled on this server, and enter your Windows logon User ID and Password values
- Close …and… Save (***Notes)

Slide 14: 5. Setup Security for Your EAR File

- From Project Explorer, open the EAR file’s Deployment Descriptor, and from the Security tab:
  - Click Gather…
  - Check: All authenticated users
- Close …and… Save

Slide 15: 5. Code Calls to the Security – 1 of 2

- From Project Explorer, open any jsfhandler.EGL file (here we are using allcustomers.egl)
- Add:
  - A String variable for the userID
  - A Boolean variable for isUserInRole(…)
  - Calls to the j2eelib. functions
- Save your edits
- From Page Designer/Page Data:
  - Select both variables
  - Drag them on to the page
- Restart the Server
- Run the page on the server

Slide 16: 5. Code Calls to the Security – 2 of 2

- Your Security form should be invoked.
- After you login successfully, the page you ran on the server should be invoked
- If your login fails, WebSphere should redirect to your Login Error Page
- Note the new WebSphere port for secured applications

Slide 17: LDAP Example – From the Samples Gallery

If you are actually working with your WebSphere Administrator to hook LDAP into your project, open the Sample Gallery from the product Help and follow the steps therein for an excellent tutorial example.