How do I get basic authentication working on WebSphere?

栀梦 2021-02-10 06:36

Okay, so I've been running a Java/Jersey webservice on Tomcat with basic authentication which works perfectly fine. I've got permissions set up in the web.xml file of my proje

2 answers
  • 2021-02-10 06:52

    You shouldn't list http-methods. Doing so means that the security-constraint ONLY applies to those methods and can be bypassed with so-called "extension" methods, like the JEFF method. Just remove them and the constraint will apply to everything. There's a paper on http verb tampering at https://www.aspectsecurity.com/research/aspsec_presentations/download-bypassing-web-authentication-and-authorization-with-http-verb-tampering/

  • 2021-02-10 07:07

    After writing all this below I remembered I had blogged about this for myself here:

    WebSphere 6.1 and Application Authentication

    As I understand it, you have set up your web.xml correctly, thus:

      <security-role>
        <role-name>myrole</role-name>
      </security-role>
    
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>mySec</web-resource-name>
          <url-pattern>/yourUrl</url-pattern>
          <http-method>DELETE</http-method>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
          <http-method>PUT</http-method>
          <http-method>HEAD</http-method>
          <http-method>TRACE</http-method>
          <http-method>OPTIONS</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>myrole</role-name>
        </auth-constraint>
        <user-data-constraint>
          <description>SSL or MSSL not required</description>
          <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
    
      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>my login</realm-name>
      </login-config>
    

    This is if you are using the administration console (you don't state that you are not), so go to the console:

    http://localhost:9060/ibm/console
    

    Then log in (if you have administrative security set up).

    Then go here

    1. In the left-hand panel, click Security
    2. Secure administration, applications, and infrastructure
    3. There is then a section on the page, Application security
    4. Check the box Enable application security
    5. Click Apply, then save to the master configuration.

    Then you have application security turned on. Now you need to map the users of your application to users within WebSphere.

    Go here

    1. Applications > Enterprise Applications
    2. Click your application
    3. Under the Detailed Properties section you will see a link Security role to user/group mapping
       (you will only see this link if your web.xml is set up correctly)
    4. Click Security role to user/group mapping
    5. Select the roles you wish to use for authentication
    6. Click Look up users or Look up groups
    7. Click Search and select users (that are set up in your WebSphere under the Users and Groups menu)
    8. Use the arrows to move the selected users/groups to the right-hand box
    9. Click OK and save to the master configuration.
    10. Restart your server.

    Administrative security (security of WebSphere itself) must be turned on for it to work.

    WebSphere can be complex but it is powerful and capable.

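The constraint semantics that both answers turn on, as an added example that is not part of either answer or of WebSphere's own code: a small Python model of how a servlet container matches `<security-constraint>` elements against requests. It parses two constructed web.xml fragments, one modelled on the posted configuration with explicit `<http-method>` elements and one with those elements removed, and shows that with the methods listed a request to `/yourUrl` using any other verb reaches the resource unauthenticated, while the corrected constraint covers every verb. The `deny_uncovered` flag models the Servlet 3.1 `<deny-uncovered-http-methods/>` element, which Servlet 2.x containers such as WebSphere 6.1 do not have; there, removing the `<http-method>` elements is the fix. Pattern matching and constraint merging are simplified from the Servlet specification, and `method_limited_constraints` is an audit helper you can point at your own web.xml.

```python
"""Model how a servlet container applies web.xml <security-constraint> rules.

Added example, not code from the question or answers. It compares two
constructed web.xml fragments: methods enumerated vs. no <http-method>.
"""
import xml.etree.ElementTree as ET

# Constructed sample 1: verbs enumerated, as in the posted web.xml. Any verb
# not named here falls outside the constraint.
WEB_XML_METHODS_LISTED = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample 2: no <http-method> elements, so every verb is covered.
WEB_XML_ALL_METHODS = """\
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mySec</web-resource-name>
      <url-pattern>/yourUrl</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>myrole</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace so a real web.xml with xmlns parses the same way."""
    return tag.rsplit("}", 1)[-1]


def parse_constraints(web_xml):
    """One dict per <security-constraint>: name, patterns, methods, roles.
    methods empty = all verbs; roles None = no <auth-constraint> (open);
    roles empty set = bare <auth-constraint/> (nobody may access)."""
    constraints = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        c = {"name": "", "patterns": [], "methods": set(), "roles": None}
        for child in sc:
            kind = _local(child.tag)
            if kind == "web-resource-collection":
                for el in child:
                    text, name = (el.text or "").strip(), _local(el.tag)
                    if name == "web-resource-name":
                        c["name"] = text
                    elif name == "url-pattern":
                        c["patterns"].append(text)
                    elif name == "http-method":
                        c["methods"].add(text.upper())
            elif kind == "auth-constraint":
                c["roles"] = {(el.text or "").strip() for el in child
                              if _local(el.tag) == "role-name"}
        constraints.append(c)
    return constraints


def matches_pattern(pattern, path):
    """Servlet url-pattern rules: exact, prefix (/x/*), extension (*.ext), default (/)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == "/"


def access_for(constraints, path, method, deny_uncovered=False):
    """Return "open", "denied", or the set of roles allowed for one request.
    deny_uncovered models Servlet 3.1 <deny-uncovered-http-methods/>: verbs
    left uncovered on a constrained pattern are refused instead of open."""
    method = method.upper()
    on_path = [c for c in constraints
               if any(matches_pattern(p, path) for p in c["patterns"])]
    applicable = [c for c in on_path if not c["methods"] or method in c["methods"]]
    if not applicable:
        return "denied" if deny_uncovered and on_path else "open"
    # Merge per the Servlet spec: a missing auth-constraint opens the resource,
    # an empty one closes it, otherwise the named roles are unioned.
    if any(c["roles"] is None for c in applicable):
        return "open"
    if any(not c["roles"] for c in applicable):
        return "denied"
    return set().union(*(c["roles"] for c in applicable))


def method_limited_constraints(web_xml):
    """Audit helper: names of constraints that enumerate <http-method> elements."""
    return [c["name"] for c in parse_constraints(web_xml) if c["methods"]]
```

Running `access_for(parse_constraints(WEB_XML_METHODS_LISTED), "/yourUrl", "JEFF")` returns `"open"`, while the same call against `WEB_XML_ALL_METHODS` returns `{"myrole"}`; that difference is the whole of the first answer's point. A related caveat on the posted fragment: `<transport-guarantee>NONE</transport-guarantee>` with `BASIC` sends the credentials base64-encoded over plain HTTP, so `CONFIDENTIAL` (which forces TLS) is the setting to pair with basic authentication outside a test environment.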