Question

We have an application that needs to be deployed in WebSphere 6.1. In WebSphere, LDAP authentication is configured. The application that we are hosting should also have authentication enabled to enable single sign-on. We need to verify that the particular user has entered the correct user ID / password. It is not required to check for any role or group. There is no application-specific role. So how do I configure my application.xml, ibm.

ibm-application-bnd.xmi

<authorizationTable xmi:id="AuthorizationTable_1298129835914">
    <authorizations xmi:id="RoleAssignment_1298129835811">
        <users xmi:id="User_1310175154371" name="Jothi_Nadesan"/>
        <role href="META-INF/application.xml#SecurityRole_1310175154371"/>
        <groups xmi:id="Group_1305717519721" name="USSA.App_IP"/>
    </authorizations>
</authorizationTable>
<application href="META-INF/application.xml#Application_ID"/>

application.xml

<module id="WebModule_1340958487989">
    <web>
        <web-uri>CotyIPMasterDataWeb.war</web-uri>
        <context-root>IPMasterData</context-root>
    </web>
</module>
<security-role id="SecurityRole_1310175154371">
    <description>IP_AUTHENTICATION</description>
    <role-name>IP_AUTHENTICATION</role-name>
</security-role>

web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>IPMasterData</web-resource-name>
        <description></description>
        <url-pattern>/</url-pattern>
        <url-pattern>*.action</url-pattern>
        <url-pattern>*.jsp</url-pattern>
        <url-pattern>*.html</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
    </web-resource-collection>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

Solution

For this to work you must have <security-role> defined in web.xml and <security-constraint> should refer to it (* means any role present):

<security-role>
    <role-name>IP_AUTHENTICATION</role-name>
</security-role>

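<security-constraint>
    <!-- the <web-resource-collection> from the question's web.xml stays here, before <auth-constraint> -->
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>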

Then ibm-application-bnd.xmi must have a binding for this role to the special subject AllAuthenticatedUsers:

<authorizations xmi:id="RoleAssignment_1298129835811">
    <specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" name="AllAuthenticatedUsers"/>
    <role href="META-INF/application.xml#SecurityRole_1310175154371"/>
</authorizations>
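
A pre-deployment consistency check for the three descriptors discussed above, as an added example that is not part of the original question or answer. The function names, the trimmed sample descriptors and the namespace declarations in the sample binding file are constructed for illustration; it reports a constraint with no auth-constraint (the question's web.xml) and a declared role with no subject bound to it.

```python
import xml.etree.ElementTree as ET

SUBJECTS = ("specialSubjects", "users", "groups")

def _all(node, name):
    """Descendants with this local tag name, ignoring XML namespaces."""
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _roles(node):
    return {(e.text or "").strip() for e in _all(node, "role-name")}

def audit(web_xml, app_xml, bnd_xmi):
    """Return a list of findings; empty means login is required and the role is bound."""
    web, app, bnd = (ET.fromstring(x) for x in (web_xml, app_xml, bnd_xmi))
    findings = []
    declared = set().union(*[_roles(r) for r in _all(web, "security-role")])
    for sc in _all(web, "security-constraint"):
        required = set().union(*[_roles(a) for a in _all(sc, "auth-constraint")])
        if not _all(sc, "auth-constraint"):
            findings.append("constraint without auth-constraint: no login is required")
        elif "*" in required and not declared:
            findings.append("'*' used but web.xml declares no security-role")
        findings += [f"role {r} not declared in web.xml"
                     for r in sorted(required - declared - {"*"})]
    # application.xml maps role names to ids; the binding file refers to those ids.
    ids = {n: r.get("id") for r in _all(app, "security-role") for n in _roles(r)}
    bound = {}
    for a in _all(bnd, "authorizations"):
        subjects = [c.get("name") for c in a if c.tag.rsplit("}", 1)[-1] in SUBJECTS]
        for r in _all(a, "role"):
            bound[r.get("href", "").rsplit("#", 1)[-1]] = subjects
    for role in sorted(declared):
        if not bound.get(ids.get(role)):
            findings.append(f"role {role} has no subject bound in ibm-application-bnd.xmi")
    return findings

# Constructed, trimmed sample descriptors (namespace URIs below are assumptions).
APP = """<application id="Application_ID"><security-role id="SecurityRole_1310175154371">
<role-name>IP_AUTHENTICATION</role-name></security-role></application>"""
BND = """<applicationbnd:ApplicationBinding xmlns:xmi="http://www.omg.org/XMI"
 xmlns:applicationbnd="applicationbnd.xmi"><authorizationTable><authorizations>
<specialSubjects xmi:type="applicationbnd:AllAuthenticatedUsers" name="AllAuthenticatedUsers"/>
<role href="META-INF/application.xml#SecurityRole_1310175154371"/>
</authorizations></authorizationTable></applicationbnd:ApplicationBinding>"""
WEB_BEFORE = """<web-app><security-constraint><web-resource-collection>
<web-resource-name>IPMasterData</web-resource-name><url-pattern>/</url-pattern>
</web-resource-collection></security-constraint></web-app>"""
WEB_AFTER = WEB_BEFORE.replace("</security-constraint>",
    "<auth-constraint><role-name>*</role-name></auth-constraint></security-constraint>"
    "<security-role><role-name>IP_AUTHENTICATION</role-name></security-role>")
```

Calling `audit(WEB_BEFORE, APP, BND)` flags the missing auth-constraint, while `audit(WEB_AFTER, APP, BND)` returns an empty list.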
Licensed under: CC-BY-SA with attribution