4
votes

My web application (created using Struts2, containing 2 pages:

  • 1) Raise Request
  • 2) Approve Request

) is deployed in WebSphere 7. I need to enable role-based security for this application. I have two roles:

1) user (who can raise a request)

2) approver

both having different credentials. I am not using any back end for authentication. How do I do this using WebSphere security features via web.xml and mapping users?

I will not suggest you go with only server-based authentication, and will strongly suggest you go with some security framework like Spring Security. (Umesh Awasthi)

I interpret back-end as DB... do you mean you want to hard-code all the authentication into the container's XML file? (Quaternion)

1 Answer

1
votes

I invite you to read the Java EE 6 Tutorial chapter "Getting Started Securing Web Applications" and in particular the provided examples.

Your application has to declare the two security roles user and approver, and the web.xml has to protect the servlet paths thanks to security-constraints.

Here is such a setup as a starting point:

<security-constraint>
    <display-name>Raise Request</display-name>
    <web-resource-collection>
        <web-resource-name>raiserequestservlet</web-resource-name>
        <description/>
        <url-pattern>/raiserequest</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <display-name>Approve Request</display-name>
    <web-resource-collection>
        <web-resource-name>approverequestservlet</web-resource-name>
        <description/>
        <url-pattern>/approverequest</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <description/>
        <role-name>approver</role-name>
    </auth-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>WebSphere</realm-name>
</login-config>

<security-role>
    <description>Security Role required to raise a request</description>
    <role-name>user</role-name>
</security-role>
<security-role>
    <description>Security Role required to approve a request</description>
    <role-name>approver</role-name>
</security-role>

For the first tests, I have chosen basic authentication, but there are other options.

Then, when deploying the WAR package into WebSphere, the wizard will allow you to map the two application roles to LDAP groups, as long as you use LDAP as the backend for authentication and permissions, which is highly recommended.

The server instance which runs the application is configured to use the Global security by default, but you can create a dedicated Security domain for your server/application pair to use a dedicated backend. Here is the Network Deployment reference documentation security section to guide you on those aspects.
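The security-constraint elements above are enforced by the container only for requests whose path matches the declared url-pattern, so a practitioner usually repeats the role check inside the protected code as defense in depth (for instance if the Struts action is reachable under a different extension or path than the one listed in web.xml). The following servlet is an added illustration, not code from the answer or from the asker's application; the class name, the "id" parameter and the approval placeholder are assumptions, and the role name "approver" is the one declared in the web.xml above.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet behind the /approverequest path from the answer's web.xml.
// The container already applies the <auth-constraint>; the checks below make the
// action fail closed if a request reaches it on a path the constraint does not cover.
public class ApproveRequestServlet extends HttpServlet {

    private static final String REQUIRED_ROLE = "approver"; // declared in <security-role>

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // No authenticated principal: the container's login-config did not run for
        // this path, so answer 401 rather than performing the action anonymously.
        if (req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authenticated but not mapped to the approver role: 403, and log the
        // principal so a failed attempt is visible in the server log.
        if (!req.isUserInRole(REQUIRED_ROLE)) {
            log("approval denied for " + req.getUserPrincipal().getName());
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String requestId = req.getParameter("id"); // assumed request identifier
        if (requestId == null || requestId.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        approve(requestId, req.getUserPrincipal().getName());
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    // Placeholder for the application's own approval logic (assumed).
    private void approve(String requestId, String approver) {
        log("request " + requestId + " approved by " + approver);
    }
}
```

isUserInRole resolves through the role names declared in web.xml (or a security-role-ref if the code uses a different alias), so the mapping done in the WebSphere deployment wizard applies to this check exactly as it does to the declarative constraint; GET is deliberately not handled, since approval changes state and should not be triggered by a link.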