
I am experimenting with Bluemix and am trying to add single sign-on to my WebSphere Liberty web app. Therefore I followed the guide: added an SSO service with a Cloud Directory Identity Provider, bound my web app to it, and modified the XML configurations.

I started off with the demo app and tailored it from there.

src/main/webapp/WEB-INF/web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="3.0"
xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<display-name>MyApp</display-name>

<security-constraint>
    <display-name>MyApp</display-name>
    <web-resource-collection>
        <web-resource-name>chat-web</web-resource-name>
        <url-pattern>/</url-pattern>
        <url-pattern>/*</url-pattern>
        <url-pattern>/chat-web/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>PUT</http-method>
        <http-method>HEAD</http-method>
        <http-method>TRACE</http-method>
        <http-method>POST</http-method>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>any-authenticated</role-name>
    </auth-constraint>
</security-constraint>
</web-app>

src/main/wlp/server.xml

<server>
    <featureManager>
        <feature>servlet-3.1</feature>
    </featureManager>

    <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080">
        <tcpOptions soReuseAddr="true" />
    </httpEndpoint>

    <application name="chat-web" context-root="chat-web"
        location="${appLocation}" type="war">
        <application-bnd>
            <security-role name="any-authenticated">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </application>
</server>

I created a test user "tobi" in the Cloud Directory which is linked to my SSO service. When I deploy the application, I can see that the SSO dependencies/code is composed/assembled into the app bundle. Yet if I try to log in on the app, it fails, and I always see the following error:

1/2/2016 5:31:10 PM OUT App [INFO    ] JSPG8502I: The value of the JSP attribute jdkSourceLevel is "15".
1/2/2016 5:31:10 PM OUT App [INFO    ] CWWKS9122I:  For URL /redirect/* in application com.ibm.ws.security.openidconnect.client, the following HTTP methods are uncovered, and accessible: GET POST PUT DELETE HEAD OPTIONS TRACE
1/2/2016 5:31:11 PM OUT App [INFO    ] SRVE0242I: [com.ibm.ws.security.openidconnect.client] [/oidcclient] [OpenIdConnectClientRedirectServlet]: Initialization successful.
1/2/2016 5:31:11 PM OUT RTR chat.bluemix.byte23.net - [02/01/2016:17:31:10 +0000] "GET /oidcclient/redirect/qbZkQ73jmu?scope=openid&code=tXTJ80u1D69dCHPIhCQrahyBcCS51G&state=ok8OQCSJKnAQX324drvI HTTP/1.1" 302 0 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.7 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.7" 108.168.250.151:58431 x_forwarded_for:"94.114.26.231" x_forwarded_proto:"https" vcap_request_id:aa1dc020-8cbf-4338-7b1a-7b079d189a60 response_time:0.222157618 app_id:4c20dc63-d050-49f7-bb10-6e5cccab965d x_global_transaction_id:"3540714463"
1/2/2016 5:31:12 PM OUT App [AUDIT   ] CWWKS9104A: Authorization failed for user chat-p6ydtq2fkr-cp16.iam.ibmcloud.com/www.ibm.com/tobi while invoking myapp on /. The user is not granted access to any of the required roles: [any-authenticated].

"The user is not granted access to any of the required roles" How do I grant the user access to the required role "any-authenticated"? The Cloud Directory seems to have no user/role mapping functionality. Where is my mistake?

Thanks for any support, Tobias

Tobias N. Sasse
  • Did some further research: I tried swapping out the Cloud Directory Identity Provider with Facebook Login. Same story: Authentication works, but once returned to the application, the only thing I see is the Authorization failed error message and "Error 403: Authorization Failed" in the frontend/browser. So it seems as if it is nothing specific to the identity provider. – Tobias N. Sasse Jan 02 '16 at 18:28

1 Answer


The starter package for Liberty web apps provides a server.xml in the wlp/ subfolder. This one apparently does not get picked up by the Bluemix runtime environment, thus this section is basically not interpreted at all.

<application-bnd>
    <security-role name="any-authenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
</application-bnd>

If you delete the server.xml file, you get the same result. Thus I was researching how to get the application-bnd parameter interpreted.

Therefore I stumbled upon this article: https://developer.ibm.com/bluemix/2015/04/14/easy-single-sign-bluemix-web-applications-using-company-credentials/

It works if you create the following file:

src/main/webapp/META-INF/ibm-application-bnd.xml

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee
    http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
    version="1.0">
  <security-role name="any-authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS" />
  </security-role>
</application-bnd>

This will get picked up by the bluemix runtime and voila the 403 / Authentication Failure is gone. Could have probably fixed it with the server.xml somehow but quit researching after it worked. If someone has a suggestion / cleaner solution, please share.

Thanks :-)

Tobias N. Sasse
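As an added example (not code from the question, the answer or IBM), here is a small deploy-time lint that catches the misconfiguration behind CWWKS9104A before the app is pushed: it parses WEB-INF/web.xml and META-INF/ibm-application-bnd.xml (the paths from the question and answer, assumed here) and reports every role an auth-constraint requires that the binding file never binds to a subject. It also lists constraints that enumerate http-method elements, since under the Servlet spec only the listed methods are protected and the rest stay uncovered (the condition Liberty flags with CWWKS9122I in the log above). The XML strings are constructed samples modelled on the files in this thread.

```python
"""Lint for Liberty security-role bindings (added example, not from the question,
the answer or IBM). Flags required roles that ibm-application-bnd.xml leaves
unbound, which is what yields CWWKS9104A / HTTP 403 for every signed-in user."""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

# Namespace maps for the two files; the URIs are the ones used in the thread above.
JEE = {"j": "http://java.sun.com/xml/ns/javaee"}
IBM = {"i": "http://websphere.ibm.com/xml/ns/javaee"}

# Constructed sample web.xml modelled on the one in the question.
WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>chat-web</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>any-authenticated</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed binding that declares the role but binds it to nobody; the lint
# treats this the same as the binding file being absent or ignored.
BND_XML_UNBOUND = """
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="any-authenticated"/>
</application-bnd>
"""

# Constructed binding modelled on the answer: every authenticated user gets the role.
BND_XML_FIXED = """
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="any-authenticated">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
</application-bnd>
"""


def required_roles(web_xml: str) -> Set[str]:
    """Roles named by any security-constraint/auth-constraint in web.xml."""
    root = ET.fromstring(web_xml)
    path = "j:security-constraint/j:auth-constraint/j:role-name"
    return {el.text.strip() for el in root.findall(path, JEE) if el.text}


def bound_roles(bnd_xml: str) -> Set[str]:
    """Roles that ibm-application-bnd.xml binds to at least one subject.

    A <security-role> with no <special-subject>, <user> or <group> child is
    declared but grants nothing, so it is deliberately not counted as bound."""
    root = ET.fromstring(bnd_xml)
    return {el.get("name") for el in root.findall("i:security-role", IBM)
            if el.get("name") and len(el) > 0}


def unbound_roles(web_xml: str, bnd_xml: str) -> Set[str]:
    """Required roles that no user can ever hold: the cause of CWWKS9104A."""
    return required_roles(web_xml) - bound_roles(bnd_xml)


def explicit_method_constraints(web_xml: str) -> List[Tuple[str, List[str]]]:
    """(resource name, listed methods) for collections that enumerate <http-method>.

    Omitting <http-method> entirely protects every method; listing some leaves the
    others (PATCH, for example) uncovered unless http-method-omission is used."""
    root = ET.fromstring(web_xml)
    found = []
    for coll in root.findall("j:security-constraint/j:web-resource-collection", JEE):
        methods = [m.text.strip() for m in coll.findall("j:http-method", JEE) if m.text]
        if methods and not coll.findall("j:http-method-omission", JEE):
            name_el = coll.find("j:web-resource-name", JEE)
            name = name_el.text.strip() if name_el is not None and name_el.text else "?"
            found.append((name, methods))
    return found


if __name__ == "__main__":
    for label, bnd in (("starter binding", BND_XML_UNBOUND), ("fixed binding", BND_XML_FIXED)):
        missing = unbound_roles(WEB_XML, bnd)
        print(f"{label}: unbound roles = {sorted(missing) or 'none'}")
    for name, methods in explicit_method_constraints(WEB_XML):
        print(f"'{name}' protects only {methods}; any other method is uncovered")
```

Run against real files by reading them into the two strings; a non-empty result from unbound_roles is exactly the state the question describes (authentication succeeds, authorization fails for everyone). The method check is a reminder that the web.xml in the question protects only the seven methods it lists; dropping the http-method elements altogether protects all methods for the same URL patterns.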
  • You don't need to apologise for answering your own question, glad you found a solution. – Alasdair Jan 03 '16 at 23:36
  • You can also push a "server directory" to include your customized server.xml, see doc here: https://www.ng.bluemix.net/docs/starters/liberty/index.html#optionsforpushinglibertyapplications. Could you provide a link to the starter package that you used? We will remove the misleading server.xml from it. – Jack-Junjie Cai Jan 04 '16 at 15:19
  • Answering your own question is explicitly encouraged because you are sharing your expertise with other people. See: http://stackoverflow.com/help/self-answer – William 'Bill' Wentworth Jan 05 '16 at 17:09
  • Thanks guys, I appreciate your input! – Tobias N. Sasse Jan 06 '16 at 18:12