
I have a Spring app. It is consistently giving me this error in WebSphere Liberty. These are my login settings in web.xml for Spring Security.

<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:security="http://www.springframework.org/schema/security"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.1.xsd">

    <!-- ===== SECURITY CONFIGURATION ===== -->

    <!-- All requests matching pattern below will bypass the security filter chain completely -->
    <security:http pattern="/image/**" security="none"/>
    <!--   security:http pattern="/login.jsp*" security="none" / -->

    <!-- Defines who can access each URL. -->
    <!-- 
    Spring Security 3.0 introduced the ability to use Spring EL expressions as an authorization mechanism in addition to the simple use 
    of configuration attributes and access-decision voters which have seen before. Expression-based access control is built on the same 
    architecture but allows complicated boolean logic to be encapsulated in a single expression.
    http://static.springsource.org/spring-security/site/docs/3.0.x/reference/el-access.html
    -->
    <security:http auto-config="true" use-expressions="true">
         <!-- URL restrictions (order is important!) Most specific matches should be at top -->

         <!-- Don't set any role restrictions on login.jsp.  Any requests for the login page should be available for anonymous users -->    
         <security:intercept-url pattern="/login.jsp*" access="isAuthenticated()" /> 

...

Anonymous access to the login page doesn't appear to be enabled. This is almost certainly an error. Please check your configuration allows unauthenticated access to the configured login page. (Simulated access was rejected: org.springframework.security.access.AccessDeniedException: Access is denied)

I have configured LDAP but I do not know how to tie the LDAP settings to server authentication, similar to WAS 7.0 global security activation, so the application is not able to authenticate.

Can someone give me further information on how the access-id in the security settings relates to the LDAP realm?

    <jaasLoginContextEntry id="system.WEB_INBOUND" loginModuleRef="HashLogin, certificate, hashtable, token, userNameAndPassword" name="system.WEB_INBOUND"/>
    <jaasLoginContextEntry id="WSLogin" loginModuleRef="WSLoginId, certificate, hashtable, token, userNameAndPassword" name="WSLoginId" />
    <jaasLoginModule id="WSLoginId" className="com.ibm.ws.security.common.auth.module.WSLoginModuleImpl" libraryRef="${com.ibm.ws.security.wim.*}"></jaasLoginModule>

</server>

I have looked at the Liberty profile documents, so I would appreciate more detailed information rather than a link to IBM documents, because I have read those and a lot of other information on the internet and have exhausted all the resources I can look up. I would really appreciate a more detailed explanation of how to implement global security and application security enablement, as WAS 7.0 does when we configure an LDAP repository in WAS. My LDAP is Microsoft Active Directory, and my application security is handled by the Spring container.

As a resource I looked at this, but it did not seem to help.

How to map security role to ldap group in websphere liberty profile
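The validator message quoted in the question is raised at startup when the first intercept-url that matches the configured login page refuses anonymous callers, which is what an isAuthenticated() rule on /login.jsp* does. The script below is an added example, not code from the original post: it applies Spring Security's first-match rule to a constructed config carrying that weak rule and to the same config with permitAll substituted, and it assumes a form-login login-page of /login.jsp, which the truncated config above does not show.

```python
"""Check whether a Spring Security 3.x XML config lets anonymous callers reach the login page."""
import re
import xml.etree.ElementTree as ET

SEC = "{http://www.springframework.org/schema/security}"
# Access expressions / attributes that admit an unauthenticated (anonymous) caller.
ANON_OK = re.compile(r"permitAll|isAnonymous\(\)|IS_AUTHENTICATED_ANONYMOUSLY|ROLE_ANONYMOUS")

# Constructed sample config (not the poster's full file): weak rule on the login page.
WEAK = """<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:security="http://www.springframework.org/schema/security">
  <security:http pattern="/image/**" security="none"/>
  <security:http auto-config="true" use-expressions="true">
    <security:intercept-url pattern="/login.jsp*" access="isAuthenticated()"/>
    <security:intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
    <security:form-login login-page="/login.jsp"/>
  </security:http>
</beans:beans>"""
# Same config with the login page opened to anonymous users.
FIXED = WEAK.replace('access="isAuthenticated()"', 'access="permitAll"')


def ant_to_regex(pattern: str) -> re.Pattern:
    """Translate an Ant-style path pattern (**, *, ?) into an anchored regex."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] in "*?":
            out, i = out + ("[^/]*" if pattern[i] == "*" else "[^/]"), i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def login_page_is_open(config_xml: str, login_url: str) -> bool:
    """True if an anonymous request for login_url would pass the security config."""
    for http in ET.fromstring(config_xml).iter(SEC + "http"):
        chain = http.get("pattern")
        if chain and not ant_to_regex(chain).match(login_url):
            continue  # this <http> chain is not the one serving login_url
        if http.get("security") == "none":
            return True  # filter chain bypassed entirely for this pattern
        for rule in http.findall(SEC + "intercept-url"):
            if ant_to_regex(rule.get("pattern", "")).match(login_url):
                return bool(ANON_OK.search(rule.get("access", "")))
        return True  # no intercept-url constrains the URL
    return True
```

Running login_page_is_open against the real config with the URL from form-login's login-page attribute reproduces Spring's startup check before deployment to Liberty.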


1 Answer


Here is how access-id in the Liberty profile can be defined, assuming the LDAP server definition has the realm name ldapRealm in server.xml.

<!-- Sample LDAP definition -->
<ldapRegistry id="TivoliLdap" host="myHost.rtp.raleigh.ibm.com" realm="ldapRealm" port="389" ldapType="IBM Tivoli Directory Server" ignoreCase="false" baseDN="o=mycompany,c=us">
</ldapRegistry>

<!-- Application binding sample for using the access-id attribute on a user or group element -->
<application-bnd>
    <security-role name="Employee">
        <user name="Bob" access-id="user:ldapRealm/Bob"/>
        <group name="developers" access-id="group:ldapRealm/developers"/>
    </security-role>
</application-bnd>
  • Thanks, I tried something like this before and it does not work. I did something similar .. .. but that did not help either... – user2358826 Feb 02 '16 at 17:27
  • Should access-id be as you have put it matching to user and group name like user:realmName/userName and group:realmName/groupName or should it have full cn information like user:realmName/ou=myou,cn=mycn.cn=companycn,cn=org – user2358826 Feb 02 '16 at 17:37
  • access-id is used for authorization. If your users/groups belong to the active registry, we really do not need to specify access-id. You are correct that you may need to use cn=mycn,OU=... for an explicit access-id. – M. Tamboli Feb 03 '16 at 21:35
  • Since "ALL_AUTHENTICATED_USERS" does not work, it does not seem like authorization is an issue. Hope someone else is able to help with your original question. – M. Tamboli Feb 03 '16 at 21:43