1

https://github.com/WASdev/sample.batch.sleepybatchlet

I am trying to run the above git sample. I was able to configure and run a ant build java batch project in liberty. but when it comes to maven project, i was not able to use the rest service to control the jobs.i have issues with user authentication problems using defaultKeyStore. i noticed there was a server.xml in the above maven project, but i was not able to create a keystore password. it says "no liberty runtime could be found".

in liberty server.xml i have used one user in basicRegistry and security-role as "batchadmin" for the same user

what changes should be done in the server.xml inside project to pass the server authentication.

PremStephenIrudayaraj
  • 11
  • 1
  • 1
  • 5
  • Can you provide more details, e.g. a copy of your server.xml, the exact commands you are performing, and the corresponding error commands? The sample itself as you know doesn't include any maven automation executing any tests or deploying the WAR to Liberty, so I can't tell exactly what you're attempting to do. – Scott Kurz May 03 '16 at 13:46
  • Again, I don't know how you're configuring security, but if you've been making changes you might try deleting **/resources/security/key.jks** and letting the server regenerate on restart. – Scott Kurz May 03 '16 at 14:24
  • – PremStephenIrudayaraj May 03 '16 at 14:49
  • i cannot post the server.xml code .. but the authorization roles mentioned in this link was the once i referred to. https://www.ibm.com/support/knowledgecenter/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_batch_securing.html – PremStephenIrudayaraj May 03 '16 at 14:53
  • thanks for the reply in advance scott :) your have been our only hope on java batch – PremStephenIrudayaraj May 03 '16 at 14:55
  • Not sure without seeing more of the server config, and also the specific error messages upon specific operations. – Scott Kurz May 03 '16 at 15:42

1 Answers1

0

In order to perform batch operations from a servlet when batch role-based authentication is configured, you need to add an authentication challenge to the servlet so that it runs under a specific user rather than UNAUTHENTICATED.

You could add this to the sample like this:

import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.HttpMethodConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;

// ...
@ServletSecurity(value = @HttpConstraint(transportGuarantee = ServletSecurity.TransportGuarantee.CONFIDENTIAL),
    httpMethodConstraints = { @HttpMethodConstraint(value = "POST", emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.PERMIT),
                              @HttpMethodConstraint(value = "GET", emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.PERMIT),
                              @HttpMethodConstraint(value = "PUT", emptyRoleSemantic = ServletSecurity.EmptyRoleSemantic.PERMIT) })
@WebServlet(urlPatterns = { "/joboperator" })
public class JobOperatorServlet extends HttpServlet {

That's in addition to defining the user registry and the users, and granting them access to the batch roles as in the doc you referenced, and here is a snippet of that:

<httpEndpoint httpPort="9080" httpsPort="9443" id="defaultHttpEndpoint"/>

<keyStore id="defaultKeyStore" password="Liberty"/>

<basicRegistry id="basic" realm="ibm/api">
    <user name="bob" password="bobpwd"/>
    <user name="jane" password="janepwd"/>
</basicRegistry>

<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchSubmitter">
        <user name="bob"/>
    </security-role>
    <security-role name="batchAdmin">
        <user name="jane"/>
    </security-role>
</authorization-roles>

Now, there's a separate but related question of how do you configure batch security, i.e. which features bring batch security into the picture. But I'll leave that for a follow-up question and take it for granted here that it's present.

Scott Kurz
  • 4,985
  • 1
  • 18
  • 40
  • I have specified the exact configuration in my liberty's server.xml . but when i place the maven build war file inside the dropins directory and start the server , i am not able to start the job by using the rest link . it says " user UNAUTHUNTICATED does not have the permission to start the job" – PremStephenIrudayaraj May 03 '16 at 17:59
  • OK, I answered the question: "How do you write a servlet to function given that batch security is enabled?" That assumes you really wanted to run with batch security. Note, though, that you can use the batch REST interface without necessarily running with batch security. If all you wanted to do was run the sample, experiment with the REST interface and the tools, etc., without having to worry about some of these security details at this phase, that is certainly an option. If that's really what you wanted, please open a separate question and I'll answer that then. – Scott Kurz May 03 '16 at 18:48
  • thanks scott.But this is the exact answer i want . i have specified the above configurations inside the servlet as well as in both server.xml. still it says "User UNAUTHENTICATED is not authorized to start batch jobs.".. which means it has not taken the users i have specified . – PremStephenIrudayaraj May 04 '16 at 08:34
  • when i placed this in security role batch admin it started working .. but i still dont know to restrict things based on users. for now its fixed . thanks a lot for this help man. – PremStephenIrudayaraj May 04 '16 at 08:55