
We use a WebSphere Liberty server behind a reverse proxy. We enabled the appSecurity-2.0 feature to add a custom TAI which validates HTTP requests between the proxy and Liberty. To use the batch framework that comes with WebSphere Liberty, we enabled the feature batchManagement-1.0 and added the required role configuration as described here: https://www.ibm.com/support/knowledgecenter/en/was_beta_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_batch_securing.html.

It is possible to submit a batch through the REST API if the tag authorization-roles is added to the server.xml and the role batchAdmin is assigned to a user from the basic registry. However, if we add the authorization-roles tag, Liberty restricts the HTTP requests from the proxy (frontend users) to the deployed web-app and reports that the user does not have the required permission to access the resources. Is it possible to disable the batch security in WebSphere Liberty independent of the appSecurity feature?

Scott Kurz
Patrick

1 Answer


You could grant everyone batchAdmin role access simply by:

```xml
<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
</authorization-roles>
```

OR:

```xml
<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
        <special-subject type="EVERYONE" />
    </security-role>
</authorization-roles>
```

However, there is not a way to disable batch security with security enabled.

Scott Kurz
  • What does the tag actually do? Because at the time I add it to the server.xml the batch framework is working but TAI is not working anymore. WebSphere logs to the console for every user: Authorization failed for user: xy – Patrick Feb 20 '18 at 10:29
  • The `<authorization-roles>` construct controls authorization to the batch operations (e.g. start/submit, stop, get/read, restart, purge). The batch runtime checks if the user calling the REST API has authorization to perform the given operation. For some operations (e.g. stop/purge), this is a check against a particular job instance, for others (list/search) the instances the user doesn't have access to are filtered out. See [here](https://www.ibm.com/support/knowledgecenter/en/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_batch_securing.html). – Scott Kurz Feb 20 '18 at 11:41
  • I don't have any ideas just based on that description why using batch would cause an issue with your custom TAI. Can I suggest that you open up a PMR (support ticket) with IBM? – Scott Kurz Feb 20 '18 at 11:45
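
A check that can be run over a server.xml before deployment to flag the blanket `special-subject` grants shown in the answer above, so they are a reviewed decision rather than a leftover. This is an added example, not part of the original answer or IBM's code; the sample file, the user name and the severity labels are constructed, and `batchSubmitter` and `batchMonitor` are the other batch roles Liberty defines.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment; the user name is a placeholder.
SAMPLE_SERVER_XML = """
<server>
    <authorization-roles id="com.ibm.ws.batch">
        <security-role name="batchAdmin">
            <special-subject type="EVERYONE" />
        </security-role>
        <security-role name="batchMonitor">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
        <security-role name="batchSubmitter">
            <user name="example-batch-user" />
        </security-role>
    </authorization-roles>
</server>
"""

# Severity labels are this example's own convention, not a Liberty concept.
# EVERYONE also covers callers that have not authenticated at all.
BROAD_SUBJECTS = {"EVERYONE": "high", "ALL_AUTHENTICATED_USERS": "medium"}


def audit_batch_roles(server_xml, roles_id="com.ibm.ws.batch"):
    """Return (role, special subject, severity) for every blanket grant
    inside <authorization-roles id=roles_id>; named users/groups pass."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for roles in root.iter("authorization-roles"):
        if roles.get("id") != roles_id:
            continue  # role bindings for some other component
        for role in roles.findall("security-role"):
            for subject in role.findall("special-subject"):
                kind = (subject.get("type") or "").strip().upper()
                if kind in BROAD_SUBJECTS:
                    findings.append(
                        (role.get("name"), kind, BROAD_SUBJECTS[kind]))
    return findings


if __name__ == "__main__":
    for role, kind, severity in audit_batch_roles(SAMPLE_SERVER_XML):
        print(f"[{severity}] role {role} is granted to {kind}")
```
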