
I run a WebSphere 7.0 Portal. One has to log in to be able to see any information, which is fine for all portlets. But additionally there are a couple of servlets that I deploy in the same war file that produce some raw data for AJAX scripts.

Currently one can bypass the authentication from WebSphere Portal if one knows the URL to that particular servlet. I want to change this and check if the user is currently logged in to the Portal. How do I do this? I tried ((PumaHome) new InitialContext().lookup(new CompositeName(PumaHome.JNDI_NAME))).getProfile().getCurrentUser(); but this returns null.

yankee

1 Answer

WebSphere Application Server returns principal and remote user only if you configure it to use the JavaEE security context for your web application. Edit your web.xml to contain something like

<security-constraint>
 <display-name>userConstraint</display-name>
 <web-resource-collection>
  <web-resource-name>secure</web-resource-name>
  <url-pattern>/*</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
 </web-resource-collection>
 <auth-constraint>
  <description>user</description>
  <role-name>user</role-name>
 </auth-constraint>
</security-constraint>
<security-role>
 <description>secrole</description>
 <role-name>user</role-name>
</security-role>

and redeploy your application. After deploying your application take a look at the application's settings in the Administrative Console. You will notice "User/role mapping". Add "all authenticated users from trusted realms" to the newly added role. Restart the application.

After that, anonymous users cannot access your application anymore. Also, getRemoteUser and the other APIs will return the user properly.

erloewe
    After this configuration you can also use the ordinary [Securing Web Applications methods](http://download.oracle.com/javaee/5/tutorial/doc/bncas.html) – erloewe Feb 06 '11 at 13:35
  • For the record: The User/role mapping can be found in WebSphere's "Integrated solutions console" (not the portal administration page) at Applications > Application Types > Enterprise Applications > NAME_OF_APP > Security role to user/group mapping > Map users/groups. Huge thanks! :-). – yankee Feb 06 '11 at 13:48
  • Btw, it is only visible if the application's web.xml already contains the security context configuration. Thanks to yankee for this pointer. – Christoph Wurm Aug 19 '11 at 08:59
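An added audit script (not from the question or the answer) that reads a web.xml and reports which servlet mappings an auth-constraint actually covers, so that servlets deployed beside the portlets do not stay reachable without a login. It also flags constraints that list `<http-method>`, because the Servlet specification constrains only the listed verbs and leaves the others open. The servlet names, url-patterns and sample web.xml are constructed for the example.

```python
import xml.etree.ElementTree as ET

def _local(tag):  # strip the XML namespace so web.xml with or without xmlns parses alike
    return tag.rsplit('}', 1)[-1]

def _texts(elem, name):
    return [c.text.strip() for c in elem.iter() if _local(c.tag) == name and c.text]

def pattern_covers(constraint_pattern, servlet_pattern):
    """Servlet-spec style match of a constraint url-pattern against a servlet mapping:
    exact, path prefix ('/x/*', '/*') or extension ('*.ext')."""
    if constraint_pattern == servlet_pattern:
        return True
    if constraint_pattern.endswith('/*'):
        prefix = constraint_pattern[:-2]
        return servlet_pattern == prefix or servlet_pattern.startswith(prefix + '/')
    if constraint_pattern.startswith('*.'):
        return servlet_pattern.endswith(constraint_pattern[1:])
    return False

def audit(web_xml):
    """Return {servlet url-pattern: 'protected' | 'partial: ...' | 'unprotected'}."""
    root = ET.fromstring(web_xml)
    # Only constraints that carry an <auth-constraint> actually require a login.
    constraints = [(_texts(sc, 'url-pattern'), _texts(sc, 'http-method'))
                   for sc in root.iter() if _local(sc.tag) == 'security-constraint'
                   and any(_local(c.tag) == 'auth-constraint' for c in sc)]
    findings = {}
    for sm in (e for e in root.iter() if _local(e.tag) == 'servlet-mapping'):
        for pat in _texts(sm, 'url-pattern'):
            covering = [c for c in constraints if any(pattern_covers(cp, pat) for cp in c[0])]
            if not covering:
                findings[pat] = 'unprotected'
            elif all(methods for _, methods in covering):
                # Listing <http-method> limits the constraint to those verbs; others stay open.
                verbs = sorted({m for _, methods in covering for m in methods})
                findings[pat] = 'partial: only ' + ', '.join(verbs) + ' constrained'
            else:
                findings[pat] = 'protected'
    return findings

# Constructed sample (not from the page): two AJAX servlets, constraint supplied per check.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
 <servlet-mapping><servlet-name>Data</servlet-name><url-pattern>/data/*</url-pattern></servlet-mapping>
 <servlet-mapping><servlet-name>Export</servlet-name><url-pattern>/export.json</url-pattern></servlet-mapping>
 {constraint}
</web-app>"""
WEAK = """<security-constraint><web-resource-collection><web-resource-name>s</web-resource-name>
 <url-pattern>/data/*</url-pattern><http-method>GET</http-method><http-method>POST</http-method>
 </web-resource-collection><auth-constraint><role-name>user</role-name></auth-constraint></security-constraint>"""
```

Running `audit(SAMPLE.format(constraint=WEAK))` reports `/export.json` as unprotected and `/data/*` as only partially constrained; a `/*` constraint without `<http-method>` elements, like the one in the answer, makes both mappings protected.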