0

I am being new to Java EE application. I am working on one of the legacy project migration task, while doing that I need to get some idea how the authentication machanism works in the application. It is using IBM OpenLiberty server. As per the documentation it is using Webseal and LDAP in combination. But I am not getting clear picture about the authentication process. I have a class in which there , it calls a method WSSubject.getCallerPrincipal() and it gets userId as a string . But I am not able to get from where it is getting those user details and how it is communicating to LDAP for those user details.

Any direction will be appreciated.

Anonymous
  • 1,726
  • 4
  • 22
  • 47

1 Answers1

1

If your user registry is properly configure and uses server infrastructrure, you will find it in server.xml file, for example:

<feature>ldapRegistry-3.0</feature>    <== this enables ldap feature

<!-- this is sample config for TDS -->

<ldapRegistry baseDN="o=acme.com" host="ldap.acme.com"
        ldapType="IBM Tivoli Directory Server" port="389" realm="AcmeLdap"
        bindDN="cn=testuser,o=acme.com" bindPassword="mypassword">
    <idsFilters
            groupFilter="(&amp;(cn=%v)(objectclass=groupofnames))"
            userFilter="(&amp;(objectclass=inetorgperson)(|(uid=%v)(mail=%v)))" />
</ldapRegistry>

In that case, classes contained in LDAP feature are responsible for managing connections to your LDAP

You can find much more details about setting various LDAPs with OpenLiberty here - LDAP User Registry 3.0

If your app is using homegrown security framework, unfortunately you have to dig in, and fully understand all the libs it contains.

UPDATE
If you are migrating from WebSphere and your application is using JEE security roles, you may need to create user<->role mappings unless they are already defined in the binding file (ibm-application-bnd.xml).

Check here for details: Configuring authorization for applications in Liberty

In short:

  • add <feature>appSecurity</feature>
  • check if you have in EAR - ibm-application-bnd.xml
  • if not, in old WebSphere env, look at the "User to role mapping" in the console, and recreate similar as application bindings in server.xml:
<application type="war" id="myapp" name="myapp" location="${server.config.dir}/apps/myapp.war">
    <application-bnd>
        <security-role name="user">
            <group name="students" />
        </security-role>
        <security-role name="admin">
            <user name="gjones" />
            <group name="administrators" />
        </security-role>
        <security-role name="AllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</application>
Gas
  • 17,601
  • 4
  • 46
  • 93
  • Great, thanks @Gas. meanwhile you answered, I dig into code and I realize the same as you stated in your answer. Actually previously in this project Websphere server was used , and now in migration part I need to migrate application server as well to openliberty 21.*.*.* . Now i think I have to implement ldap in server.xml like you mentioned above and put old ldap server details over there. I found ldap server details in websphere console in infra existing for this project. – Anonymous Dec 16 '21 at 18:16
  • In addition, you may need to recreate user-role mapping, check updated answer @Anonymous – Gas Dec 16 '21 at 18:40