Tuesday, 4 December 2018

WebSphere Application Server - Get your security roles right

I'm back in the early noughties, tinkering with Java Enterprise Edition (JEE) servlets and WebSphere Application Server (WAS) Network Deployment (ND).

This, in part, is to enable me to test my SPNEGO / Kerberos configuration.

Having created a JEE application in Eclipse, with servlet, login page etc. and having tested it in Liberty, I'd deployed my code to WAS ND.

However, when I tried to access the servlet: -

https://was.uk.ibm.com:9444/HelloWorld/Hello

I saw this: -

[03/12/18 17:15:19:295 GMT] 00000096 WebCollaborat A   SECJ0129E: Authorization failed for user hayd:defaultWIMFileBasedRealm while invoking GET on default_host://HelloWorld, Authorization failed, Not granted any of the required roles: reader

I'd already ensured that I'd mapped my users ( hayd and Administrator ) to the appropriate role: -



However, I was holding it wrong .... when I'd hand-cranked the web.xml, I'd made a little booboo.

I'd specified the Security Role as: -

Reader

but specified the Auth Constraint -> Role Name as: -

reader

So it made NO difference to which user/group I assigned the Reader role; it'd never work :-(

Get it right .....

No comments:

Fun with OpenSSL Certificate Requests and space characters in Subject Names

I've got a command within a Dockerfile that generates a Certificate Service Request, via the openssl req  command. This references an ...