Contents
1 Software and Hardware Environment
2 Developing a Web Application with Security Features in WSAD
3 LDAP Server Configuration
4 WebSphere Server-Side Configuration
5 Installing the Web Application
6 Verifying SSO
7 Conclusion
Author information
Jing Jing (Jin.xiao@chinacreator.com), Software Engineer, Software Center. August 2003.
SSO Implementation Technology

This article introduces the mechanisms and concepts involved in SSO (Single Sign-On: the user signs on once and is recognized everywhere) in the WebSphere environment. Implementing SSO involves two parts: developing the enterprise application and configuring the server. Below, the author demonstrates step by step how to implement SSO between two WebSphere servers, in the hope that it helps everyone.
1 Software and Hardware Environment

The demo environment consists of two hosts, each running a WebSphere server; both belong to the same DNS domain. The configuration parameters are:

DNS domain: chinacreator.com
LDAP database address: b.chinacreator.com:389

Item                      | Machine 1                | Machine 2
Host domain name          | a.chinacreator.com       | b.chinacreator.com
Operating system          | Windows 2000 Server      | Windows 2000 Server
WebSphere                 | WAS AE 4.0, patch 4.0.6  | WAS AE 4.0, patch 4.0.6
LDAP (directory database) |                          | IBM SecureWay Directory

2 Developing a Web Application with Security Features in WSAD

We design a web application that contains a folder named securityfold, and define a security role admin_role; only users who hold that role may access the files under securityfold. The detailed steps are:

1. Open WSAD (the author uses WSAD 4, English version) and create a new web application:
   Enterprise App Name: SecurityWebsource
   Web App Name: SSO

2. Create three HTML files: login.html, error.html and logout.html.

   a. login.html is the login page used to authenticate network users. The J2EE specification imposes some fixed requirements on a form-based login page:
      - it must contain a FORM element whose action attribute is j_security_check, a servlet provided by the J2EE container specifically to handle form login;
      - the form must contain two input fields, one named j_username and the other named j_password; these two names cannot be changed;
      - all other page elements can be customized to meet the customer's requirements for a personalized look and feel.

   b. error.html is the page shown to the network user when authentication fails; it can be customized.
      [Note] The names of these two files are not important, because they are set in the deployment descriptor.

   c. logout.html lets the user log out of the system. This is not a standard J2EE feature but an auxiliary feature provided by WebSphere; it needs no definition in the web application deployment descriptor (web.xml) and is a plain .html file. The file must contain a FORM element whose action is fixed to ibm_security_logout, the servlet WebSphere provides for logout. The form contains a hidden field named logoutExitPage; its value is normally the login page, which in our case is /login.html.
      [Note] The source code of these three files can be found in the sample file.

3. Continue with the remaining work to complete your web application. In the author's example, for convenience, the securityfold subdirectory is placed in the root directory and HelloWorld.jsp is created under securityfold, so the file structure of the whole web application is /login.html, /error.html, /logout.html and /securityfold/HelloWorld.jsp.

4. Mark the web application as requiring security control, which means editing the properties in web.xml. Open web.xml in WSAD, switch to the Pages tab and set the properties as follows:
   Realm Name: the name of our security realm. It is only an identifier and is not important; the author's setting is "Security My Web".
   Authentication Method: several methods are offered; the common ones are FORM-based login and client-certificate-based authentication. FORM-based login only requires the user to enter a username and password and is easier to implement, so the example uses it: select Form.
   Login Page: the page shown when a user who has not authenticated requests a protected resource. This is the login.html created above; if you used a different name, change it here.
   Error Page: the page shown to the user when login fails. This is the error.html created above; again, change the name if yours differs.
5. Add the security role and the security constraint. Open web.xml in WSAD and switch to the Security tab.
   a. Add a security role: admin_role.
   b. Add a security constraint (security-constraint). A security constraint describes the web resources it protects in two dimensions: the HTTP methods (POST, GET and so on) and the files. The files can be a specific file or a folder:
      - a specific file, for example /securityfold/HelloWorld.jsp;
      - a directory: to make this constraint cover all files under securityfold, enter /securityfold/* in URL Patterns.
      Note that if you list HTTP methods explicitly, only those methods are constrained; a request using any other method reaches the resource without authentication. Unless you have a reason to restrict by method, leave the method list empty so the constraint covers all methods.
   c. Add security roles to the security constraint: choose the security roles you defined to attach to this constraint. Only users who hold those roles can access the resources the constraint specifies.
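As an added example (not code from the article or from WebSphere), the following Python script parses the security-constraint section of a web.xml like the one step 5 produces and reports the gaps a reviewer looks for: a method list that leaves the other HTTP methods unprotected, a resource collection with no auth-constraint, and a role used in a constraint but never declared. The descriptor text is constructed from this article's values (admin_role, /securityfold/*, /login.html, /error.html, realm "Security My Web"); the element names are the Servlet 2.3 ones that WebSphere 4 uses.

```python
"""Review the security-constraint section of a J2EE web.xml.

Added example, not the article's own code. The descriptor is constructed
from the article's values (role admin_role, folder /securityfold/*,
FORM login with /login.html and /error.html).
"""
import xml.etree.ElementTree as ET


def descriptor(methods=(), role="admin_role", declared_role="admin_role"):
    """Build a web.xml (Servlet 2.3 element names) for the article's SSO app.

    `methods` are the <http-method> entries ticked in the constraint; an
    empty tuple means the constraint covers every HTTP method.
    """
    method_xml = "".join(
        f"\n      <http-method>{m}</http-method>" for m in methods)
    return f"""<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>securityfold</web-resource-name>
      <url-pattern>/securityfold/*</url-pattern>{method_xml}
    </web-resource-collection>
    <auth-constraint>
      <role-name>{role}</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>Security My Web</realm-name>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/error.html</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>{declared_role}</role-name>
  </security-role>
</web-app>
"""


def constraints(xml_text):
    """Return [(url_patterns, http_methods, roles)] per <security-constraint>.

    roles is None when the constraint has no <auth-constraint> at all.
    """
    root = ET.fromstring(xml_text)
    found = []
    for sc in root.findall("security-constraint"):
        patterns, methods = [], []
        for wrc in sc.findall("web-resource-collection"):
            patterns += [e.text.strip() for e in wrc.findall("url-pattern")]
            methods += [e.text.strip().upper() for e in wrc.findall("http-method")]
        ac = sc.find("auth-constraint")
        roles = None if ac is None else [e.text.strip() for e in ac.findall("role-name")]
        found.append((patterns, methods, roles))
    return found


COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def find_issues(xml_text):
    """List the protection gaps in the descriptor; an empty list means none found."""
    root = ET.fromstring(xml_text)
    declared = {e.text.strip() for e in root.findall("security-role/role-name")}
    issues = []
    for patterns, methods, roles in constraints(xml_text):
        where = ", ".join(patterns) or "(no url-pattern)"
        if methods:
            # Servlet spec: listing methods constrains only those; any other
            # method reaches the resource with no authentication at all.
            uncovered = [m for m in COMMON_METHODS if m not in methods]
            issues.append(
                f"{where}: only {', '.join(methods)} constrained; "
                f"{', '.join(uncovered)} and any other method are unprotected. "
                "Drop <http-method> so the constraint covers all methods.")
        if roles is None:
            issues.append(f"{where}: no <auth-constraint>, the resources are public")
        elif not roles:
            issues.append(f"{where}: empty <auth-constraint>, nobody can access")
        else:
            for r in roles:
                if r != "*" and r not in declared:
                    issues.append(f"{where}: role {r!r} is not declared in <security-role>")
    return issues


if __name__ == "__main__":
    for label, xml_text in (("GET/POST only", descriptor(["GET", "POST"])),
                            ("all methods", descriptor())):
        print(label, "->", find_issues(xml_text) or "no issues")
```

Run it against your exported web.xml with `find_issues(open("web.xml").read())`. The first case shows the descriptor you get when only GET and POST are ticked in WSAD; the second, with no method list, is the form to deploy.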
6. Export the whole application as an .ear file. Development of the enterprise application is now complete.

3 LDAP Server Configuration

WebSphere's security configuration and its testing require an LDAP database. In the author's LDAP database two suffixes were created, cn=root and cn=SSO. cn=root holds the entries used for the security authentication needed to start the administrative console; under cn=SSO an admin user is created, which will be mapped to the security role in our application.

4 WebSphere Server-Side Configuration

The WebSphere server does not support SSO by default, so the server must be configured for it. The detailed SSO configuration process is as follows:
1. Make sure WebSphere 4.0 is installed, preferably Advanced Edition.
2. Download the WebSphere patch and upgrade WebSphere to the 4.0.6 level used in section 1.
3. Start the server and the administrative console.
4. In the administrative console open Security Center and, on the General tab, tick the Enable Security checkbox; the other settings can be adjusted as you see fit.
5. Switch to the Authentication tab.
   i. Select Lightweight Third Party Authentication (LTPA) as the authentication mechanism. SSO does not work with the authentication mechanism based on the local operating system, so LTPA is the only possible choice.
   ii. Tick the checkbox to the left of "Enable Single Sign On" and enter the DNS domain to use in the "Domain" field. For example, the author's machine is b.chinacreator.com, so the value entered is chinacreator.com.
   iii. Tick Enable Web Trust Association.
   iv. If this is the first of all your WebSphere servers to be configured, click Generate Key and enter the username and password in the dialog that appears. If it is not the first server, click Import Key and select the key file exported from the first server, so that the key generated there is imported. All servers must share the same LTPA keys, otherwise a token issued by one server will not validate on another; the key file is a secret, so transfer it over a secure channel and remove any spare copies.
   v. Select the LDAP radio button to use the LDAP database as the user registry. For SSO between WebSphere servers a custom user registry can also be chosen; for SSO between WebSphere and Domino only the LDAP database can be used, because Domino does not support a user-implemented registry.
   vi. Security Server ID: the username of the administrative user. It must be a user that exists in the LDAP database, given as the value of its uid attribute; do not use a DN such as cn=xxx. Remember this user, because after the configuration is complete you must enter these credentials the next time you start the administrative console. According to our LDAP settings, the value is admin.
   vii. Security Server Password: the password of the user above.
   viii. Host: the machine name of the LDAP server, in our case b.chinacreator.com. [Note] It is best not to use the host's IP address.
   ix. Port: the port of the LDAP server; the default is 389.
   x. Base Distinguished Name: the root under which users are searched. In our demonstration all network user information is stored under cn=SSO, so enter cn=SSO.
   xi. Bind Distinguished Name and Bind Password: the DN and password of a user allowed to search the LDAP directory. They are usually left empty, because by default the LDAP database grants all (anonymous) users this permission, unless additional restrictions have been added in LDAP. Where the directory also holds data that should not be readable anonymously, use a dedicated read-only bind account instead.
   xii. Click OK to finish the WebSphere server security configuration.
   xiii. Restart the server so that the security settings take effect.
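As an added check that is not part of the article, the following Python script exercises what section 4 configures and section 6 verifies by hand: it logs in through j_security_check on a.chinacreator.com, reads the cookie WebSphere sets, confirms that the cookie's Domain attribute is the shared DNS domain (otherwise a browser never sends it to the second host), and replays the token to b.chinacreator.com, which only accepts it if both servers share the same LTPA keys. The host names, port 9080, context root /sso and protected page are taken from the article; the cookie name LtpaToken, the credentials and the FakeWebSphere transport used to run it offline are assumptions. Pass urllib_fetch instead of the fake to run it against real servers.

```python
"""Probe LTPA single sign-on between two WebSphere hosts in one DNS domain.

Added example, not from the article. Hosts, port, context root and page
follow the article; the cookie name LtpaToken, the credentials and the
FakeWebSphere transport are assumptions so that it runs offline.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit
import urllib.error
import urllib.request

HOST_A, HOST_B, PORT = "a.chinacreator.com", "b.chinacreator.com", 9080
PROTECTED = "/sso/securityfold/HelloWorld.jsp"
LOGIN = "/sso/j_security_check"
SSO_DOMAIN = "chinacreator.com"          # the Domain entered in Security Center
COOKIE = "LtpaToken"                     # assumed name of WebSphere's SSO cookie


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                      # surface 3xx as HTTPError instead of following


def urllib_fetch(method, url, headers=None, body=None):
    """Real transport: (status, [(header, value), ...], body) for one request."""
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
            return resp.status, list(resp.headers.items()), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, list(err.headers.items()), err.read()


def login(fetch, host, user, password):
    """POST the J2EE form login; return the SSO cookie Morsel, or None on failure."""
    body = urlencode({"j_username": user, "j_password": password}).encode()
    _, headers, _ = fetch("POST", f"http://{host}:{PORT}{LOGIN}",
                          {"Content-Type": "application/x-www-form-urlencoded"}, body)
    jar = SimpleCookie()
    for name, value in headers:
        if name.lower() == "set-cookie":
            jar.load(value)
    return jar.get(COOKIE)


def served(fetch, host, cookie_value=None):
    """True only if the protected page itself came back, not the login form."""
    headers = {"Cookie": f"{COOKIE}={cookie_value}"} if cookie_value else {}
    status, _, body = fetch("GET", f"http://{host}:{PORT}{PROTECTED}", headers)
    return status == 200 and b"j_security_check" not in body


def check_sso(fetch, user, password):
    """Run the checks behind section 6 of the article; returns name -> bool."""
    result = {"protected_without_token": not served(fetch, HOST_A)}
    token = login(fetch, HOST_A, user, password)
    result["token_issued"] = token is not None
    if token is None:
        return result
    # A browser sends the cookie to host B only if its Domain is the shared
    # DNS domain; the probe replays it explicitly, so this check stands in
    # for the browser's decision.
    result["cookie_domain_ok"] = token["domain"].lstrip(".").lower() == SSO_DOMAIN
    result["cookie_secure"] = bool(token["secure"])   # False on the article's plain-http setup
    # Host B accepts the token only if it shares host A's LTPA keys.
    result["sso_to_host_b"] = served(fetch, HOST_B, token.value)
    return result


class FakeWebSphere:
    """Constructed offline stand-in for both servers (not real WebSphere behaviour)."""

    def __init__(self, shared_keys=True, cookie_domain=SSO_DOMAIN):
        self.keys = {HOST_A: "keyA", HOST_B: "keyA" if shared_keys else "keyB"}
        self.cookie_domain = cookie_domain
        self.users = {"admin": "secret"}           # constructed test credentials

    def __call__(self, method, url, headers=None, body=None):
        parts = urlsplit(url)
        if parts.path == LOGIN:
            form = dict(parse_qsl((body or b"").decode()))
            if self.users.get(form.get("j_username")) != form.get("j_password"):
                return 302, [("Location", "/sso/error.html")], b""
            token = f"{form['j_username']}-{self.keys[parts.hostname]}"  # stands in for an LTPA token
            return 302, [("Set-Cookie", f"{COOKIE}={token}; Domain={self.cookie_domain}; Path=/")], b""
        jar = SimpleCookie()
        jar.load((headers or {}).get("Cookie", ""))
        morsel = jar.get(COOKIE)
        if morsel and morsel.value.endswith("-" + self.keys[parts.hostname]):
            return 200, [("Content-Type", "text/html")], b"<html>Hello World</html>"
        return 200, [], b'<form action="j_security_check">login</form>'


if __name__ == "__main__":
    print(check_sso(FakeWebSphere(), "admin", "secret"))
```

Two points are deliberate. served() inspects the body rather than trusting the status code, because a container may answer an unauthenticated request with the login page and a 200 instead of a redirect. cookie_secure is False for the configuration in this article, since port 9080 is plain HTTP and the LTPA token travels in the clear on every request within the domain; in production put the application behind HTTPS and restrict the token to SSL connections.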
If additional WebSphere servers need to be configured, repeat the steps above on each of them.

5 Installing the Web Application

Now install the web application we developed onto the WebSphere servers.
1. Open the administrative console on a.chinacreator.com.
2. Right-click Enterprise Applications and select Install Enterprise Application.
3. Click Browse, select the .ear file exported earlier, and click Next.
4. Map the security role to users. Click Select; three options are offered and they can be combined. All Users maps the role to every user, logged in or not. All Authenticated Users maps the role to every user under cn=SSO, so anyone who enters a correct username and password receives this role. You can also select specific usernames and groups. Here select All Authenticated Users.
5. Keep clicking Next until the application is installed on the server.
6. Start the enterprise application.
Repeat these steps to install the application on b.chinacreator.com.

6 Verifying SSO

1. Verify that the security feature of the web application works: browse to the HelloWorld.jsp page on b.chinacreator.com (the same URL as in step 2, with host b). The login page appears; enter any username and password from cn=SSO and the system automatically redirects to HelloWorld.jsp, which shows that the security feature in our web application is in effect.
2. Verify SSO: in the same browser, enter http://a.chinacreator.com:9080/sso/securityfold/HelloWorld.jsp. Ideally the page is shown directly, without entering the login information again for authentication. If that is not what happens, refer to section 5.8.4 of the IBM WebSphere InfoCenter, "Troubleshooting SSO configuration problems".

7 Conclusion

In this article the author demonstrates how to implement SSO between two WebSphere servers in the same DNS domain, and explains the key points and special requirements that must be observed during implementation.
One problem remained unresolved during configuration: when mapping users to the role, the user groups that exist in the LDAP database cannot be selected (see section 5, step 4). The author will keep studying this and would appreciate a note from any reader who solves it. The whole demo example has passed testing in the author's environment. Readers who encounter difficulties or questions while configuring SSO are welcome to contact the author.