IBM Support

JEE Server checks user role mapping for member of authorized group

Question & Answer


Question

LDAP Troubleshooting Multipart Document, part 7 of 11. What is the next step in the LDAP troubleshooting flow chart?

Cause

Enhanced documentation

Answer

Back to - Master LDAP troubleshooting Document -

LDAP Troubleshooting Master Document
Forward to - J2EE server checks for J2EE security enabled -
LDAP Troubleshooting Multipart Document 6 of 11 - LDAP server authenticates user

After:

  • The user enters a URL to Maximo
  • The JEE server is configured for JEE server security
  • The requested resource is protected
  • The JEE server requests security authentication
  • The browser displays the authentication dialog
  • The LDAP server authenticates the user

Once the LDAP server has authenticated the user, the role mapping configured in the JEE server is checked to confirm that the user is a member of a group authorized to use Maximo.

The two JEE servers fail this check differently. In WebSphere, if the user is authenticated but is not a member of the group authorized to access Maximo, the browser displays a 403 error. In WebLogic, if the user is authenticated but is not a member of the group authorized to access Maximo, the browser displays the login dialog again, in an attempt to obtain a valid user.


WebSphere

In WebSphere, role mapping is handled by the web.xml file of each Maximo web module, plus one setting in the WebSphere console. The web.xml files are:

\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml

\maximo\applications\maximo\mboweb\webmodule\WEB-INF\web.xml

\maximo\applications\maximo\meaweb\webmodule\WEB-INF\web.xml

\maximo\applications\maximo\maxrestweb\webmodule\WEB-INF\web.xml

Each web.xml contains the following entry, which defines the maximouser role:


    <security-role>
      <description>MAXIMO Application Users</description>
      <role-name>maximouser</role-name>
    </security-role>

There is more than one way to configure WebSphere role mapping. The two console settings described below map roles to groups during deployment and after deployment.

Note: The group created in Active Directory and referenced by the "Mapped Groups" setting is maximousers (plural), while the role defined in web.xml and listed in the same console setting is maximouser (singular). The two names are not interchangeable.

The first setting configures the IBM WebSphere JEE server to map roles to groups during the fifth step of the EAR deployment process.


The second setting configures the IBM WebSphere JEE server to map the selected groups to the specified roles after the EAR has been deployed.


WebLogic

With Oracle WebLogic versions through 9.2, role mapping is handled by four files and one setting in the WebLogic console.

\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\weblogic.xml

\maximo\applications\maximo\META-INF\weblogic-application.xml

\maximo\applications\maximo\mboejb\ejbmodule\META-INF\weblogic-ejb-jar.xml

\maximo\applications\maximo\maximouiweb\webmodule\WEB-INF\web.xml

The files weblogic.xml, weblogic-application.xml, and weblogic-ejb-jar.xml all contain the following entry:


    <security-role-assignment>
      <role-name>maximouser</role-name>
      <principal-name>maximousers</principal-name>
    </security-role-assignment>

The file web.xml contains the following entry, which defines the maximouser role:

    <security-role>
      <description>MAXIMO Application Users</description>
      <role-name>maximouser</role-name>
    </security-role>

Note: The group created in Active Directory and referenced by the three WebLogic configuration files (as principal-name) is maximousers (plural), while the role defined in web.xml and referenced by the three WebLogic configuration files (as role-name) is maximouser (singular). Swapping the two, or using the plural form in role-name, breaks the mapping.
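The descriptor wiring above is easy to get subtly wrong (the singular/plural trap in the note is the classic case). The following script is an added example, not part of the IBM technote or of the Maximo product: it parses constructed web.xml and weblogic.xml fragments shaped like the ones quoted above and reports the mismatches that end in a WebSphere 403 or a WebLogic login loop. The XML strings, the role and group names, and the function names are this example's own; the checks apply equally to the WebSphere web.xml files, since the role declaration there is identical.

```python
"""Consistency check for the Maximo security-role wiring.

Added example, not IBM's or Oracle's code. It flags: an auth-constraint
on an undeclared role, a declared role that protects nothing, a
security-role-assignment whose role-name matches no declared role (the
singular/plural trap), a declared role with no assignment, and an
assignment to a principal other than the expected LDAP group.
"""
import difflib
import xml.etree.ElementTree as ET

EXPECTED_ROLE = "maximouser"    # role-name declared in web.xml (singular)
EXPECTED_GROUP = "maximousers"  # Active Directory group name (plural)

# Constructed sample: web.xml that declares the role and uses it to protect /*.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>maximo</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>maximouser</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <description>MAXIMO Application Users</description>
    <role-name>maximouser</role-name>
  </security-role>
</web-app>"""

# Constructed sample: correct weblogic.xml (singular role, plural group).
WEBLOGIC_XML_GOOD = """<weblogic-web-app>
  <security-role-assignment>
    <role-name>maximouser</role-name>
    <principal-name>maximousers</principal-name>
  </security-role-assignment>
</weblogic-web-app>"""

# Constructed sample: role-name typed as the plural group name by mistake.
WEBLOGIC_XML_BAD = WEBLOGIC_XML_GOOD.replace(
    "<role-name>maximouser</role-name>", "<role-name>maximousers</role-name>")


def _local(tag):
    """Strip a namespace prefix: '{http://...}role-name' -> 'role-name'."""
    return tag.rsplit("}", 1)[-1]


def _children_text(elem, name):
    """Text of every direct child of elem whose local name is `name`."""
    return [c.text.strip() for c in elem if _local(c.tag) == name and c.text]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def declared_roles(web_xml):
    """Role names declared in <security-role> elements."""
    root = ET.fromstring(web_xml)
    return {r for sr in _find_all(root, "security-role") for r in _children_text(sr, "role-name")}


def constrained_roles(web_xml):
    """Role names actually used in <auth-constraint> elements."""
    root = ET.fromstring(web_xml)
    return {r for ac in _find_all(root, "auth-constraint") for r in _children_text(ac, "role-name")}


def role_assignments(weblogic_xml):
    """role-name -> set of principal-name from <security-role-assignment>."""
    root = ET.fromstring(weblogic_xml)
    out = {}
    for sra in _find_all(root, "security-role-assignment"):
        for role in _children_text(sra, "role-name"):
            out.setdefault(role, set()).update(_children_text(sra, "principal-name"))
    return out


def check_mapping(web_xml, weblogic_xml, expected_group=EXPECTED_GROUP):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    declared = declared_roles(web_xml)
    constrained = constrained_roles(web_xml)
    assigned = role_assignments(weblogic_xml)

    for role in sorted(constrained - declared):
        findings.append(f"auth-constraint references undeclared role '{role}'")
    for role in sorted(declared - constrained):
        findings.append(f"role '{role}' is declared but protects no url-pattern")
    for role in sorted(assigned.keys() - declared):
        msg = f"security-role-assignment for '{role}' matches no declared role"
        hint = difflib.get_close_matches(role, sorted(declared), n=1)
        if hint:
            msg += f" (did you mean '{hint[0]}'?)"
        findings.append(msg)
    for role in sorted(declared - assigned.keys()):
        findings.append(f"role '{role}' has no security-role-assignment; "
                        "every authenticated user will be rejected")
    for role, principals in sorted(assigned.items()):
        if role in declared and expected_group not in principals:
            findings.append(f"role '{role}' is mapped to {sorted(principals)}, "
                            f"not to group '{expected_group}'")
    return findings


if __name__ == "__main__":
    print("good:", check_mapping(WEB_XML, WEBLOGIC_XML_GOOD))
    print("bad:", check_mapping(WEB_XML, WEBLOGIC_XML_BAD))
```

Run it against the real descriptors by reading each WEB-INF\web.xml and its sibling weblogic.xml (or weblogic-application.xml and weblogic-ejb-jar.xml, which carry the same security-role-assignment element) into the two string arguments. Namespaced descriptors are handled, because tags are compared by local name.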

The setting shown below configures the Oracle WebLogic JEE server to search for groups under the specified LDAP base. This should be the Organizational Unit (OU) in Active Directory that contains the maximousers group; a group that lies outside the configured base is not found, even if the user is a member of it.




When these settings are correctly configured, the maximousers group will show up in the WebLogic console as a group under Security/Realms/myrealm/Groups as shown below.




If a user who is not a member of the group mapped to the maximouser role is authenticated, WebLogic redisplays the login dialog (step 5 of the login process). WebSphere returns a 403 error in the same situation.
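The two failure modes of this step, a group that sits outside the configured search base and a user who is simply not a member, look alike from the browser. The script below is an added example, not IBM's or Oracle's code: it models the lookup against a constructed in-memory stand-in for Active Directory so the behaviour can be reasoned about offline. It assumes, as a simplification of the authenticator, that only groups whose DN lies under the configured group base are visible, and that nested group membership is followed through the "member" attribute; the DNs, OU layout, user names and the authorize/find_group/is_member functions are this example's own.

```python
"""Model of the WebLogic group lookup behind the maximouser role mapping.

Added example, not part of the IBM technote. DIRECTORY is a constructed
sample; escaped commas in DNs are not handled (simplification).
"""
from collections import deque

# Constructed sample directory: DN -> attributes.
DIRECTORY = {
    "CN=maximousers,OU=Maximo,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Maximo Admins,OU=Maximo,OU=Groups,DC=example,DC=com",
                   "CN=Alice,OU=Users,DC=example,DC=com"],
    },
    "CN=Maximo Admins,OU=Maximo,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=Bob,OU=Users,DC=example,DC=com"],
    },
    "CN=Alice,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=Bob,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
    "CN=Carol,OU=Users,DC=example,DC=com": {"objectClass": ["user"]},
}


def dn_parts(dn):
    """Lower-cased RDN components, so comparisons ignore case and spacing."""
    return [p.strip().lower() for p in dn.split(",")]


def norm(dn):
    return ",".join(dn_parts(dn))


def under_base(dn, base):
    """True when dn is strictly below base in the directory tree."""
    d, b = dn_parts(dn), dn_parts(base)
    return len(d) > len(b) and d[-len(b):] == b


def find_group(index, group_name, group_base):
    """Normalized DN of the group named group_name, only if it lies under group_base."""
    for dn, attrs in index.items():
        if ("group" in attrs.get("objectClass", [])
                and dn_parts(dn)[0] == f"cn={group_name.lower()}"
                and under_base(dn, group_base)):
            return dn
    return None


def is_member(index, user_dn, group_dn):
    """Direct or nested membership via 'member', breadth-first with a cycle guard."""
    target, seen, queue = norm(user_dn), set(), deque([norm(group_dn)])
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        for m in index.get(g, {}).get("member", []):
            m = norm(m)
            if m == target:
                return True
            if "group" in index.get(m, {}).get("objectClass", []):
                queue.append(m)
    return False


def authorize(directory, user_dn, group_base, group_name="maximousers"):
    """Outcome of the role-mapping step for an already-authenticated user."""
    index = {norm(dn): attrs for dn, attrs in directory.items()}
    group = find_group(index, group_name, group_base)
    if group is None:
        return "group-not-under-base"   # console shows no maximousers group at all
    if not is_member(index, user_dn, group):
        return "not-a-member"           # WebLogic re-prompts; WebSphere would 403
    return "ok"


if __name__ == "__main__":
    for user in ("Alice", "Bob", "Carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=com"
        print(user, authorize(DIRECTORY, dn, "OU=Groups,DC=example,DC=com"))
    print("wrong base:", authorize(DIRECTORY, "CN=Alice,OU=Users,DC=example,DC=com",
                                   "OU=Service Accounts,DC=example,DC=com"))
```

The useful diagnostic split is the first return value: if authorize reports group-not-under-base for every user, the search base in the console is wrong and no amount of group membership will help, which matches the symptom of the maximousers group being absent from Security/Realms/myrealm/Groups.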




Document Information

Modified date:
13 April 2021

UID

swg21304205