SECJ0053E: Authorization failed for /UNAUTHENTICATED

Technote (troubleshooting)


Problem(Abstract)

While enabling Application Server Security (LDAP authentication) on Maximo 7.x with WebSphere Application Server, "/UNAUTHENTICATED" errors appear in the WebSphere SystemOut and/or SystemErr log files.

Symptom

These errors may cause problems with user login or group membership and could impact Maximo functionality.

This document also resolves the following error:
SECJ0129E: Authorization failed for username while invoking GET on maximo_host:/maximo/ui/login, Authorization failed, Not granted any of the required roles: maximouser


Cause

When the Maximo.EAR file is deployed to WebSphere, users must be mapped to the "maximouser" role in order for WebSphere to authorize them to access deployed applications.


Environment

Only applies to Maximo 7 environments running IBM WebSphere Application Server. This issue is not platform specific.

Diagnosing the problem

Deploy the system and map the security role, maximouser, to the users and groups that meet your organization’s requirements, or assign the users to the default group, maximousers, in the LDAP system.

Resolving the problem

To map the maximouser role to specific users or groups in WebSphere:


Using the WebSphere administrative console:
- In the left pane, click Applications > Enterprise Applications.
- Click the deployed Maximo EAR file.
- Click the Configuration tab.
- Under the Additional Properties heading, click Map security roles to users/groups.
- Select maximouser.
- To give individual users access to Maximo, click Look up users.
- To give specific groups and users in those groups access to Maximo, click Look up groups.
- For WebSphere 6.0 and 6.1, to give Maximo access to all successfully authenticated users, click All Authenticated.
- For WebSphere 7.0, to give Maximo access to all successfully authenticated users, select Map Special Subjects and select All Authenticated in Application's Realm.

To authenticate users into Maximo:
- For individual users, search for max* for maximouser or * for all users. Click >> to move users from the Available list to the Selected list.
- For groups, search for max* for maximouser groups or * for all users. Click >> to move user groups from the Available list to the Selected list.
- Click OK when complete and then click Save to save the Enterprise Application configuration changes.
- Click OK to synchronize changes with nodes.
- In the left pane, go to the Servers > Application servers folder, click maximoserver, and start the server.


This action needs to be taken each time you redeploy the Maximo.EAR file. This may also need to be completed after changes have been made to the Maximo server in WebSphere.


If the error is not resolved after applying the above change, review the following section to see if it applies to your situation.

Customers who have recently implemented Application Server Security while already using the Netcool/Omnibus integration, or who are currently implementing Netcool/Omnibus with Maximo using Application Server Security, may receive an error similar to the one below when sending a transaction to Maximo. This change may also be necessary for other external integration components.

[ERROR] Error while processing the incoming transaction
javax.ejb.AccessLocalException: ; nested exception is: com.ibm.websphere.csi.CSIAccessException: SECJ0053E: Authorization failed for /UNAUTHENTICATED while invoking (Bean)ejb/maximo/remote/mosservice secureProcessMOS(byte[],java.lang.String):3 securityName: /UNAUTHENTICATED;accessID: UNAUTHENTICATED is not granted any of the required roles: maximouser

The following changes are required to allow secure access to the correct methods.

Locate and edit the web.xml file in \ibm\SMP\maximo\applications\maximo\meaweb\webmodule\WEB-INF\.

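Uncomment the security-constraint sections by removing the comment tags shown below: the opening <!-- before the first <security-constraint> and the closing --> after the last </security-constraint> (these were highlighted in bold in the original document).

Change the useAppServerSecurity parameter from 0 (false) to 1 (true), as shown in the env-entry-value element below.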

<!--
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Enterprise Service Servlet</web-resource-name>
    <description>Enterprise Service Servlet (HTTP POST) accessible by authorized users</description>
    <url-pattern>/es/*</url-pattern>
    <url-pattern>/esqueue/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Roles that have access to Enterprise Service Servlet (HTTP POST)</description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>App Service Servlet</web-resource-name>
    <description>App Service Servlet (HTTP POST) accessible by authorized users</description>
    <url-pattern>/ss/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Roles that have access to App Service Servlet (HTTP POST)</description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Object Structure Service Servlet</web-resource-name>
    <description>Object Structure Service Servlet (HTTP POST) accessible by authorized users</description>
    <url-pattern>/os/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Roles that have access to Object Structure Service Servlet (HTTP POST)</description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Integration Web Services</web-resource-name>
    <description>Integration Web Services accessible by authorized users</description>
    <url-pattern>/services/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <description>Roles that have access to Integration Web Services</description>
    <role-name>maximouser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description>data transmission gaurantee</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
-->
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Integration Web Application Realm</realm-name>
</login-config>

<security-role>
  <description>MAXIMO Application Users</description>
  <role-name>maximouser</role-name>
</security-role>
<env-entry>
  <description>Indicates whether to use Application Server security or not</description>
  <env-entry-name>useAppServerSecurity</env-entry-name>
  <env-entry-type>java.lang.String</env-entry-type>
  <env-entry-value>1</env-entry-value>
</env-entry>



After the changes to the web.xml are made, save the file, then rebuild and redeploy the Maximo.EAR file. When the Maximo.EAR is redeployed, refer to the steps at the top of this document to re-map the users to roles in WebSphere.
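
A quick way to confirm both web.xml edits before rebuilding the EAR, as an added example (not IBM's code and not part of the original technote): the Python check below parses a web.xml and reports any of the five URL patterns that still lack an active maximouser constraint, plus the useAppServerSecurity value. The function names and the trimmed sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# URL patterns covered by the four constraints in the technote's web.xml.
REQUIRED = {"/es/*", "/esqueue/*", "/ss/*", "/os/*", "/services/*"}

def find(elem, name):
    # Match on local name so files with a J2EE default namespace also work.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def texts(elem, name):
    return {(e.text or "").strip() for e in find(elem, name)}

def audit_web_xml(text):
    """Return a list of findings; an empty list means both edits are in place."""
    root = ET.fromstring(text)  # the parser drops comments, so a constraint
    protected = set()           # still inside <!-- --> is simply not seen
    for sc in find(root, "security-constraint"):
        if "maximouser" in texts(sc, "role-name"):
            protected |= texts(sc, "url-pattern")
    findings = [f"no active constraint for {p}" for p in sorted(REQUIRED - protected)]
    value = None
    for entry in find(root, "env-entry"):
        if "useAppServerSecurity" in texts(entry, "env-entry-name"):
            value = "".join(texts(entry, "env-entry-value"))
    if value != "1":
        findings.append(f"useAppServerSecurity is {value!r}, expected '1'")
    return findings

def sample(commented, flag):
    """Constructed, trimmed stand-in for the meaweb web.xml (not the real file)."""
    groups = [("/es/*", "/esqueue/*"), ("/ss/*",), ("/os/*",), ("/services/*",)]
    body = "".join(
        "<security-constraint><web-resource-collection>"
        + "".join(f"<url-pattern>{p}</url-pattern>" for p in g)
        + "</web-resource-collection><auth-constraint><role-name>maximouser"
        "</role-name></auth-constraint></security-constraint>" for g in groups)
    if commented:
        body = "<!--" + body + "-->"
    return ("<web-app>" + body + "<env-entry><env-entry-name>useAppServerSecurity"
            "</env-entry-name><env-entry-value>" + str(flag)
            + "</env-entry-value></env-entry></web-app>")

if __name__ == "__main__":
    print("before:", audit_web_xml(sample(True, 0)))
    print("after: ", audit_web_xml(sample(False, 1)) or "OK")
```

To check a real deployment, pass the contents of the edited web.xml to audit_web_xml; a half-applied change (constraints uncommented but the flag left at 0, or the reverse) shows up as a specific finding.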

Cross reference information
Segment Product Component Platform Version Edition
Systems and Asset Management Tivoli Asset Management for IT All
Systems and Asset Management IBM Maximo Asset Management Essentials All


Document information


More support for:

IBM Maximo Asset Management
Maximo Login

Software version:

7.1, 7.1.1, 7.2, 7.2.1, 7.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1321974

Modified date:

2009-10-09
