Protecting resources on WebSphere Application Server or WebSphere Application Server Liberty
You can protect your resources that are running on WebSphere® Application Server or WebSphere Application Server Liberty servers with OAuth-based IBM MobileFirst™ Platform Foundation security.
Overview
To enable MobileFirst OAuth security for resources on WebSphere Application Server or WebSphere Application Server Liberty servers, complete the following steps:
Configure OAuthTAI
You configure the OAuthTAI feature by using XML. For WebSphere Application Server Liberty, you add the XML to the server.xml file. For WebSphere Application Server, you save it in a separate file.
The OAuthTAI element is the root element. The following sections describe the OAuthTAI attributes and subelements:
OAuthTAI attributes
- cacheSize
-
(Optional) Maximum number of tokens allowed. The default is 500.
- id
-
(Mandatory) Defines a unique id of OAuthTAI.
OAuthTAI subelements
- securityConstraint
-
(Mandatory) The value of securityConstraint must be a number 1 to n.
securityConstraint attributes
- securedURLs
- (Mandatory) If multiple URLs are specified in securedURLs, separate each URL by a space. The following types of URLs are supported:
- Exact match URL. For example,/context-root/a/xyz
- Path match URL. For example, /context-root/*
- Wild card match URL. For example,/context-root/*/xyz
- httpMethods
-
(Optional) Default value: ALL. The httpMethods attribute is case insensitive. Its value can be one or more of the following strings: ALL, DELETE, GET, POST,PUT,HEAD,OPTIONS,TRACE, or CONNECT. If multiple methods are specified, separate the methods by a space.
- scope
-
(Optional) If scope is not specified, the only checking that is done is to make sure that the mandatory scopes are not expired.
<?xml version="1.0" encoding="UTF-8"?>
<OAuthTAI>
<securityConstraint httpMethods="GET POST" securedURLs="/mfp-oauth-java-tests/*"
scope="Realm1 Realm2"/>
<securityConstraint httpMethods="DELETE" securedURLs="/another-context-root/*"/>
</OAuthTAI>
Set the security role
To protect the web resources used by your application, you must specify TAIUserRole as the Java™ Platform, Enterprise Edition (Java EE) security role. You can specify TAIUserRole as the Java EE security role in one of two ways: in the web.xml file or as an annotation.
<security-constraint>
<web-resource-collection>
<web-resource-name>BaseServlet</web-resource-name>
<url-pattern>/Test/devices</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>TAIUserRole</role-name>
</auth-constraint>
</security-constraint>
<security-role id="SecurityRole_TAIUserRole" >
<description>This is the role that MobileFirst OAuthTAI uses to protect the resource. It must be mapped to 'All Authenticated in Application' in WAS and to 'ALL_AUTHENTICATED_USERS' in Liberty.</description>
<role-name>TAIUserRole</role-name>
</security-role>
@WebServlet("/Test/devices")
@ServletSecurity(@HttpConstraint(rolesAllowed={"TAIUserRole"}))
public class BaseServlet extends HttpServlet {
// servlet code ...
}
Install and configure OAuthTAI in WebSphere Application Server or WebSphere Application Server Liberty
Installing OAuthTAI in WebSphere Application Server Liberty
- Copy the file product_install_dir/WorklightServer/external-server-libraries/com.ibm.worklight.oauth.tai_1.0.0.jar
to usr/extension/lib.
where
- product_install_dir
- is the installation directory for MobileFirst Server.
- usr
- is the user directory for theWebSphere Application Server Liberty profile (default name usr).
- Copy the file OAuthTai-1.0.mf from the directory WorklightServer/external-server-libraries to the directory usr/extension/lib/features.
- Edit the server.xml file to add the OAuthTAI
-1.0 feature. For example:
<featureManager> <feature>appSecurity-2.0</feature> <feature>usr:OAuthTai-1.0</feature> <!--other necessary features--> </featureManager>
- Edit the server.xml file to add the OAuthTAI
feature. Note that the security role TAIUserRole is
mapped to a special subject named ALL_AUTHENTICATED_USERS.
For example:
<usr_OAuthTAI id="myOAuthTAI"> <securityConstraint httpMethods="GET POST" securedURLs="/worklight-oauth-java-tests/*" scope="Realm1 Realm2"/> <securityConstraint httpMethods="DELETE" securedURLs="/another-context-root/*"/> </usr_OAuthTAI> <basicRegistry id="basic" realm="BasicRealm" /> <application type="war" id="basicauth" name="basicauth" location="${server.config.dir}/apps/basicauth.war"> <application-bnd> <security-role name="TAIUserRole"> <special-subject type="ALL_AUTHENTICATED_USERS" /> </security-role> </application-bnd> </application>
- Add the URL to the authorization server into the environment variables
of your deployment. One way of doing so is to add the entry into the server.env file,
which is located in the same directory as the server.xml file.
Add the following, where
publicKeyServerUrl=URL_to_authorization_server.
URL_to_authorization_server is the URL to the MobileFirst authorization server.
Installing OAuthTAI in WebSphere Application Server
- Copy project_root_dir/target/com.ibm.worklight.oauth.tai_1.0.0.jar to product_install_dir/lib/ext.
- Open the WebSphere Application Server console.
- Click Enable LTPA. , and select
- Click Security > Global Security > Application security > Enable application security.
- Configure the trust association.
- Click Security > Global Security > Web and SIP security > Trust association.
- Click Enable trust association.
- Under Interceptors, click New,
and create a new interceptor with the following values:
- Interceptor class name:com.worklight.oauth.tai.OAuthTAI
- Custom properties: configFileLocation = OAuthTAI_config_file_dir/filename.xml
where
OAuthTAI_config_file_dir/filename.xml is the directory path and file name of the XML configuration file that you already created. See the configuration file example .
- Create an environment entry that points to the authorization server.
- In the WebSphere Application Server console, click Servers > Server Types > WebSphere application servers > your_server_name > Server Infrastructure > Java and Process Management > Process Definition > Additional Properties > Environment Entries.
- Create the following environment variable:
publicKeyServerUrl=authorization_server_URL
where
- authorization_server_URL
- is the URL to the MobileFirst authorization server.
- Map the security role.
- In the WebSphere Application Server console, click Applications > Application Types > WebSphere enterprise applications > your_application_name > Details Properties > Security role to user/group mapping.
- Map the role that is allowed to access your application to All Authenticated in Application's Realm. For example: TAIUserRole as in sample above.
- Restart WebSphere Application Server.
Add the tokens to the authorization header of your request
Authorization: Bearer Access_token ID_token
where
- Bearer
- (Mandatory) Is the required string for the token type, as defined in the OAuth 2.0 specification.
- Access_token
- (Mandatory) Encapsulates all of the security checks that the client has passed in the authorization phase.
- ID_token
- (Optional) Contains information about the user and device identity of the client.
Validation item | Result if invalid |
---|---|
The authorization header exists. | A 401 error is returned, with the response header WWW-Authenticate: Bearer realm=“imfAuthentication”, scope="${required_scopes_list}" |
The authorization header starts with the string Bearer. | A 400 error is returned, with the response header WWW-Authenticate: Bearer realm=“imfAuthentication”, error="invalid_request", scope="${required_scopes_list} |
The signature of the access token and the ID token are valid and not expired, and theycan be decoded. | A 401 error is returned, with the response header WWW-Authenticate: Bearer realm=“imfAuthentication”, error="invalid_request", scope="${required_scopes_list}" |
Validation of scope. This includes the following:
|
A 403 error is returned, with the response header WWW-Authenticate: Bearer realm="imfAuthentication", error="insufficient_scope", error_description="${detail_information_of_error}.", scope="${required_scopes_list}" |
The security context object
After successful validation, a security context is available to your application. The security context is a JSON object that contains the following properties:
- Subject: securityContext.get("imf.sub");
- The subject is a string which uniquely identifies the application installation on a device and the authenticated user.
- User Identity: (Optional)securityContext.get("imf.user");
- The user identity is a JSON object which contains information
about the authenticated user. For anonymous tokens, the user identity
is null. The user identity contains the following properties:
- "id": (Mandatory) The user identity of the authenticated user identity realm.
- "authBy": (Mandatory):The name of the authenticated user identity realm.
- "displayName": (Optional) The user's display name as set when authenticating the user identity realm. This property may be null.
- "attributes" : (Optional) Additional data that can be set when authenticating the user identity realm. This property may be null.
- Application information:securityContext.get("imf.application");
- Application information, including"id", "environment",
and "version". For example:
{"id":"com.MobileFirst.TestApp","environment":"Android","version":"1.0"}
- Device information:securityContext.get("imf.device");
- Device information, including "id", "platform", "model" and "osVersion". For
example:
{"id":"E7D426A2-214C-834C-87FF-D8E9DF93655D","platform":"Android","model":"Nexus 5","osVersion":"5.0"}
Example
JSONObject securityContext = callerWLCredential.getSecurityContext();
String subject = securityContext.get("imf.sub");
JSONObject imfUser = securityContext.get("imf.user");
JSONObject imfDevice = securityContext.get("imf.device");
JSONObject imfApplication = securityContext.get("imf.application");
- com.ibm.websphere.security.cred.WSCredential
- The WSCredential interface defines a credential that represents an authenticated principal to WebSphere Application Server or WebSphere Application Server Liberty. For example:
For more information about WSCredential, see the WSCredential documentation for your version of WebSphere Application Server or WebSphere Application Server Liberty. For example, see WSCredential for WebSphere Application Server Network Deployment 8.5.Subject callerSubject = WSSubject.getCallerSubject(); WSCredential callerCredential = callerSubject.getPublicCredentials (WSCredential.class).iterator().next();
- com.worklight.oauth.tai.WLCredential
- The WLCredential interface provides APIs to get the MobileFirst specific
principal details.
WLCredential callerWLCredential = callerSubject.getPublicCredentials (WLCredential.class).iterator().next();
IBM MobileFirst Platform Foundation OAuthTAI in development mode
In development mode, you can copy the jar and the manifest file from the following locations, depending on your development environment:- MobileFirst Studio
- The root of every project contains a folder named externalServerLibraries. This folder contains both the TAI jar file (com.ibm.worklight.oauth.tai_1.0.0.jar) and the manifest file (OAuthTai-1.0.mf).
- MobileFirst Platform Command Line Interface
-
The TAI jar file (com.ibm.worklight.oauth.tai_1.0.0.jar) and the manifest file (OAuthTai-1.0.mf ) are located in the CLI_install_dir/public folder,
where
CLI_install_dir
is the path where MobileFirst Platform Command Line Interface is installed.
Both files are also copied into the /externalServerLibraries folder in any new MobileFirst project created by the command-line interface.
Reporting analytics
The Token lib library can report analytic events to IBM MobileFirst Platform Operational Analytics. You must configure the Resource Server that contains the Token lib with your Analytics URL and credentials.
- imf.analytics.url
- imf.analytics.username
- imf.analytics.password
<jndiEntry jndiName="imf.analytics.username" value="admin"/>
If your Resource Server is running on WebSphere Application Server, you must configure these properties as Environment Entries. In the WebSphere Application Server Console, go to . This value is the location where you had to set publicKeyServerUrl when you set up OAuthTAI.