Protecting resources on WebSphere Application Server or WebSphere Application Server Liberty

You can protect your resources that are running on WebSphere® Application Server or WebSphere Application Server Liberty servers with OAuth-based IBM MobileFirst™ Platform Foundation security.

Overview

To enable MobileFirst OAuth security for resources on WebSphere Application Server or WebSphere Application Server Liberty servers, complete the following steps:

Configure OAuthTAI

You configure the OAuthTAI feature by using XML. For WebSphere Application Server Liberty, you add the XML to the server.xml file. For WebSphere Application Server, you save it in a separate file.

The OAuthTAI element is the root element. The following sections describe the OAuthTAI attributes and subelements:

OAuthTAI attributes

cacheSize: (Optional) Maximum number of tokens allowed. The default is 500.

id: (Mandatory) Defines a unique id of OAuthTAI.

OAuthTAI subelements

securityConstraint: (Mandatory) The value of securityConstraint must be a number 1 to n.

securityConstraint attributes

securedURLs

(Mandatory) If multiple URLs are specified in securedURLs, separate each URL by a space. The following types of URLs are supported:

Exact match URL. For example,/context-root/a/xyz
Path match URL. For example, /context-root/*
Wild card match URL. For example,/context-root/*/xyz

httpMethods: (Optional) Default value: ALL. The httpMethods attribute is case insensitive. Its value can be one or more of the following strings: ALL, DELETE, GET, POST,PUT,HEAD,OPTIONS,TRACE, or CONNECT. If multiple methods are specified, separate the methods by a space.

scope: (Optional) If scope is not specified, the only checking that is done is to make sure that the mandatory scopes are not expired.

The following is an example:

<?xml version="1.0" encoding="UTF-8"?>
   <OAuthTAI>
       <securityConstraint httpMethods="GET POST" securedURLs="/mfp-oauth-java-tests/*" 
          scope="Realm1 Realm2"/>
       <securityConstraint httpMethods="DELETE" securedURLs="/another-context-root/*"/>
   </OAuthTAI>

Set the security role

To protect the web resources used by your application, you must specify TAIUserRole as the Java™ Platform, Enterprise Edition (Java EE) security role. You can specify TAIUserRole as the Java EE security role in one of two ways: in the web.xml file or as an annotation.

To specify the TAIUserRole in the web.xml file, define TAIUserRole in the security-role element, and then use this role to secure the web resource in the security-constraint element. For example:

<security-constraint>
   <web-resource-collection>
      <web-resource-name>BaseServlet</web-resource-name>
      <url-pattern>/Test/devices</url-pattern>
   </web-resource-collection>
      <auth-constraint>
         <role-name>TAIUserRole</role-name>
      </auth-constraint>
</security-constraint>
<security-role id="SecurityRole_TAIUserRole" >
   <description>This is the role that MobileFirst OAuthTAI uses to protect the resource. It must be mapped to 'All Authenticated in Application' in WAS and to 'ALL_AUTHENTICATED_USERS' in Liberty.</description> 
   <role-name>TAIUserRole</role-name>
</security-role>

To specify TAIUserRole with an annotation:

@WebServlet("/Test/devices")
@ServletSecurity(@HttpConstraint(rolesAllowed={"TAIUserRole"}))
public class BaseServlet extends HttpServlet {
    // servlet code ...
  }

Install and configure OAuthTAI in WebSphere Application Server or WebSphere Application Server Liberty

Installing OAuthTAI in WebSphere Application Server Liberty

Copy the file product_install_dir/WorklightServer/external-server-libraries/com.ibm.worklight.oauth.tai_1.0.0.jar to usr/extension/lib.
where

product_install_dir

is the installation directory for MobileFirst Server.

usr

is the user directory for theWebSphere Application Server Liberty profile (default name usr).
Copy the file OAuthTai-1.0.mf from the directory WorklightServer/external-server-libraries to the directory usr/extension/lib/features.

Edit the server.xml file to add the OAuthTAI -1.0 feature. For example:

<featureManager>
   <feature>appSecurity-2.0</feature>
   <feature>usr:OAuthTai-1.0</feature>
   <!--other necessary features-->
</featureManager>

Edit the server.xml file to add the OAuthTAI feature. Note that the security role TAIUserRole is mapped to a special subject named ALL_AUTHENTICATED_USERS. For example:

<usr_OAuthTAI id="myOAuthTAI">
   <securityConstraint httpMethods="GET POST" securedURLs="/worklight-oauth-java-tests/*"
       scope="Realm1 Realm2"/>
   <securityConstraint httpMethods="DELETE" securedURLs="/another-context-root/*"/>
</usr_OAuthTAI>
    
    <basicRegistry id="basic" realm="BasicRealm" />
    
    <application type="war" id="basicauth" name="basicauth" location="${server.config.dir}/apps/basicauth.war">
    <application-bnd>
			 <security-role name="TAIUserRole">
				 <special-subject type="ALL_AUTHENTICATED_USERS" />
		   </security-role>
	   </application-bnd>
   </application>

Add the URL to the authorization server into the environment variables of your deployment. One way of doing so is to add the entry into the server.env file, which is located in the same directory as the server.xml file. Add the following, where
```
 publicKeyServerUrl=URL_to_authorization_server.
```
URL_to_authorization_server is the URL to the MobileFirst authorization server.

Installing OAuthTAI in WebSphere Application Server

Copy project_root_dir/target/com.ibm.worklight.oauth.tai_1.0.0.jar to product_install_dir/lib/ext.
Open the WebSphere Application Server console.
Click Security > Global Security > Authentication, and select Enable LTPA.
Click Security > Global Security > Application security > Enable application security.
Configure the trust association.
1. Click Security > Global Security > Web and SIP security > Trust association.
2. Click Enable trust association.
3. Under Interceptors, click New, and create a new interceptor with the following values:
  - Interceptor class name:com.worklight.oauth.tai.OAuthTAI
  - Custom properties: configFileLocation = OAuthTAI_config_file_dir/filename.xml
    where
    
    OAuthTAI_config_file_dir/filename.xml is the directory path and file name of the XML configuration file that you already created. See the configuration file example .
Create an environment entry that points to the authorization server.
1. In the WebSphere Application Server console, click Servers > Server Types > WebSphere application servers > your_server_name > Server Infrastructure > Java and Process Management > Process Definition > Additional Properties > Environment Entries.
2. Create the following environment variable:
```
publicKeyServerUrl=authorization_server_URL
```
  where
  
  authorization_server_URL
  
  is the URL to the MobileFirst authorization server.
Map the security role.
1. In the WebSphere Application Server console, click Applications > Application Types > WebSphere enterprise applications > your_application_name > Details Properties > Security role to user/group mapping.
2. Map the role that is allowed to access your application to All Authenticated in Application's Realm. For example: TAIUserRole as in sample above.
Restart WebSphere Application Server.

Add the tokens to the authorization header of your request

Add the following line to the authorization header of your request:

Authorization: Bearer  Access_token ID_token

where

Bearer: (Mandatory) Is the required string for the token type, as defined in the OAuth 2.0 specification.
Access_token: (Mandatory) Encapsulates all of the security checks that the client has passed in the authorization phase.
ID_token: (Optional) Contains information about the user and device identity of the client.

When the application attempts to access resources protected by OAuth TAI, the following validation checks occur:

Validation item	Result if invalid
The authorization header exists.	A 401 error is returned, with the response header `WWW-Authenticate: Bearer realm=“imfAuthentication”, scope="${required_scopes_list}"`
The authorization header starts with the string `Bearer`.	A 400 error is returned, with the response header `WWW-Authenticate: Bearer realm=“imfAuthentication”, error="invalid_request", scope="${required_scopes_list}`
The signature of the access token and the ID token are valid and not expired, and theycan be decoded.	A 401 error is returned, with the response header `WWW-Authenticate: Bearer realm=“imfAuthentication”, error="invalid_request", scope="${required_scopes_list}"`
Validation of scope. This includes the following: Verification of the scope in the access token. Whether the mandatory scope is expired. Whether the scope is expired. Whether the access token contains all of the required realm names.	A 403 error is returned, with the response header `WWW-Authenticate: Bearer realm="imfAuthentication", error="insufficient_scope", error_description="${detail_information_of_error}.", scope="${required_scopes_list}"`

The security context object

After successful validation, a security context is available to your application. The security context is a JSON object that contains the following properties:

Subject: securityContext.get("imf.sub");

The subject is a string which uniquely identifies the application installation on a device and the authenticated user.

User Identity: (Optional)securityContext.get("imf.user");

The user identity is a JSON object which contains information about the authenticated user. For anonymous tokens, the user identity is null. The user identity contains the following properties:

"id": (Mandatory) The user identity of the authenticated user identity realm.
"authBy": (Mandatory):The name of the authenticated user identity realm.
"displayName": (Optional) The user's display name as set when authenticating the user identity realm. This property may be null.
"attributes" : (Optional) Additional data that can be set when authenticating the user identity realm. This property may be null.

Application information:securityContext.get("imf.application");

Application information, including"id", "environment", and "version". For example:

 {"id":"com.MobileFirst.TestApp","environment":"Android","version":"1.0"}

Device information:securityContext.get("imf.device");

Device information, including "id", "platform", "model" and "osVersion". For example:

{"id":"E7D426A2-214C-834C-87FF-D8E9DF93655D","platform":"Android","model":"Nexus 5","osVersion":"5.0"}

Example

  JSONObject securityContext = callerWLCredential.getSecurityContext();
  String subject = securityContext.get("imf.sub");
  JSONObject imfUser = securityContext.get("imf.user");
  JSONObject imfDevice = securityContext.get("imf.device");
  JSONObject imfApplication = securityContext.get("imf.application");

The WSCredential and WLCredential APIs provide credential functionality.

com.ibm.websphere.security.cred.WSCredential

The WSCredential interface defines a credential that represents an authenticated principal to WebSphere Application Server or WebSphere Application Server Liberty. For example:

Subject callerSubject = WSSubject.getCallerSubject();
  WSCredential callerCredential = callerSubject.getPublicCredentials
     (WSCredential.class).iterator().next();

For more information about WSCredential, see the WSCredential documentation for your version of WebSphere Application Server or WebSphere Application Server Liberty. For example, see WSCredential for WebSphere Application Server Network Deployment 8.5.

com.worklight.oauth.tai.WLCredential

The WLCredential interface provides APIs to get the MobileFirst specific principal details.

    WLCredential callerWLCredential = callerSubject.getPublicCredentials
          (WLCredential.class).iterator().next();

IBM MobileFirst Platform Foundation OAuthTAI in development mode

In development mode, you can copy the jar and the manifest file from the following locations, depending on your development environment:

MobileFirst Studio: The root of every project contains a folder named externalServerLibraries. This folder contains both the TAI jar file (com.ibm.worklight.oauth.tai_1.0.0.jar) and the manifest file (OAuthTai-1.0.mf).

MobileFirst Platform Command Line Interface

The TAI jar file (com.ibm.worklight.oauth.tai_1.0.0.jar) and the manifest file (OAuthTai-1.0.mf ) are located in the CLI_install_dir/public folder,

where

CLI_install_dir

is the path where MobileFirst Platform Command Line Interface is installed.

Both files are also copied into the /externalServerLibraries folder in any new MobileFirst project created by the command-line interface.

Reporting analytics

The Token lib library can report analytic events to IBM MobileFirst Platform Operational Analytics. You must configure the Resource Server that contains the Token lib with your Analytics URL and credentials.

The MobileFirst Operational Analytics server is protected by basic authentication. When you installed this server, you configured the data entry point and basic authentication credentials. To configure the Resource Server, you must provide the Analytics credentials through JNDI properties, specifically the URL to the data entry point, the user name, and password. These properties are set with the following property names:

imf.analytics.url
imf.analytics.username
imf.analytics.password

If your Resource Server is running on WebSphere Application Server Liberty, you must configure these properties by using JNDI by adding entries to your server.xml file. For example:

<jndiEntry jndiName="imf.analytics.username" value="admin"/>

If your Resource Server is running on WebSphere Application Server, you must configure these properties as Environment Entries. In the WebSphere Application Server Console, go to Servers > Server Types > Websphere application servers > <your server> > Server Infrastructure > Java and Process Management > Process Definition > Additional Properties > Environment Entries > New. This value is the location where you had to set publicKeyServerUrl when you set up OAuthTAI.