Implementing Basic Auth with RAD and Servlet 2.4

A colleague recently wrote a RESTful service and wanted to add a bit of security to it.  Here at Cat we use IBM's RAD environment and I personally prefer to use the editors to make changes to the web.xml and such.

I wrote up a big whoop-de-do maybe a year ago on how to set up basic auth in WebSphere 7 and thought it was different from WebSphere 6.  However, the differences really come down to the servlet spec version, not the WebSphere version.  The spec version is declared at the top of the web.xml like this:


That is a Servlet 2.4 web.xml (the version attribute on the root web-app element is what decides which editor pages and which XML elements RAD gives you).  These instructions show how to use the RAD tooling to add Basic auth to a web project.  We are going to assume that you already have a web project written and just need to add Basic auth to it, and that you are going to hook the service up to LDAP groups.

1.  The first step is to open the web.xml in the deployment descriptor editor and select the "Security" tab (the tabs are along the bottom).



The first things to add are some Security Roles.  Notice here I have 5 roles and they are named "blahblahRole".  This is a good naming convention and I suggest it.  We will use the first one, "ServiceToolRole", as the example.  Make one of these for each service you want to secure.  This creates XML in our web.xml like this:



2.  Next you add some Security Constraints.  A constraint maps a set of web resources (URL patterns plus, optionally, HTTP methods) to the roles allowed to call them.  So you add a "blahblahConstraint", add a Web Resource Collection (URL pattern and methods), and then attach a role.


So here you add the URL pattern and, if you want, the HTTP verbs to constrain.  Be careful with the verbs: only the methods you list are constrained, and every method you leave out (PUT, DELETE, HEAD, OPTIONS, TRACE, ...) goes straight through to your servlet with no login at all.  For a REST service that is almost never what you want, so unless you have a reason to expose some verbs anonymously, leave the method list empty and the constraint covers all of them.  Once the collection is added, you need to tie the constraint to the role you created in step #1 (this becomes the auth-constraint).

3.  OK.  Now you have your constraints and roles defined.  The next thing we need to do is tell WebSphere to use Basic auth.  Proceed to the "Pages" tab to set this up:


Here we select "BASIC" from the Authentication Method drop down and fill in the Realm Name.  The realm is the one piece of text you get to put in the browser's login window (it shows in the red box above); how, and whether, a browser displays it varies from browser to browser.  That popup belongs to the browser, not to your app, so the realm name is the only customization you can do to the logon screen.  Don't waste your time trying for more.

4.  We are done with the web.xml.  Now we need to set up the EAR.  Find the application.xml in the EAR project, open it in the editor, and click on the "Security" tab.


There may be no roles in your view.  If the one you want is not there, hit the "Gather" button at the bottom.  This goes into the web.xml of each module and "gathers" all the roles it finds into application.xml.  Then select the role, click "Users/Groups", and add the LDAP groups you want.  You can also add individual users, but prefer groups: the mapping ships inside the EAR, so a per-user binding has to be edited and redeployed every time someone joins or leaves.  Save and close and you should be done.

Using the wizard here is a must, because besides application.xml it also writes the WebSphere-specific binding file ibm-application-bnd.xmi.  That file is what actually maps each role to the LDAP groups and user names you picked; application.xml only declares the role.
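For reference, this is what the web.xml looks like once the wizard has done steps 1 to 3.  It is an added example, not the author's actual file: the servlet class, the context, the role name ServiceToolRole and the URL pattern /services/* are assumed for illustration.  It also includes two things the wizard does not set for you and that a REST service usually wants: a constraint with no http-method list, so every verb is covered, and a CONFIDENTIAL transport guarantee, so the Basic credentials (which are only base64-encoded, not encrypted) never cross the wire in the clear.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Servlet 2.4 deployment descriptor: the version attribute and the
     web-app_2_4.xsd schemaLocation are what make this a "spec 2.4" web.xml. -->
<web-app id="WebApp_ID" version="2.4"
         xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

  <display-name>ServiceTool</display-name>

  <!-- The RESTful servlet being protected (name and class are assumed). -->
  <servlet>
    <servlet-name>ServiceToolServlet</servlet-name>
    <servlet-class>com.example.servicetool.ServiceToolServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ServiceToolServlet</servlet-name>
    <url-pattern>/services/*</url-pattern>
  </servlet-mapping>

  <!-- Step 2: the constraint.  With no <http-method> elements every verb
       (GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, ...) is constrained.
       Listing only GET and POST would leave the others unauthenticated. -->
  <security-constraint>
    <display-name>ServiceToolConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>ServiceTool</web-resource-name>
      <url-pattern>/services/*</url-pattern>
    </web-resource-collection>
    <!-- Ties the constraint to the role from step 1. -->
    <auth-constraint>
      <role-name>ServiceToolRole</role-name>
    </auth-constraint>
    <!-- Basic credentials are base64, not encrypted: require HTTPS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Step 3: BASIC auth.  The realm name is the only text you control
       in the browser's login prompt. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Service Tool - enter your LDAP credentials</realm-name>
  </login-config>

  <!-- Step 1: one role per service you want to secure. -->
  <security-role>
    <description>Callers allowed to use the Service Tool REST service</description>
    <role-name>ServiceToolRole</role-name>
  </security-role>

</web-app>
```

The EAR side of step 4 is not shown: application.xml just repeats the security-role element, and the LDAP group mapping the wizard writes into ibm-application-bnd.xmi is WebSphere-specific, so let the wizard generate it.  To check the result after deploying, send a request with no Authorization header (for example `curl -i https://host/servicetool/services/ping`); the container must answer 401 with a `WWW-Authenticate: Basic realm="..."` header before the servlet runs.  Repeat with `-X DELETE` and `-X OPTIONS`: if either comes back 200 instead of 401, the constraint has an http-method list that is leaving verbs uncovered.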

That's it!  Now when you hit your RESTful service, you should be met with a logon prompt.  Type in your credentials and Bam!  Data!  Note that if you put in incorrect credentials, your webapp will not even know it.  WebSphere intercepts the request, checks the credentials against LDAP, and sends back the 401 itself before anything reaches your app, so failed logins show up only in the container's logs, never in your application's.

Let me know if this has been helpful!
