Archive for May 8th, 2007

Enabling single sign on - Web applications in WebSphere 6.0

Recently I came across a requirement to enable single sign on between two different Web applications running on different machines in the same domain. WebSphere does provide out-of-the-box support for single sign on, but figuring it out took me a lot of time. So I have written this step-by-step guide so that you don’t have to go through the torture again!

All the screenshots in this guide are taken from Rational Application Developer (RAD). I could configure everything except the “roles to groups mapping” directly from RAD’s console; for that mapping I had to export the application as an EAR file and deploy it.

1. Enabling WebSphere security

Check out the following screenshot which shows the settings I have selected under Security->Global Security.

Global security settings

a) LTPA is required when the Web applications are on different machines in the same domain.

b) I used a custom user registry that checks users against a database. A more common approach is to use LDAP.

2. Click on the “custom” link under user registries in Security->Global Security. The following settings were selected on this page.

a) The user ID and password given must be a valid user ID and password in the database.

b) MyUserRegistry implements the com.ibm.websphere.security.UserRegistry interface and is copied to the “classes” folder inside the WAS home folder.

3. Click on “LTPA” under authentication mechanisms. Single sign on can be enabled by clicking on the “Single Sign On” link on the right.

The above three steps complete the “Global Security” setup on WAS. Now we will configure JAAS to apply this security at the Web application level.

1. Configure the web.xml of the application. This involves protecting Web resources using a security-constraint entry. The following is a sample entry:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>operator</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>     
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyApp</realm-name>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/logonError.jsp</form-error-page>
        </form-login-config>
    </login-config>

2. Implement a login page for the application that conforms to the WAS form-login convention (the form posts j_username and j_password to j_security_check). The following is a sample page:

<html>
  <head>
    <title>Login</title>
  </head>
  <body>
    <form method="post" action="j_security_check">
      Enter user ID and password:
      User ID: <input type="text" size="20" name="j_username">
      Password: <input type="password" size="20" name="j_password">
      <input type="submit" name="login" value="Login">
    </form>
  </body>
</html>

3. While deploying, bind the roles declared in web.xml to groups from the UserRegistry. For simplicity you could also map the entire role to “any authenticated user”.

Some common errors and their solutions:

1. When I start RAD after enabling Global Security, it stays in “starting” mode forever!

Open soap.client.props in the base_v6\profiles\default\properties folder and add the user ID and password fields as shown below. The user ID/password must be the same as the ones given on the “custom user registry” page.

com.ibm.SOAP.loginUserid=test
com.ibm.SOAP.loginPassword=test

Run the following command from the command prompt as shown. Replace the cell name and node name with the values on your machine. This reconfigures the FileTransfer application with authentication.

D:\Rational\runtimes\base_v6\bin>wsadmin wsadmin.bat -profile redeployFileTransfer.jacl -c "fileTransferAuthenticationOn machine97622Node01Cell machine97622Node01 server1" -user test -password test

2. I am getting the following error:

Authentication failed for user: com.ibm.ws.console.security.ConnectToRuntimeException: null nested exception is com.ibm.websphere.security.CustomRegistryException

This means that the custom user registry is not loaded. Ensure that you restart RAD after copying the custom user registry class. Also ensure that the custom user registry class is under the classes folder (base_v6\classes on RAD).

3. I have an error which is not listed above?

Check trace.log inside the base_v6\profiles\default\logs\server1 folder. This should give a lot of information about the underlying problem. If you are still unable to resolve the issue, contact me!

Pagination in DB2 database

Pagination is required when you develop a listing screen that has thousands of records. The best way to implement pagination is to leverage features available in the database. In an Oracle database you can use the RANK() function. On a DB2 database you can use the ROW_NUMBER() function. The following example shows how to implement pagination on a DB2 database:

SELECT * FROM
  (SELECT a.customer_name, ROW_NUMBER() OVER
    (ORDER BY a.customer_name) AS RN FROM customer a
    WHERE a.customer_status='ACTIVE'
  )
X WHERE X.RN BETWEEN 0 AND 100

This method won’t work if you are using AS400. On AS400, the only way seems to be to iterate through the entire result set and pick up the records needed for the screen. For example, if you want to show records 100 to 200, start from 0, skip the first 100, populate records 100 to 200 and then stop. Obviously this means that if the result set is huge and you navigate to the last page, it might take a lot of time.
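As an added worked example (not code from the original post), the following Python script runs the post’s ROW_NUMBER() query with parameter markers instead of literal bounds, computes the inclusive row range for any page number, and implements the skip-through-the-cursor fallback described above for AS400 so the two can be compared. It assumes an in-memory SQLite database with constructed customer rows in place of DB2; SQLite 3.25+ accepts the same ROW_NUMBER() OVER syntax.

```python
import sqlite3

PAGE_SIZE = 100


def page_bounds(page, page_size=PAGE_SIZE):
    """Inclusive ROW_NUMBER() bounds for a 1-based page number.
    ROW_NUMBER() starts at 1, so page 1 is rows 1..100 and page 2 is 101..200."""
    if page < 1 or page_size < 1:
        raise ValueError("page and page_size must be >= 1")
    first = (page - 1) * page_size + 1
    return first, first + page_size - 1


# The post's DB2 query, with '?' parameter markers so the page bounds are bound
# as values and never concatenated into the SQL text (no injection surface).
PAGE_SQL = """
SELECT X.customer_name FROM
  (SELECT a.customer_name, ROW_NUMBER() OVER
     (ORDER BY a.customer_name) AS RN FROM customer a
    WHERE a.customer_status = 'ACTIVE'
  ) X
WHERE X.RN BETWEEN ? AND ?
ORDER BY X.RN
"""


def fetch_page_row_number(conn, page, page_size=PAGE_SIZE):
    first, last = page_bounds(page, page_size)
    return [row[0] for row in conn.execute(PAGE_SQL, (first, last))]


def fetch_page_by_skipping(conn, page, page_size=PAGE_SIZE):
    """Fallback for platforms without ROW_NUMBER() (the AS400 case): walk the
    ordered cursor, discard rows before the page, stop once the page is full."""
    first, last = page_bounds(page, page_size)
    cursor = conn.execute(
        "SELECT customer_name FROM customer WHERE customer_status = 'ACTIVE' "
        "ORDER BY customer_name")
    rows, seen = [], 0
    for (name,) in cursor:
        seen += 1
        if seen < first:
            continue          # still skipping rows that belong to earlier pages
        rows.append(name)
        if seen == last:
            break             # page is full; do not read the rest of the result set
    return rows


def build_sample_db():
    """Constructed sample data: 300 customers, every tenth one INACTIVE."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (customer_name TEXT, customer_status TEXT)")
    rows = [("cust%03d" % i, "ACTIVE" if i % 10 else "INACTIVE") for i in range(300)]
    conn.executemany("INSERT INTO customer VALUES (?, ?)", rows)
    return conn
```

Both functions return the same page for every page number; the skip loop simply reads more rows the further into the result set the page lies.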

Top 5 ways to love your wife

Blogging guru Darren Rowse is currently running a group writing project called “Top 5”. He is offering $1001 for the best blog post on “Top 5”. With the rise in the value of the rupee, $1001 is not worth much, but it will still fetch a decent laptop. So I decided to give it a try.

Top 5 ways to love your wife

1. Listen to her - This is one of the most important things that husbands normally miss. Listen to your wife; it is guaranteed to improve your family life! Here is a tip - don’t pretend to be listening; trust me, it won’t work.

2. Express your love - It is something which is easily overlooked in our busy lives. But expressing your love is so important for the warmth and closeness of married life. You know, sex is good for your health and mind :-)

3. Share responsibilities - There is a saying that “a man is incomplete until he is married”*. Giving your wife responsibilities is an effective way to show that you trust her. Also help her in taking care of the babies or with kitchen work.

4. Respect her - “Respect” has a unique property: you give it, and you get it back. So if you expect respect from your wife, first show it to her!

5. Surprise her - There are a lot of ways to surprise her. Throw a surprise party, go on an unplanned vacation or just buy her a simple gift. The smile on her face is worth a million bucks!

After writing this I have decided to change what I planned to buy with Darren’s gift. I would probably buy an all-expenses-paid family trip to Singapore ;-)

*- the complete quote is “A man is incomplete until he is married. After that, he is finished.”