Archive for the 'J2EE' Category

Enabling single sign on - Web applications in WebSphere 6.0

Recently I came across a requirement to enable single sign on between two different Web applications running on different machines but on the same domain. WebSphere does provide out of the box support of single sign on, but figuring it out took a lot of time for me. So I have written this step by step guide so that you don’t have to go through the torture again!

All the screenshots in this guide are taken from Rational Application Developer (RAD). I could configure everything except “roles to groups mapping” directly from RAD’s console. For configuring “roles to groups mapping” I had to export and deploy the application from an EAR file.

1. Enabling WebSphere security

Check out the following screenshot which shows the settings I have selected under Security->Global Security.

Global security settings

a) LTPA is required when the Web applications are on different machines but on the same domain.

b) I used a custom user registry which checked the users against a database. A more common approach is to use LDAP.

2. Click on the “custom” link under user registries in Security->Global Security. The following settings were selected on this page.

a) The user ID and password given are those of a valid user in the database.

b) MyUserRegistry implements com.ibm.websphere.security.UserRegistry interface and is copied to the “classes” folder inside WAS home folder.

3. Click on “LTPA” under authentication mechanisms. Single sign on can be enabled by clicking on the “Single Sign On” link on the right.

The above three steps complete the “Global Security” setup on WAS. Now we will configure JAAS for applying this security at the Web application level.

1. Configure web.xml of the application. This involves protecting Web resources using a security-constraint entry. The following is a sample entry:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>*.do</url-pattern>
            <http-method>DELETE</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>operator</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>     
    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>MyApp</realm-name>
        <form-login-config>
            <form-login-page>/logon.jsp</form-login-page>
            <form-error-page>/logonError.jsp</form-error-page>
        </form-login-config>
    </login-config>

2. Implement a login page for the application which conforms to WAS standards. The following is a sample page:

    <html>
      <head>
        <title>Login</title>
      </head>
      <body>
        <form method="post" action="j_security_check">
          Enter user ID and password:
          User ID: <input type="text" size="20" name="j_username">
          Password: <input type="password" size="20" name="j_password">
          <input type="submit" name="login" value="Login">
        </form>
      </body>
    </html>

3. While deploying, bind the web.xml roles to groups from the UserRegistry. For simplicity you could also map the entire role to “any authenticated user”.
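A check for the web.xml from step 1, added here as an example (it is not code from the original post). Under the Servlet specification a web-resource-collection that lists http-method elements constrains only those methods, while one that lists none constrains all of them, so the script reports constraints that enumerate methods and constraints without a CONFIDENTIAL transport guarantee. The second constraint in the sample ("Reports") is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's constraint plus a hypothetical second one ("Reports").
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>*.do</url-pattern>
      <http-method>DELETE</http-method><http-method>GET</http-method>
      <http-method>POST</http-method><http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>operator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _kids(elem, name):
    # Compare local names so DTD-based and namespaced (schema-based) descriptors both work.
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _text(elem, name):
    found = _kids(elem, name)
    return (found[0].text or "").strip() if found else ""

def audit_web_xml(xml_text):
    """Return a sorted list of (web-resource-name, finding) for every security-constraint."""
    findings = []
    for sc in _kids(ET.fromstring(xml_text), "security-constraint"):
        guarantee = "".join(_text(u, "transport-guarantee") for u in _kids(sc, "user-data-constraint"))
        for wrc in _kids(sc, "web-resource-collection"):
            name = _text(wrc, "web-resource-name")
            methods = sorted(m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text)
            if methods:  # listing methods leaves every unlisted method outside the constraint
                findings.append((name, "constraint covers only " + ",".join(methods)))
            if not _kids(sc, "auth-constraint"):
                findings.append((name, "no auth-constraint"))
            if guarantee != "CONFIDENTIAL":
                findings.append((name, "transport-guarantee is not CONFIDENTIAL"))
    return sorted(findings)
```

Removing the four http-method elements from the first constraint clears its finding, because the constraint then applies to every method.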

Some common errors and their solutions:

1. When I start RAD after enabling Global Security, it is in “starting” mode forever!

Open soap.client.props in base_v6\profiles\default\properties folder and add the userid and password fields as shown below. The userid/password must be the same as the one given on “custom user registry” page.

com.ibm.SOAP.loginUserid=test
com.ibm.SOAP.loginPassword=test

Run the following command on the command line as shown. Replace the cell name and node name with the values on your machine. This reconfigures the FileTransfer application with authentication.

D:\Rational\runtimes\base_v6\bin>wsadmin.bat -profile redeployFileTransfer.jacl -c "fileTransferAuthenticationOn machine97622Node01Cell machine97622Node01 server1" -user test -password test

2. I am getting the following error:

Authentication failed for user: com.ibm.ws.console.security.ConnectToRuntimeException: null nested exception is com.ibm.websphere.security.CustomRegistryException

This means that the custom user registry is not loaded. Ensure that you restart RAD after copying the custom user registry class. Also ensure that the custom user registry class is under the classes folder (base_v6\classes on RAD).

3. I have an error which is not listed above?

Check the trace.log inside base_v6\profiles\default\logs\server1 folder. This should give a lot of information about the underlying problem. If you are still unable to resolve the issue, contact me!

Error in RAD 6.0: Resolve against non-hierarchical or relative base error

While changing the datasource configuration in Rational Application Developer 6.0, I came across the following error.

java.lang.IllegalArgumentException: resolve against non-hierarchical or relative base

This turned out to be a very nasty problem. I first tried removing the datasource configuration and reconfiguring it. When that didn’t work, I tried deleting the server configuration. No luck!

On googling, I came across this solution.
http://www-1.ibm.com/support/docview.wss?uid=swg21218587

Solution
Open the resources.xml and find:
<cmpDatasource href="tempworkarea.xmi#DataSource_1125683336050"/>

The only way to fix this error is to manually edit the resources.xml. On searching under the runtimes folder, I came across multiple resources.xml files. I edited all of them and removed the cmpDatasource references completely.

The steps are,

1. Shut down RAD.
2. Remove cmpDatasource entries completely from the resources.xml files under the “runtimes” folder.
3. Start RAD and reconfigure datasources.

It worked!

Configuring DB2 connectivity in Rational Application Developer (RAD)

When you start a Web application in RAD 6.0 (Rational Application Developer 6.0), the first thing you need to configure is the database access. In this article, I will show you how to configure DB2 database access in RAD. I assume that DB2 is hosted on a Windows machine.

The first thing you need in order to configure DB2 access is the DB2 universal JDBC driver. The files can be taken from a DB2 server installation or from a DB2 Connect installation. The files you need are:

db2jcc.jar
db2jcc_license_cu.jar
db2jcc_license_cisuz.jar

Copy these files to a folder. This can be anywhere (I would suggest that you keep this under the Rational root folder).

I assume you have already created a server configuration in RAD. Now right click on the server (from the server window) and click on “Run administrative console”. This will open up the administrative interface. Typically it runs at “http://localhost:9060/ibm/console/”.

Log in by giving any user ID. Click on “JDBC providers” under “Resources”. On the right side you will see JDBC providers listed. Click on “New”. Now select values as shown below.

RAD JDBC Provider Settings

Click on Next. Now fill the driver paths in the Class path as shown below. You need to change this to point to the folder where JDBC jars are stored.

 RAD JDBC settings

Click on the Apply button. Once you have pressed the Apply button, you will see a Save link above. Click on Save and then click on the “Data sources” link on the right side. Fill in as shown below. Please substitute your DB2 server configuration (IP address, DB name, port etc.). Also note the JNDI name, which you will use in your application.

 RAD Datasource configuration

RAD Datasource settings

Click on “J2C authentication entries” on the right and fill in as shown below. This should be the DB2 userid/password. After completing this, press Apply and return to the Datasource screen.

RAD Datasource settings

Now you need to select the userid alias you have created from “J2C authentication entries” under component managed authentication alias as shown below. Please note that this is in the Datasource screen.

RAD Datasource settings

Now you can apply and save the settings. Click on “Test Connection” to verify the settings. If you see a success message, you are all set for DB2 access from your Web application!

Any problems? Mail me!

How do I find Struts version?

Recently while working on a J2EE project, I had to know the Struts version being used. The IDE used was Rational Application Developer. I couldn’t find an option in IDE which tells me the Struts version it is using!

The only way I could see was to open the struts.jar in Winzip and inspect the Manifest.mf. It showed Implementation-Version : 1.1. This means that RAD by default uses Struts 1.1.

I wanted to use the latest stable version of Struts (which is 1.3.5). Hence I deleted all the jars from WEB-INF/lib and then copied new jars from struts-1.3.5-lib.zip. That’s it!
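The manual manifest check described above can be scripted for every jar in WEB-INF/lib, which also confirms the versions after swapping jars. This is an added example, not part of the original post; `scan_lib`, `manifest_main_attributes` and the in-memory jar built by `sample_jar` are constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

def manifest_main_attributes(jar_bytes):
    """Return the main-section attributes of META-INF/MANIFEST.MF from a jar's bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        # Match the entry name case-insensitively (the post saw it as Manifest.mf).
        entry = next((n for n in jar.namelist() if n.upper() == "META-INF/MANIFEST.MF"), None)
        if entry is None:
            return {}
        text = jar.read(entry).decode("utf-8", "replace")
    attrs, key = {}, None
    for line in text.splitlines():
        if not line.strip():
            break  # a blank line ends the main section; per-entry sections follow
        if line.startswith(" ") and key:
            attrs[key] += line[1:]  # continuation of a value wrapped at 72 bytes
        elif ":" in line:
            key, value = line.split(":", 1)
            key = key.strip()
            attrs[key] = value.strip()
    return attrs

def scan_lib(lib_dir):
    """Map every jar in lib_dir (e.g. WEB-INF/lib) to its Implementation-Version."""
    return {p.name: manifest_main_attributes(p.read_bytes()).get("Implementation-Version", "unknown")
            for p in sorted(Path(lib_dir).glob("*.jar"))}

def sample_jar():
    """Constructed sample: an in-memory jar with a wrapped value and a per-entry section."""
    manifest = ("Manifest-Version: 1.0\r\n"
                "Implementation-Title: constructed sample with a value long enough to be wr\r\n"
                " apped\r\n"
                "Implementation-Version : 1.1\r\n"
                "\r\n"
                "Name: org/example/\r\n"
                "Implementation-Version: 9.9\r\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()

if __name__ == "__main__":
    print(manifest_main_attributes(sample_jar())["Implementation-Version"])
```

Jars that report "unknown" carry no Implementation-Version in the main section and need to be identified another way, for example from the file name of the distribution they came from.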