Problem (Abstract)
The customer was using the Local Redirector Plug-in with
the IBM HTTP Server v5.3 to route requests to a J2EE server. The
application running in the J2EE server called getRemoteUser() on the
request object which returned null. The customer had set up basic
authentication in his HTTP Server and could see the REMOTE_USER
environment variable being passed to the plug-in in his -vv trace.

Cause
The customer had not set up EJBROLEs for his Web
application.

Resolving the problem
In order for REMOTE_USER to pass through from the HTTP
Server address space to the J2EE server address space, you must have an
EJBROLE defined to enable security on the Web application. A single
EJBROLE, like "AuthorizedUsers", is sufficient to cover everyone that is
authorized to access the Web application. RACF instructions for setting up
an EJBROLE for a Web application can be found in Chapter 4 of WebSphere
Application Server V4.0.1 for z/OS and OS/390: Assembling J2EE
Applications, SA22-7836, under the section "Security Roles
and Method Permissions". Changes must also be made to the web.xml and
application.xml files in the Web application's EAR file. For example,
the following tags need to be updated or added to configure BASIC
authentication (as opposed to Form-Based authentication) in a Web
application:
- You must add a security-constraint and login-config tag to
your web.xml file.
Here is an example of each of these tags:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <!-- Role names are case-sensitive: this must match the
             role-name in the application.xml security-role tag -->
        <role-name>Manager</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>Example Basic Authentication Area</realm-name>
    </login-config>

- You must also add a security-role tag to your
application.xml file.
Here is an example:

    <security-role>
      <description>A manager in the enterprise.</description>
      <role-name>Manager</role-name>
    </security-role>

Once the customer set up his EJBROLE and added these tags, he was able to
access the REMOTE_USER variable in his Web application using a call to
getRemoteUser().