Problem
The customer was using the Local Redirector Plug-in with the IBM HTTP Server
v5.3 to route requests to a J2EE server. The application running in the J2EE
server called getRemoteUser() on the request object, which returned null. The
customer had set up basic authentication in his HTTP Server and could see the
REMOTE_USER environment variable being passed to the plug-in in his -vv trace.
Cause
The customer had not set up EJBROLEs for his Web application.
Solution
In order for REMOTE_USER to pass through from the HTTP Server address space
to the J2EE server address space, you must have an EJBROLE defined to enable
security on the Web application. A single EJBROLE, like "AuthorizedUsers", is
sufficient to cover everyone who is authorized to access the Web application.
RACF instructions for setting up an EJBROLE for a Web application can be found
in Chapter 4 of WebSphere Application Server V4.0.1 for z/OS and OS/390:
Assembling J2EE Applications, SA22-7836, under the section "Security Roles and
Method Permissions". Changes must also be made to the web.xml and
application.xml files in the Web application's EAR file. For example, the
following tags need to be updated or added to configure BASIC authentication
(as opposed to Form-Based authentication) in a Web application:
- You must add a security-constraint and a login-config tag to your web.xml
file. Here is an example of each of these tags:
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Basic Authentication Area</realm-name>
  </login-config>
- You must also add a security-role tag to your application.xml file. Here is
an example:
  <!-- The role-name must match the auth-constraint role-name exactly;
       role names are case-sensitive, so "Manager" would not match "manager". -->
  <security-role>
    <description>A manager in the enterprise.</description>
    <role-name>manager</role-name>
  </security-role>
Once the customer had set up his EJBROLE and added these tags, he was able to
retrieve the REMOTE_USER value in his Web application using a call to
getRemoteUser().
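The descriptor checks described above, as an added example that is not part of the original technote: a small Python script that parses constructed web.xml and application.xml samples and reports when the security-constraint, the BASIC login-config, or the matching security-role declaration (the pieces without which getRemoteUser() returns null) is missing. The check_descriptors function and the sample descriptors are this example's own; the EJBROLE in RACF cannot be verified from here and is assumed to be defined.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors mirroring the technote's snippets; the
# role-name case differs between the two files so the last check fires.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>manager</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Example Basic Authentication Area</realm-name>
  </login-config>
</web-app>"""

APP_XML = """<application>
  <security-role>
    <description>A manager in the enterprise.</description>
    <role-name>Manager</role-name>
  </security-role>
</application>"""

def check_descriptors(web_xml, app_xml):
    """Return findings (empty list = OK): a protected URL with an auth-constraint,
    a BASIC login-config, and a declared security-role for every role referenced."""
    web, app = ET.fromstring(web_xml), ET.fromstring(app_xml)
    findings = []
    refs = web.findall("security-constraint/auth-constraint/role-name")
    if not refs:
        findings.append("no security-constraint with an auth-constraint: requests "
                        "are unauthenticated and getRemoteUser() returns null")
    method = (web.findtext("login-config/auth-method") or "").strip()
    if method != "BASIC":
        findings.append("login-config/auth-method is %r, expected BASIC" % method)
    # Role names are case-sensitive: referenced and declared names must match exactly.
    declared = {r.text.strip() for r in app.findall("security-role/role-name") if r.text}
    for ref in refs:
        name = (ref.text or "").strip()
        if name not in declared:
            findings.append("role %r in auth-constraint is not declared as a "
                            "security-role (declared: %s)" % (name, sorted(declared)))
    return findings

if __name__ == "__main__":
    for finding in check_descriptors(WEB_XML, APP_XML):
        print("FINDING:", finding)
```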