Tags: ldap, websphere, java-ee-8, open-liberty, webseal

How does WSSubject.getCallerPrincipal() extract a logged in user data in Java EE application?


I am new to Java EE applications. I am working on a legacy project migration task, and while doing that I need to get some idea of how the authentication mechanism works in the application. It is using the IBM Open Liberty server. As per the documentation it is using WebSEAL and LDAP in combination. But I am not getting a clear picture of the authentication process. I have a class in which a method WSSubject.getCallerPrincipal() is called and it gets the userId as a string. But I am not able to see where it is getting those user details from and how it is communicating with LDAP for those user details.

Any direction will be appreciated.


Solution

  • If your user registry is properly configured and uses the server infrastructure, you will find it in the server.xml file, for example:

    <feature>ldapRegistry-3.0</feature>    <!-- this enables the LDAP feature -->
    
    <!-- this is sample config for TDS -->
    
    <ldapRegistry baseDN="o=acme.com" host="ldap.acme.com"
            ldapType="IBM Tivoli Directory Server" port="389" realm="AcmeLdap"
            bindDN="cn=testuser,o=acme.com" bindPassword="mypassword">
        <idsFilters
                groupFilter="(&amp;(cn=%v)(objectclass=groupofnames))"
                userFilter="(&amp;(objectclass=inetorgperson)(|(uid=%v)(mail=%v)))" />
    </ldapRegistry>
    

    In that case, classes contained in the LDAP feature are responsible for managing connections to your LDAP.

    You can find much more details about setting various LDAPs with OpenLiberty here - LDAP User Registry 3.0

    If your app is using homegrown security framework, unfortunately you have to dig in, and fully understand all the libs it contains.

    UPDATE
    If you are migrating from WebSphere and your application is using JEE security roles, you may need to create user<->role mappings unless they are already defined in the binding file (ibm-application-bnd.xml).

    Check here for details: Configuring authorization for applications in Liberty

    In short:

    • add <feature>appSecurity</feature>
    • check if you have in EAR - ibm-application-bnd.xml
    • if not, in old WebSphere env, look at the "User to role mapping" in the console, and recreate similar as application bindings in server.xml:
    <application type="war" id="myapp" name="myapp" location="${server.config.dir}/apps/myapp.war">
        <application-bnd>
            <security-role name="user">
                <group name="students" />
            </security-role>
            <security-role name="admin">
                <user name="gjones" />
                <group name="administrators" />
            </security-role>
            <security-role name="AllAuthenticated">
                <special-subject type="ALL_AUTHENTICATED_USERS" />
            </security-role>
        </application-bnd>
    </application>
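As an added example (not code from the question or the answer above), a servlet that shows where the identity returned by WSSubject.getCallerPrincipal() comes from once appSecurity and an ldapRegistry like the one above are configured. Assumed: the servlet class and path are made up for illustration, "user"/"admin" are the roles mapped in <application-bnd>, and Liberty's com.ibm.websphere.security API classes are on the compile classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.util.List;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.cred.WSCredential;
// Container-managed security: unauthenticated requests never reach doGet(), and
// "user"/"admin" resolve through the <application-bnd> mapping in server.xml.
// (Servlet name and path are assumptions for this example.)
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"user", "admin"}))
public class WhoAmIServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        // Portable Java EE view of the same identity, no vendor classes needed.
        Principal p = req.getUserPrincipal();
        out.println("getUserPrincipal   : " + (p == null ? "(none)" : p.getName()));
        out.println("isUserInRole(admin): " + req.isUserInRole("admin"));
        try {
            // Vendor view: the security name the registry resolved from the
            // authenticated credential (uid or mail, per the userFilter above).
            out.println("WSSubject caller   : " + WSSubject.getCallerPrincipal());
            // The caller Subject carries a WSCredential filled from the user
            // registry: realm, LDAP unique id (DN) and the groups used for roles.
            Subject subject = WSSubject.getCallerSubject();
            if (subject != null) {
                for (WSCredential c : subject.getPublicCredentials(WSCredential.class)) {
                    out.println("realm              : " + c.getRealmName());
                    out.println("unique id          : " + c.getUniqueSecurityName());
                    List<?> groups = c.getGroupIds();
                    out.println("groups             : " + groups);
                }
            }
        } catch (Exception e) { // WSSecurityException, CredentialExpiredException...
            // Fail closed rather than serve a page with an unknown identity.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "caller identity unavailable");
        }
    }
}
```

The group list printed here is what the container matches against the <group> entries in the bindings, so it is the first thing to compare when a role check fails after migration.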