Welcome!

Related Topics: IBM Cloud

IBM Cloud: Article

An LTPA Custom User Registry

An LTPA Custom User Registry

A three-letter acronym seen a lot recently is EAI (Enterprise Application Integration). EAI deals with the question of how to create a coherent enterprise system infrastructure within a heterogeneous application environment. One of the effects of mergers and the lack of standards for system integrators is the enormous amount of work it generates to glue all the parts of merging enterprises together. The major challenge is to do this in a logical manner while avoiding inconsistencies.

The aspect of EAI that I want to focus on is security, specifically the authentication and authorization of users. The J2EE platform requires user information in order to authenticate a user or group of users and to authorize access to a J2EE component or a Web resource. However, there is no consensus on where or how to store employee or customer information. Databases, LDAP (Lightweight Directory Access Protocol), or even the operating file system are used to store user information.

The WebSphere Security Center
The WebSphere Application Server Administrator's Console supports several user information registries for authentication purposes. Local registries are limited to a single application server. Centralized registries use the LTPA protocol to access a supported LDAP service. Customer-defined registries or pluggable registries use the WebSphere Custom Registry interface that facilitates access to a custom user registry. After enabling security in the WebSphere Security Center, WebSphere uses the local registry (operating system) by default to authenticate users. Although LDAP is becoming one of the major user repositories, there are still many companies that store user information in a database. I am not going to enter the LDAP versus database debate here. I will confine myself to stating that both have their strengths and weaknesses in particular uses.

LTPA
If neither the OS or the LDAP authentication is applicable for the target platform, WebSphere provides a third, more generic authentication mechanism, called Lightweight Third Party Authentication (LTPA) or do-it-yourself authentication. Another great excuse for developers to take legal advantage of the Not Invented Here syndrome, LTPA offers the possibility to use a nonstandard or a legacy solution that is not natively supported by WebSphere as a custom user registry for authentication purposes. A database, for instance, is not a "standard" solution, because there is no industry-wide agreement on the exact data schema, when used in case of authentication.

LTPA circumvents this problem by providing an interface that can be implemented. The CustomRegistry interface of WebSphere holds all the methods that the application server uses for its authentication. Building your own WebSphere custom user registry on top of any technology is easy. Just give an implementation for these methods and WebSphere LTPA can do the rest. Even the more advanced authentication features of WebSphere, such as single sign-on, (SSO) are supported by LTPA. Because the LTPA interface is WebSphere specific, changing the J2EE server platform means finding another solution for the LTPA custom user registry.

A Custom User Registry
The sample custom user registry in this article uses a database as the user repository and runs on any DBMS that supports JDBC. The sample code is independent of a specific database, with all its harmful consequences, such as the passwords being in clear text due to the lack of a universal encryption function. It is therefore advised not to use this sample implementation in a real production environment. The selection of the database is configured in the WebSphere Security Center. I have used both MySQL and Microsoft SQL Server to test the sample code. Before going right into the gory details of LTPA, first there are some prerequisites that you will need when building your own custom user registry. Besides the sample code for this article, which you can download from www.sys-con.com/websphere/sourcec.cfm, you also need the JDBC drivers for the DBMS you use. To make life easier the authentication form and error page are taken from the "Big3 application" downloads.zip file from the IBM site (www-3.ibm.com/software/webservers/appserv/ doc/v40/aes/infocenter/was/0601_downloads.html). This zip file contains a login.jar file, which you will need later on. IBM also provides a sample custom user registry in the WebSphere InfoCenter, based on text files.

The User Database
The user database in this sample has a very simple layout. Its only purpose is to hold the information needed by LTPA. A "real" solution could provide a much more complicated data model, but for this sample I will stick to the data model in Figure 1. It contains a user table, a group table, and a member table to store the relations between the users and the groups. In many cases the database layout is predetermined by an existing system rather than a variable. The difficulty in these situations is to locate the corresponding fields in the database. Once the database is up and running, you can start with the actual custom user registry coding.

It is not possible to use the "normal" JDBC DataSource for enterprise applications to access the database from your custom user registry. The reason is that the WebSphere Application Server provides the JDBC DataSource when it is running and the custom user registry should also be available in the WebSphere Administration Server, even when no application server is active. For instance the Administrator's Console is protected by LTPA (if selected in the Security Center). So the old-fashioned JDBC Driver is used in the custom user registry to obtain the connection to the database.

CustomRegistry Interface
The custom user registry itself is just one Java class that implements the CustomRegistry interface. I will not discuss the complete sample source code of the custom user registry. It is well documented and not very complex. I will just highlight particular issues.

The CustomRegistry interface consists roughly of four groups of methods, i.e., two general methods (initialize and getRealm), two authentication methods (checkPassword and mapCertificate), eight user-related methods, and eight group-related methods.

The initialize method takes a properties argument to initialize the registry. The administrator sets these properties in the Security Center (Special Custom Settings, see Figure 2). In the sample registry the properties are used to provide the JDBC driver (name), the connection URL, and the username and password to connect to the database. The method getRealm returns the realm of the registry. A realm determines the scope of security data. It is the region to which a security ID or permission applies. The realm is shown in the login screen, when you start the Administrator's Console. All other methods include pretty straightforward SQL statements to provide the functionality.

During deployment you can search through users and groups with the help of regular expressions. I have added an extra method (regular ExpressionTo SQL) in the Custom Registry implementation class, which provides a very simple SQL wildcards translation.

The most important concern is the correctness of your code. It is advisable to write a small JUnit test program to test your code. Correctness is crucial because you can lock yourself out of the Administrator's Console. If your custom user registry contains a bug that prevents you from gaining access, you will not be able to start up the Administrator's Console, without having to go into the WebSphere configuration files.

Build the Registry
In order to compile and build the custom user registry, you need to add the websphere.jar on the Java build path. In WebSphere Application Developer, add the JAR file via the variable WAS_PLUGINDIR/lib/websphere.jar. If you use some other IDE, you can find this JAR in the WebSphere directory (WebSphere/AppServer/lib/websphere.jar).

The class file compiled during the build must be copied to the WebSphere/Appserver/classes directory. Don't forget the directory structure of the Java package, or else the Security Center will not be able to use the registry. In the case of the sample registry the full path is WebSphere/Appserver/classes/nl/mnemonics/ltpa/ CustomUserRegistry.class.

Note that it is important to be very careful when upgrading to a newer version of your custom user registry. Use a different class name for the new registry, or select OS authentication first, reboot the administration server, overwrite the registry class, and select the new class in the Security Center. Overwriting a registry class while the Administration Server is running will result in a lockout. Remember always to be careful when altering security settings, especially the implementation class.

Library JARs
There are many opinions as to where to put library JARs. Because there are several classpaths (for the specific class loaders in WebSphere), there are also several places to store libraries. A rule of thumb is to put JARs as close to your application as possible, to minimize classpath problems. In other words, put it in the EAR file. In this case, however, there is no EAR file, at least not one specific for LTPA. The next best thing is to put the library JARs in the WebSphere Library Extension directory (WebSphere/Appserver/lib/ext).The JDBC driver library JARs for the selected DBMS are stored at this location.

Security Center
When the registry code is tested and installed in the classes directory of WebSphere and the JDBC Driver library files are available in the library extension, the LTPA custom user registry can be configured in WebSphere. Open the Security Center in the Administrator's Console, enable security, and go to the Authentication tab (see Figure 2). Select LTPA and enter the full domain name of the WebSphere Application Server. It is very important to enter the full name and not just the server name or else the registry will not work. It took me over an hour to figure that out.

Select Custom User Registry and enter the registry settings (user name, password, and class name). The user name and password of the registry settings represent the administrator's account. The next time, you need to use these credentials to log in to the Administrator's Console.

Click the Special Custom Settings button and enter the name/value pair settings for the initialize method of the registry (driver, URL, user, and password). The user and password of the Special Custom Settings belong to the corresponding JDBC connection (URL).

If everything is okay, applying the settings will cause the system to respond with something about the settings becoming active after the Administration Server is restarted. The Security Center checks the validity of the Security Server ID and the Security Server password during this process. If there is a bug in your custom user registry code, the settings are wrong, or WebSphere is unable to connect to the database, you will get an error. You can pinpoint the source of the problem with the provided stack trace.

When you restart the Administration Server the custom user registry will be active. Notice the custom user registry realm name during startup of the Administrator's Console.

WebSphere Versions
Although I have not experienced problems with different versions of WebSphere, there are reports of failing LTPA security in some versions of WebSphere Application Server. I have tested the custom user registry in WebSphere 4.0.3 and 4.0.4, and both worked fine.

Application Assembly
The sample application, mxTestLTPA, is not really an enterprise application at all. It is just a single dummy EJB with some simple Web resources for testing the custom user registry. The EJB has three methods (employee, manager, and administrator) that coincide with the J2EE roles defined in the EAR file and the groups defined in the database. I have added method permissions with the Application Assembly Tool (AAT) to map the groups directly on the J2EE roles. Of course, it is not mandatory that J2EE roles have names identical to those of the groups in a user registry.

There are also three HTML pages (employee.html, manager.html, and administrator.html) that are protected by the security constraints of the Web resource. I have added the login.html and error.jsp from the IBM "Big 3" application (login.jar). Notice the name of the HTML form and fields in login.html. This naming scheme enables WebSphere to use the username and password information for authentication purposes.

The Login Configurations can be found in the Web Modules node of the AAT tree in the Advanced tab (see Figure 3).

The J2EE roles, method permissions of the EJB, security constraints of the Web resources, and login configuration can also be set by WSAD. In many cases you can skip the AAT part completely when you use WSAD.

Authorization
Once the security settings of the EAR file are completed, the application can be deployed on the application server. During deployment the Administrator's Console will ask you to map the J2EE roles defined in the EAR file onto the users and groups of the LTPA custom user registry (see Figure 4). Now you can see some of the methods of your registry in action. For instance a search with simple regular expressions will fill the available users and groups list (see Figure 5). After the role mapping and the rest of the deployment, you can use the application to test the custom user registry.

Conclusion
Using the WebSphere feature to allow custom user registries via LTPA is an option and not the standard solution. Personally, I avoid using the custom user registry and use LDAP if there is a choice. The custom user registry is provided as a last resort, in case the project, the infrastructure, or the system environment dictates the type of authentication registry.

As described earlier, building an LTPA custom user registry in WebSphere is very easy. You have to be careful, though, to produce correct code or you might lock yourself out of the Administrator's Console. Always test a custom user registry and never overwrite the custom user registry class while it is active in WebSphere.

There is one characteristic of user registries in WebSphere that might be confusing, especially in the case of a custom user registry. For performance reasons, the authentication of users and groups is cached in WebSphere. It is understandable that WebSphere doesn't check the users and groups for every call to a protected EJB method or Web resource. The performance would drop to an unacceptable level in the case of the database custom user registry described here. It will only check the validity of a user the first time and after expiration of the timeout.

The reason to have a custom user registry in the first place is because of an existing system that stores the user information. Inconsistencies may occur when other (non-WebSphere) applications are also manipulating the user information repository (e.g., database). If another application changes the membership of users and groups, the altered relationship will not be reflected in WebSphere immediately. Dropping the caching timeout is a possible remedy, but it will hurt the performance significantly.

References

  • IBM WebSphere InfoCenter, 5.2: Introduction to custom registries: www-3.ibm.com/software/webservers/ appserv/doc/v40/aee/wasa_content/0502.html
  • IBM WebSphere V4.0 Advanced Edition Security, IBM Redbooks.
  • Ben-Natan, R., and Sasson, O. (2002). IBM WebSphere Application Server: The Complete Reference, McGraw-Hill Osborne Media.
  • More Stories By Marcel Heijmans

    Marcel Heijmans is a senior software engineer and founder of Mnemonics. He created the J2EE Development Coaching concept, which trains and supports novice developers and architects within their projects while minimizing the project risks.

    Comments (1) View Comments

    Share your thoughts on this story.

    Add your comment
    You must be signed in to add a comment. Sign-in | Register

    In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


    Most Recent Comments
    ropin 10/26/04 02:23:16 AM EDT

    excellent work!

    Latest Stories
    Internet of @ThingsExpo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The Internet of Things (IoT) is the most profound change in personal and enterprise IT since the creation of the Worldwide Web more than 20 years ago. All major researchers estimate there will be tens of billions devic...
    "The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
    Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution and join Akvelon expert and IoT industry leader, Sergey Grebnov, in his session at @ThingsExpo, for an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
    SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...
    "At the keynote this morning we spoke about the value proposition of Nutanix, of having a DevOps culture and a mindset, and the business outcomes of achieving agility and scale, which everybody here is trying to accomplish," noted Mark Lavi, DevOps Solution Architect at Nutanix, in this SYS-CON.tv interview at @DevOpsSummit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
    DX World EXPO, LLC., a Lighthouse Point, Florida-based startup trade show producer and the creator of "DXWorldEXPO® - Digital Transformation Conference & Expo" has announced its executive management team. The team is headed by Levent Selamoglu, who has been named CEO. "Now is the time for a truly global DX event, to bring together the leading minds from the technology world in a conversation about Digital Transformation," he said in making the announcement.
    21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
    "With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
    SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
    SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
    "Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
    "We were founded in 2003 and the way we were founded was about good backup and good disaster recovery for our clients, and for the last 20 years we've been pretty consistent with that," noted Marc Malafronte, Territory Manager at StorageCraft, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
    Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...
    While the focus and objectives of IoT initiatives are many and diverse, they all share a few common attributes, and one of those is the network. Commonly, that network includes the Internet, over which there isn't any real control for performance and availability. Or is there? The current state of the art for Big Data analytics, as applied to network telemetry, offers new opportunities for improving and assuring operational integrity. In his session at @ThingsExpo, Jim Frey, Vice President of S...
    "DivvyCloud as a company set out to help customers automate solutions to the most common cloud problems," noted Jeremy Snyder, VP of Business Development at DivvyCloud, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.