An LTPA Custom User Registry

A three-letter acronym seen a lot recently is EAI (Enterprise Application Integration). EAI deals with the question of how to create a coherent enterprise system infrastructure within a heterogeneous application environment. One of the effects of mergers and the lack of standards for system integrators is the enormous amount of work it generates to glue all the parts of merging enterprises together. The major challenge is to do this in a logical manner while avoiding inconsistencies.

The aspect of EAI that I want to focus on is security, specifically the authentication and authorization of users. The J2EE platform requires user information in order to authenticate a user or group of users and to authorize access to a J2EE component or a Web resource. However, there is no consensus on where or how to store employee or customer information. Databases, LDAP (Lightweight Directory Access Protocol), or even the operating file system are used to store user information.

The WebSphere Security Center
The WebSphere Application Server Administrator's Console supports several user information registries for authentication purposes. Local registries are limited to a single application server. Centralized registries use the LTPA protocol to access a supported LDAP service. Customer-defined registries or pluggable registries use the WebSphere Custom Registry interface that facilitates access to a custom user registry. After enabling security in the WebSphere Security Center, WebSphere uses the local registry (operating system) by default to authenticate users. Although LDAP is becoming one of the major user repositories, there are still many companies that store user information in a database. I am not going to enter the LDAP versus database debate here. I will confine myself to stating that both have their strengths and weaknesses in particular uses.

If neither OS nor LDAP authentication is applicable for the target platform, WebSphere provides a third, more generic authentication mechanism, called Lightweight Third Party Authentication (LTPA) or do-it-yourself authentication. Another great excuse for developers to take legal advantage of the Not Invented Here syndrome, LTPA offers the possibility to use a nonstandard or legacy solution that is not natively supported by WebSphere as a custom user registry for authentication purposes. A database, for instance, is not a "standard" solution when it is used for authentication, because there is no industry-wide agreement on the exact data schema.

LTPA circumvents this problem by providing an interface that can be implemented. The CustomRegistry interface of WebSphere holds all the methods that the application server uses for its authentication. Building your own WebSphere custom user registry on top of any technology is easy. Just provide an implementation for these methods and WebSphere LTPA can do the rest. Even the more advanced authentication features of WebSphere, such as single sign-on (SSO), are supported by LTPA. Because the LTPA interface is WebSphere specific, changing the J2EE server platform means finding another solution for the LTPA custom user registry.

A Custom User Registry
The sample custom user registry in this article uses a database as the user repository and runs on any DBMS that supports JDBC. The sample code is independent of any specific database, which has harmful consequences: passwords are stored in clear text because there is no universal encryption function available across DBMSs. It is therefore advised not to use this sample implementation in a real production environment. The selection of the database is configured in the WebSphere Security Center. I have used both MySQL and Microsoft SQL Server to test the sample code. Before going right into the gory details of LTPA, there are some prerequisites that you will need when building your own custom user registry. Besides the sample code for this article, which you can download from www.sys-con.com/websphere/sourcec.cfm, you also need the JDBC drivers for the DBMS you use. To make life easier, the authentication form and error page are taken from the "Big3 application" downloads.zip file from the IBM site (www-3.ibm.com/software/webservers/appserv/doc/v40/aes/infocenter/was/0601_downloads.html). This zip file contains a login.jar file, which you will need later on. IBM also provides a sample custom user registry in the WebSphere InfoCenter, based on text files.

The User Database
The user database in this sample has a very simple layout. Its only purpose is to hold the information needed by LTPA. A "real" solution could provide a much more complicated data model, but for this sample I will stick to the data model in Figure 1. It contains a user table, a group table, and a member table to store the relations between the users and the groups. In many cases the database layout is predetermined by an existing system rather than a variable. The difficulty in these situations is to locate the corresponding fields in the database. Once the database is up and running, you can start with the actual custom user registry coding.

It is not possible to use the "normal" JDBC DataSource for enterprise applications to access the database from your custom user registry. The reason is that the WebSphere Application Server provides the JDBC DataSource only while it is running, whereas the custom user registry must also be available in the WebSphere Administration Server, even when no application server is active. For instance, the Administrator's Console is protected by LTPA (if selected in the Security Center). So the old-fashioned JDBC Driver is used in the custom user registry to obtain the connection to the database.

CustomRegistry Interface
The custom user registry itself is just one Java class that implements the CustomRegistry interface. I will not discuss the complete sample source code of the custom user registry. It is well documented and not very complex. I will just highlight particular issues.

The CustomRegistry interface consists roughly of four groups of methods, i.e., two general methods (initialize and getRealm), two authentication methods (checkPassword and mapCertificate), eight user-related methods, and eight group-related methods.

The initialize method takes a properties argument to initialize the registry. The administrator sets these properties in the Security Center (Special Custom Settings, see Figure 2). In the sample registry the properties are used to provide the JDBC driver (name), the connection URL, and the username and password to connect to the database. The method getRealm returns the realm of the registry. A realm determines the scope of security data. It is the region to which a security ID or permission applies. The realm is shown in the login screen, when you start the Administrator's Console. All other methods include pretty straightforward SQL statements to provide the functionality.

During deployment you can search through users and groups with the help of regular expressions. I have added an extra method (regularExpressionToSQL) in the CustomRegistry implementation class, which provides a very simple translation of these patterns to SQL wildcards.
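The following is an added example, not the article's Java/JDBC code: it models the sample registry's data model (user, group and member tables), its checkPassword and pattern-based getUsers lookups, and the wildcard-to-SQL translation in Python against an in-memory SQLite database. Table and column names are assumptions (Figure 1 is not reproduced on the page), the search pattern is bound as a LIKE parameter with an ESCAPE clause rather than concatenated into the statement, and passwords are stored as salted PBKDF2 hashes computed in the registry class instead of the sample's clear text, which keeps the code DBMS-independent without the clear-text drawback.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema following the article's three-table model (names assumed).
SCHEMA = """
CREATE TABLE ltpa_user   (user_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL,
                          display_name TEXT, pw_salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE ltpa_group  (group_id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE ltpa_member (user_id INTEGER REFERENCES ltpa_user(user_id),
                          group_id INTEGER REFERENCES ltpa_group(group_id),
                          PRIMARY KEY (user_id, group_id));
"""

def hash_password(password: str, salt: bytes) -> bytes:
    # Hash in the registry class, not in SQL, so any JDBC-capable DBMS works.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def wildcard_to_like(pattern: str) -> str:
    """Translate the deployment-time search pattern (* and ?) to a LIKE pattern.
    Literal %, _ and backslash are escaped so the pattern can only act as a
    pattern; the result is always bound as a query parameter, never concatenated."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("%")
        elif ch == "?":
            out.append("_")
        elif ch in "%_\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

class DbRegistry:
    def __init__(self, conn: sqlite3.Connection, realm: str = "mxRealm"):
        self.conn, self.realm = conn, realm

    def get_realm(self) -> str:
        return self.realm

    def check_password(self, user: str, password: str) -> bool:
        row = self.conn.execute(
            "SELECT pw_salt, pw_hash FROM ltpa_user WHERE name = ?", (user,)).fetchone()
        if row is None:
            return False
        return hmac.compare_digest(hash_password(password, row[0]), row[1])

    def get_users(self, pattern: str) -> list:
        rows = self.conn.execute(
            "SELECT name FROM ltpa_user WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
            (wildcard_to_like(pattern),))
        return [r[0] for r in rows]

    def get_groups_for_user(self, user: str) -> list:
        rows = self.conn.execute(
            "SELECT g.name FROM ltpa_group g JOIN ltpa_member m ON m.group_id = g.group_id "
            "JOIN ltpa_user u ON u.user_id = m.user_id WHERE u.name = ? ORDER BY g.name",
            (user,))
        return [r[0] for r in rows]

def build_sample_registry() -> DbRegistry:
    # Constructed sample data using two of the test application's group names.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for name, pw, groups in [("alice", "alice-pw", ["employee", "manager"]),
                             ("bob", "bob-pw", ["employee"])]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO ltpa_user(name, display_name, pw_salt, pw_hash) "
                     "VALUES (?, ?, ?, ?)", (name, name.title(), salt, hash_password(pw, salt)))
        for g in groups:
            conn.execute("INSERT OR IGNORE INTO ltpa_group(name) VALUES (?)", (g,))
            conn.execute("INSERT INTO ltpa_member SELECT u.user_id, g.group_id FROM ltpa_user u, "
                         "ltpa_group g WHERE u.name = ? AND g.name = ?", (name, g))
    return DbRegistry(conn)
```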

The most important concern is the correctness of your code. It is advisable to write a small JUnit test program to test your code. Correctness is crucial because you can lock yourself out of the Administrator's Console. If your custom user registry contains a bug that prevents you from gaining access, you will not be able to start the Administrator's Console without editing the WebSphere configuration files by hand.

Build the Registry
In order to compile and build the custom user registry, you need to add the websphere.jar on the Java build path. In WebSphere Application Developer, add the JAR file via the variable WAS_PLUGINDIR/lib/websphere.jar. If you use some other IDE, you can find this JAR in the WebSphere directory (WebSphere/AppServer/lib/websphere.jar).

The class file compiled during the build must be copied to the WebSphere/Appserver/classes directory. Don't forget the directory structure of the Java package, or else the Security Center will not be able to use the registry. In the case of the sample registry the full path is WebSphere/Appserver/classes/nl/mnemonics/ltpa/CustomUserRegistry.class.

Note that it is important to be very careful when upgrading to a newer version of your custom user registry. Use a different class name for the new registry, or select OS authentication first, reboot the administration server, overwrite the registry class, and select the new class in the Security Center. Overwriting a registry class while the Administration Server is running will result in a lockout. Remember always to be careful when altering security settings, especially the implementation class.

Library JARs
There are many opinions as to where to put library JARs. Because there are several classpaths (one for each of the specific class loaders in WebSphere), there are also several places to store libraries. A rule of thumb is to put JARs as close to your application as possible, to minimize classpath problems. In other words, put them in the EAR file. In this case, however, there is no EAR file, at least not one specific to LTPA. The next best thing is to put the library JARs in the WebSphere Library Extension directory (WebSphere/Appserver/lib/ext). The JDBC driver library JARs for the selected DBMS are stored at this location.

Security Center
When the registry code is tested and installed in the classes directory of WebSphere and the JDBC Driver library files are available in the library extension, the LTPA custom user registry can be configured in WebSphere. Open the Security Center in the Administrator's Console, enable security, and go to the Authentication tab (see Figure 2). Select LTPA and enter the full domain name of the WebSphere Application Server. It is very important to enter the full name and not just the server name or else the registry will not work. It took me over an hour to figure that out.

Select Custom User Registry and enter the registry settings (user name, password, and class name). The user name and password of the registry settings represent the administrator's account. The next time, you need to use these credentials to log in to the Administrator's Console.

Click the Special Custom Settings button and enter the name/value pair settings for the initialize method of the registry (driver, URL, user, and password). The user and password of the Special Custom Settings belong to the corresponding JDBC connection (URL).

If everything is okay, applying the settings will cause the system to respond with something about the settings becoming active after the Administration Server is restarted. The Security Center checks the validity of the Security Server ID and the Security Server password during this process. If there is a bug in your custom user registry code, the settings are wrong, or WebSphere is unable to connect to the database, you will get an error. You can pinpoint the source of the problem with the provided stack trace.

When you restart the Administration Server the custom user registry will be active. Notice the custom user registry realm name during startup of the Administrator's Console.

WebSphere Versions
Although I have not experienced problems with different versions of WebSphere, there are reports of failing LTPA security in some versions of WebSphere Application Server. I have tested the custom user registry in WebSphere 4.0.3 and 4.0.4, and both worked fine.

Application Assembly
The sample application, mxTestLTPA, is not really an enterprise application at all. It is just a single dummy EJB with some simple Web resources for testing the custom user registry. The EJB has three methods (employee, manager, and administrator) that coincide with the J2EE roles defined in the EAR file and the groups defined in the database. I have added method permissions with the Application Assembly Tool (AAT) to map the groups directly onto the J2EE roles. Of course, it is not mandatory that J2EE roles have names identical to those of the groups in a user registry.

There are also three HTML pages (employee.html, manager.html, and administrator.html) that are protected by the security constraints of the Web resource. I have added the login.html and error.jsp from the IBM "Big 3" application (login.jar). Notice the name of the HTML form and fields in login.html. This naming scheme enables WebSphere to use the username and password information for authentication purposes.

The Login Configurations can be found in the Web Modules node of the AAT tree in the Advanced tab (see Figure 3).

The J2EE roles, method permissions of the EJB, security constraints of the Web resources, and login configuration can also be set by WSAD. In many cases you can skip the AAT part completely when you use WSAD.

Once the security settings of the EAR file are completed, the application can be deployed on the application server. During deployment the Administrator's Console will ask you to map the J2EE roles defined in the EAR file onto the users and groups of the LTPA custom user registry (see Figure 4). Now you can see some of the methods of your registry in action. For instance, a search with simple regular expressions will fill the list of available users and groups (see Figure 5). After the role mapping and the rest of the deployment, you can use the application to test the custom user registry.

Using the WebSphere feature to allow custom user registries via LTPA is an option and not the standard solution. Personally, I avoid using the custom user registry and use LDAP if there is a choice. The custom user registry is provided as a last resort, in case the project, the infrastructure, or the system environment dictates the type of authentication registry.

As described earlier, building an LTPA custom user registry in WebSphere is very easy. You have to be careful, though, to produce correct code or you might lock yourself out of the Administrator's Console. Always test a custom user registry and never overwrite the custom user registry class while it is active in WebSphere.

There is one characteristic of user registries in WebSphere that might be confusing, especially in the case of a custom user registry. For performance reasons, the authentication of users and groups is cached in WebSphere. It is understandable that WebSphere doesn't check the users and groups for every call to a protected EJB method or Web resource. The performance would drop to an unacceptable level in the case of the database custom user registry described here. It will only check the validity of a user the first time and after expiration of the timeout.

The reason to have a custom user registry in the first place is because of an existing system that stores the user information. Inconsistencies may occur when other (non-WebSphere) applications are also manipulating the user information repository (e.g., database). If another application changes the membership of users and groups, the altered relationship will not be reflected in WebSphere immediately. Dropping the caching timeout is a possible remedy, but it will hurt the performance significantly.

References
  • IBM WebSphere InfoCenter, 5.2: Introduction to custom registries: www-3.ibm.com/software/webservers/appserv/doc/v40/aee/wasa_content/0502.html
  • IBM WebSphere V4.0 Advanced Edition Security, IBM Redbooks.
  • Ben-Natan, R., and Sasson, O. (2002). IBM WebSphere Application Server: The Complete Reference, McGraw-Hill Osborne Media.

Marcel Heijmans is a senior software engineer and founder of Mnemonics. He created the J2EE Development Coaching concept, which trains and supports novice developers and architects within their projects while minimizing the project risks.

Comments
ropin 10/26/04 02:23:16 AM EDT

excellent work!
