WebSphere Application Security Using wsadmin

IBM WebSphere Application Server

The Java EE specification allows enterprise applications to declare security constraints on Web and EJB resources. This is why WebSphere forces you to log in when you attempt to access certain URLs (and why you are denied access if you don’t have the rights). This specification also allows WebSphere to enforce who can and cannot invoke various EJB methods. For WebSphere to enforce those constraints, application security must be enabled and configured.
Prior to WebSphere V6.1, administrative and application security were conflated into a single switch, known as global security. That changed with WebSphere V6.1. By default, new cells (Deployment Manager and Standalone Server profiles) are created with administrative security enabled and application security disabled. The name global security still exists but now refers to administrative security.
Enabling/Disabling Administrative and Application Security

For application security to work, you must first enable administrative security. That is normally the case, so let’s just verify that it is enabled.

wsadmin> print AdminTask.isGlobalSecurityEnabled()
true


If it were off, you would turn it on with the following:

wsadmin> AdminTask.setGlobalSecurity('[-enabled true]')

This example presumes that your registry is properly configured, which you can assume at this point. Now you can turn on application security, which requires knowledge of the proper attribute of the Security object. The following session tests the setting, changes it, and verifies the change.

wsadmin>print AdminTask.isAppSecurityEnabled()
false
wsadmin>securityConfigID = AdminConfig.getid("/Security:/")
wsadmin>AdminConfig.modify(securityConfigID,[['appEnabled','true']])
''
wsadmin>print AdminTask.isAppSecurityEnabled()
true

Don’t forget that in order for these settings to take effect, you must save them, synchronize, and restart the cell. After you’ve enabled application security, you can move on to mapping users and/or groups to the security roles defined by each application.
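
The steps above as one wsadmin Jython script, including the save and node synchronization that the interactive session does not show. This is an added example, not code from the original article; the function name enable_app_security and the choice to pass the wsadmin objects in as parameters are assumptions, made so the logic can also be exercised with stubs outside wsadmin.

```python
# Added example for wsadmin Jython: wsadmin -lang jython -f enable_appsec.py
# (the script file name is hypothetical).

def enable_app_security(AdminTask, AdminConfig, AdminControl):
    """Enable application security, save, then sync nodes.

    Returns (changed, synced_nodes, unsynced_nodes); changed is 1 or 0.
    """
    # Application security only works on top of administrative security.
    if AdminTask.isGlobalSecurityEnabled() != 'true':
        raise RuntimeError('administrative security is disabled; enable it first')

    changed = 0
    if AdminTask.isAppSecurityEnabled() != 'true':
        security_id = AdminConfig.getid('/Security:/')
        AdminConfig.modify(security_id, [['appEnabled', 'true']])
        AdminConfig.save()  # without this the change is lost when wsadmin exits
        changed = 1

    synced, unsynced = [], []
    for node in AdminConfig.list('Node').splitlines():
        name = AdminConfig.showAttribute(node, 'name')
        # An empty result means no NodeSync MBean is reachable: the node agent
        # is down, or this is the deployment manager / standalone node.
        mbean = AdminControl.completeObjectName('type=NodeSync,node=%s,*' % name)
        if mbean and AdminControl.invoke(mbean, 'sync') == 'true':
            synced.append(name)
        else:
            unsynced.append(name)
    return changed, synced, unsynced


# Run only inside wsadmin, where AdminTask and friends are predefined globals.
try:
    AdminTask
except NameError:
    pass
else:
    print(enable_app_security(AdminTask, AdminConfig, AdminControl))
```

Nodes reported as unsynced pick up the change at their next synchronization; the restart described above is still required.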

As an aside, we find that administrators working with WebSphere security for the first time often need to disable administrative security because they have locked themselves out for one reason or another. Should this happen to you, use what is possibly the world’s most common single-line wsadmin command:

$ wsadmin -conntype NONE -c "securityoff"

Yes, it does exactly what you think it does. If the user executing that command has file system write access to the profile’s config/ directory, security will be turned off. File system permissions on that directory are therefore part of what protects administrative security.

 


2 Responses

  1. Dave Hay says:

    Hi, thanks, that was of immense help, as I was looking for a scripted way to enable/disable Application Security. Thanks, Dave
