Moon123 - 1 month ago
Question

Ignored declarative security in IBM WebSphere Application Server

I have a Spring MVC REST application that is deployed as a WAR file to IBM WebSphere Application Server v8.5. I want to secure some of the REST APIs in this application, so I used the application's web.xml to declare the security role I want, then enabled application security from the WAS console, but for some reason my security roles are ignored and I can access all the REST APIs that are supposed to be secured. Any help is appreciated.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" version="3.0">
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <init-param>
            <param-name>contextConfigLocation</param-name>
            <param-value>/WEB-INF/applicationContext.xml</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>LBS_System</web-resource-name>
            <url-pattern>/LBS/*</url-pattern>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Administrators</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>defaultWIMFileBasedRealm</realm-name>
    </login-config>
    <security-role>
        <role-name>Administrators</role-name>
    </security-role>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <resource-ref>
        <res-ref-name>jdbc/MoictDB</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
    </resource-ref>
    <persistence-unit-ref>
        <persistence-unit-ref-name>persistence/MoICTAppUnit</persistence-unit-ref-name>
        <persistence-unit-name>MoICTAppUnit</persistence-unit-name>
    </persistence-unit-ref>
</web-app>

Gas
Answer

You should not include your context-root (LBS in your case) in the url-pattern. It is relative to your application context-root. The /* pattern protects all URLs, but only in your application, not others. So if you just want to protect, for example, the REST API, it is usually mapped to some sub-path, e.g. /LBS/rest/something; in that case you would put /rest/* in the pattern.

You should not include the context-root in any mappings or url-patterns in the web.xml, especially since the application might be deployed under a different context-root, in which case it would be broken.
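As an added illustration of the answer's point (this is not code from the question or the answer), the following Python script models how a Servlet container matches security-constraint url-patterns against the context-relative request path, and lints a web.xml for patterns that embed the context root. The web.xml fragment and the /LBS context root are constructed from the question; the matching covers the path-prefix and exact pattern forms only.

```python
# Added example (not from the question or answer): models Servlet security-constraint matching.
import xml.etree.ElementTree as ET
NS = {"j": "http://java.sun.com/xml/ns/javaee"}

# Constructed fragment modelled on the question's web.xml (hypothetical).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LBS_System</web-resource-name>
      <url-pattern>/LBS/*</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")

def constraints(web_xml: str) -> list:
    """(url-pattern, [http-method...]) pairs; an empty method list means all methods."""
    out = []
    for wrc in ET.fromstring(web_xml).findall(
            "j:security-constraint/j:web-resource-collection", NS):
        methods = [m.text.strip().upper() for m in wrc.findall("j:http-method", NS)]
        out += [(p.text.strip(), methods) for p in wrc.findall("j:url-pattern", NS)]
    return out

def context_relative(request_uri: str, context_root: str) -> str:
    """Strip the context root, as the container does before matching url-patterns."""
    root = context_root.rstrip("/")
    if not _under(request_uri, root):
        raise ValueError(f"{request_uri} is outside context root {context_root}")
    return request_uri[len(root):] or "/"

def pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern forms handled here: path prefix (/x/*) and exact match."""
    if pattern.endswith("/*"):
        return _under(path, pattern[:-2])
    return path == pattern

def is_protected(web_xml: str, context_root: str, uri: str, method: str) -> bool:
    """True when some constraint covers the context-relative path and the method."""
    path = context_relative(uri, context_root)
    return any(pattern_matches(p, path) and (not ms or method.upper() in ms)
               for p, ms in constraints(web_xml))

def patterns_with_context_root(web_xml: str, context_root: str) -> list:
    """Lint: url-patterns that embed the context root can never match a request."""
    return [p for p, _ in constraints(web_xml) if _under(p, context_root.rstrip("/"))]
```

Running the lint against the posted web.xml reports /LBS/*, and a POST to /LBS/rest/users is unprotected until the pattern is changed to /rest/*.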