views: 15

answers: 1

We are testing using security realms with our web application. In test we will be going against Microsoft Active Directory. Production will go against a custom realm. I have this working great in Tomcat, but can't seem to get this working in WebSphere. I have created a Security Domain (foo-ldap) within WebSphere that can connect to the AD. For now I have applied foo-ldap to the server1 scope. I'm not getting redirected to authenticate.faces when hitting /servlet/LoginServlet.

Web.xml and Tomcat config included below.

Tomcat config:

    <Realm className="org.apache.catalina.realm.JNDIRealm"
        connectionURL="ldap://ActiveDirectorySrv:389"
        connectionName="CN=ldap user,CN=Users,DC=foo,DC=com"
        connectionPassword="Password1"
        referrals="follow"
        userBase="CN=Users,DC=foo,DC=com"
        userSearch="(&amp;(objectCategory=user)(sAMAccountName={0}))"
        userSubtree="true"
        userRoleName="memberOf"
        roleBase="CN=Users,DC=foo,DC=com"
        roleSubtree="true"
        roleName="cn"
        roleSearch="(member={0})"/>

Web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Protected Area</web-resource-name>
            <url-pattern>/servlet/LoginServlet</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>Developers</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/authenticate.faces</form-login-page>
            <form-error-page>/loginFailed.faces</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>Developers</role-name>
    </security-role>
A: 

The issue I was running into was twofold.

  1. The configuration for the security context exists in the web.xml. It must be present in the installed war at application install time. We had the config commented out so developers wouldn't need to give credentials when debugging and I was trying to uncomment after deploying the war.

  2. You must map roles to your security realm at install time. We have a script that deploys the applications and without modification, the roles were not mapped and the ability to map roles after install was not available. Even installing from the IBM console site, you have to select detailed install and map groups at install time or the link to map is not available.

Once I got the security installed and the redirect to the login page working, we had one other issue. I'm not sure if this is an issue with our JSF code or not, but I could not redirect to a page that used JSF within WebSphere (works fine with Tomcat). Our solution was to just use a JSP page for the authentication page.

Hope this helps someone else.

Mike Schall
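The first point in the answer (the security section of web.xml being commented out in the war that was actually installed) is easy to catch before deployment. The following pre-deploy check is an added example, not code from the question or answer; it embeds the question's own web.xml fragment as a constructed sample (wrapped in a namespaced `<web-app>` root) and flags a commented-out security block, a missing `<security-constraint>` or `<login-config>`, and any role used in an `<auth-constraint>` that is not declared in `<security-role>`.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the web.xml fragment from the question, wrapped in a
# namespaced <web-app> root so it parses stand-alone.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Area</web-resource-name>
      <url-pattern>/servlet/LoginServlet</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>Developers</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/authenticate.faces</form-login-page>
      <form-error-page>/loginFailed.faces</form-error-page>
    </form-login-config>
  </login-config>
  <security-role><role-name>Developers</role-name></security-role>
</web-app>
"""

def _find(elem, name):
    # Match on the local tag name so the javaee namespace on <web-app> is ignored.
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def check_web_xml(text):
    """Return a list of problems that would leave the app unprotected once installed."""
    problems = []
    # ElementTree discards comments, so a commented-out block simply vanishes;
    # inspect the raw comment bodies first to catch exactly that mistake.
    for body in re.findall(r"<!--(.*?)-->", text, re.S):
        if "<security-constraint" in body or "<login-config" in body:
            problems.append("security config is commented out")
            break
    root = ET.fromstring(text)
    constraints = _find(root, "security-constraint")
    if not constraints:
        problems.append("no <security-constraint>: no URL is protected")
    if not _find(root, "login-config"):
        problems.append("no <login-config>: container cannot challenge for credentials")
    declared = {r.text.strip() for sr in _find(root, "security-role") for r in _find(sr, "role-name")}
    for sc in constraints:
        for rn in _find(sc, "role-name"):
            if rn.text.strip() not in declared:
                problems.append("role %r used in auth-constraint but not declared" % rn.text.strip())
    return problems
```

Run `check_web_xml` against the web.xml taken from the war you are about to install, not the one in source control, since that is the copy WebSphere reads.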