
Comments (4)

1 Eric Nyssens commented

Hello Shane,

We've integrated your example (eaists1.ear) from the previous article "Using Tivoli Access Manager for eBusiness WebSEAL without a user registry". This really fulfills our requirements and works perfectly, thanks!

However, to get it working we temporarily disabled the security on the STS (let's say we were in a trusted network).
But in fact we had to re-enable this security setting, and the STS became unauthorized, as expected.

Following that, we created a user in the WS registry and associated it with the role TrustClientInternalRole (this role allows access to the STS).

Since we are using WebSphere 6.1, the "WebSphere WS-Trust Client API" isn't available.
And your example below requires a "Policy Set" and "Policy Set Binding", which seem not to be available on our 6.1 version.

So, basically, would you have some idea or example of what we can do to authenticate my user and get access to the STS?
Probably I will have to adapt the code to force basic authentication.

For the moment we have (from eaists2.ear):

// Basic-authentication credentials handed to the STS client through its config map
_stsConfig.put(StsClientFactory.BASIC_AUTHENTICATION_USER_ID, "myuser");
_stsConfig.put(StsClientFactory.BASIC_AUTHENTICATION_PASSWORD, "mypassword");

Then _stsConfig is bound to the IStsClient, which sends the IRequestSecurityToken (doSTSExchange method).
At this point we're getting the error 401, unauthorized:

com.ibm.tivoli.fim.sts.client.higgins.StsHigginsClientImpl$StsHigginsClientRequestException: (401)Unauthorized::<string>return code: 401
</string><HttpErrorCode xmlns="http://xml.apache.org/axis/">401</HttpErrorCode>
at com.ibm.tivoli.fim.sts.client.higgins.StsHigginsClientImpl.sendRequest(StsHigginsClientImpl.java:176)
at com.ibm.eai.EAIServlet.doSTSExchange(EAIServlet.java:317)
at com.ibm.eai.EAIServlet.doGet(EAIServlet.java:231)
...

I've also noticed the web.xml is slightly different in eaists2.ear: it adds a <security-constraint> for the EAIServlet.

Thanks,
Eric

2 Eric Nyssens commented

Hello Shane,

In fact, using the "Updated Java STS Client", the user authentication is working perfectly !
Many thanks,
Eric

3 Dilip Yogi commented

Hello Shane,

We are trying to implement a custom login module that makes use of the WS Trust Client API and calls the STS. We deployed the login module in our WAS (7.0.0.11) and we are getting the following NoClassDefFoundError. Is there anything we need to configure in WAS to make the WS Trust Client API available to the code? Any suggestion will be very helpful.

[1/9/12 16:43:21:517 CST] 00000029 LdapRegistryI A SECJ0419I: The user registry is currently connected to the LDAP server ldap://10.158.136.64:23891.
[1/9/12 16:43:21:689 CST] 00000029 FfdcProvider W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /apps_01/webapps/BaseWSRRWAS7_profile/logs/ffdc/EchoServices_server0_3e263e26_12.01.09_16.43.21.6204184981666085787373.txt com.ibm.ws.webcontainer.WebContainer 162
[1/9/12 16:43:21:698 CST] 00000029 webcontainer E com.ibm.ws.webcontainer.WebContainer handleRequest SRVE0232E: Internal Server Error.
Exception Message: [java.lang.NoClassDefFoundError: com.ibm.websphere.wssecurity.wssapi.WSSException
at java.lang.J9VMInternals.verifyImpl(Native Method)
at java.lang.J9VMInternals.verify(J9VMInternals.java:72)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:134)
at java.lang.Class.forNameImpl(Native Method)

thanks,
-Dilip

4 Shane Weeden commented

Dilip - Your problem sounds like a classloader / classpath issue. The solution may depend on precisely how your code is "deployed" in WebSphere. Describe in more detail where/how your code is deployed in WebSphere. Is it part of an EAR application, copied to the lib/ext directory, part of a TFIM plugin, etc.? Based on what you've said thus far I suggest you first try one of my provided examples as-is and ensure it works on your WebSphere server. This will prove your WAS server environment contains the necessary classes and that it is indeed a problem specific to your deployment characteristics.
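
A concrete way to act on the classloader diagnosis above is to ask, from inside the deployed code, which loader can actually resolve the missing class and which jar serves it. The probe below is an added illustration; it is not code from the original post, from IBM, or from the eaists examples, and the class name ClassVisibilityProbe and its method names are mine. It uses only the JDK, so it can be dropped into the same EAR or module as the login module and called from a servlet, or run from the command line with the server's classpath. The two default class names are the ones that appear in the traces in this thread.

```java
import java.net.URL;
import java.security.CodeSource;
import java.util.ArrayList;
import java.util.List;

/**
 * Probe whether a class is visible from a given class loader and report which
 * jar or directory it was loaded from. Plain JDK only, so it can live wherever
 * the code that fails lives and show what that code's loader can and cannot see.
 */
public class ClassVisibilityProbe {

    /** Outcome of one probe: where the class came from, or why it failed. */
    public static final class Result {
        public final String className;
        public final String loaderChain;   // loader that was asked, child -> parent -> bootstrap
        public final String codeSource;    // jar/dir that served the class, or null on failure
        public final String failure;       // null when the class loaded and linked cleanly

        Result(String className, String loaderChain, String codeSource, String failure) {
            this.className = className;
            this.loaderChain = loaderChain;
            this.codeSource = codeSource;
            this.failure = failure;
        }

        public boolean visible() {
            return failure == null;
        }

        @Override
        public String toString() {
            return className + "\n  via " + loaderChain + "\n  "
                    + (visible() ? "OK, loaded from " + codeSource : "FAILED: " + failure);
        }
    }

    /** Render a loader and its parents as "child -> parent -> ... -> bootstrap". */
    static String describe(ClassLoader loader) {
        StringBuilder sb = new StringBuilder();
        for (ClassLoader l = loader; l != null; l = l.getParent()) {
            sb.append(l.getClass().getName())
              .append('@').append(Integer.toHexString(System.identityHashCode(l)))
              .append(" -> ");
        }
        return sb.append("bootstrap").toString();
    }

    /** Try to load AND initialize className through loader (null = bootstrap loader). */
    public static Result probe(String className, ClassLoader loader) {
        String chain = describe(loader);
        try {
            // initialize=true forces linking/verification. That is the stage at which a
            // NoClassDefFoundError for a class *referenced by* className surfaces, which
            // is the shape of the posted trace (forName -> initialize -> verify).
            Class<?> c = Class.forName(className, true, loader);
            CodeSource cs = c.getProtectionDomain().getCodeSource();
            URL location = (cs == null) ? null : cs.getLocation();
            return new Result(className, chain,
                    location == null ? "(no code source: bootstrap or JVM-internal)" : location.toString(),
                    null);
        } catch (ClassNotFoundException e) {
            // The named class itself is not on this loader's path at all.
            return new Result(className, chain, null, "ClassNotFoundException: " + e.getMessage());
        } catch (NoClassDefFoundError e) {
            // The named class was found, but something it references was not.
            return new Result(className, chain, null, "NoClassDefFoundError: " + e.getMessage());
        } catch (LinkageError e) {
            // e.g. the same class reachable twice through different loaders.
            return new Result(className, chain, null, e.getClass().getName() + ": " + e.getMessage());
        }
    }

    /** Probe from the two loaders that matter in an app server: the caller's own loader
     *  and the thread context loader, which the server sets per application. */
    public static List<Result> probeAll(String className, Class<?> caller) {
        List<Result> results = new ArrayList<Result>();
        results.add(probe(className, caller.getClassLoader()));
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        if (tccl != caller.getClassLoader()) {
            results.add(probe(className, tccl));
        }
        return results;
    }

    public static void main(String[] args) {
        // Defaults are the two classes named in this thread; pass others on the command line.
        String[] names = args.length > 0 ? args : new String[] {
                "com.ibm.websphere.wssecurity.wssapi.WSSException",
                "com.ibm.tivoli.fim.sts.client.higgins.StsHigginsClientImpl" };
        for (String name : names) {
            for (Result r : probeAll(name, ClassVisibilityProbe.class)) {
                System.out.println(r);
            }
        }
    }
}
```

Reading the output: a ClassNotFoundException means the named class is simply not on that loader's path; a NoClassDefFoundError, as in the posted trace, means the class being loaded (here the login module) was found but a class it references (WSSException) was not, so probe the referenced class directly. If the thread context loader resolves the class but the caller's own loader does not, the problem is the application's class-loader configuration or the location of the jar, not the code, which is exactly the "deployment characteristics" question above.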
