Role Mapping

Kevin Creason (11●2●3) | asked Jan 23 '17, 6:05 p.m.
retagged Jan 30 '17, 10:36 a.m. by Michael Afshar (701●4)

I'm building up Jazz Team Server 6.0.3 for users in our organization. Apologies, I don't quite understand all the names of the products to check off -- but it is DOORS next Gen, Jazz Team Server, with some modules for quality management, and it installs under the "clm" in the directory tree on the linux server.
I am trying to integrate it with our Single Sign On solution with servlet filter. I've seen the write-up for Tomcat role mapping, but I understand that tomcat is not on the long-term support road map. So I am attempting to do this with the liberty websphere which is version 8.5.5.9.
I have had some success by modifying the WAR file to include the jars for the servlet filter.
I modify the web.xml for JTS to include the servlet filter, and followed the tomcat role-mapping guide for adding the the role/group names as the SSO retrieves them from the active directory.
I have dropped in a test JSP file into the jts.war directory and I am confident it is seeing both the username and the role properly, but the application just is not seeing the provided role name as the correct name.
The code "<%= request.getRemoteUser() %>" sees the username.
The code "(request.isUserInRole("JS-DLG-ISS-SSO_JazzAdmins")" sees the role should be mapped to JazzAdmins.

In the JTS.war/WEB-INF directory I have modified the web.xml and included the servlet filter loading and configuration. Do I need to disable/comment out the other login or auth filters?

<!--
          Allows requests to j_security_check to be checked for a CSRF attack.  
        -->
    <filter>
      <filter-name>loginfilter</filter-name>
      <filter-class>com.ibm.team.repository.server.servletbridge.LoginFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>loginfilter</filter-name>
      <url-pattern>/j_security_check</url-pattern>
    </filter-mapping>
   <filter-mapping>
      <filter-name>loginfilter</filter-name>
      <url-pattern>/authenticated/j_security_check</url-pattern>
    </filter-mapping>
          <filter-mapping>
      <filter-name>loginfilter</filter-name>
      <url-pattern>/auth/j_security_check</url-pattern>
    </filter-mapping>

Before the closing servlet tag, I have added my security-role-ref:

<!-- Added for Cams SSO roles from the AD -->

                <security-role-ref>

                        <role-name>JazzUsers</role-name>

                        <role-link>JS-DLG-ISS-SSO_JazzUsers</role-link>

                </security-role-ref>

                <security-role-ref>

                        <role-name>JazzAdmins</role-name>

                        <role-link>JS-DLG-ISS-SSO_JazzAdmins</role-link>

                </security-role-ref>

                <security-role-ref>

                        <role-name>JazzGuests</role-name>

                        <role-link>JS-DLG-ISS-SSO_JazzGuests</role-link>

                </security-role-ref>

                <security-role-ref>

                        <role-name>JazzProjectAdmins</role-name>

                        <role-link>JS-DLG-ISS-SSO_JazzProjectAdmins</role-link>

                </security-role-ref>

Then, down in the security-contstraint section, I added the new roles names:

              <auth-constraint>

                        <role-name>JazzUsers</role-name>

                        <role-name>JazzAdmins</role-name>

                        <role-name>JazzGuests</role-name>

                        <role-name>JazzProjectAdmins</role-name>


                <!-- Added for Cams SSO roles from the AD -->

                        <role-name>JS-DLG-ISS-SSO_JazzUsers</role-name>

                        <role-name>JS-DLG-ISS-SSO_JazzAdmins</role-name>

                        <role-name>JS-DLG-ISS-SSO_JazzGuests</role-name>

                        <role-name>JS-DLG-ISS-SSO_JazzProjectAdmins</role-name>

                </auth-constraint>

Then lower down, I'm basically just searching for JazzAdmins in order to find the locations to modify, I add in the new names underneath the existing role names. This is in a block following login-config:

        <security-role>

                <role-name>JazzAdmins</role-name>

        </security-role>

        <security-role>

                <role-name>JazzUsers</role-name>

        </security-role>


        <security-role>

                <role-name>JazzGuests</role-name>

        </security-role>


        <security-role>

                <role-name>JazzProjectAdmins</role-name>

        </security-role>


        <security-role>

                <role-name>JazzDebug</role-name>

        </security-role>


<!-- Added for Cams SSO roles from the AD -->

        <security-role>

                <role-name>JS-DLG-ISS-SSO_JazzAdmins</role-name>

        </security-role>

        <security-role>

                <role-name>JS-DLG-ISS-SSO_JazzUsers</role-name>

        </security-role>


        <security-role>

                <role-name>JS-DLG-ISS-SSO_JazzGuests</role-name>

        </security-role>


        <security-role>

                <role-name>JS-DLG-ISS-SSO_JazzProjectAdmins</role-name>

        </security-role>

What have I missed, or what have I messed up?

One answer

Most liked answers ↑|Newest answers|Oldest answers

permanent link

Donald Nong (14.5k●6●14) | answered Jan 23 '17, 7:39 p.m.

It seems that you have made things too complicated. CLM provides its own SSO solutions and you should understand what if offers before trying to implement your own. The first question will be, what you try to SSO with?

If you install all CLM applications within the same Liberty profile, they are already SSO-enabled among themselves. If you try to SSO with other applications/platforms, that will depends on the actual implementation. You can look into the two available options first.
https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/c_kerSso_config.html
https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/t_jsasso_jas_user_mgmt_saml.html

Role-mapping, on the other hands, is a different topic. To make it simple, you only need to modify the application.xml file to add new <group> entries within <security-role> if you don't use the default JazzAdmins, JazzUsers and etc group names in your user repository.

Comments

Kevin Creason commented Jan 24 '17, 10:35 a.m. | edited Jan 24 '17, 10:39 a.m.

Thank you, the role-mapping is the issue. I had explored those SSO options and ruled them out for a variety of reasons. Utilizing the servlet filter should work and would be the most flexible and supportable method for me.

I've added the new group entries in the security-role above but did not remove the existing role. My thought was both might be needed since the tomcat doc referenced adding a role-link for the new name in the security-role-ref definition. This morning I'm trying removing those other entries but not making any progress. To further complicate things I see there roles/groups also defined in /opt/IBM/JazzTeamServer/server/liberty/servers/clm/conf/application.xml for most applications such as JTS.

If you have some explicit examples...

Donald Nong commented Jan 25 '17, 12:50 a.m.

The role names are hard coded in the applications, so if you add new roles/groups (as in the servlet), they will not get recognized. The application.xml file is for Liberty to convert/map the group name(s) from LDAP or other user repository to the appropriate roles (JazzAdmins and etc).

You're using CLM 6.0.3 and it comes bundled with WAS Liberty - why do you talk about Tomcat?

Your answer

Register or log in to post your answer.

Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.

It's all about the answers!

Related questions

Role Mapping

One answer

Your answer