Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Apache Tomcat 6.0

Configuring J2EE Declarative Security for Tomcat 6.0 Web Applications

This section describes how to configure J2EE declarative security for the Tomcat 6.0 Manager, Administration, and Host Manager web applications, including:

  • Setting the Agent Filter Modes

  • Creating OpenSSO Enterprise Users and Groups

  • Allowing an OpenSSO Enterprise User to Access the Manager Web Application

  • Allowing an OpenSSO Enterprise User to Access the Administration Web Application

  • Allowing an OpenSSO Enterprise User to Access the Host Manager Web Application

Setting the Agent Filter Modes

By default, the Tomcat 6.0 version 3.0 agent protects the Tomcat Manager, Administration, and Host Manager web applications with J2EE security. This default configuration is set by the agent installer, which sets the Agent Filter Mode (com.sun.identity.agents.config.filter.mode property) to J2EE_POLICY in the Tomcat 6.0 version 3.0 agent configuration.

If you prefer, you can protect the Manager, Administration, and Host Manager web applications with a filter mode other than J2EE_POLICY, depending on the requirements for your deployment. For example, you can change the filter mode for these applications to URL_POLICY or ALL.

Procedure: To Set the Agent Filter Modes

  1. Log in to the OpenSSO Enterprise Administration Console.

  2. Click Access Control, realm-name, Agents, J2EE, and then the name of the Tomcat 6.0 version 3.0 agent.

  3. Click General and, under Agent Filter Mode, add or edit the entry for each web application whose mode you want to set. The key is the web application's context name and the value is the filter mode (for example, J2EE_POLICY, URL_POLICY, or ALL):

    • Manager web application (manager)

    • Administration web application (admin)

    • Host Manager web application (host-manager)

    The corresponding properties are:

    com.sun.identity.agents.config.filter.mode[manager]
    com.sun.identity.agents.config.filter.mode[admin]
    com.sun.identity.agents.config.filter.mode[host-manager]
  4. Click Save.

  5. Restart the Tomcat 6.0 web container in which the agent is deployed. The com.sun.identity.agents.config.filter.mode property is not hot-swappable, so the agent does not pick up the new values until it is restarted.
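The lookup these properties drive, shown as an added example (Python written for this page, not code from the Sun guide or from the agent): the per-application entry filter.mode[context] overrides the global filter.mode, and an application whose effective mode is NONE is simply not protected, whatever the web.xml says. The script parses a constructed configuration snippet written in the key=value layout of the agent's local configuration file (OpenSSOAgentConfiguration.properties); that file name, its layout, and any context names beyond the three this section lists are assumptions, as is treating a missing global value as "unset" rather than substituting an agent default.

```python
"""Compute and audit the effective Agent Filter Mode per Tomcat web application.

Added example, not code from the Sun guide or from the agent. It reads the
property syntax this section shows: a global
com.sun.identity.agents.config.filter.mode and per-application overrides
written as ...filter.mode[context]. The sample below is constructed; the
local-config file name and key=value layout are assumptions.
"""
import re

MODE_KEY = "com.sun.identity.agents.config.filter.mode"
VALID_MODES = ("NONE", "SSO_ONLY", "J2EE_POLICY", "URL_POLICY", "ALL")
# Web applications the guide protects with J2EE declarative security.
TOMCAT_ADMIN_APPS = ("manager", "admin", "host-manager")

# name, optionally followed by [key] for map-valued properties
_PROP_NAME = re.compile(r"^(?P<name>[A-Za-z0-9_.]+)(?:\[(?P<key>[^\]]*)\])?$")

# Constructed sample (not a real agent configuration): one application is
# left unprotected and one has a typo in its mode.
AGENT_CONFIG_SAMPLE = """\
# Agent filter mode: global default, then per-application overrides
com.sun.identity.agents.config.filter.mode = ALL
com.sun.identity.agents.config.filter.mode[manager] = J2EE_POLICY
com.sun.identity.agents.config.filter.mode[admin] = J2EE_POLICY
com.sun.identity.agents.config.filter.mode[host-manager] = NONE
com.sun.identity.agents.config.filter.mode[myapp] = URL_POLCY
"""


def parse_properties(text):
    """Split 'name = value' lines into scalars {name: value} and map-valued
    properties {name: {key: value}} written as name[key] = value.
    Blank lines and # comments are skipped."""
    scalars, maps = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError("line %d: expected name=value" % lineno)
        lhs, value = (part.strip() for part in line.split("=", 1))
        m = _PROP_NAME.match(lhs)
        if not m:
            raise ValueError("line %d: malformed property name %r" % (lineno, lhs))
        if m.group("key") is None:
            scalars[m.group("name")] = value
        else:
            maps.setdefault(m.group("name"), {})[m.group("key")] = value
    return scalars, maps


def effective_filter_modes(text, contexts=TOMCAT_ADMIN_APPS):
    """Return {context: (mode, source)}: the per-application entry wins,
    otherwise the global value applies; source records which one was used
    ("per-application", "global", or "unset" when neither exists)."""
    scalars, maps = parse_properties(text)
    per_app = maps.get(MODE_KEY, {})
    default = scalars.get(MODE_KEY)
    result = {}
    for ctx in contexts:
        if ctx in per_app:
            result[ctx] = (per_app[ctx], "per-application")
        elif default is not None:
            result[ctx] = (default, "global")
        else:
            result[ctx] = (None, "unset")
    return result


def audit_filter_modes(text, contexts=TOMCAT_ADMIN_APPS):
    """Return findings for every context named in `contexts` or in the
    configuration: unknown mode values, applications left in NONE (the agent
    enforces nothing) and SSO_ONLY (authentication only, no authorization)."""
    _, maps = parse_properties(text)
    all_contexts = tuple(dict.fromkeys(tuple(contexts) + tuple(maps.get(MODE_KEY, {}))))
    findings = []
    for ctx, (mode, source) in effective_filter_modes(text, all_contexts).items():
        if mode is None:
            findings.append("%s: no filter mode configured" % ctx)
        elif mode not in VALID_MODES:
            findings.append("%s: invalid filter mode %r (%s); valid values: %s"
                            % (ctx, mode, source, ", ".join(VALID_MODES)))
        elif mode == "NONE":
            findings.append("%s: filter mode NONE (%s); the agent enforces nothing "
                            "for this application" % (ctx, source))
        elif mode == "SSO_ONLY":
            findings.append("%s: filter mode SSO_ONLY (%s); authentication only, "
                            "no authorization by the agent" % (ctx, source))
    return findings


if __name__ == "__main__":
    for ctx, (mode, source) in effective_filter_modes(AGENT_CONFIG_SAMPLE).items():
        print("%-13s %-12s (%s)" % (ctx, mode, source))
    for finding in audit_filter_modes(AGENT_CONFIG_SAMPLE):
        print("WARNING:", finding)
```

Run it against the sample and the host-manager application is reported in NONE while myapp is flagged for the misspelled mode; point it at a real local configuration file to confirm that the three administrative applications still carry the mode you intended after editing them in the console.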

Creating OpenSSO Enterprise Users and Groups

In this task, you create the OpenSSO Enterprise users and groups that are allowed to access the Tomcat 6.0 Manager, Administration, and Host Manager web applications.


Note –

In Access Manager 7.1 and Access Manager 7 2005Q4, users were assigned specific roles. OpenSSO Enterprise uses groups rather than roles for the same functionality.


Procedure: To Create OpenSSO Enterprise Users and Groups

  1. Log in to the OpenSSO Enterprise Administration Console.

  2. Click Access Control, realm-name, Subjects, and then User.

  3. Create the following new users, as required by your deployment:

    • Manager user: A user who will be assigned to the manager group and will be able to log into the Manager web application.

    • Administrator user: A user who will be assigned to the admin group and will be able to log into the Administration and Host Manager web applications.

  4. Click Access Control, realm-name, Subjects, and then Group.

  5. Create the following new groups:

    • Manager group named manager

    • Administrator group named admin

  6. Assign the new users created in Step 3 to their respective groups:

    • Assign the Manager user to the Manager group (manager).

    • Assign the Administrator user to the Administrator group (admin).

  7. Save all changes to the new users and groups.

Allowing an OpenSSO Enterprise User to Access the Manager Web Application

In this task, you edit the Tomcat 6.0 Manager web application's web.xml file to allow an OpenSSO Enterprise user to access the Manager web application.

Procedure: To Allow an OpenSSO Enterprise User to Access the Manager Web Application

  1. Change to the following directory for the Tomcat 6.0 instance (use $CATALINA_BASE instead of $CATALINA_HOME if the instance runs from a separate base directory):

    $CATALINA_HOME/webapps/manager/WEB-INF

  2. In the web.xml file, find the user and role information for the Manager role.

    This role is defined in the <role-name> element under the <security-role> element.

  3. Delete the Manager security role.

  4. Create a new Manager security role whose <role-name> is the identifier of the manager group that you created in the OpenSSO Enterprise Console, as described in Creating OpenSSO Enterprise Users and Groups. Replace realm-name and the dc components with the values for your realm.

    For example:

    <security-role>
    <role-name>id=manager,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </security-role>
  5. Replace the Manager role defined in the <role-name> element under the <auth-constraint> element with the contents of the <role-name> element as described in the previous step.

    For example:

    <auth-constraint>
    <role-name>id=manager,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </auth-constraint>
  6. Save the web.xml file.

  7. Restart the Tomcat 6.0 web container.

Allowing an OpenSSO Enterprise User to Access the Administration Web Application

In this task, you edit the Administration web application's web.xml file to allow an OpenSSO Enterprise user to access the Administration web application. Tomcat 6.0 does not ship an Administration web application; perform this task only if you have deployed one under the admin context.

Procedure: To Allow an OpenSSO Enterprise User to Access the Administration Web Application

  1. Change to the following directory for the Tomcat 6.0 instance (use $CATALINA_BASE instead of $CATALINA_HOME if the instance runs from a separate base directory):

    $CATALINA_HOME/webapps/admin/WEB-INF

  2. In the web.xml file, find the user and role information for the Administrator role.

    This role is defined in the <role-name> element under the <security-role> element.

  3. Delete the Administrator security role.

  4. Create a new Administrator security role using the user and group that you created in the OpenSSO Enterprise Console, as described in Creating OpenSSO Enterprise Users and Groups.

    For example:

    <security-role>
    <role-name>id=admin,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </security-role>
  5. Replace the Administrator role defined in the <role-name> element under the <auth-constraint> element with the contents of the <role-name> element as described in the previous step.

    For example:

    <auth-constraint>
    <role-name>id=admin,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </auth-constraint>
  6. Save the web.xml file.

  7. Restart the Tomcat 6.0 web container.

Allowing an OpenSSO Enterprise User to Access the Host Manager Web Application

In this task, you edit the Host Manager web application's web.xml file to allow an OpenSSO Enterprise user to access the Host Manager web application.

The steps for configuring the Host Manager web application with declarative security are the same as those for the Administration web application. Both applications are accessible to users assigned to the admin group, so the new role name is the admin group's identifier in both web.xml files.

Procedure: To Allow an OpenSSO Enterprise User to Access the Host Manager Web Application

  1. Change to the following directory for the Tomcat 6.0 instance (use $CATALINA_BASE instead of $CATALINA_HOME if the instance runs from a separate base directory):

    $CATALINA_HOME/webapps/host-manager/WEB-INF

  2. In the web.xml file, find the user and role information for the Host Manager web application role (admin in the stock Tomcat 6.0 host-manager web.xml).

    This role is defined in the <role-name> element under the <security-role> element.

  3. Delete the Host Manager web application security role.

  4. Create a new Host Manager web application security role using the admin group that you created in the OpenSSO Enterprise Console, as described in Creating OpenSSO Enterprise Users and Groups.

    For example:

    <security-role>
    <role-name>id=admin,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </security-role>
  5. Replace the Host Manager web application role defined in the <role-name> element under the <auth-constraint> element with the contents of the <role-name> element as described in the previous step.

    For example:

    <auth-constraint>
    <role-name>id=admin,ou=group,dc=realm-name,dc=example,dc=com</role-name>
    </auth-constraint>
  6. Save the web.xml file.

  7. Restart the Tomcat 6.0 web container.
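The three web.xml tasks above (Manager, Administration, Host Manager) each make the same pair of edits by hand: the role name under <security-role> and the one under <auth-constraint> must both become the OpenSSO Enterprise group identifier, and a half-done edit leaves an <auth-constraint> that references an undeclared role. As an added example, written for this page and not taken from the Sun guide or the agent, the following Python script applies the replacement to both elements in one pass and then checks the descriptor the way a reviewer would: every role an <auth-constraint> names must be declared in a <security-role>, every <security-constraint> must still carry an <auth-constraint>, and a <login-config> must be present. The sample descriptor is constructed to resemble the security-relevant part of the stock Tomcat 6.0 Manager web.xml; the group identifier is the guide's own illustration and must be replaced with the one for your realm.

```python
"""Rewrite and sanity-check the <security-role> / <auth-constraint> role
names that the Manager, Administration and Host Manager tasks edit by hand.

Added example, not part of the Sun guide or the agent. SAMPLE_WEB_XML is a
constructed descriptor shaped like the Tomcat 6.0 Manager web.xml; the
group identifier is the guide's illustration, not a real deployment value.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"   # namespace Tomcat 6.0 descriptors declare
NS = {"j": JAVAEE_NS}

# Constructed sample: stock Manager descriptor trimmed to the security elements.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTML Manager and Manager command</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Tomcat Manager Application</realm-name>
  </login-config>
  <security-role>
    <description>The role that is required to log in to the Manager Application</description>
    <role-name>manager</role-name>
  </security-role>
</web-app>
"""

# The guide's example identifier for the manager group (replace for your realm).
MANAGER_GROUP_DN = "id=manager,ou=group,dc=realm-name,dc=example,dc=com"


def _tag(name):
    return "{%s}%s" % (JAVAEE_NS, name)


def rewrite_role(xml_text, old_role, new_role):
    """Return the descriptor with every <role-name> equal to old_role replaced
    by new_role, wherever it appears (<security-role> and <auth-constraint>),
    so steps 3 to 5 of each task are applied together."""
    ET.register_namespace("", JAVAEE_NS)   # serialize with the default namespace, no ns0: prefix
    root = ET.fromstring(xml_text)
    changed = 0
    for rn in root.iter(_tag("role-name")):
        if (rn.text or "").strip() == old_role:
            rn.text = new_role
            changed += 1
    if changed == 0:
        raise ValueError("role %r not found in web.xml" % old_role)
    return ET.tostring(root, encoding="unicode")


def check_constraints(xml_text):
    """Return a list of problems; an empty list means the descriptor is
    consistent: every role used in an <auth-constraint> is declared in a
    <security-role>, no <security-constraint> lacks an <auth-constraint>
    (which would leave its URL patterns open to anyone), and a
    <login-config> exists so the container can challenge for credentials."""
    root = ET.fromstring(xml_text)
    declared = {(rn.text or "").strip()
                for sr in root.findall("j:security-role", NS)
                for rn in sr.findall("j:role-name", NS)}
    problems = []
    for sc in root.findall("j:security-constraint", NS):
        patterns = ", ".join(p.text or "" for p in
                             sc.findall("j:web-resource-collection/j:url-pattern", NS))
        ac = sc.find("j:auth-constraint", NS)
        if ac is None:
            problems.append("constraint for %s has no <auth-constraint>" % patterns)
            continue
        roles = [(rn.text or "").strip() for rn in ac.findall("j:role-name", NS)]
        if not roles:
            problems.append("empty <auth-constraint> for %s denies everyone" % patterns)
        for role in roles:
            if role != "*" and role not in declared:
                problems.append("role %r used for %s is not declared in <security-role>"
                                % (role, patterns))
    if root.find("j:login-config", NS) is None:
        problems.append("no <login-config>; the container cannot challenge for credentials")
    return problems


if __name__ == "__main__":
    rewritten = rewrite_role(SAMPLE_WEB_XML, "manager", MANAGER_GROUP_DN)
    print(rewritten)
    print("problems:", check_constraints(rewritten) or "none")
```

To use it on a real instance, read $CATALINA_HOME/webapps/manager/WEB-INF/web.xml into rewrite_role with the old role name from that file and your group's identifier, run check_constraints on the result before writing it back, and repeat with the admin group for host-manager (and admin, if deployed); the check is the step worth keeping, because a descriptor whose <auth-constraint> names a role nobody holds locks everyone out, while a constraint that has lost its <auth-constraint> lets everyone in.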