Tags: servlets, ibm-cloud, websphere-liberty, ibm-wdt

Liberty on Bluemix - How to protect the Web Context using Deployment of .EAR Projects


I'm in doubt about the context protection definitions for a Liberty server that was deployed onto a Bluemix environment, mainly in view of the login and authorization functions that will be triggered by the settings. For Liberty, all configuration is placed inside a single server.xml setup file.

The deployment structure generated by the Eclipse choice "Dynamic Web Project" is as follows:

. WebSphere Application Server Packaged on Bluemix (Utilities: Package on Bluemix Server)
.. LibertyStarterClaudeEAR (.ear)
... LiberyStarterClaude (.war)  

The application generated an .ear archive file for deployment. Inside this archive there is a .war file with the web application itself; indeed it's a simple "hello world" from the Bluemix sample repository. Without the application and application-bnd statements, the web screen displays correctly; once the application statement is active, I get the following error message:

404 Not Found: Requested route ('xyzxyz.mybluemix.net') does not exist. 

Here is the context definition I wish to add to the server.xml:

<!--  Nov. 21 2016 the next section adds the web context authorization -->   
<application type="war" id="LibertyStarterClaude" name="LibertyStarterClaude" location="${server.config.dir}/apps/LibertyStarterClaude.war">
  <application-bnd>
    <security-role name="All Role">
      <special-subject type="ALL_AUTHENTICATED_USERS" />
    </security-role>
  </application-bnd> 
</application> 

What are the correct path and application type definitions to activate the context protection and login intercept for deployment of .ear archives and its application?

Below are the console messages resulting from the "package on IBM Bluemix" command (push):

Deploy and push the local Liberty server with tag section defined under the server.xml configuration file.

name: liberty_with_oidc
manifest: save to manifest file
subdomain: libertystarterclaude
domain: mybluemix.net
deployed url: libertystarterclaude.mybluemix.net
start application at deployment: enabled

Checking application - liberty_with_oidc
Generating application archive - liberty_with_oidc
Pushing application - liberty_with_oidc
Creating application - liberty_with_oidc
Application successfully pushed
Starting application - liberty_with_oidc
Got staging request for app with id ff091f13-1c94-4d0f-adea-70db04cceb7c
Updated app with guid ff091f13-1c94-4d0f-adea-70db04cceb7c ({"state"=>"STARTED"})
-----> Downloaded app package (36K)
[Application Running Check] - Checking if application is running - liberty_with_oidc. Please wait...

-----> Retrieving IBM 1.8.0_20160919 JRE (ibm-java-jre-8.0-3.12-pxa6480sr3fp12-20160919_01-cloud.tgz) ... (0.0s)
         Expanding JRE to .java ... (1.1s)
-----> Retrieving App Management 1.21.0_20161010-1459 (app-mgmt_v1.21-20161010-1459.zip) ... (0.0s)
         Expanding App Management to .app-management (0.1s)
-----> Retrieving com.ibm.ws.liberty-16.0.0.3-201610302241.tar.gz ... (0.0s)
         Installing archive ... (1.1s)
-----> Retrieving com.ibm.ws.liberty.ext-16.0.0.3-201610302241.tar.gz ... (0.0s)
         Installing archive ... (1.0s)
-----> Liberty buildpack is done creating the droplet

[AUDIT   ] CWWKE0001I: The server wlp2016beta has been launched.
[AUDIT   ] CWWKG0028A: Processing included configuration resource: /home/vcap/app/wlp/usr/servers/wlp2016beta/runtime-vars.xml
[INFO    ] CWWKE0002I: The kernel started after 3.267 seconds
[INFO    ] CWWKF0007I: Feature update started.

[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixutility-1.0 feature.  Try running the command, bin/installUtility install bluemixutility-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.

[INFO    ] CWWKS0007I: The security service is starting...
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 61655.
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 9443.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] CWWKY0005I: The batch In-Memory persistence service is activated.
[INFO    ] CWWKY0008I: The batch feature is using persistence type In-Memory.
[INFO    ] CWIMK0009I: The user registry federation service is ready.
[INFO    ] CWWKS0008I: The security service is ready.
[INFO    ] CWWKS4105I: LTPA configuration is ready after 0.902 seconds.
[INFO    ] CWWKS1410I: The OAuth endpoint service is activated.
[INFO    ] CWWKS1700I: OpenID Connect client bluemixoidc1 configuration successfully processed.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.dump.JavaDumpBeanProvider@8023ef99.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.logging.LibertyLoggingBeanProvider@ffcd3586.
[INFO    ] CWWKY0300I: Batch security is enabled.
[WARNING ] CWWKZ0014W: The application LibertyStarterClaude could not be started as it could not be found at location /home/vcap/app/wlp/usr/servers/wlp2016beta//apps/LibertyStarterClaude.war.
[INFO    ] CWWKZ0018I: Starting application LibertyStarterClaudeEAR.
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/ibm/api/
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.cloudoe.management.client.liberty.connector.
[INFO    ] SRVE0250I: Web Module com.ibm.ws.cloudoe.management.client.liberty.connector has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/IBMMGMTRest/
[INFO    ] SRVE0169I: Loading Web Module: OpenID Connect Client Redirect Servlet.
[INFO    ] SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/oidcclient/
[INFO    ] SRVE0169I: Loading Web Module: IBMJMXConnectorREST.
[INFO    ] SRVE0250I: Web Module IBMJMXConnectorREST has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/IBMJMXConnectorREST/
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] WELD-000900: 2.3.4 (Final)
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.oauth.test.war.
[INFO    ] SRVE0250I: Web Module com.ibm.oauth.test.war has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61655/oauth2/
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[INFO    ] SRVE0250I: Web Module LibertyStarterClaude has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: LibertyStarterClaude.
[AUDIT   ] CWWKZ0001I: Application LibertyStarterClaudeEAR started in 1.047 seconds.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /home/vcap/app/wlp/usr/servers/wlp2016beta/logs/state/plugin-cfg.xml.
[AUDIT   ] CWWKF0015I: The server has the following interim fixes active in the runtime: PI69141,PI68805. For a full listing of installed fixes run: productInfo version --ifixes
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, beanValidation-1.1, ssl-1.0, jndi-1.0, oauth-2.0, batchManagement-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, openidConnectClient-1.0, restConnector-2.0, cdi-1.2, webProfile-7.0, jpa-2.1, appState-2.0, jsp-2.3, ejbLite-3.2, managedBeans-1.0, jsf-2.2, localConnector-1.0, federatedRegistry-1.0, jsonp-1.0, icap:managementConnector-1.0, el-3.0, jaxrsClient-2.0, batch-1.0, ldapRegistry-3.0, json-1.0, distributedMap-1.0, websocket-1.1].
[INFO    ] CWWKF0008I: Feature update completed in 42.745 seconds.
[AUDIT   ] CWWKF0011I: The server wlp2016beta is ready to run a smarter planet.

Instance (index 0) failed to start accepting connections

App instance exited with guid ff091f13-1c94-4d0f-adea-70db04cceb7c payload: {"cc_partition"=>"default", "droplet"=>"ff091f13-1c94-4d0f-adea-70db04cceb7c", "version"=>"2186b130-3bad-4631-bd74-3e436f10ec19", "instance"=>"75acb8c94a5b403398904d43aa53761d", "index"=>0, "reason"=>"CRASHED", "exit_status"=>-1, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1479830482}
Starting app instance (index 0) with guid ff091f13-1c94-4d0f-adea-70db04cceb7c


[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  admincenter-1.0 feature.  Try running the command, bin/installUtility install admincenter-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixlogcollector-1.1 feature.  Try running the command, bin/installUtility install bluemixlogcollector-1.1,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.
[ERROR   ] CWWKF0042E: A feature definition cannot  be found for the  bluemixutility-1.0 feature.  Try running the command, bin/installUtility install bluemixutility-1.0,  to install the feature. Alternatively, you can run the command, bin/installUtility install wlp2016beta,  to install all features that are referenced by this configuration.

[INFO    ] CWWKS0007I: The security service is starting...
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 61700.
[AUDIT   ] CWWKZ0058I: Monitoring dropins for applications. 
[INFO    ] CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host localhost  (IPv4: 127.0.0.1) port 9443.
[INFO    ] DYNA1001I: WebSphere Dynamic Cache instance named baseCache initialized successfully.
[INFO    ] DYNA1071I: The cache provider default is being used.
[INFO    ] DYNA1056I: Dynamic Cache (object cache) initialized successfully.
[INFO    ] CWWKY0005I: The batch In-Memory persistence service is activated.
[INFO    ] CWWKY0008I: The batch feature is using persistence type In-Memory.
[INFO    ] CWIMK0009I: The user registry federation service is ready.
[INFO    ] CWWKS1700I: OpenID Connect client bluemixoidc1 configuration successfully processed.
[INFO    ] CWWKS0008I: The security service is ready.
[INFO    ] CWWKS4105I: LTPA configuration is ready after 0.752 seconds.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.dump.JavaDumpBeanProvider@50e65231.
[INFO    ] CWSCX0122I: Register management Bean provider: com.ibm.ws.cloudoe.management.client.provider.logging.LibertyLoggingBeanProvider@9176be54.
[INFO    ] CWWKY0300I: Batch security is enabled.
[WARNING ] CWWKZ0014W: The application LibertyStarterClaude could not be started as it could not be found at location /home/vcap/app/wlp/usr/servers/wlp2016beta//apps/LibertyStarterClaude.war.
[INFO    ] CWWKZ0018I: Starting application LibertyStarterClaudeEAR.
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.ws.cloudoe.management.client.liberty.connector.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/IBMMGMTRest/
[INFO    ] SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
[INFO    ] SRVE0250I: Web Module ibm/api has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: ibm/api.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/ibm/api/
[INFO    ] WELD-000900: 2.3.4 (Final)
[INFO    ] SRVE0250I: Web Module IBMJMXConnectorREST has been bound to default_host.
[INFO    ] SRVE0169I: Loading Web Module: IBMJMXConnectorREST.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/IBMJMXConnectorREST/
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] CWWKX0103I: The JMX REST connector is running and is available at the following service URL: service:jmx:rest://localhost:9443/IBMJMXConnectorREST
[INFO    ] SRVE0169I: Loading Web Module: com.ibm.oauth.test.war.
[INFO    ] SRVE0250I: Web Module com.ibm.oauth.test.war has been bound to default_host.
[AUDIT   ] CWWKT0016I: Web application available (default_host): http://localhost:61700/oauth2/
[INFO    ] SESN8501I: The session manager did not find a persistent storage location; HttpSession objects will be stored in the local application server's memory.
[INFO    ] SRVE0169I: Loading Web Module: LibertyStarterClaude.
[INFO    ] SRVE0250I: Web Module LibertyStarterClaude has been bound to default_host.
[AUDIT   ] CWWKZ0001I: Application LibertyStarterClaudeEAR started in 1.423 seconds.
[INFO    ] SRVE9103I: A configuration file for a web server plugin was automatically generated for this server at /home/vcap/app/wlp/usr/servers/wlp2016beta/logs/state/plugin-cfg.xml.
[AUDIT   ] CWWKF0015I: The server has the following interim fixes active in the runtime: PI69141,PI68805. For a full listing of installed fixes run: productInfo version --ifixes
[AUDIT   ] CWWKF0012I: The server installed the following features: [servlet-3.1, beanValidation-1.1, ssl-1.0, jndi-1.0, oauth-2.0, batchManagement-1.0, appSecurity-2.0, jdbc-4.1, jaxrs-2.0, openidConnectClient-1.0, restConnector-2.0, cdi-1.2, webProfile-7.0, jpa-2.1, appState-2.0, jsp-2.3, ejbLite-3.2, managedBeans-1.0, jsf-2.2, localConnector-1.0, federatedRegistry-1.0, jsonp-1.0, icap:managementConnector-1.0, el-3.0, jaxrsClient-2.0, batch-1.0, ldapRegistry-3.0, json-1.0, distributedMap-1.0, websocket-1.1].
[AUDIT   ] CWWKF0011I: The server wlp2016beta is ready to run a smarter planet.
[INFO    ] CWWKF0008I: Feature update completed in 40.415 seconds.

Instance (index 0) failed to start accepting connections

App instance exited with guid ff091f13-1c94-4d0f-adea-70db04cceb7c payload: {"cc_partition"=>"default", "droplet"=>"ff091f13-1c94-4d0f-adea-70db04cceb7c", "version"=>"2186b130-3bad-4631-bd74-3e436f10ec19", "instance"=>"3cd219a09bbf48fd8b80db6b6290f5b9", "index"=>0, "reason"=>"CRASHED", "exit_status"=>-1, "exit_description"=>"failed to accept connections within health check timeout", "crash_timestamp"=>1479830595}

Starting app instance (index 0) with guid ff091f13-1c94-4d0f-adea-70db04cceb7c

.. restarting

My testing showed that there was a duplicate entry for the .ear archive, as the application tag supports reading .ear archives. The new definition is:

<application location="${server.config.dir}apps/LibertyStarterClaudeEAR.ear" type="ear">
  <application-bnd>
    <security-role name="AllAuthenticated">
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </application-bnd>
</application>

Commenting out the duplicate .ear load from the original project setup:

<!--  enterpriseApplication id="LibertyStarterClaudeEAR" location="LibertyStarterClaudeEAR.ear" name="LibertyStarterClaudeEAR"/ -->

Solution

  • To set up security, you need to define a security role, a security constraint and an authentication method, as well as the application binding. You only mentioned the application binding part. I am not sure if you have done the rest. You can refer to this documentation on how to set up the rest: http://www.ibm.com/support/knowledgecenter/SS7K4U_liberty/com.ibm.websphere.wlp.zseries.doc/ae/twlp_sec_quickstart.html

    For your application, do you want to deploy as an EAR or deploy as a standalone WAR? On the dynamic web project structure, you seem to be using an EAR. However, in the application binding config element that you have, it has been converted to a standalone WAR application without the EAR. I would suggest you keep the original enterpriseApplication element and just add the application-bnd section under that element instead of defining a new application element. The reason is that changing the application type directly in the server config file will make the tools setup out of sync with the server configuration. If you want to deploy as a standalone WAR instead without the EAR, remove the EAR from the server in the Servers view and add the WAR to the server first. Then, you can add the application-bnd section under the WAR definition to keep tools and config settings in sync.