Federated repository default file based implementation

When you install WebSphere Portal by default the Application security is enabled and it is configured to use Federated Repository. You can take a look at this by login into WebSphere Application Server Admin console and Go to Security -> Secure administration, applications, and infrastructure. You will get this screen

Now click on the COnfigure button next to Federated Repository. It will take you to the Federated Repositories configurations screen. On this screen you will notice that there is one repository in the "Repositories in the realm" list, which is file based repository. THat means the users are stored in the File based repository.

If you want you can take a look at how the configuration is actually stored.

  1. The file based repository information is stored in wp_profile/config/cells/DefaultNode/fileRegistry.xml file. This is how it looks like by default

    <?xml version="1.0" encoding="UTF-8"?>
    <sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sdo="commonj.sdo" xmlns:wim="http://www.ibm.com/websphere/wim">
    <wim:Root>
    <wim:entities xsi:type="wim:PersonAccount">
    <wim:identifier externalId="c233f13f-663d-4292-baf0-989e2ef805a4" externalName="uid=wasadmin,o=defaultWIMFileBasedRealm"
    uniqueId="c233f13f-663d-4292-baf0-989e2ef805a4" uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
    <wim:parent>
    <wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/>
    </wim:parent>
    <wim:createTimestamp>2008-11-15T19:23:49.811Z</wim:createTimestamp>
    <wim:modifyTimestamp>2009-04-04T10:43:02.788-07:00</wim:modifyTimestamp>
    <wim:password>U0hBLTE6NWtqbHV1b3hjY2FwOmtzLzVMSHFQUkpCQ1R4ZGlIak8yRDRBdUlkYz0K</wim:password>
    <wim:uid>wasadmin</wim:uid>
    <wim:cn>wasadmin</wim:cn>
    <wim:sn>wasadmin</wim:sn>
    </wim:entities>
    <wim:entities xsi:type="wim:Group">
    <wim:identifier externalId="db0469c8-487a-4610-83de-c063f4652389" externalName="cn=wpsadmins,o=defaultWIMFileBasedRealm"
    uniqueId="db0469c8-487a-4610-83de-c063f4652389" uniqueName="cn=wpsadmins,o=defaultWIMFileBasedRealm"/>
    <wim:parent>
    <wim:identifier uniqueName="o=defaultWIMFileBasedRealm"/>
    </wim:parent>
    <wim:createTimestamp>2008-11-15T19:25:08.265Z</wim:createTimestamp>
    <wim:cn>wpsadmins</wim:cn>
    <wim:members>
    <wim:identifier uniqueName="uid=wasadmin,o=defaultWIMFileBasedRealm"/>
    </wim:members>
    </wim:entities>
    </wim:Root>
    </sdo:datagraph>

    My repository has only one user uid=wasadmin,o=defaultWIMFileBasedRealm because there is only one entry under <wim:entities xsi:type="wim:PersonAccount"> element. Also there is only one entry under <wim:entities xsi:type="wim:Group">
    element for cn=wpsadmins,o=defaultWIMFileBasedRealm group. If you sign up additional users then those entries would be created in this file.
    THe password of the user is stored in the fileRegistry and it is SHA-1 algoritham. ANd it is hash that is valid for 1 day only.

  2. The wimconfig.xml is another important file that is stored in wp_profile/config/cells/DefaultNode/wim/config directory. It has global information about the federated repository things like algorithm for password encryption, what all user repositories are part of the federated repository, etc. By default it looks like this

    <sdo:datagraph xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:config="http://www.ibm.com/websphere/wim/config" xmlns:sdo="commonj.sdo">
    <config:configurationProvider maxPagingResults="500" maxSearchResults="4500" maxTotalPagingResults="1000"
    pagedCacheTimeOut="900" pagingEntityObject="true" searchTimeOut="600000">
    <config:dynamicModel xsdFileName="wimdatagraph.xsd"/>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="Group">
    <config:rdnProperties>cn</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="OrgContainer">
    <config:rdnProperties>o</config:rdnProperties>
    <config:rdnProperties>ou</config:rdnProperties>
    <config:rdnProperties>dc</config:rdnProperties>
    <config:rdnProperties>cn</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:supportedEntityTypes defaultParent="o=defaultWIMFileBasedRealm" name="PersonAccount">
    <config:rdnProperties>uid</config:rdnProperties>
    </config:supportedEntityTypes>
    <config:repositories xsi:type="config:FileRepositoryType" adapterClassName="com.ibm.ws.wim.adapter.file.was.FileAdapter"
    id="InternalFileRepository" supportPaging="false" messageDigestAlgorithm="SHA-1">
    <config:baseEntries name="o=defaultWIMFileBasedRealm"/>
    </config:repositories>
    <config:realmConfiguration defaultRealm="defaultWIMFileBasedRealm">
    <config:realms delimiter="/" name="defaultWIMFileBasedRealm" securityUse="active">
    <config:participatingBaseEntries name="o=defaultWIMFileBasedRealm"/>
    <config:uniqueUserIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
    <config:userSecurityNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
    <config:userDisplayNameMapping propertyForInput="principalName" propertyForOutput="principalName"/>
    <config:uniqueGroupIdMapping propertyForInput="uniqueName" propertyForOutput="uniqueName"/>
    <config:groupSecurityNameMapping propertyForInput="cn" propertyForOutput="cn"/>
    <config:groupDisplayNameMapping propertyForInput="cn" propertyForOutput="cn"/>
    </config:realms>
    </config:realmConfiguration>
    <config:pluginManagerConfiguration>
    <config:topicSubscriberList>
    <config:topicSubscriber topicSubscriberName="DefaultDAViewProcessor" topicSubscriberType="ModificationSubscriber">
    <config:className>com.ibm.ws.wim.plugins.orgview.impl.DefaultDAViewProcessorImpl</config:className>
    </config:topicSubscriber>
    </config:topicSubscriberList>
    <config:topicRegistrationList>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.create">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="createInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.delete">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="deleteInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.update">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.ProfileManager.get">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="getInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    <config:topicEmitter topicEmitterName="com.ibm.ws.wim.authz.ProfileSecurityManager">
    <config:preExit>
    <config:notificationSubscriberList/>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:preExit>
    <config:inlineExit inlineExitName="getInViewExplicit">
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    </config:inlineExit>
    <config:postExit>
    <config:modificationSubscriberList>
    <config:modificationSubscriber>
    <config:modificationSubscriberReference>DefaultDAViewProcessor</config:modificationSubscriberReference>
    <config:realmList>All</config:realmList>
    </config:modificationSubscriber>
    </config:modificationSubscriberList>
    <config:notificationSubscriberList/>
    </config:postExit>
    </config:topicEmitter>
    </config:topicRegistrationList>
    </config:pluginManagerConfiguration>
    <config:authorization
    isSecurityEnabled="true" useSystemJACCProvider="false" importPolicyFromFile="true"
    isAttributeGroupingEnabled="true" defaultAttributeGroup="default"
    jaccPolicyClass="com.ibm.sec.authz.provider.CommonAuthzPolicy"
    jaccRoleMappingClass="com.ibm.sec.authz.provider.CommonAuthzRoleMapping"
    jaccPolicyConfigFactoryClass="com.ibm.sec.authz.provider.CommonAuthzPolicyConfigurationFactory"
    jaccRoleMappingConfigFactoryClass="com.ibm.sec.authz.provider.CommonAuthzRoleMappingConfigurationFactory"
    jaccRoleToPermissionPolicyId="WIM Policy"
    jaccPrincipalToRolePolicyId="WIM Policy"
    jaccRoleToPermissionPolicyFileName="wim-policy.xml"
    jaccPrincipalToRolePolicyFileName="wim-rolemapping.xml">
    <config:attributeGroups>
    <config:groupName>general</config:groupName>
    <config:attributeNames>cn</config:attributeNames>
    <config:attributeNames>sn</config:attributeNames>
    <config:attributeNames>uid</config:attributeNames>
    </config:attributeGroups>
    <config:attributeGroups>
    <config:groupName>sensitive</config:groupName>
    <config:attributeNames>password</config:attributeNames>
    </config:attributeGroups>
    <config:attributeGroups>
    <config:groupName>unchecked</config:groupName>
    <config:attributeNames>identifier</config:attributeNames>
    <config:attributeNames>createTimestamp</config:attributeNames>
    <config:attributeNames>modifyTimestamp</config:attributeNames>
    <config:attributeNames>entitlementInfo</config:attributeNames>
    </config:attributeGroups>
    </config:authorization>
    </config:configurationProvider>
    </sdo:datagraph>




Important Note : Always take a backup of wimconfig.xml before changing the federated repository. theoretically You should be able to restore the federated repository by using this file if something goes wrong

1 comment:

sudheer.katakam said...

Thanks for the explanation.