Securing an application endpoint
You can secure your feature's application endpoint by completing the following steps:
Procedure
- In the .mf file of your feature, add the com.ibm.wsspi.appserver.webBundleSecurity-1.0 feature to the Subsystem-Content: header. This addition causes any protected servlets (as specified in your feature bundle's WEB-INF/web.xml file) to be authenticated, and enables role-based authorization. You can also assign users, groups, and special subjects to any roles that are defined in the WEB-INF/web.xml file.
  Subsystem-Content: my.user.feature.bundle; version="[1,1.0.100)", com.ibm.wsspi.appserver.webBundleSecurity-1.0; type="osgi.subsystem.feature"
- To map roles to users, groups, and special subjects, complete the following steps:
  - Add the IBM-Authorization-Roles header to your OSGi bundle's MANIFEST.MF file. The header must specify a name that is the ID of a role mapping that you specify in the server.xml file.
    IBM-Authorization-Roles: my.feature.role.map
  - In the server.xml file, add an authorization-roles element to map the role names to users and groups. The id attribute of the authorization-roles element must have the same value as the IBM-Authorization-Roles header in the MANIFEST.MF file. Add a <security-role> subelement for each role that you want to assign users and groups to.
    <authorization-roles id="my.feature.role.map">
      <security-role name="employee">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
      <security-role name="manager">
        <user name="bob"/>
        <user name="mary"/>
        <group name="managers"/>
      </security-role>
    </authorization-roles>
Note: You can also enable security by configuring the appSecurity-1.0 or appSecurity-2.0 features in the server configuration. If you enable the features after the web application bundles (WABs) start, restart the WABs.