Configuring the CICS Default Web Application

The CICS® Liberty Default Web Application verifies that the Liberty server is running. The Default Web Application also provides information on the server configuration. Users are able to browse the JVM Profile, the JVM server logs, the Liberty server.xml, and the messages log by using the FileViewer servlet.

Before you begin

Without application security enabled, full access to the Default Web Application is available to all users. If you have autoconfigure enabled and run with CICS security (sec=yes), or you have manually configured your server.xml by adding the cicsts:security-1.0 feature, your user ID requires additional permissions to run the application. For access to the Default servlet and basic information, you need to be in the User role. For access to the FileViewer servlet, you need to be in the Administrator role.

Procedure

  1. If you are using SAF authorization, and your server.xml contains the <safAuthorization .../> element, you need to create these profiles:
    1. To access the Default servlet, use the following example:
      RDEFINE EJBROLE BBGZDFLT.com.ibm.cics.wlp.defaultapp.User UACC(NONE)
      PERMIT BBGZDFLT.com.ibm.cics.wlp.defaultapp.User CLASS(EJBROLE) ID(WLPSVRS) ACCESS(READ)
      SETROPTS RACLIST(EJBROLE) REFRESH
    2. To access the FileViewer servlet, use the following example:
      RDEFINE EJBROLE BBGZDFLT.com.ibm.cics.wlp.defaultapp.Administrator UACC(NONE)
      PERMIT BBGZDFLT.com.ibm.cics.wlp.defaultapp.Administrator CLASS(EJBROLE) ID(WLPSVRS) ACCESS(READ)
      SETROPTS RACLIST(EJBROLE) REFRESH
  2. Alternatively, if you do not have SAF authorization configured, then the default JEE role-based access is used.
    • CICS provides a default authorization definition, shown in the following configuration. Access to the Default servlet is granted through the User role to the special subject ALL_AUTHENTICATED_USERS, which means that every authenticated user has access. By default, CICS does not provide access to the FileViewer servlet.
      <authorization-roles id="com.ibm.cics.wlp.defaultapp">
          <security-role name="User">
               <special-subject type="ALL_AUTHENTICATED_USERS"/>
          </security-role>
      </authorization-roles>
    • However, the default JEE role information can be customized in server.xml by adding an authorization-roles element, as in the example that follows. This example extends the default configuration by adding user2 to the Administrator role, which gives that user access to the FileViewer servlet.
      <authorization-roles id="com.ibm.cics.wlp.defaultapp">
          <security-role name="User">
              <user name="user1"/>
              <user name="user2"/>
          </security-role>
          <security-role name="Administrator">
              <user name="user2"/>
          </security-role>
      </authorization-roles>

      In this case, user1 can access the Default servlet but not the FileViewer servlet and user2 can access the Default servlet and the FileViewer servlet.
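
One way to review the resulting role bindings before deploying a server.xml. This is an added example, not part of the CICS documentation or product. The function name `audit_defaultapp`, the finding texts and the over-broad Administrator grant in the sample are constructed for illustration; the special-subject types checked are Liberty's ALL_AUTHENTICATED_USERS and EVERYONE.

```python
import xml.etree.ElementTree as ET

APP_ID = "com.ibm.cics.wlp.defaultapp"           # authorization-roles id from the page
BROAD = {"ALL_AUTHENTICATED_USERS", "EVERYONE"}  # Liberty special-subject types

def audit_defaultapp(server_xml):
    """Return SAF mode, role membership and findings for the Default Web Application."""
    root = ET.fromstring(server_xml)
    roles = {}
    for block in root.iter("authorization-roles"):
        if block.get("id") != APP_ID:
            continue
        for role in block.findall("security-role"):
            members = roles.setdefault(role.get("name"), set())
            for child in role:
                # <user>/<group> carry name=, <special-subject> carries type=
                members.add(f"{child.tag}:{child.get('name') or child.get('type')}")
    saf = root.find(".//safAuthorization") is not None
    findings = []
    if saf:
        findings.append("safAuthorization present: review the EJBROLE profiles instead")
    for name, members in roles.items():
        broad = sorted(m.split(":", 1)[1] for m in members
                       if m.startswith("special-subject:") and m.split(":", 1)[1] in BROAD)
        if name == "Administrator" and broad:
            findings.append(f"FileViewer open to {', '.join(broad)}")
        if name == "User" and "EVERYONE" in broad:
            findings.append("Default servlet open to EVERYONE (no authentication)")
    if not saf and not roles.get("Administrator"):
        findings.append("no Administrator members: FileViewer not accessible")
    return {"saf": saf, "roles": roles, "findings": findings}

# Constructed sample: the page's customized example plus one over-broad grant.
SAMPLE = """<server>
  <authorization-roles id="com.ibm.cics.wlp.defaultapp">
    <security-role name="User">
      <user name="user1"/>
      <user name="user2"/>
    </security-role>
    <security-role name="Administrator">
      <user name="user2"/>
      <special-subject type="ALL_AUTHENTICATED_USERS"/>
    </security-role>
  </authorization-roles>
</server>"""

if __name__ == "__main__":
    result = audit_defaultapp(SAMPLE)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Because the FileViewer servlet exposes the JVM profile, the logs and server.xml itself, the Administrator finding is the one to act on first.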

Results

You have successfully configured the CICS Default Web Application.