Security in Spring Boot applications

You have three options when you are using Spring Boot security in CICS.

  1. You can use Spring Boot security without integrating with Liberty or CICS security. This option is useful if you are taking an existing Spring Boot application and deploying it unchanged in CICS.
  2. You can use Java EE security to authenticate web requests by using any of the Liberty-supported registry types. You configure it in the standard Java EE way, by using a <security-constraint> and a <login-config> in the application's web.xml. This option is useful if you want to authenticate users by using any of the supported Liberty registry types, and then control transaction authorization by using CICS security. For more information, see Authenticating users in a Liberty JVM server.
    Note: You must ensure that web.xml is stored in src/main/webapp/WEB-INF/.
  3. You can integrate Spring Boot security with Java EE security by using Java EE container pre-authentication. This allows you to authenticate users through an external system, which then provides a validated user ID and set of roles to Spring Boot security. To do this, you need to modify the application and create an @Configuration annotated class that extends WebSecurityConfigurerAdapter in order to name the roles to be propagated into Spring security. In addition, you need to configure the standard Java EE security settings in the application's web.xml and <application-bnd> or EJBROLE profiles if you are using SAF authorization. Use this option if you want to authenticate users by using any of the supported Liberty registry types, and you want to authorize requests by using Java EE role-based access to individual methods.
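
A sketch of the configuration class that option 3 describes, added here as an illustration and not taken from the product documentation. The class names, the role names USER and ADMIN, and the use of method-level annotations are assumptions; the role names must match the role-name values declared in the application's web.xml, and the API shown is Spring Security 5.x, where WebSecurityConfigurerAdapter is available.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Hypothetical class name. The container (Liberty) authenticates the caller;
// Spring Security only consumes the resulting principal and roles.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
public class ContainerPreAuthSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // Reject any request the container has not already authenticated.
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            // Java EE container pre-authentication: for each role named here,
            // Spring calls HttpServletRequest.isUserInRole(role) and, if true,
            // grants the authority ROLE_<role>. Roles not listed are NOT
            // propagated, so an omitted role fails closed.
            // USER and ADMIN are assumed names; they must match web.xml.
            .jee()
                .mappableRoles("USER", "ADMIN");
    }
}

// Hypothetical service showing role-based access to an individual method.
@Service
class AccountService {

    // hasRole('ADMIN') checks for the ROLE_ADMIN authority mapped above.
    @PreAuthorize("hasRole('ADMIN')")
    public void closeAccount(String accountId) {
        // Business logic runs only for callers the container placed in ADMIN.
    }
}
```

Because only the roles passed to mappableRoles are propagated, a role that exists in web.xml but is missing from this list results in denied access rather than unintended access.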