Security in Spring Boot applications

You have three options for securing a Spring Boot application that runs in CICS®.

  1. You can use Spring Boot security directly and avoid integration with Liberty or CICS security. This option is useful if you are taking an existing Spring Boot application and deploying it unchanged in CICS.
  2. You can use Enterprise Java security to authenticate web requests using any of the Liberty registry types. In this approach you configure security using the standard Enterprise Java <security-constraint> and <login-config> elements in the application's web.xml. This option is useful if you want to authenticate users through Liberty, and then control transaction authorization with CICS security. For more information, see Authenticating users to run CICS Liberty web applications.
    Note: You must ensure that web.xml is stored in src/main/webapp/WEB-INF/.
  3. You can integrate Spring Boot security with Enterprise Java security using container pre-authentication. This approach allows Spring Boot applications to authenticate users through an external system, which supplies a validated user ID and a set of roles for Spring Boot security to operate with. To do this, you need to modify the application and create an @Configuration annotated class that extends WebSecurityConfigurerAdapter. This class propagates the named container roles into Spring Boot security. Configure the Enterprise Java security settings in the application's web.xml and <application-bnd>, or set up EJBROLE profiles if you are using SAF role authorization. Use this option if you want to use Liberty to authenticate users while authorizing requests to individual methods with security roles.
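The following is an added example of the option 3 configuration class; it is not code from this page or from the CICS samples. It assumes two container roles named USER and ADMIN that the application's web.xml declares as <security-role> and protects with a <security-constraint> and <login-config>, and that <application-bnd> (or EJBROLE profiles under SAF) binds users or groups to those roles. The class name, role names and the PayrollService bean are illustrative.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.stereotype.Service;

// Container pre-authentication: Liberty authenticates the caller against its
// registry; Spring Security only consumes the already-validated principal and
// the container roles. Assumed roles USER and ADMIN must be declared as
// <security-role> in web.xml (stored under src/main/webapp/WEB-INF/) and bound
// in <application-bnd> or, with SAF authorization, via EJBROLE profiles.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize on methods
public class ContainerPreAuthConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            // jee() installs J2eePreAuthenticatedProcessingFilter, which reads
            // request.getUserPrincipal() and request.isUserInRole(...) for each
            // listed role. Spring adds the ROLE_ prefix, so "ADMIN" becomes
            // the authority ROLE_ADMIN and matches hasRole("ADMIN") below.
            .jee(jee -> jee.mappableRoles("USER", "ADMIN"))
            // URL-level authorization on the container-derived roles. A request
            // that reaches Spring without a container principal carries no
            // authorities and is rejected; no second login path is configured.
            .authorizeRequests(authz -> authz
                .antMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().hasRole("USER"));
    }
}

// Method-level authorization using the same roles, which is the use case the
// option 3 text describes. Illustrative bean, not part of the page.
@Service
class PayrollService {

    @PreAuthorize("hasRole('ADMIN')")
    public String submitPayrollRun(String batchId) {
        return "submitted " + batchId;
    }

    @PreAuthorize("hasRole('USER')")
    public String viewPayslip(String employeeId) {
        return "payslip for " + employeeId;
    }
}
```

Because every authority comes from the container, any change to who holds USER or ADMIN is made in the Liberty registry or SAF, not in application code.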

For an example of configuring security for Spring Boot applications in CICS, see the tutorial Spring Boot Java applications for CICS, Part 2: Security. This tutorial also provides sample code with which you can try out the different security options.