Sample code for using federated repository management rights

The end-to-end steps, commands, and sample code snippets required to enable users who are not WebSphere Application Server administrators to access the virtual member manager application programming interfaces (APIs) in a multiple security domain environment are provided here.

Federated repository management rights allow users who are not WebSphere Application Server administrators to manage users and groups, and to access other virtual member manager APIs in admin and application domains. Read about the predefined roles and their permissions in the topic, Providing security, in the virtual member manager documentation. You can use the following wsadmin commands to implement this feature: mapIdMgrUserToRole, mapIdMgrGroupToRole, removeIdMgrUsersFromRole, removeIdMgrGroupsFromRole, and listIdMgrUsersForRoles. For more information, read about using these commands in the topic, IdMgrConfig command group for the AdminTask object, in the WebSphere Application Server documentation.

The following steps are covered in this sample scenario:

  1. Install the wimperdomain application on the server that is scoped to the security domain. In a multiple security domain environment, you must deploy the virtual member manager EJB on each target server whose server scope is associated with that security domain, to get a reference to the virtual member manager instance in that domain. This procedure enables you to call virtual member manager APIs through the EJB for a specific domain. Only users with the required access roles for virtual member manager APIs, or superusers in that domain, can call the respective APIs.
  2. Create a user in the user registry that corresponds to the security domain. You must be logged in as a WebSphere Application Server administrator.
  3. Assign the user to a virtual member manager role. Valid predefined virtual member manager roles are IdMgrAdmin, IdMgrWriter, and IdMgrReader.
  4. Access the virtual member manager instance that corresponds to the security domain with EJB lookup. In a network deployment environment, the EJB on the managed server node must be first looked up with the absolute path of the context (for example, cell/nodes/myNode/servers/server1/ejbna where ejbna is the JNDI name of the virtual member manager EJB on the managed server, server1).
  5. Perform an operation on the virtual member manager instance that corresponds to the security domain as the user who is assigned a virtual member manager role.

Prerequisites

Ensure that you have read the information and completed the steps described in the topic, Programming prerequisites.

You must complete the following configuration steps before using the sample code. Start the wsadmin tool with the Jython scripting language (-lang jython) and run the following commands. Replace the variables with the actual values that you want to use.

  1. Install the wimperdomain application on the server that is scoped to the security domain. The wimperdomain.ear application is available under the app_server_root/installableApps/ directory. Deploy the wimperdomain.ear application on the specific target server for the domain. You must specify a unique JNDI URL for the EJB.
    AdminApp.install('app_server_root/installableApps/wimperdomain.ear',
        '[-appname wimperdomain '
        '-BindJndiForEJBNonMessageBinding [[ wim.ejb WIMService wimejb.jar,META-INF/ejb-jar.xml ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome ]] '
        '-MapModulesToServers [[ wim.ejb wimejb.jar,META-INF/ejb-jar.xml WebSphere:cell=myCell,node=myNode,server=server1 ]]]')
  2. Create a user vmmadmin in the user registry that corresponds to the security domain domain1. You must be logged in as a WebSphere Application Server administrator.
    AdminTask.createUser('[-uid vmmadmin -password tempPass -confirmPassword tempPass '
        '-cn admincn -sn adminsn -securityDomainName domain1]')
  3. Assign the virtual member manager role IdMgrAdmin to the user vmmadmin in the user registry that corresponds to the security domain domain1.
    AdminTask.mapIdMgrUserToRole('[-userId vmmadmin -roleName IdMgrAdmin -securityDomainName domain1]')

Sample code

Add the following end-to-end sample code to your application code as described in the following steps. Replace the variables with the actual values that you want to use.

  1. Access the virtual member manager instance that corresponds to the security domain domain1 with EJB lookup. The EJB JNDI name is the same as the one used in step 1 of the Prerequisites section.
  2. Create a user in domain1 as the user vmmadmin, who was assigned a virtual member manager role in step 3 of the Prerequisites section.
    import java.security.PrivilegedExceptionAction;
    
    import commonj.sdo.DataObject;
    
    public class SimpleTest extends BaseApp
    {
        // Runs the create operation as vmmadmin, the user mapped to IdMgrAdmin in step 3 of the Prerequisites section.
        public static void createAsAdmin()
        {
            try {
                createUser("vmmadmin", "tempPass");
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    
        // Creates the PersonAccount authzzuser in domain1 while authenticated as the given role-mapped user.
        // The DO_* and PROP_* constants, service, runAsUser, locateService and printDO are provided through BaseApp.
        public static void createUser(String adminUser, String adminPassword) throws Exception
        {
            runAsUser(adminUser, adminPassword, new PrivilegedExceptionAction()
            {
                public Object run() throws Exception
                {
                    // Note that the service instance used is that of the security domain obtained in step 1.
                    DataObject root = service.createRootDataObject();
                    DataObject person = root.createDataObject(DO_ENTITIES, WIM_NS_URI, DO_PERSON_ACCOUNT);
                    person.set("uid", "authzzuser");
                    person.set("cn", "authzzuser");
                    person.set("sn", "authzzuser");
                    person.set(PROP_PASSWORD, com.ibm.websphere.wim.util.PasswordUtil
                            .getByteArrayPassword("authzzuser"));
                    // Print the input datagraph
                    System.out.println("Input datagraph before creating user" + printDO(root));
                    DataObject retObject = service.create(root);
                    // Print the output datagraph
                    System.out.println("Output datagraph after creating user" + printDO(retObject));
                    return retObject;
                }
            });
        }
    
        public static void main(String[] args)
        {
            // Note that the EJB JNDI name is the same as the one used in step 1.
            service = locateService("ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome");
            createAsAdmin();
        }
    }
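As an added example (not part of the original sample), the following class checks the role boundary that the roles topic describes: a user mapped only to IdMgrReader can search the domain but is refused a create. It assumes a user vmmreader with password readerPass was created in domain1 and mapped with mapIdMgrUserToRole -roleName IdMgrReader using the same commands as in the Prerequisites section, that BaseApp provides the service, runAsUser and locateService helpers used by SimpleTest, and that runAsUser may wrap a failure in another exception, so the check inspects the cause as well.

```java
import java.security.PrivilegedExceptionAction;
import commonj.sdo.DataObject;
import com.ibm.websphere.wim.exception.WIMException;

// Added example, not from the original page. Assumes a user "vmmreader" in domain1 that was mapped
// with mapIdMgrUserToRole -roleName IdMgrReader, and reuses the BaseApp helpers used by SimpleTest.
public class ReaderRoleTest extends BaseApp {

    // A search is a read operation, so the IdMgrReader mapping should permit it.
    public static DataObject searchAsReader(final String uid) throws Exception {
        return (DataObject) runAsUser("vmmreader", "readerPass", new PrivilegedExceptionAction() {
            public Object run() throws Exception {
                DataObject root = service.createRootDataObject();
                DataObject ctrl = root.createDataObject(DO_CONTROLS, WIM_NS_URI, DO_SEARCH_CONTROL);
                ctrl.getList(PROP_PROPERTIES).add("uid");
                ctrl.set(PROP_EXPRESSION, "@xsi:type='" + DO_PERSON_ACCOUNT + "' and uid='" + uid + "'");
                return service.search(root);
            }
        });
    }

    // A create is a write; with only IdMgrReader the domain must reject it, so an exception is the
    // expected outcome. A false return means the role mapping is broader than intended.
    public static boolean createIsDeniedForReader(final String uid) {
        try {
            runAsUser("vmmreader", "readerPass", new PrivilegedExceptionAction() {
                public Object run() throws Exception {
                    DataObject root = service.createRootDataObject();
                    DataObject person = root.createDataObject(DO_ENTITIES, WIM_NS_URI, DO_PERSON_ACCOUNT);
                    person.set("uid", uid);
                    person.set("cn", uid);
                    person.set("sn", uid);
                    return service.create(root);
                }
            });
            return false;
        } catch (Exception e) {
            // runAsUser may wrap the failure, so inspect the cause as well as the exception itself.
            return e instanceof WIMException || e.getCause() instanceof WIMException;
        }
    }

    public static void main(String[] args) throws Exception {
        service = locateService("ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome"); // JNDI name from step 1
        int matches = searchAsReader("authzzuser").getList(DO_ENTITIES).size();
        System.out.println("Reader search returned " + matches + " match(es) for authzzuser");
        System.out.println("Reader create denied: " + createIsDeniedForReader("authzzuser2"));
    }
}
```

If the second line prints false, the reader identity was able to write, which is the condition to investigate with listIdMgrUsersForRoles before exposing the EJB to application users.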