Design example: Securing a Liberty web application with basic authentication and CICS transaction security

In this example, the Enterprise Java application is deployed with security constraints in its application deployment descriptor (web.xml) that require the web client to provide basic authentication credentials. CICS® transaction security is used to authorize access to the Enterprise Java application. Because the application is deployed as a CICS bundle, all authenticated users are automatically authorized to run the application in Liberty, so no Liberty role mapping is needed and authorization rests on CICS transaction security. A URIMAP that matches the request URI specifies the transaction ID to be used for the request. The transaction is protected such that the authenticated user ID must be authorized to run the transaction.

For more information about configuring this scenario, see the configuration task Configuration example: Securing a web application with basic authentication and CICS transaction security.
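The following web.xml is an added example of the deployment descriptor described above; it is not taken from the page or from the configuration task it references. The application name appA, the URL pattern /* and the realm name are assumptions of the example. The role name cicsAllAuthenticated is the role that CICS grants to every authenticated user when the application is deployed in a CICS bundle, which is why no authorization-roles mapping is needed in server.xml. The CONFIDENTIAL transport guarantee enforces the HTTPS requirement from step 1 inside the application itself.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
  <!-- appA and the /* URL pattern are assumed names for this example -->
  <display-name>appA</display-name>

  <!-- Protect every URL of the application: the client must authenticate
       (step 2, against the RACF user registry), and the authenticated user
       must hold the cicsAllAuthenticated role. CICS grants that role to all
       authenticated users of a bundle-deployed application, so the real
       authorization decision is the CICS transaction security check on
       tranA (step 3), not a Liberty role mapping. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>appA</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cicsAllAuthenticated</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL: Liberty refuses to serve this resource over plain HTTP
         (it redirects to the HTTPS port), so the Base64-encoded basic
         authentication credentials are only ever sent inside TLS. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Basic authentication: the client sends
       "Authorization: Basic base64(clientUserid:password)" and Liberty
       validates the pair against the configured user registry. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <!-- realm name is an assumption of the example -->
    <realm-name>CICS Liberty</realm-name>
  </login-config>

  <security-role>
    <role-name>cicsAllAuthenticated</role-name>
  </security-role>
</web-app>
```

A quick check that the descriptor is doing its job: a request to any path under appA over plain HTTP should not return application content, and a request over HTTPS without an Authorization header should return 401 with a WWW-Authenticate: Basic challenge. The URIMAP that maps the request URI to tranA and the RACF profile that protects tranA are configured in CICS and RACF, not in web.xml; see the configuration task above.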

Figure 1 shows an overview of the scenario.

Figure 1. Securing a Liberty web application with basic authentication and CICS transaction security
A diagram depicting the scenario where basic authentication and CICS transaction security are applied for a Liberty web application. Each step in the diagram is described in the following text.
  1. The web client sends an HTTPS request with the clientUserid and password in the HTTP Authorization header to the Liberty JVM server.
    Important: Use HTTPS. Basic authentication credentials are only Base64-encoded in the HTTP Authorization header; they are neither signed nor encrypted, so over plain HTTP anyone on the network path can read and replay them.
  2. To authenticate the request, the Liberty JVM server validates the clientUserid and password against the configured RACF® user registry and sets the Java security subject to the clientUserid.
  3. CICS transaction security is used to authorize the request. The URIMAP that matches the request URI specifies that transaction tranA is to be used. CICS checks that the clientUserid is authorized to run tranA by calling RACF for READ access to the transaction. In this example tranA is protected by the grouping profile memberListA in the GCICSTRN class, whose member list contains tranA, so the clientUserid must have READ access to memberListA.
  4. The CICS transaction (including the Enterprise Java application) runs as transaction tranA under the security context of the clientUserid. Any JCICS calls to CICS resources, such as VSAM files, are made under that security context, so any CICS resource security checks are made against the clientUserid rather than the region user ID.