Configuration example: Securing a Liberty web application with basic authentication and CICS transaction security
Configure basic authentication for a web application and then check that the RACF® user ID is authorized to run the CICS® transaction.
Before you begin
This configuration task is based on the example security scenario Design example: Securing a CICS Liberty web application with basic authentication and CICS transaction security.
Before you begin this task, you must complete these tasks:
- Connect the Liberty server to the angel process, see Configuring and starting the Liberty angel process and Connecting a Liberty JVM server to the angel process.
- Configure the Liberty server to use the RACF registry, see Configuring Liberty to use a SAF user registry.
You need to know the RACF user ID that is used to authenticate. This user ID must exist and have an OMVS segment.
You must have:
- Authorization to define CICS resource definitions.
- Authorization to update the application security constraint in the Enterprise Java deployment descriptor (web.xml).
- Write access to the server.xml configuration file.
About this task
In this task, you configure an application to use basic authentication with a RACF user registry and CICS transaction security to verify that the authenticated user ID is authorized to run the web application.
- clientUserid is the authenticated user ID.
Procedure
- Add the security controls to the Enterprise Java application's deployment descriptor as follows. The web.xml can be found inside the source files for the web application that you are deploying.
  - Add a login configuration to the application's web.xml file to specify basic authentication as the authentication method:
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>
  - Define an authorization constraint in the web.xml to restrict access to all URL paths for this application to the special role cicsAllAuthenticated:
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>myResourceName</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>cicsAllAuthenticated</role-name>
      </auth-constraint>
    </security-constraint>
- Deploy the Java application as a CICS bundle (see Deploying a CICS bundle in the CICS Explorer product documentation).
- Assign a CICS transaction ID to be used for the request.
Define and install a URIMAP of type JVMSERVER for the web application. For example, you can specify a URIMAP to match the generic context root (URI) of the web application to scope the transaction ID to the application. For more information, see the configuration task Configuring CICS transaction security for a Liberty JVM server.
- Authorize the clientUserid to run the CICS transaction defined in step 3.
Authorize all users of the web application to run the transaction that is specified in the URIMAP that uses CICS transaction security. For more information, see the configuration task Configuring CICS transaction security for a Liberty JVM server.
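The following script is an added example, not part of the CICS documentation or the product: it parses a web.xml and checks that step 1 was applied as described, that is, BASIC authentication is selected and a security constraint maps every URL path (/*) to cicsAllAuthenticated, and it flags any constraint that leaves paths reachable without authentication. The sample descriptor and its namespace are constructed for the example.

```python
# Added example (not from the CICS documentation): check a Liberty web.xml for the BASIC + cicsAllAuthenticated setup in this task.
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the namespace so web.xml with or without an xmlns is handled alike."""
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _texts(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]

def check_web_xml(xml_text, role="cicsAllAuthenticated"):
    """Return a list of findings; an empty list means the descriptor matches the task."""
    root = ET.fromstring(xml_text)
    findings = []
    # Step 1a: the login configuration must select BASIC authentication.
    methods = [m for lc in _children(root, "login-config") for m in _texts(lc, "auth-method")]
    if methods != ["BASIC"]:
        findings.append(f"expected <auth-method>BASIC</auth-method>, found {methods}")
    # Step 1b: one constraint must cover /* and require the special role.
    covers_all = False
    for sc in _children(root, "security-constraint"):
        patterns = [p for wrc in _children(sc, "web-resource-collection")
                    for p in _texts(wrc, "url-pattern")]
        roles = [r for ac in _children(sc, "auth-constraint")
                 for r in _texts(ac, "role-name")]
        if not _children(sc, "auth-constraint"):
            # A constraint without an auth-constraint grants access without authenticating.
            findings.append(f"{patterns} has no <auth-constraint>: unauthenticated access")
        elif "/*" in patterns and role in roles:
            covers_all = True
    if not covers_all:
        findings.append(f"no security-constraint maps /* to {role}")
    return findings

# Constructed sample descriptor matching the task (the namespace is typical, not required).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint>
    <web-resource-collection><web-resource-name>myResourceName</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>cicsAllAuthenticated</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    print(check_web_xml(SAMPLE_WEB_XML) or "web.xml matches the expected configuration")
```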
Results
Requests to this application are authenticated by using a RACF user ID. Authorization is determined by using CICS transaction security profiles. The use of the role cicsAllAuthenticated, which maps to the special role ALL_AUTHENTICATED_USERS, means that Liberty's own authorization check is effectively bypassed: any authenticated user passes it, and the authorization decision then relies on CICS transaction security.
To validate that the security environment is functioning correctly, you need to send a request to the web application.
You can use the CICS security request recording (SRR) feature from within CICS Explorer® to validate this example. With the Regions view in focus, you select the Add Security Request Recording pop-up menu option. On that window, select the JVM Server tab and set the Transaction ID field to the transaction ID defined in step 3 (or CJSA by default). For more information, see Checking that a CICS security configuration example is working by using the SRR.