You can enable IMS to audit the network security credentials that are passed to and from a Java™ EE application that runs on WebSphere® Liberty.
Before you enable support for distributed network security credentials that are passed from your Java EE application, ensure that the following items are enabled:
- Container-managed security for your application.
- An external user account registry, such as an LDAP server, that contains authorized users.
This procedure assumes that you are using an LDAP server as the external user registry. However, you can use any other user registry that is supported by WebSphere Liberty.
Procedure
- If the distributed network security credentials are sent from a web application, ensure that the application URI is protected, because WebSphere Liberty does not authenticate requests to unprotected URIs. To protect a web application URI, define security roles and authorizations in the web.xml file of your web application.
  In the following example web.xml file, a security role called Testing is defined, and in the <security-constraint> tag, Testing is the only role that is authorized to access that application. Any user who wants to access the application must be assigned the Testing role.
  <!-- Every URL in the application (/*) is protected; only the Testing role may reach it -->
  <security-constraint>
    <display-name>SampleWebApp</display-name>
    <web-resource-collection>
      <web-resource-name>SampleWebApp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Testing</role-name>
    </auth-constraint>
  </security-constraint>
  <!-- The role referenced above must also be declared for the application -->
  <security-role>
    <role-name>Testing</role-name>
  </security-role>
- Set up a user registry for your application by creating the registry element in the server.xml file. In the registry tag, specify the following items:
  - The LDAP type, port, and host address
  - The baseDN attribute for the base distinguished name
  - The <customFilters> element for custom filters
  In this example, the <ldapRegistry> element is used because an LDAP server is used as the user registry.
- Configure the custom login module in the server.xml file.
  - Create a <library> element that uses a <fileset> element, which indicates where the IMSLogin.jar file is. The IMSLogin.jar file is packaged in the IMS TM resource adapter .rar file. However, WebSphere Liberty cannot scan .rar files, so you must extract the .rar file to a directory that can be scanned by WebSphere Liberty. In this example, the id is customLoginLib.
  - Create the <jaasLoginModule> element and set the following attributes:
    - The id attribute. In this example, the id is IMS_Login.
    - On the className attribute, specify the com.ibm.ims.login.IMSLoginModule class.
    - On the controlFlag attribute, specify REQUIRED to require a successful authentication of the distributed network security credentials.
    - On the libraryRef attribute, specify customLoginLib, the ID of the <library> element configured in the previous substep.
  - Create a <jaasLoginContextEntry> element and specify an ID and a unique name of the system-defined JAAS configuration. In the following example, IMS_Login_Entry is used as the name and ID. On the loginModuleRef attribute, specify IMS_Login, the ID of the <jaasLoginModule> element that you created in the previous substep.
  The server configuration is now set up to use your login module.
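The following server.xml fragment is an added example that pulls the registry step and the three login-module substeps together; it is not configuration taken from the page or shipped with the IMS TM resource adapter. The feature list, the LDAP host, port, bind DN, base DN and filter values, the trust store, and the directory that holds the extracted IMSLogin.jar are all assumptions that you replace with your own values; the element and attribute names (ldapRegistry, customFilters, library, fileset, jaasLoginModule, jaasLoginContextEntry) are the Liberty ones the procedure refers to.

```xml
<server description="IMS custom login module (added example, not the page's own configuration)">

  <!-- appSecurity provides container-managed security; the other features are assumptions
       for a servlet application that uses a JCA resource adapter and an LDAP registry -->
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.1</feature>
    <feature>jca-1.7</feature>
    <feature>ldapRegistry-3.0</feature>
  </featureManager>

  <!-- Step 2: LDAP server as the external user registry.
       host, port, baseDN, bindDN, ldapType and the filters are placeholder values.
       sslEnabled/sslRef keep the bind credential and user passwords off the wire. -->
  <ldapRegistry id="ldap" realm="SampleLDAPRealm"
                host="ldap.example.com" port="636"
                sslEnabled="true" sslRef="LDAPSSLSettings"
                baseDN="ou=users,dc=example,dc=com"
                ldapType="IBM Tivoli Directory Server"
                bindDN="cn=liberty-bind,ou=service,dc=example,dc=com"
                bindPassword="${ldap.bind.password}">
    <!-- custom filters: %v is replaced by the user or group name being looked up -->
    <customFilters userFilter="(&amp;(uid=%v)(objectclass=inetOrgPerson))"
                   groupFilter="(&amp;(cn=%v)(objectclass=groupOfNames))"
                   userIdMap="*:uid"
                   groupIdMap="*:cn"
                   groupMemberIdMap="groupOfNames:member"/>
  </ldapRegistry>

  <!-- trust store holding the LDAP server's CA certificate (placeholder location and password) -->
  <keyStore id="ldapTrustStore" location="${server.config.dir}/resources/security/ldap-trust.p12"
            password="${ldap.truststore.password}"/>
  <ssl id="LDAPSSLSettings" keyStoreRef="ldapTrustStore" trustStoreRef="ldapTrustStore"/>

  <!-- Step 3a: library that points at IMSLogin.jar, extracted from the resource adapter .rar
       into a directory Liberty can scan (the imsra directory is an assumption) -->
  <library id="customLoginLib">
    <fileset dir="${server.config.dir}/imsra" includes="IMSLogin.jar"/>
  </library>

  <!-- Step 3b: the IMS login module; REQUIRED means the login fails if this module fails -->
  <jaasLoginModule id="IMS_Login"
                   className="com.ibm.ims.login.IMSLoginModule"
                   controlFlag="REQUIRED"
                   libraryRef="customLoginLib"/>

  <!-- Step 3c: the JAAS configuration entry that the application's bind file refers to -->
  <jaasLoginContextEntry id="IMS_Login_Entry" name="IMS_Login_Entry"
                         loginModuleRef="IMS_Login"/>

</server>
```

The `${...}` references are Liberty variables; keeping the LDAP bind password and trust store password out of server.xml (in bootstrap.properties or server.env) avoids leaving credentials in a file that is routinely copied and shared. With controlFlag set to REQUIRED, a failure inside IMSLoginModule fails the whole login rather than silently falling through to another module.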
- Link your application to the custom JAAS login module. In the web application bind file, manually link the application to the login module by using the loginConfigurationName attribute of the <resRefBindings> element. For the value of the loginConfigurationName attribute, specify the ID of the <jaasLoginContextEntry> element that you defined in the previous step.
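The following ibm-web-bnd.xmi fragment is an added example of the binding step and is not a file from the page or from the IMS TM resource adapter. It assumes the XMI form of the web application bind file (the namespace declarations follow that form); the xmi:id values, the JNDI name eis/IMSConnectionFactory, and the web.xml resource-ref id ResourceRef_1 are placeholders that must match your own descriptors. The loginConfigurationName value is the jaasLoginContextEntry ID from server.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ibm-web-bnd.xmi (added example; ids, JNDI name and namespaces are assumptions to verify
     against your own bind file) -->
<webappbnd:WebAppBinding xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappbnd="webappbnd.xmi"
    xmlns:webapplication="webapplication.xmi"
    xmi:id="WebAppBinding_1"
    virtualHostName="default_host">

  <!-- points at the web application descriptor -->
  <webapp href="WEB-INF/web.xml#WebApp_ID"/>

  <!-- Step 4: bind the <resource-ref id="ResourceRef_1"> declared in web.xml to the
       IMS connection factory and to the custom JAAS login context entry IMS_Login_Entry,
       so the container runs IMSLoginModule when the application obtains a connection -->
  <resRefBindings xmi:id="ResourceRefBinding_1"
                  jndiName="eis/IMSConnectionFactory"
                  loginConfigurationName="IMS_Login_Entry">
    <bindingResourceRef href="WEB-INF/web.xml#ResourceRef_1"/>
  </resRefBindings>

</webappbnd:WebAppBinding>
```

If the href fragment (ResourceRef_1) does not match the id attribute of the `<resource-ref>` in web.xml, the binding is silently ignored and the connection request is made without the custom login configuration, so a missing IMS login entry in the audit record is the first symptom to check.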