Configuring RunAs authentication in Liberty

You can delegate authentication to another identity by configuring the RunAs specification for Liberty.

About this task

By mapping a specified user identity and optional password to a RunAs role, you can delegate the authentication process to a user that has the RunAs role.

You must enable the appSecurity-2.0 and servlet-3.0 Liberty features and have a user registry for your application to configure the RunAs role.

To configure RunAs authentication, complete the following steps:

Procedure

  1. Enable the appSecurity-2.0 and servlet-3.0 Liberty features in the server.xml file.
  2. Configure a user registry for your application.
  3. Specify the <run-as> element in the deployment descriptor of your application.

    The following web.xml example specifies that subsequent calls are delegated to the user that is mapped to the Employee role:

          <servlet id="Servlet_1">
               <servlet-name>RunAsServlet</servlet-name>
               <display-name>RunAsServlet</display-name>
               <description>RunAsServlet</description>
               <servlet-class>web.RunAsServlet</servlet-class>
               <run-as>
                    <role-name>Employee</role-name>
               </run-as>
          </servlet>
  4. Configure RunAs authentication via SAF resource profiles. This step applies only to z/OS.
    1. Enable RunAs delegation via SAF.
      <safAuthorization enableDelegation="true" />
    2. Assign the RunAs user identity to the app resource and role. This is done by setting the RunAs user identity into the APPLDATA field of the corresponding SAF resource profile. By default, the corresponding SAF resource profile for a given application and role is named {profilePrefix}.{appName}.{roleName} in the EJBROLE SAF class.

      This is the same resource profile used by Liberty SAF Authorization for authorizing users to the application and role. The name of the profile is governed by the safRoleMapper configuration. For more information about mapping application and role names to SAF profile names, see Controlling how roles are mapped to SAF Profiles.

      Here are some example RACF commands for assigning user5 as the RunAs user for the application myapp and the role of Employee:
      
      RDEFINE EJBROLE BBGZDFLT.myapp.Employee UACC(READ)
      RALTER EJBROLE BBGZDFLT.myapp.Employee APPLDATA('user5')
      SETROPTS GENERIC(EJBROLE) REFRESH
      SETROPTS RACLIST(EJBROLE) REFRESH
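The following server.xml is an added example that is not part of the original page; it pulls steps 1 through 3 together for a server that does not use SAF. It assumes Liberty's standard application-bnd binding (security-role/run-as) for mapping the Employee role to the RunAs user, and the user names, group name, password placeholders and application name are constructed.

```xml
<server description="RunAs example (constructed, not from the page)">

    <!-- Step 1: features required for RunAs delegation -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 2: a user registry. A basicRegistry is used here only to keep
         the example self-contained; use your production registry instead.
         Passwords are placeholders; store them encoded (securityUtility encode),
         never in clear text. -->
    <basicRegistry id="basic" realm="exampleRealm">
        <user name="user5" password="CHANGE_ME_ENCODED" />
        <user name="alice" password="CHANGE_ME_ENCODED" />
        <group name="employees">
            <member name="alice" />
        </group>
    </basicRegistry>

    <!-- Step 3 is the <run-as><role-name>Employee</role-name></run-as>
         element in web.xml (shown earlier). This binding supplies the
         identity that the Employee RunAs role delegates to. -->
    <application id="myapp" name="myapp" location="myapp.war" type="war">
        <application-bnd>
            <security-role name="Employee">
                <!-- who may call the servlet as Employee -->
                <group name="employees" />
                <!-- identity used for downstream calls from RunAsServlet;
                     password is optional per the task description -->
                <run-as userid="user5" password="CHANGE_ME_ENCODED" />
            </security-role>
        </application-bnd>
    </application>
</server>
```

Keep the RunAs user (user5) scoped to the permissions the downstream calls actually need, since every caller mapped to Employee will act as that identity after delegation.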