You can delegate authentication to another identity by configuring the RunAs
specification for Liberty.
About this task
By mapping a specified user identity, and optionally a password, to a RunAs role, you can delegate authentication to the user that is mapped to that RunAs role: calls that the servlet makes downstream run under that user's identity instead of the caller's.
You must enable the appSecurity-2.0 and servlet-3.0 Liberty features and configure a user registry for your application before you can configure the RunAs role.
To configure RunAs authentication, complete the following steps:
Procedure
- Enable the appSecurity-2.0 and servlet-3.0 Liberty features in the server.xml file.
- Configure a user registry for your application.
- Specify the <run-as> element in the deployment descriptor of your application.
  The following example from a web.xml file specifies that subsequent calls are delegated to the user who is mapped to the role Employee:
    <servlet id="Servlet_1">
        <servlet-name>RunAsServlet</servlet-name>
        <display-name>RunAsServlet</display-name>
        <description>RunAsServlet</description>
        <servlet-class>web.RunAsServlet</servlet-class>
        <run-as>
            <role-name>Employee</role-name>
        </run-as>
    </servlet>
- Configure RunAs authentication through SAF resource profiles. This step applies only to z/OS users.
  - Enable RunAs delegation through SAF:
      <safAuthorization enableDelegation="true" />
  - Assign the RunAs user identity to the application resource and role by setting the RunAs user identity in the APPLDATA field of the corresponding SAF resource profile. By default, the SAF resource profile for a given application and role is named {profilePrefix}.{appName}.{roleName} in the EJBROLE SAF class. This is the same resource profile that Liberty SAF authorization uses to authorize users to the application and role. The name of the profile is governed by the safRoleMapper configuration. For more information about mapping application and role names to SAF profile names, see Controlling how roles are mapped to SAF Profiles.
    Here are some example RACF commands that assign user5 as the RunAs user for the application myapp and the role Employee:
      RDEFINE EJBROLE BBGZDFLT.myapp.Employee UACC(READ)
      RALTER EJBROLE BBGZDFLT.myapp.Employee APPLDATA('user5')
      SETROPTS GENERIC(EJBROLE) REFRESH
      SETROPTS RACLIST(EJBROLE) REFRESH
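The following server.xml ties the first three steps together for a non-z/OS server: it enables the two required features, defines a user registry, and binds the Employee role from the web.xml <run-as> element above to the RunAs identity user5. This is an added example, not configuration from the Liberty documentation. The basicRegistry, the user and group names, the passwords, and the application name myapp and its location are constructed placeholders; a production server would use a real registry (LDAP, for example) instead of basicRegistry.

```xml
<server description="RunAs delegation example (added example, constructed placeholders)">

    <!-- Step 1: the features that RunAs delegation requires -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 2: a user registry. basicRegistry keeps the example self-contained;
         every user name and password here is a constructed placeholder. -->
    <basicRegistry id="basic" realm="RunAsRealm">
        <user name="alice" password="alicePassword" />
        <user name="user5" password="user5Password" />
        <group name="employees">
            <member name="user5" />
        </group>
    </basicRegistry>

    <!-- Step 3 is the <run-as> element in web.xml. This binding maps the
         Employee role (the role-name in web.xml) to the RunAs user user5.
         The password attribute is optional; when it is given, user5 is
         authenticated against the registry with that password. -->
    <application id="myapp" name="myapp" location="myapp.war" type="war">
        <application-bnd>
            <security-role name="Employee">
                <!-- who is allowed to call into the Employee role -->
                <group name="employees" />
                <!-- the identity that downstream calls run as -->
                <run-as userid="user5" password="user5Password" />
            </security-role>
        </application-bnd>
    </application>

</server>
```

Two points worth checking before such a configuration goes live. First, the password attribute accepts a value produced by the securityUtility encode command, so the clear-text placeholder above does not need to sit in server.xml. Second, every caller who reaches the servlet acts as user5 on subsequent calls, so user5 should hold only the authority that the servlet's downstream work actually needs.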