Authorizing users to run applications in a Liberty JVM server
You can use Java EE application security roles to authorize access to Java EE applications. Additionally, in a Liberty JVM server you can further restrict access to transactions (run as part of the application) by using CICS transaction and resource security.
About this task
<auth_constraint>
element, in the deployment descriptor
(web.xml). If present, this ensures that access to your application is achieved
only by a user that is a member of an authorized role. User or group membership to a Java EE role is
determined in one of two ways:- Use an
<application-bnd>
element in the<application>
element of your server.xml to describe the user/group to role mappings directly in XML. - Use
<safAuthorization>
in your server.xml to allow users/groups role membership to be mapped by SAF (typically using EJBROLES).
Using CICS security allows you to re-use existing security procedures but requires that individual web applications are accessed from different URIMAPs. Using role-based security allows you to use existing standard Java EE security definitions from another Java EE application server. For more information, see Authenticating users in a Liberty JVM server.
<application id="com.ibm.cics.server.examples.wlp.tsq.app"
name="com.ibm.cics.server.examples.wlp.tsq.app" type="eba"
location="${server.output.dir}/installedApps/com.ibm.cics.server.examples.wlp.tsq.app.eba">
<application-bnd>
<security-role name="cicsAllAuthenticated">
<special-subject type="ALL_AUTHENTICATED_USERS"/>
</security-role>
</application-bnd>
</application>
Using this special subject, and giving the cicsAllAuthenticated role access to all URLs in your web applications deployment descriptor (web.xml), allows access to the web application using any authenticated user ID and authorization to the transaction must be controlled using CICS transaction security. If you deploy your application directly to the dropins directory, it is not configured to use CICS security as dropins does not support security.
<application-bnd>
no longer acts
as the source of user ID to role mapping. Instead, EJBROLEs in SAF determine which SAF users are in
which roles (EJBROLEs). With safAuthorization the <application-bnd>
is ignored.
To achieve the same effect and allow all authenticated users to be authorized to run your
application, the <auth-constraint>
in web.xml must use the
special role **
, for example:<auth-constraint>
<description>special role for all authenticated users</description>
<role-name>**</role-name>
</auth-constraint>
- The special role name
**
is a shorthand for any authenticated user independent of role. - The special role name
*
is a shorthand for all role names defined in the deployment descriptor.
**
appears in an authorization constraint, it
indicates that any authenticated user, independent of role, is authorized to perform the constrained
requests. Special roles do not need an additional <security-role>
declaration in
web.xml.To use CICS transaction or resource security you should follow the following steps:
Procedure
- Define a URIMAP of type JVMSERVER for each web application. Typically, you might specify a URIMAP to match the generic context root (URI) of a web application to scope the transaction ID to the set of servlets that make up the application. Or you may choose to run each individual servlet under a different transaction with a more precise URI.
- Authorize all users of the web application to use the transaction specified in the URIMAP using CICS transaction or resource security profiles.