Authorization using SAF role mapping
Mapping Java EE roles to users and groups can be achieved in different ways. In distributed systems, a basic registry or LDAP registry would typically be used in conjunction with an application specific <application-bnd> element, to map users from those registries into roles. The deployment descriptor of the application determines which roles can access which parts of the application.
About this task
On z/OS®, there is an additional registry type, the System Authorization Facility (SAF) registry. A Liberty JVM server implicitly uses this registry for authentication when the cicsts:security-1.0 feature is installed, unless it is configured to use LDAP. You can also choose to use SAF for authorization. When SAF authorization is enabled, the SAF role mapper maps each Java EE role name to an EJBROLE resource profile name. When a user attempts to access a protected resource, the server queries SAF to determine whether that user has READ access to the EJBROLE profile for the required role; the user is in the role only if SAF grants READ access.
In a Liberty JVM server, if you want to use Java EE roles without SAF authorization, you cannot use CICS® bundles to install your applications. This is because a CICS bundle installed application automatically generates an <application-bnd> element that maps every role to the ALL_AUTHENTICATED_USERS special-subject, and that generated element prevents you from defining the <application-bnd> yourself. Instead, you must create an <application> element in server.xml directly and configure its <application-bnd> with the roles, users, and groups you require.
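The following server.xml fragment is an added example, not configuration from the original page or from CICS; it shows the non-SAF case described above, where the application is declared directly in server.xml so that the <application-bnd> can be written by hand. The application name, the WAR path, and the user and group names are assumptions chosen for illustration.

```xml
<!-- Added example: Java EE roles WITHOUT SAF authorization.
     The application is declared here rather than in a CICS bundle, because a
     bundle-installed application would generate its own <application-bnd>
     (every role mapped to ALL_AUTHENTICATED_USERS) that cannot be overridden. -->
<server>
  <!-- Assumed application name and path for this example. -->
  <application id="payroll" name="payroll" type="war"
               location="/u/apps/payroll.war">
    <application-bnd>
      <!-- Tightly scoped role: only the named user and SAF/LDAP group qualify. -->
      <security-role name="PayrollAdmin">
        <user name="USER1"/>
        <group name="PAYGRP"/>
      </security-role>
      <!-- Broad role: any authenticated user of the registry qualifies.
           Note that this special-subject is usable only because SAF
           authorization is NOT enabled in this server. -->
      <security-role name="PayrollUser">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

The role names in the <security-role> elements must match the role names declared in the application's deployment descriptor (web.xml <security-role> and <auth-constraint>); a role that is constrained in web.xml but missing from the <application-bnd> has no members and denies all requests.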
If, however, you choose to use Java EE roles and SAF authorization, you can continue to use CICS bundles to install and manage the lifecycle of your web applications. Any <application-bnd>, including the one generated by a CICS bundle, is ignored by Liberty in favor of the role mappings determined by the SAF registry: a user is in a Java EE role if, and only if, the user has READ access to the EJBROLE profile that the SAF role mapper derives for that role. The ALL_AUTHENTICATED_USERS and EVERYONE special-subjects cannot be used when SAF authorization is enabled.
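The following server.xml fragment is an added example, not configuration from the original page or from CICS; it shows the SAF authorization case described above, where the application can remain in a CICS bundle and role membership is decided by SAF. The profile prefix, application name, and role names are assumptions chosen for illustration; the `%profilePrefix%`, `%resource%` and `%role%` substitution variables are the ones the Liberty safRoleMapper element documents.

```xml
<!-- Added example: Java EE roles WITH SAF authorization.
     The application itself stays in its CICS bundle; no <application> or
     <application-bnd> element is needed in server.xml, and any <application-bnd>
     that is present is ignored. -->
<server>
  <!-- Enable SAF authorization. Without this element Liberty falls back to the
       <application-bnd> mappings, and the EJBROLE profiles are never consulted. -->
  <safAuthorization id="saf"/>

  <!-- Map each Java EE role to an EJBROLE profile name. The pattern shown is the
       Liberty default, written out explicitly so that the resulting profile
       names are visible to whoever defines them in the SAF database.
       %profilePrefix% comes from the safCredentials profilePrefix attribute
       (assumed here to be BBGZDFLT), %resource% is the application name, and
       %role% is the role name from the deployment descriptor. -->
  <safRoleMapper profilePattern="%profilePrefix%.%resource%.%role%"/>

  <!-- Assumed prefix for this example; in a CICS Liberty JVM server check the
       generated server.xml for the value already in use before adding this. -->
  <safCredentials profilePrefix="BBGZDFLT"/>
</server>

<!-- With the assumptions above, an application named "payroll" that declares
     the roles PayrollAdmin and PayrollUser in web.xml is authorized against
     these EJBROLE profiles:
       BBGZDFLT.payroll.PayrollAdmin
       BBGZDFLT.payroll.PayrollUser
     A user is in a role only if SAF reports READ access to the profile. -->
```

A practical check before enabling this: list the EJBROLE profiles that the pattern produces and confirm each one exists with a universal access of NONE and explicit READ permits for the intended users or groups. Assuming RACF as the SAF provider, that is a RDEFINE of each EJBROLE profile with UACC(NONE), a PERMIT with ACCESS(READ) for each authorized ID or group, and a SETROPTS RACLIST(EJBROLE) REFRESH so the change is picked up. A profile that is missing or has UACC(READ) silently changes who is in the role, which is the failure mode to watch for when moving an application from <application-bnd> mappings to SAF.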