Java Authorization Contract for Containers (JACC)

Liberty supports authorization that is based on the Java™ Authorization Contract for Containers (JACC) specification in addition to the default authorization. When security is enabled in Liberty, the default authorization is used unless a JACC provider is specified.

About this task

JACC enables third-party security providers to manage authorization in the application server. The default authorization does not require special setup, and the default authorization engine makes all of the authorization decisions. However, if a JACC provider is configured and set up for Liberty to use, all enterprise bean and web authorization decisions are delegated to the JACC provider. JACC defines security contracts between the application server and authorization policy modules. These contracts specify how the authorization providers are installed, configured, and used in access decisions. When you add the jacc-1.5 feature to your Liberty server, you must also add a third-party JACC provider, which is not a part of Liberty.

You can develop a JACC provider to make custom authorization decisions for Java EE applications. The JACC specification, JSR 115, defines an interface for authorization providers. In the Liberty server, you must package your JACC provider as a user feature, and the feature must implement the com.ibm.wsspi.security.authorization.jacc.ProviderService interface that is provided in the Liberty server.

Procedure

  1. Create an OSGi Bundle Project to develop the Java class.
    Your project might have compile errors. To fix these errors, import two packages: javax.security.jacc and com.ibm.wsspi.security.authorization.jacc.

    Edit the file MANIFEST.MF to import the missing packages:

    Manifest-Version: 1.0
    Service-Component: OSGI-INF/myjaccExampleComponent.xml
    Bundle-ManifestVersion: 2
    Bundle-Name: com.example.myjaac.osgiBundle
    Bundle-SymbolicName: com.example.myjaac.osgiBundle
    Bundle-Version: 1.0.0
    Bundle-RequiredExecutionEnvironment: JavaSE-1.7
    Import-Package: com.ibm.wsspi.security.authorization.jacc;version="1.0.0",
     javax.security.jacc;version="1.5.0"

    An example of the service component XML, myjaccExampleComponent.xml:

    <?xml version="1.0" encoding="UTF-8"?>
    <scr:component xmlns:scr="http://www.osgi.org/xmlns/scr/v1.1.0" immediate="true" 
     name="TestPolicyServiceProvider">
        <implementation class="com.example.myjaac.osgiBundle.TestPolicyServiceProvider"/>
        <property name="javax.security.jacc.policy.provider" type="String" value=""/>
        <property name="javax.security.jacc.PolicyConfigurationFactory.provider" type="String" value=""/>
        <service>
            <provide interface="com.ibm.wsspi.security.authorization.jacc.ProviderService"/>
        </service>
    </scr:component>
  2. Create a Liberty Feature Project to add the previous OSGi bundle into the user Liberty feature, under Subsystem-Content in the feature manifest file.
  3. Refine the feature manifest to add the necessary OSGi subsystem content: com.ibm.ws.javaee.jacc.1.5; version="[1,1.0.200)"; location:="dev/api/spec/".
    Subsystem-ManifestVersion: 1.0
    IBM-Feature-Version: 2
    IBM-ShortName: jacc15CICSLiberty-1.0
    Subsystem-SymbolicName: com.example.myjaac.libertyFeature;visibility:=public
    Subsystem-Version: 1.0.0
    Subsystem-Type: osgi.subsystem.feature
    Subsystem-Content: com.example.myjaac.osgiBundle;version="1.0.0",
     com.ibm.ws.javaee.jacc.1.5;version="[1,1.0.200)";location:="dev/api/spec/"
    Manifest-Version: 1.0

    If you add another entry to Subsystem-Content on a new line, you must begin that line with at least one space. If you do not add a space, CICS returns java.lang.IllegalArgumentException.

  4. Export the Liberty Feature Project as a Liberty Feature (ESA) file.
  5. FTP the ESA file to zFS.
  6. Use the installUtility command to install the ESA file.
    ./wlpenv installUtility install myFeature.esa
  7. Add the jacc-1.5 feature, and the user feature from the ESA file that contains the JACC provider, to server.xml.
    <feature>jacc-1.5</feature>
    <feature>usr:jacc15CICSLiberty-1.0</feature>
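
The leading-space rule from step 3 can be checked before the feature is exported and installed. The following Python check is an added example, not part of the original page or of Liberty; the function names `lint_manifest` and `content_names` are this example's own, and the sample text is constructed from the step 3 manifest. It reports continuation lines that lack the leading space, headers left ending in a comma, and the bundles that Subsystem-Content actually resolves to.

```python
import re

HEADER = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*: ")
ENTRY = re.compile(r'(?:[^,"]|"[^"]*")+')  # commas inside quotes do not split

def lint_manifest(text):
    """Parse manifest headers; return (headers, problems as (line, message))."""
    headers, where, problems, current = {}, {}, [], None
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            current = None  # a blank line ends the section
        elif line.startswith(" "):
            if current is None:
                problems.append((number, "continuation without a header"))
            else:
                headers[current] += line[1:]  # join value, drop the one space
        elif HEADER.match(line):
            current, value = line.split(": ", 1)
            headers[current], where[current] = value, number
        else:
            problems.append((number, "continuation line must start with a space"))
    for name, value in headers.items():
        if value.rstrip().endswith(","):
            problems.append((where[name], name + " ends with a dangling comma"))
    return headers, sorted(problems)

def content_names(headers):
    """Symbolic names listed in Subsystem-Content, in order."""
    entries = ENTRY.findall(headers.get("Subsystem-Content", ""))
    return [e.split(";", 1)[0].strip() for e in entries if e.strip()]

# Constructed samples: the step 3 feature manifest, and the same text with
# the leading space removed from the second Subsystem-Content line.
GOOD = """\
Subsystem-ManifestVersion: 1.0
IBM-Feature-Version: 2
IBM-ShortName: jacc15CICSLiberty-1.0
Subsystem-SymbolicName: com.example.myjaac.libertyFeature;visibility:=public
Subsystem-Version: 1.0.0
Subsystem-Type: osgi.subsystem.feature
Subsystem-Content: com.example.myjaac.osgiBundle;version="1.0.0",
 com.ibm.ws.javaee.jacc.1.5;version="[1,1.0.200)";location:="dev/api/spec/"
"""
BAD = GOOD.replace("\n com.ibm.ws", "\ncom.ibm.ws")

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        headers, problems = lint_manifest(text)
        print(label, content_names(headers), problems)
```

In the BAD sample the JACC specification bundle drops out of Subsystem-Content entirely, so the feature would be built without the content that step 3 adds.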