Deploying secured applications
Deploying applications that have security constraints (secured applications) is not much different than deploying applications that do not contain any security constraints. The only difference is that you might need to assign users and groups to roles for a secured application. The secured application requires that you have the correct active user registry.
Before you begin
- If you are installing a secured application, roles will be defined in the application.
- If delegation is required in the application, you will be defining RunAs roles also.
During the installation of a new application, the role definition is completed as part of the step that maps security roles to users and groups. If this assignment has already been completed by using an assembly tool, you can still confirm the mapping by following this installation step. You can add new users and groups and modify existing information during this step.
If the application supports delegation, a RunAs role will already be defined in the application. If the delegation policy is set to Specified Identity during assembly, the intermediary invokes a method by using an identity setup during deployment. Use the RunAs role to specify the identity under which the downstream invocations are made. For example, if the RunAs role is assigned user bob and the client alice is invoking a servlet, with delegation set that calls the enterprise beans, the method on the enterprise beans is invoked with bob as the identity.
As part of the new application installation and deployment process, one of the steps is to map or modify users to the RunAs roles. Use this step to assign new users or modify existing users to RunAs roles when the delegation policy is set to Specified Identity.
About this task
To install and deploy the application, complete the following steps.
Procedure
- Click Applications > Install New Application. Complete the required steps until you see the step for mapping security roles to users and groups.
- If the
application contains roles, assign users and groups to roles.
At this step during the installation, under Additional Properties, click Map security roles to users and groups. For more information, see Assigning users and groups to roles.
- If RunAs roles exist in the application, assign users to
RunAs roles. At this step during the installation, under Additional Properties, click Map RunAs roles to users. For more information, see Assigning users to RunAs roles.
- Optional: Click Correct use of System Identity to
specify RunAs roles, if needed. Complete this action if the application
has delegation set to use system identity, which is applicable to
enterprise beans only. System identity uses the WebSphere Application Server security server ID to invoke downstream methods. Using system identity is not recommended as this ID has more privileges than other identities in accessing WebSphere Application Server internal methods. This task is provided to make sure that the deployer is aware that the methods listed in the panel have system identity set up for delegation and to correct them if necessary. When the internalServerId feature is used, runAs with system identity is not supported; you must specify RunAs roles here.
- Complete the remaining non-security related steps to finish installing and deploying the application.