Configuring authorization for your application means verifying
whether a user or group belongs to a specified role, and whether that
role has the privilege to access a resource.
About this task
The Liberty profile server extracts user and group membership
information from a user registry, then checks the authorization configuration
for the application to determine whether the user or group is assigned
to one of the required roles. The server also reads the deployment
descriptor of the application to determine which roles are required
for the requested resource, and therefore whether the user or group
has the privilege to access it.
Procedure
- Enable the appSecurity-2.0 Liberty
feature in the server.xml file.
For example:
<featureManager>
<feature>appSecurity-2.0</feature>
</featureManager>
- Configure a user registry for authentication on the Liberty
profile server.
See Authenticating users in the Liberty profile.
- Ensure that the deployment descriptor for your application
includes security constraints and other security-related information.
Note: You can also use a tool such as Rational® Application Developer to create
the deployment descriptor.
- Configure the authorization information such as the user
and group to role mapping.
You can configure the authorization
table in the following ways:
- If you have an EAR file, you can add the authorization configuration
definition to the ibm-application-bnd.xml or ibm-application-bnd.xmi file.
- If you have standalone WAR files, you can add the authorization
table definitions to the server.xml file under
the respective application element. You can use the WebSphere® Application Server Developer Tools for Eclipse to do
this.
A role can be mapped to a user, a group, or a special
subject. The two types of special subject are EVERYONE and ALL_AUTHENTICATED_USERS.
When a role is mapped to the EVERYONE special subject,
the constraint provides no protection: everyone, including unauthenticated
users, is allowed access and is not prompted to enter credentials. When a role
is mapped to the ALL_AUTHENTICATED_USERS special
subject, any user who has been authenticated by the application
server can access the protected resource, regardless of group membership.
Here is example code
for configuring the user and group to role mapping in the
server.xml file:
<application type="war" id="myapp" name="myapp" location="${server.config.dir}/apps/myapp.war">
<application-bnd>
<security-role name="user">
<group name="students" />
</security-role>
<security-role name="admin">
<user name="gjones" />
<group name="administrators" />
</security-role>
<security-role name="AllAuthenticated">
<special-subject type="ALL_AUTHENTICATED_USERS" />
</security-role>
</application-bnd>
</application>
In this example, the user role is mapped to all users in the group students,
and the admin role
is mapped to the user ID gjones and all users in
the group administrators. The AllAuthenticated role is
mapped to the special subject ALL_AUTHENTICATED_USERS,
meaning that any user has access as long as they provide valid credentials
for authentication.
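The following is an added example that ties the four steps of the procedure together; it is not taken from the original page or from the Liberty product documentation. It assumes a constructed basicRegistry with the users gjones and amartin and the passwords shown (placeholders for development only), a hypothetical WAR named myapp.war deployed under the server's apps directory, and a web.xml that protects the /admin/* and /secure/* paths. The server.xml and the WEB-INF/web.xml are shown one after the other in the same block, separated by comments.

```xml
<!-- ===== server.xml (constructed example) ===== -->
<server description="authorization example">
  <featureManager>
    <!-- Step 1: appSecurity-2.0 provides authentication and authorization -->
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
  </featureManager>

  <!-- Step 2: user registry. basicRegistry is suitable for development only;
       the plain-text passwords here are placeholders. Encode real values with
       the securityUtility encode command, or use an LDAP registry instead. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="gjones"  password="gjonesPassword" />
    <user name="amartin" password="amartinPassword" />
    <group name="administrators">
      <member name="gjones" />
    </group>
    <group name="students">
      <member name="amartin" />
    </group>
  </basicRegistry>

  <!-- CONFIDENTIAL transport (below) requires an HTTPS endpoint and a keystore -->
  <keyStore id="defaultKeyStore" password="keystorePassword" />
  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443" />

  <!-- Step 4: user and group to role mapping for a standalone WAR.
       The security-role names must match the role-name values in web.xml. -->
  <application type="war" id="myapp" name="myapp"
               location="${server.config.dir}/apps/myapp.war">
    <application-bnd>
      <security-role name="user">
        <group name="students" />
      </security-role>
      <security-role name="admin">
        <user name="gjones" />
        <group name="administrators" />
      </security-role>
      <security-role name="AllAuthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
      </security-role>
      <!-- Deliberately NOT done: mapping a role to EVERYONE would let
           unauthenticated callers reach any resource that role protects.
           <security-role name="public"><special-subject type="EVERYONE" /></security-role> -->
    </application-bnd>
  </application>
</server>

<!-- ===== WEB-INF/web.xml inside myapp.war (constructed example) ===== -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- Step 3: security constraints declare WHICH roles a URL needs;
       the role-to-user mapping itself lives in server.xml above. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Authenticated pages</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>AllAuthenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>BasicRealm</realm-name>
  </login-config>
  <security-role><role-name>user</role-name></security-role>
  <security-role><role-name>admin</role-name></security-role>
  <security-role><role-name>AllAuthenticated</role-name></security-role>
</web-app>
```

With this configuration, a request to /admin/* by amartin (a member of students only) is authenticated but rejected because amartin is not in the admin role, while gjones is admitted both by name and through the administrators group; any user the registry can authenticate reaches /secure/*. A role name that appears in an auth-constraint but has no matching security-role in application-bnd grants access to nobody, so when a resource is unexpectedly forbidden, compare the role-name values in web.xml against the security-role names in server.xml first.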