JEE application role security

JEE application role security can be configured in different ways depending on the authorization type you wish to use. In distributed systems, a basic registry or LDAP registry is typically used together with an application-specific <application-bnd> element to map users from those registries into 'roles'. The deployment descriptor of the application determines which roles can access which parts of the application.

About this task

On z/OS® there is an additional registry type, the SAF registry. A Liberty JVM server implicitly uses this type for authentication when the cicsts:security-1.0 feature is installed. You can optionally choose to use it for authorization. The SAF registry type includes support for "user to role" mappings (EJB roles). As a result, the mapping information can be taken directly from the SAF registry itself.

In a Liberty JVM server, if you wish to use JEE roles without SAF authorization, you cannot use CICS® bundles to install your applications. This is because an application installed from a CICS bundle automatically creates an <application-bnd> element that uses the ALL_AUTHENTICATED_USERS special subject, which prevents you from defining the element yourself. Instead, you must create an <application> element in server.xml directly and configure its <application-bnd> with the roles and users you require.

If, however, you choose to use JEE roles with SAF authorization, you can continue to use CICS bundles to manage the lifecycle of your web applications. Liberty ignores the <application-bnd> in favour of the role mappings determined by the SAF registry. A role mapping is established by a 'user' belonging to an EJB role.

Procedure

  1. Add the <safAuthorization id="saf"/> element to your server.xml.
  2. Create the EJB roles you require, following the prefix scheme described below.
  3. Add users to those EJB roles.

    By default, if SAF authorization is used, the application uses the pattern <profile_prefix>.<resource>.<role> to determine whether a user is in a role. The profile_prefix defaults to BBGZDFLT but can be modified using the <safCredential> element. For more information, see Liberty profile: Accessing z/OS security resources using WZSSAD in the WebSphere Application Server for z/OS product documentation.

    The role mapping preferences can be modified using the <safRoleMapper> element in server.xml, which defaults to <safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true"/>.

    Users can then be authorized to a particular EJB role using the following RACF® commands, where WEBUSER is the authenticated user ID.
    RDEFINE EJBROLE BBGZDFLT.MYAPP.ROLE UACC(NONE)
    PERMIT BBGZDFLT.MYAPP.ROLE CLASS(EJBROLE) ACCESS(READ) ID(WEBUSER)
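    The following server.xml fragment is an added example, not taken from the CICS documentation or the product's own samples; it shows the two configurations described above side by side: JEE roles with SAF authorization (the EJB role check then lands on the EJBROLE profile named by the profilePattern), and JEE roles without SAF authorization, where the <application> and its <application-bnd> are declared directly. The application name MYAPP, role ROLE, user WEBUSER and group WEBGROUP are constructed placeholders, and the Liberty element name safCredentials (spelled safCredential in the text above) is assumed from the Liberty configuration reference.

```xml
<server description="CICS Liberty JVM server: JEE role security (added example)">
    <featureManager>
        <!-- Other features the server needs (for example cicsts:core-1.0) are omitted here. -->
        <feature>cicsts:security-1.0</feature>
    </featureManager>

    <!-- Option A: JEE roles with SAF authorization.
         The application may still be installed from a CICS bundle; the
         <application-bnd> the bundle generates is ignored in favour of SAF. -->
    <safAuthorization id="saf"/>

    <!-- Optional: override the profile prefix (default BBGZDFLT). -->
    <safCredentials profilePrefix="BBGZDFLT"/>

    <!-- Optional: how a role check is mapped onto an EJBROLE profile.
         With this pattern, role ROLE in application (resource) MYAPP is checked
         against the profile BBGZDFLT.MYAPP.ROLE, so WEBUSER must hold READ
         access to it (the RDEFINE/PERMIT commands above). toUpperCase="true"
         means the profile name is always upper case, whatever case the
         deployment descriptor uses for the role name. -->
    <safRoleMapper profilePattern="%profilePrefix%.%resource%.%role%" toUpperCase="true"/>

    <!-- Option B: JEE roles without SAF authorization.
         Remove <safAuthorization> above, do not install MYAPP from a CICS
         bundle, and declare it here so that you own the <application-bnd>.
         Only the users and groups listed under each security-role are in
         that role; no ALL_AUTHENTICATED_USERS special subject is added. -->
    <!--
    <application id="MYAPP" name="MYAPP" location="MYAPP.war" type="war">
        <application-bnd>
            <security-role name="ROLE">
                <user name="WEBUSER"/>
                <group name="WEBGROUP"/>
            </security-role>
        </application-bnd>
    </application>
    -->
</server>
```

In both options the web application's deployment descriptor still decides which URL patterns require ROLE; server.xml and SAF only decide who is in that role.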
Results

You can authorize access to web applications using CICS security and/or JEE role security by defining the roles and the users within those roles.