AC WebSphere Security
In the current release, Admin Console security uses BASIC authentication and authorization based on a container-based security model. This document outlines how to configure that security model with WebSphere Liberty. The WebSphere Liberty server provides a standard security model for securing web applications deployed on it.
To enable application security with HTTP Basic Authentication in WebSphere Liberty, perform the following steps:
Enable Application Security in WebSphere Liberty
Refer to the AdminConsole's 'server.xml' file for the user configuration under the 'basicRegistry' section. In that section, use the user and group entries to add users to the user repository and to map users to roles.
Note: Enable the "appSecurity-2.0" Liberty feature in server.xml.
Feature
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
Users and groups are configured under the basic registry section provided by the Liberty server. Sample users and groups are shown below:
Users and Groups
<basicRegistry id="basic">
    <user name="admin" password="Welcome1" />
    <user name="qatester3" password="qatester3" />
    <group name="ACADMIN_GRP">
        <member name="qatester3"/>
    </group>
</basicRegistry>
Configure the user-to-role and group-to-role mapping in server.xml:
Role Mapping
<!-- Admin Console application section -->
<webApplication contextRoot="AdminConsole" location="AdminConsole-websphere.war">
    <classloader delegation="parentLast">
        <commonLibrary>
            <fileset includes="*" dir="/scratch/oipa/externallibs/"/>
            <fileset includes="*" dir="/scratch/oipa/externallibs/conf/adminconsole/"/>
            <folder dir="/scratch/oipa/externallibs/conf/adminconsole"/>
            <file name="/scratch/oipa/externallibs/conf/adminconsole/ac.properties"/>
        </commonLibrary>
    </classloader>
    <application-bnd>
        <security-role name="AC_ADMIN">
            <group name="ACADMIN_GRP"/>
        </security-role>
        <security-role name="AllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>
Note: A role can be mapped to a user, a group, or a special subject. The two types of special subject are EVERYONE and ALL_AUTHENTICATED_USERS. When a role is mapped to the EVERYONE special subject, there is no security because everyone is allowed access and you are not prompted to enter credentials. When a role is mapped to the ALL_AUTHENTICATED_USERS special subject, then any user who is authenticated by the application server can access the protected resource.
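The following is an added example, not part of the original document or the product's own tooling. It is a Python check that parses a server.xml like the one above and reports a missing appSecurity feature, basicRegistry passwords stored without a Liberty encoding prefix, roles bound to EVERYONE, and role bindings that name a group absent from the basic registry. The sample XML is constructed, and the function name audit_server_xml is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the page's snippets; the AC_AUDIT and AC_CYCLE
# bindings, ACAUDIT_GRP and the {xor} value are made up to trigger each check.
SAMPLE_SERVER_XML = """<server>
  <featureManager><feature>appSecurity-2.0</feature></featureManager>
  <basicRegistry id="basic">
    <user name="admin" password="Welcome1"/>
    <user name="qatester3" password="{xor}constructed-placeholder"/>
    <group name="ACADMIN_GRP"><member name="qatester3"/></group>
  </basicRegistry>
  <webApplication contextRoot="AdminConsole" location="AdminConsole-websphere.war">
    <application-bnd>
      <security-role name="AC_ADMIN"><group name="ACADMIN_GRP"/></security-role>
      <security-role name="AC_AUDIT"><group name="ACAUDIT_GRP"/></security-role>
      <security-role name="AC_CYCLE"><special-subject type="EVERYONE"/></security-role>
    </application-bnd>
  </webApplication>
</server>"""

# Prefixes Liberty puts on passwords encoded with `securityUtility encode`.
ENCODED_PREFIXES = ("{xor}", "{aes}", "{hash}")

def audit_server_xml(xml_text):
    """Return sorted (check, detail) findings for a Liberty server.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    features = [f.text.strip() for f in root.iter("feature") if f.text]
    if not any(f.startswith("appSecurity-") for f in features):
        findings.append(("feature", "no appSecurity feature enabled"))
    groups = set()
    for registry in root.iter("basicRegistry"):
        groups.update(g.get("name") for g in registry.findall("group"))
        for user in registry.findall("user"):
            # A value without an encoding prefix is stored in clear text.
            if not user.get("password", "").startswith(ENCODED_PREFIXES):
                findings.append(("plaintext-password", user.get("name")))
    for role in root.iter("security-role"):
        name = role.get("name")
        for subject in role.findall("special-subject"):
            if subject.get("type") == "EVERYONE":  # role grants access with no login
                findings.append(("everyone-binding", name))
        # Assumes basicRegistry is the only user registry in this server.xml.
        for group in role.findall("group"):
            if group.get("name") not in groups:
                findings.append(("unknown-group", f"{name} -> {group.get('name')}"))
    return sorted(findings)

if __name__ == "__main__":
    for check, detail in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"{check}: {detail}")
```

Run against the sample registry shown earlier in this document, the same check reports both sample users as having clear-text passwords.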
Role Definition for Admin Console
The roles defined for Admin Console are per service rather than per resource. Roles by service means that each service defines the roles required to access that particular service.
Possible Roles and their privileges
| Role Name | Role Description |
| --- | --- |
| AC_ADMIN | AdminConsole Administrator |
| AC_CYCLE | Access the Cycle Service to read the cycle results |
| AC_AUDIT | Access the Audit Service |
| AC_PURGE_LOG | Access the Purge Service |
| AC_CYCLEADMIN | Access the Cycle Client page and perform batch operations |