Security Overview

The service layer security in the current release is HTTP BASIC authentication and authorization using a container-based security model. This document describes how that model is configured on WebSphere Liberty. WebSphere Liberty provides a standard security model for securing web applications deployed on the server.

To enable application security with HTTP Basic Authentication in WebSphere Liberty, perform the following steps:

Step 1 - Enable Application Security in WebSphere Liberty

Refer to the attached ServiceLayer server.xml file for the user configuration under the basicRegistry section. There, the user and group elements add users to the user repository and define the group memberships that are later mapped to roles.

Note: Enable the "appSecurity-2.0" Liberty feature in server.xml

Feature

<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>

Users and groups are configured under the basicRegistry section provided by Liberty. Sample users and groups are shown below:

User and Groups

<basicRegistry id="basic">
    <user name="admin" password="Welcome1" />
    <user name="qatester3" password="qatester3" />
    <user name="qatester1" password="qatester1" />
    <group name="POLICY_GRP">
        <member name="qatester3"/>
        <member name="qatester1"/>
    </group>
    <group name="CLIENT_GRP">
        <member name="qatester3"/>
    </group>
    <group name="SLADMIN_GRP">
        <member name="qatester3"/>
    </group>
</basicRegistry>

Configure the mapping of users and groups to roles in server.xml:

Role Mapping

<!-- PASService application section -->
<webApplication contextRoot="PASService" location="PASService-websphere.war">
    <classloader delegation="parentLast">
        <commonLibrary>
            <fileset includes="*" dir="/scratch/oipa/externallibs/"/>
            <fileset includes="*" dir="/scratch/oipa/externallibs/conf/servicelayer/"/>
            <folder dir="/scratch/oipa/externallibs/conf/servicelayer"/>
            <file name="/scratch/oipa/externallibs/conf/servicelayer/Service.properties"/>
        </commonLibrary>
    </classloader>
    <application-bnd>
        <security-role name="POLICY_READ">
            <group name="POLICY_GRP" />
        </security-role>
        <security-role name="CLIENT_READ">
            <group name="CLIENT_GRP" />
        </security-role>
        <security-role name="SL_ADMIN">
            <group name="POLICY_GRP"/>
            <group name="CLIENT_GRP"/>
            <group name="SLADMIN_GRP"/>
        </security-role>
        <security-role name="AllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</webApplication>

Note: A role can be mapped to a user, a group, or a special subject. The two types of special subject are EVERYONE and ALL_AUTHENTICATED_USERS. When a role is mapped to the EVERYONE special subject, the role provides no protection: everyone is allowed access and no credentials are requested. When a role is mapped to the ALL_AUTHENTICATED_USERS special subject, any user who is authenticated by the application server can access the protected resource.
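The basicRegistry and application-bnd sections above are read separately by Liberty, so the roles a given user actually ends up with are only visible after resolving group membership against the role bindings. The following script is an added example, not part of this document or of the PASService code base: it parses the two sections shown above (embedded here as a constructed sample wrapped in a <server> root), computes the effective user-to-role matrix, handles the EVERYONE and ALL_AUTHENTICATED_USERS special subjects described in the note, and reports the checks a reviewer would run on the file before deployment (roles open to EVERYONE, role bindings that reference a group the registry never defines, and user entries whose password is stored as a literal rather than in Liberty's {xor}, {aes} or {hash} encoded form). The helper names and the anonymous-caller placeholder are this example's own.

```python
"""Resolve effective user-to-role assignments from a Liberty server.xml.

Added example (not part of this document or of the PASService code base).
"""
import xml.etree.ElementTree as ET

# Constructed sample: the registry and role bindings from this page, wrapped in
# a <server> root so the fragment parses as one document.
SERVER_XML = """<server>
  <basicRegistry id="basic">
    <user name="admin" password="Welcome1" />
    <user name="qatester3" password="qatester3" />
    <user name="qatester1" password="qatester1" />
    <group name="POLICY_GRP">
      <member name="qatester3"/>
      <member name="qatester1"/>
    </group>
    <group name="CLIENT_GRP">
      <member name="qatester3"/>
    </group>
    <group name="SLADMIN_GRP">
      <member name="qatester3"/>
    </group>
  </basicRegistry>
  <webApplication contextRoot="PASService" location="PASService-websphere.war">
    <application-bnd>
      <security-role name="POLICY_READ"><group name="POLICY_GRP"/></security-role>
      <security-role name="CLIENT_READ"><group name="CLIENT_GRP"/></security-role>
      <security-role name="SL_ADMIN">
        <group name="POLICY_GRP"/><group name="CLIENT_GRP"/><group name="SLADMIN_GRP"/>
      </security-role>
      <security-role name="AllAuthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </webApplication>
</server>"""

ANONYMOUS = "<unauthenticated>"  # hypothetical stand-in for a caller who sent no credentials


def parse_registry(root):
    """Return ({user: password}, {group: set(members)}) from <basicRegistry>."""
    reg = root.find("basicRegistry")
    users = {u.get("name"): u.get("password", "") for u in reg.findall("user")}
    groups = {g.get("name"): {m.get("name") for m in g.findall("member")}
              for g in reg.findall("group")}
    return users, groups


def parse_role_bindings(root):
    """Return {role: {"users": set, "groups": set, "special": set}} from <application-bnd>."""
    bindings = {}
    for role in root.iter("security-role"):
        bindings[role.get("name")] = {
            "users": {u.get("name") for u in role.findall("user")},
            "groups": {g.get("name") for g in role.findall("group")},
            "special": {s.get("type") for s in role.findall("special-subject")},
        }
    return bindings


def effective_roles(server_xml):
    """Map every registry user (and the anonymous caller) to the roles they hold."""
    root = ET.fromstring(server_xml)
    users, groups = parse_registry(root)
    bindings = parse_role_bindings(root)
    held = {u: set() for u in users}
    held[ANONYMOUS] = set()
    for role, b in bindings.items():
        if "EVERYONE" in b["special"]:          # no authentication required at all
            for u in held:
                held[u].add(role)
            continue
        if "ALL_AUTHENTICATED_USERS" in b["special"]:
            for u in users:
                held[u].add(role)
        for u in b["users"] & set(users):       # direct user bindings
            held[u].add(role)
        for g in b["groups"]:                   # group bindings, resolved via membership
            for u in groups.get(g, ()):
                held[u].add(role)
    return held


def audit(server_xml):
    """Findings a reviewer would flag: open roles, dangling groups, plaintext passwords."""
    root = ET.fromstring(server_xml)
    users, groups = parse_registry(root)
    bindings = parse_role_bindings(root)
    referenced = {g for b in bindings.values() for g in b["groups"]}
    return {
        "everyone_roles": sorted(r for r, b in bindings.items() if "EVERYONE" in b["special"]),
        "undefined_groups": sorted(referenced - set(groups)),
        # Liberty stores encoded passwords with a {xor}, {aes} or {hash} prefix;
        # anything else is a literal password sitting in server.xml.
        "plaintext_password_users": sorted(u for u, pw in users.items()
                                           if not pw.startswith(("{xor}", "{aes}", "{hash}"))),
    }


if __name__ == "__main__":
    for user, roles in effective_roles(SERVER_XML).items():
        print(f"{user:18} -> {sorted(roles)}")
    print(audit(SERVER_XML))
```

Run against the sample, the matrix shows that qatester3 holds POLICY_READ, CLIENT_READ and SL_ADMIN, qatester1 holds POLICY_READ and SL_ADMIN (via POLICY_GRP alone, because SL_ADMIN is bound to that group too), and the admin registry user holds only AllAuthenticated, since no application role is bound to it or to a group containing it. The audit lists all three users under plaintext_password_users; Liberty's bin/securityUtility encode command produces the encoded form the check accepts.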