Configuring basic authentication for Liberty web applications

Authenticate a user to an application that runs in a Liberty JVM server by using basic authentication.

Before you begin

You must complete the configuration of a user registry for the Liberty server. See Configuring authentication in CICS Liberty for a list of related configuration tasks.

Recommended: Use HTTPS with basic authentication, because basic authentication sends the credentials in the request header as a base64-encoded string, which is neither signed nor encrypted. For more information, see the task Configuring TLS for a Liberty JVM server by using RACF.

You must have:

  • Authorization to create or update the application security constraint in the deployment descriptor (web.xml).
  • Write access to the server.xml configuration file.

About this task

In this task, you configure your Liberty web application to authenticate with basic authentication.

Procedure

  1. Add the appSecurity-2.0 feature (or a more recent version of this feature) to the server.xml file.
  2. Add the security controls to the application's deployment descriptor as follows. The web.xml file can be found inside the source files for the web application that you are deploying.
    1. Add a login configuration to the application's web.xml file to specify HTTP basic authentication as the authentication method.
      <login-config>
          <auth-method>BASIC</auth-method>
      </login-config>
    2. Define an authorization constraint in the web.xml to restrict access to URL paths for this application to specific roles. For example, the security constraint below restricts access to all URL paths, for every HTTP method, to users who have the role cicsAllAuthenticated.
      <security-constraint>
          <web-resource-collection>
              <web-resource-name>myResourceName</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>cicsAllAuthenticated</role-name>
          </auth-constraint>
      </security-constraint>

    The role must be defined to the server and associated with the authorized users. When you deploy a Java™ application in a CICS® bundle, the cicsAllAuthenticated role is automatically defined and associated with the special subject ALL_AUTHENTICATED_USERS.

    The resource name myResourceName is a logical name that represents the collection of web resources.

  3. Deploy the Java application.

    For example, deploy it as a CICS bundle (see Deploying a CICS bundle in the CICS Explorer product documentation).

    If an application already has a security constraint defined but uses a different auth-method, you can override this at the Liberty server scope to use basic authentication by default:

    <webAppSecurity overrideHttpAuthMethod="BASIC"/>
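    The following added example is not part of this documentation or of Liberty itself; it is a small Python model of what the server does with the web.xml from steps 2 and 3, and it also makes the point behind the HTTPS recommendation concrete. It embeds a constructed deployment descriptor containing the login-config and security-constraint shown above plus a hypothetical second constraint on /admin/* with a role named admin, so that the difference between a 401 (not authenticated) and a 403 (authenticated but not in the role) is visible. The user registry (USERS), the role-to-subject mapping (ROLE_SUBJECTS) and the realm name are constructed stand-ins for what the Liberty user registry and the CICS bundle supply; url-pattern matching follows the servlet rule that the longest matching pattern decides which constraint applies.

```python
import base64
import hmac
import xml.etree.ElementTree as ET

# Constructed web.xml: the two fragments from the procedure, plus a hypothetical
# /admin/* constraint. The web-app namespace is omitted so the fragments parse
# as one plain document.
WEB_XML = """<web-app>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myResourceName</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>cicsAllAuthenticated</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminResources</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

REALM = "cicsLiberty"  # constructed realm name used in the 401 challenge

# Constructed stand-ins for the Liberty user registry and the role mapping
# (in a CICS bundle, cicsAllAuthenticated -> ALL_AUTHENTICATED_USERS is automatic).
USERS = {"cicsuser": "Secret123", "cicsadmin": "Adm1nPass"}
ROLE_SUBJECTS = {
    "cicsAllAuthenticated": {"ALL_AUTHENTICATED_USERS"},  # special subject
    "admin": {"cicsadmin"},
}


def parse_descriptor(xml_text):
    """Return (auth_method, [(url_patterns, role_names), ...]) from a web.xml."""
    root = ET.fromstring(xml_text)
    auth_method = root.findtext("login-config/auth-method")
    constraints = []
    for sc in root.findall("security-constraint"):
        patterns = [p.text for p in sc.findall("web-resource-collection/url-pattern")]
        roles = [r.text for r in sc.findall("auth-constraint/role-name")]
        constraints.append((patterns, roles))
    return auth_method, constraints


def path_matches(pattern, path):
    """Servlet url-pattern matching: path prefix (/x/*), extension (*.ext) or exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def build_authorization_header(user, password):
    """Client side: the Authorization header a browser sends for basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_authorization(header):
    """Server side: recover (user, password) from the header, or None if malformed.
    This is a plain base64 reversal, which is why the transport has to be TLS."""
    if header is None or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, password = decoded.split(":", 1)
    return user, password


def user_in_role(user, role):
    subjects = ROLE_SUBJECTS.get(role, set())
    return "ALL_AUTHENTICATED_USERS" in subjects or user in subjects


def handle_request(path, authorization_header, descriptor=WEB_XML):
    """Apply the descriptor's constraints to one request; returns (status, headers)."""
    auth_method, constraints = parse_descriptor(descriptor)
    matches = [(len(p), roles) for patterns, roles in constraints
               for p in patterns if path_matches(p, path)]
    if not matches:
        return 200, {}  # unconstrained resource: no authentication demanded
    best = max(length for length, _ in matches)  # longest pattern wins
    required_roles = {r for length, roles in matches if length == best for r in roles}
    challenge = {"WWW-Authenticate": f'{auth_method.title()} realm="{REALM}"'}
    creds = parse_basic_authorization(authorization_header)
    if creds is None:
        return 401, challenge
    user, password = creds
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, challenge  # unknown user or wrong password: challenge again
    if any(user_in_role(user, role) for role in required_roles):
        return 200, {}
    return 403, {}  # authenticated, but in none of the roles the constraint allows
```

    Calling handle_request("/app/index.html", None) returns the 401 challenge with the Basic realm header; the same path with a valid header for cicsuser returns 200, while "/admin/stats" for cicsuser returns 403 because only the admin role is allowed there. The constant-time password comparison and the longest-match rule are the two details most often got wrong when this logic is reimplemented outside a container.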

Results

Requests to the Java application are authenticated by using a user ID and password.

You can use the CICS security request recording (SRR) feature from within CICS Explorer to validate this example. With the Regions view in focus, select the Add Security Request Recording pop-up menu option. In that window, select the JVM Server tab and set the Transaction ID field to the transaction ID defined by the URIMAP that matches the request (or CJSA by default). For more information, see Checking that a CICS security configuration example is working by using the SRR.

What to do next

You might want to authorize the authenticated user to run the web request by following the steps in Configuring CICS transaction security for a Liberty JVM server or Configuring SAF authorization with an EJBROLE.