Authorization using SAF role mapping
Mapping Java™ EE roles to users and groups can be achieved in different ways. In distributed systems, a basic registry or LDAP registry would typically be used in conjunction with an application specific <application-bnd> element, to map users from those registries into roles. The deployment descriptor of the application determines which roles can access which parts of the application.
About this task
On z/OS®, there is an additional registry type, the System
Authorization Facility (SAF) registry. A Liberty JVM server implicitly uses this type for
authentication when the cicsts:security-1.0
feature is installed unless configured
to use LDAP. You can choose to make use of SAF authorization. When using SAF
authorization, user to role mappings are used to map roles to EJBROLE resource
profiles using the SAF role mapper. The server queries SAF to determine if the user has the required
READ access to the EJBROLE resource profile.
In a Liberty JVM server, if you want to use Java EE roles without SAF authorization, you cannot use CICS® bundles to install your applications. This is because a CICS bundle
installed application automatically creates an <application-bnd> element and uses the ALL_AUTHENTICATED_USERS
special-subject, which prevents you from defining the element yourself. Instead, you must create an
<application> element in server.xml directly and configure the <application-bnd> with the roles and users you require.
If, however, you choose to use Java EE roles and SAF authorization, you can continue to use CICS bundles to lifecycle your web applications. The <application-bnd> is ignored by Liberty in favor of using the role mappings determined by the SAF registry. Role mappings are determined by virtue of a user belonging to an EJB role.
ALL_AUTHENTICATED_USERS
and EVERYONE
, or users can not be defined
in server.xml in this case.