Authenticate a user to an application that runs in a Liberty JVM server by using basic
authentication.
Before you begin
You must complete the configuration of a user registry for the Liberty server; see Configuring authentication in CICS Liberty for a list of related configuration tasks.
You must have:
- Authorization to create or update the application security constraint in the deployment
descriptor (web.xml).
- Write access to the server.xml configuration file.
About this task
In this task, you configure your Liberty web application to authenticate with basic
authentication.
Procedure
- Add the appSecurity-2.0 feature (or a more recent version of this
feature) to the server.xml file.
- Add the security controls to the application's deployment descriptor as follows. The
web.xml file can be found inside the source files for the web application that
you are deploying.
- Add a login configuration to the application’s web.xml file to specify HTTP basic authentication
as the authentication method.
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
- Define an authorization constraint in the web.xml to restrict access to URL paths for this
application to specific roles. For example, the security constraint below restricts access for
any HTTP method to all URL paths to users with the role cicsAllAuthenticated.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>myResourceName</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>cicsAllAuthenticated</role-name>
    </auth-constraint>
</security-constraint>
The role needs to be defined to the server and be associated with the authorized users. When
deploying a Java™ application in a CICS® bundle, the cicsAllAuthenticated role is automatically
defined and associated with the special subject ALL_AUTHENTICATED_USERS.
The resource name myResourceName is a logical name that represents the collection of web resources.
- Deploy the Java application.
For example, as a CICS bundle (see Deploying a CICS bundle in the CICS Explorer product documentation).
If an application already has a security constraint defined but uses a different auth-method, you
can override this at the Liberty server scope to use basic authentication by default:
<webAppSecurity overrideHttpAuthMethod="BASIC"/>
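The following script is an added example, not part of this documentation or of the Liberty product: it parses a web.xml and reports the configured auth-method together with each security constraint's URL patterns and roles, flagging any constraint that lacks an auth-constraint (under the Servlet specification such a constraint leaves its URL patterns open to unauthenticated requests, and a more specific pattern takes precedence over /*). The sample descriptor is constructed for the example and deliberately contains such an open constraint.

```python
"""Audit a Liberty web.xml for the basic-authentication settings described above."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor: the page's constraint plus a second one that
# omits <auth-constraint>, which leaves /public/* reachable without credentials.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>myResourceName</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cicsAllAuthenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>openResources</web-resource-name>
      <url-pattern>/public/*</url-pattern>
    </web-resource-collection>
  </security-constraint>
</web-app>
"""


def audit_web_xml(xml_text):
    """Return (auth_method, constraints); each constraint is a dict with
    'name', 'patterns', 'roles' and 'protected' (False when no <auth-constraint>)."""
    root = ET.fromstring(xml_text)
    # Reuse the root's namespace prefix so tag lookups work with or without xmlns.
    ns = root.tag.split("}")[0] + "}" if root.tag.startswith("{") else ""
    method = root.findtext(f"{ns}login-config/{ns}auth-method")
    constraints = []
    for sc in root.findall(f"{ns}security-constraint"):
        wrc = sc.find(f"{ns}web-resource-collection")
        auth = sc.find(f"{ns}auth-constraint")
        constraints.append({
            "name": wrc.findtext(f"{ns}web-resource-name"),
            "patterns": [p.text for p in wrc.findall(f"{ns}url-pattern")],
            # An <auth-constraint> with no <role-name> denies everyone; none at all allows everyone.
            "roles": [r.text for r in auth.findall(f"{ns}role-name")] if auth is not None else [],
            "protected": auth is not None,
        })
    return method, constraints


def unprotected_patterns(xml_text):
    """List the URL patterns that no auth-constraint guards."""
    _, constraints = audit_web_xml(xml_text)
    return [p for c in constraints if not c["protected"] for p in c["patterns"]]
```

Running `audit_web_xml(SAMPLE_WEB_XML)` reports BASIC as the method and `unprotected_patterns` returns `['/public/*']`, which is the line item a reviewer would want to see before deploying the bundle.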
Results
Requests to the Java application are authenticated by using a user ID and password.
You can use the CICS security
request recording (SRR) feature from within CICS Explorer to validate this example. With the Regions view in focus, you select the Add Security
Request Recording pop-up menu option. On that window, select the JVM
Server tab and set the Transaction ID field to the transaction ID
defined by the URIMAP that matches the request (or CJSA by default). For more information, see Checking that a CICS security configuration example is working by using the SRR.
What to do next
You might want to authorize the authenticated user to run the web request by following the steps
in Configuring CICS transaction security for a Liberty JVM server or Configuring SAF authorization with an EJBROLE.