Authorizing users to run applications in a Liberty JVM server

To authorize user IDs to run transactions in a Liberty JVM server, you can either use CICS® transaction and resource security or you can use JEE application security roles to authorize access to JEE applications.

About this task

Using CICS security allows you to reuse existing security procedures, but it requires that individual web applications are accessed through different URIMAPs, whereas role-based security allows you to reuse existing standard JEE security definitions from another JEE application server. See Authenticating users in a Liberty JVM server. If you want to use CICS authorization exclusively, you can bypass further Liberty role-based checking by using the special subject ALL_AUTHENTICATED_USERS in the definition of your application in server.xml. If you deploy a Liberty application in a CICS bundle, CICS configures this for you automatically.
<application id="com.ibm.cics.server.examples.wlp.tsq.app"
    name="com.ibm.cics.server.examples.wlp.tsq.app" type="eba"
    location="${server.output.dir}/installedApps/com.ibm.cics.server.examples.wlp.tsq.app.eba">
    <application-bnd>
        <security-role name="cicsAllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
    </application-bnd>
</application>

Using this special subject, and giving the cicsAllAuthenticated role access to all URLs in your web application's deployment descriptor (web.xml), allows any authenticated user ID to reach the web application; authorization to the transaction must then be controlled using CICS transaction security. If you deploy your application directly to the dropins directory, it is not configured to use CICS security, because dropins does not support security.

To use CICS transaction or resource security, follow these steps:

Procedure

  1. Define a URIMAP of type JVMSERVER for each web application. Typically, you specify a URIMAP that matches the generic context root (URI) of a web application, which scopes the transaction ID to the set of servlets that make up the application. Alternatively, you can run each individual servlet under a different transaction by specifying a more precise URI.
  2. Authorize all users of the web application to use the transaction specified in the URIMAP using CICS transaction or resource security profiles.