Liberty profile security provides protection for web resources in accordance with the Servlet 3.0 specification and EJB resources in accordance with the ejbLite 3.1 specification. The Liberty profile security also provides protection for the JMX connections when you are using the REST connector.
The following diagram shows the typical security process when a protected web resource is accessed. For this process to work, you must enable the appropriate security features and supply the configuration that authentication and authorization require.
With the quickStartSecurity element, you can configure a single-user security environment in the Liberty profile. See Liberty profile: Quick overview of security for details of the security workflow when you use the quickStartSecurity element, and Getting started with security in the Liberty profile for a sample task.
Authentication confirms the identity of a user. The most common form of authentication is user name and password, such as through either basic authentication or form login for web applications. When a user is authenticated, the source of a request is represented as a Subject object at run time. This process involves checking the user credentials, such as the user ID and password, certificates, and tokens, and creating a subject based on the authenticated user. See Liberty profile: Authentication for more concepts and Authenticating users in the Liberty profile for detailed tasks.
Authorization determines whether to grant a user access to resources within the system. The Java™ EE model uses subjects, resources, and roles to determine what can and cannot be allowed. This process involves performing access control checks when a user accesses a resource, based on the authorization rules configured for the resource. See Liberty profile: Authorization for more concepts and Authorizing access to resources in the Liberty profile for detailed tasks.
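The authentication and authorization steps above map onto two parts of server.xml: a user registry (where credentials are checked) and a role binding (where access is decided). The following server.xml is an added example and is not from the original page or from IBM; the feature names and element names are real Liberty configuration, but the application name myapp.war, realm name, user names, passwords and role names are constructed values.

```xml
<server description="Added example: registry plus role mapping (constructed values)">

  <!-- appSecurity-2.0 provides authentication and authorization; servlet-3.0 provides
       the web container that enforces the security-constraint entries in web.xml. -->
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- Option 1: the single-user environment. quickStartSecurity defines one user and
       grants it the Administrator role; it is meant to be used without any other
       registry, so it is shown commented out here. -->
  <!--
  <quickStartSecurity userName="admin" userPassword="CHANGE-ME"/>
  -->

  <!-- Option 2: a basic registry with named users and groups. Authentication compares
       the supplied user ID and password against these entries and builds the Subject. -->
  <basicRegistry id="basic" realm="ExampleRealm">
    <user name="alice" password="alicePassword"/>
    <user name="bob"   password="bobPassword"/>
    <group name="developers">
      <member name="alice"/>
    </group>
  </basicRegistry>

  <!-- Authorization: bind the roles that the application's web.xml declares
       (<security-role><role-name>developer</role-name></security-role>, and a
       security-constraint that names them) to registry users and groups. A request for
       a protected URL succeeds only if the authenticated Subject holds a bound role. -->
  <application id="myapp" name="myapp" type="war" location="myapp.war">
    <application-bnd>
      <security-role name="developer">
        <group name="developers"/>
      </security-role>
      <security-role name="auditor">
        <user name="bob"/>
      </security-role>
    </application-bnd>
  </application>

  <httpEndpoint id="defaultHttpEndpoint" host="localhost" httpPort="9080" httpsPort="9443"/>
</server>
```

With this configuration, alice is granted the developer role through group membership and bob the auditor role directly; a user such as bob requesting a URL constrained to the developer role is authenticated but receives a 403 response. Passwords in server.xml can be obfuscated with the securityUtility encode command shipped in wlp/bin (the {xor} form); this is obfuscation rather than encryption, so file permissions on server.xml still matter.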
SSL provides transport level security. See Enabling SSL communication for the Liberty profile for detailed tasks.
SSO enables access to applications without the user being prompted to log in multiple times. See Concept of SSO for more details and Customizing SSO configuration using LTPA cookies for the Liberty profile for the detailed task.
There are many configuration properties that you can configure as part of web security, such as SSO and client certificate authentication, for your applications. See Liberty profile: Configuration elements in the server.xml file for available attributes and see Configuring web security related properties for the Liberty profile for some examples.
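The SSL, SSO and web security properties described in the preceding paragraphs can be set together in server.xml. The following is an added example, not configuration from the original page or from IBM: the element and attribute names are real Liberty configuration, while the passwords, domain name and keystore paths are constructed values.

```xml
<server description="Added example: SSL, LTPA single sign-on and web security properties (constructed values)">
  <featureManager>
    <feature>servlet-3.0</feature>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- Transport security. Given only an id and password for defaultKeyStore, the server
       generates a self-signed certificate in resources/security/key.jks on first start;
       replace it with a CA-signed certificate before exposing the HTTPS port beyond a
       test environment. -->
  <keyStore id="defaultKeyStore" password="keystorePassword"/>
  <keyStore id="defaultTrustStore"
            location="${server.config.dir}/resources/security/trust.jks"
            password="trustPassword"/>

  <!-- clientAuthenticationSupported lets a client present a certificate without making
       it mandatory, which is what CLIENT-CERT login in web.xml needs; the client CA must
       be present in the trust store. -->
  <ssl id="defaultSSLConfig"
       keyStoreRef="defaultKeyStore"
       trustStoreRef="defaultTrustStore"
       clientAuthenticationSupported="true"/>

  <httpEndpoint id="defaultHttpEndpoint" host="*" httpPort="9080" httpsPort="9443"/>

  <!-- SSO. The LTPA token carried in the LtpaToken2 cookie is signed and encrypted with
       these keys; every server that should accept the same cookie must share the same
       ltpa.keys file and password. expiration is in minutes. -->
  <ltpa keysFileName="${server.config.dir}/resources/security/ltpa.keys"
        keysPassword="ltpaKeysPassword"
        expiration="120"/>

  <!-- Web security properties: send the SSO cookie only over HTTPS, scope it to one
       domain, and keep it out of reach of page scripts. -->
  <webAppSecurity ssoRequiresSSL="true"
                  ssoDomainNames="example.com"
                  httpOnlyCookies="true"/>

  <basicRegistry id="basic" realm="ExampleRealm">
    <user name="alice" password="alicePassword"/>
  </basicRegistry>
</server>
```

The practical check after applying this is that the LtpaToken2 cookie set on login carries the Secure and HttpOnly attributes and that a request over plain HTTP on port 9080 does not receive one. Because the LTPA keys alone let any server mint accepted tokens, treat ltpa.keys with the same care as a private key and rotate it along with the password when a server is decommissioned.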
The Liberty profile contains public APIs that you can use to implement security functions. The security public APIs in the Liberty profile are a subset of the full profile security public APIs. The main classes are WSSecurityHelper, WSSubject, and RegistryHelper. These classes contain a subset of the methods that are available in the full profile versions. There is also a new class WebSecurityHelper. See Liberty profile: Security public APIs.
The Java API documentation for each Liberty profile API is detailed in the Programming Interfaces (APIs) section of the information center, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.
See Developing extensions to the Liberty profile security infrastructure for some examples.
Management security means that you can manage the Liberty profile by using a remote JMX client. To secure remote connections using the REST connector, see Connecting to the Liberty profile by using JMX. You can also develop your own JMX client application as described in Developing a JMX Java client for the Liberty profile.
Authentication data aliases provide the security support for database connectivity. See Configuring authentication aliases for the Liberty profile.
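One way the alias is wired to a data source, as an added example that is not from the original page or from IBM: authData, dataSource and containerAuthDataRef are real Liberty configuration, while the driver JAR name, host name, database name and credentials are constructed values, and the password is an obviously labelled placeholder for a securityUtility-encoded value.

```xml
<server description="Added example: authentication alias for a data source (constructed values)">
  <featureManager>
    <feature>jdbc-4.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>

  <!-- The alias holds the database credentials once, in server.xml rather than in
       application code or in each deployment descriptor. -->
  <authData id="dbAuth" user="app_user" password="{xor}PLACEHOLDER-ENCODED-PASSWORD"/>

  <library id="jdbcLib">
    <fileset dir="${server.config.dir}/lib" includes="example-jdbc-driver.jar"/>
  </library>
  <jdbcDriver id="exampleDriver" libraryRef="jdbcLib"/>

  <!-- containerAuthDataRef applies to container-managed connections (res-auth=Container),
       so the application never sees the database password. -->
  <dataSource id="exampleDS" jndiName="jdbc/exampleDS"
              jdbcDriverRef="exampleDriver"
              containerAuthDataRef="dbAuth">
    <properties serverName="db.example.internal" portNumber="5432" databaseName="appdb"/>
  </dataSource>
</server>
```

The database account named in the alias should be granted only the privileges the application needs; the alias makes rotation a one-line change in server.xml rather than a redeployment.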
There are several security configuration examples on the wasdev.net website for reference when configuring security for your applications on the Liberty profile.
You can learn about the main differences in the security capability between the full profile and the Liberty profile. See Configuration differences between the full profile and Liberty profile: security.
After you select the LDAP User Registry item to add to the server configuration, the LDAP User Registry Details panel displays a list of the supported LDAP server types. If you select a supported LDAP server type, the LDAP filters associated with that server type are automatically pre-populated.
Alternatively, you can add an LDAP filter element to the server configuration. You must specify an ID for that filter configuration so that the LDAP User Registry configuration can reference it. If you configure the LDAP filters in this way, select the reference ID on the LDAP User Registry Details panel (use the Browse button under the respective LDAP filter type).
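The resulting server.xml, written by hand rather than through the tools, looks like the following. This is an added example and not from the original page or from IBM: ldapRegistry, activedLdapFilterProperties and the *FilterRef attributes are real Liberty configuration, and the filter strings are the usual Active Directory defaults, while the host name, base DN, bind DN, trust store path and passwords are constructed values.

```xml
<server description="Added example: LDAP registry with a referenced filter element (constructed values)">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ldapRegistry-3.0</feature>
    <feature>ssl-1.0</feature>
  </featureManager>

  <!-- Trust store holding the CA certificate of the LDAP server. LDAP over TLS keeps
       the bind password and user passwords off the wire. -->
  <keyStore id="ldapTrustStore"
            location="${server.config.dir}/resources/security/ldapTrust.jks"
            password="trustPassword"/>
  <ssl id="ldapSSLConfig" keyStoreRef="ldapTrustStore" trustStoreRef="ldapTrustStore"/>

  <!-- The filters are declared once and referenced by id. The & in an LDAP filter must
       be written as &amp; inside an XML attribute, or server.xml fails to parse. -->
  <activedLdapFilterProperties id="adFilters"
      userFilter="(&amp;(sAMAccountName=%v)(objectcategory=user))"
      groupFilter="(&amp;(cn=%v)(objectcategory=group))"
      userIdMap="user:sAMAccountName"
      groupIdMap="*:cn"
      groupMemberIdMap="memberOf:member"/>

  <!-- activedFilterRef is the reference ID selected on the LDAP User Registry Details
       panel; the other server types use idsFilterRef, customFilterRef and so on. -->
  <ldapRegistry id="ldap" realm="ExampleADRealm"
      host="ad.example.internal" port="636"
      sslEnabled="true" sslRef="ldapSSLConfig"
      ldapType="Microsoft Active Directory"
      baseDN="dc=example,dc=internal"
      bindDN="cn=liberty-bind,ou=service,dc=example,dc=internal"
      bindPassword="{xor}PLACEHOLDER-ENCODED-PASSWORD"
      ignoreCase="true"
      activedFilterRef="adFilters"/>
</server>
```

The bind account only needs read access to the user and group subtrees, so give it nothing more. The %v placeholder is substituted with the login name at authentication time; keeping the filter anchored on a single attribute (sAMAccountName here) avoids ambiguous matches when two entries share a display name.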
If you are using Eclipse-based developer tools to configure LDAP, verify the configuration saved against the samples in wlp/templates/config/ldapRegistry.xml.
For more information, see Configuring LDAP user registries with the Liberty profile.
Use the troubleshooting information to solve security-related problems when you use the Liberty profile. See Troubleshooting security and Troubleshooting LDAP.