Authorization for an application verifies whether a user or group belongs to a specified role, and whether that role has the privilege to access a resource.
The Liberty profile server extracts user and group membership information from a user registry, then checks the authorization configuration of the application to determine whether the user or group is assigned to one of the required roles. The server then reads the deployment descriptor of the application to determine whether that role has the privilege to access the requested resource.
When using System Authorization Facility (SAF) authorization, roles are mapped to EJBROLE resource profiles using the SAF role mapper. The server queries SAF to determine whether the user has the required READ access to the EJBROLE resource profile.
To use the default authorization configuration, enable the appSecurity-2.0 feature in server.xml:
<featureManager>
    <feature>appSecurity-2.0</feature>
</featureManager>
To use SAF authorization instead, also enable the zosSecurity-1.0 feature and configure the SAF authorization provider:
<featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>zosSecurity-1.0</feature>
</featureManager>
<safAuthorization id="saf" />
See Authenticating users in the Liberty profile.
If you are using the SAF authorization provider, you must use the SAF registry, and the server must be authorized to use SAF authorized services. See Activating and configuring the SAF registry on z/OS.
Because the role bindings shown below are configured on the application element in server.xml, the application cannot be deployed through the dropins directory; disable dropins monitoring:
<applicationMonitor dropinsEnabled="false" />
A role can be mapped to a user, a group, or a special subject. The two special subjects are EVERYONE and ALL_AUTHENTICATED_USERS. When a role is mapped to the EVERYONE special subject, the resource is effectively unprotected: everyone is allowed access and no credentials are requested. When a role is mapped to the ALL_AUTHENTICATED_USERS special subject, any user who has been authenticated by the application server can access the protected resource, regardless of which users or groups are named elsewhere.
<application type="war" id="myapp" name="myapp" location="${server.config.dir}/apps/myapp.war">
    <application-bnd>
        <security-role name="user">
            <group name="students" />
        </security-role>
        <security-role name="admin">
            <user name="gjones" />
            <group name="administrators" />
        </security-role>
        <security-role name="AllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS" />
        </security-role>
    </application-bnd>
</application>
In this example, the user role is mapped to the group students, and the admin role is mapped to the user ID gjones and to all users in the group administrators. The AllAuthenticated role is mapped to the special subject ALL_AUTHENTICATED_USERS, meaning that any user has access as long as they present valid credentials for authentication.
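The decision the server makes with this binding can be modelled in a few dozen lines. The following Python is an added example, not Liberty code: it parses a server.xml fragment carrying the application-bnd above, parses a constructed, namespace-free web.xml deployment descriptor (assumed here for illustration) with two security constraints, and combines them the way the text describes: first collect the roles the resource requires, then check whether the caller holds any of them through a user mapping, a group mapping, or a special subject. The constraint semantics are simplified (a constraint with no role-name is treated as unconstrained rather than as deny-all).

```python
"""Model of Liberty role mapping and resource constraints (added example, not IBM code)."""
import xml.etree.ElementTree as ET

EVERYONE = "EVERYONE"
ALL_AUTHENTICATED_USERS = "ALL_AUTHENTICATED_USERS"

# Constructed server.xml fragment carrying the binding from the page.
SERVER_XML = """
<server>
  <application type="war" id="myapp" name="myapp" location="${server.config.dir}/apps/myapp.war">
    <application-bnd>
      <security-role name="user">
        <group name="students" />
      </security-role>
      <security-role name="admin">
        <user name="gjones" />
        <group name="administrators" />
      </security-role>
      <security-role name="AllAuthenticated">
        <special-subject type="ALL_AUTHENTICATED_USERS" />
      </security-role>
    </application-bnd>
  </application>
</server>
"""

# Constructed, simplified web.xml (no XML namespace) for the same application.
WEB_XML = """
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin pages</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>member pages</web-resource-name>
      <url-pattern>/members/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def load_role_bindings(xml_text, app_name):
    """Return {role: {"users": set, "groups": set, "special": set}} for one application."""
    root = ET.fromstring(xml_text)
    bindings = {}
    for app in root.iter("application"):
        if app.get("name") != app_name:
            continue
        for role in app.iter("security-role"):
            entry = {"users": set(), "groups": set(), "special": set()}
            entry["users"].update(u.get("name") for u in role.findall("user"))
            entry["groups"].update(g.get("name") for g in role.findall("group"))
            entry["special"].update(s.get("type") for s in role.findall("special-subject"))
            bindings[role.get("name")] = entry
    return bindings


def is_in_role(bindings, role, user=None, groups=()):
    """Role membership check; user=None models an unauthenticated caller."""
    entry = bindings.get(role)
    if entry is None:
        return False                      # an unmapped role grants nothing
    if EVERYONE in entry["special"]:
        return True                       # no credentials needed at all
    if user is None:
        return False                      # everything below requires authentication
    if ALL_AUTHENTICATED_USERS in entry["special"]:
        return True
    if user in entry["users"]:
        return True
    return any(g in entry["groups"] for g in groups)


def _pattern_matches(pattern, path):
    """Servlet-style matching: exact match, or prefix match for patterns ending in /*."""
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return pattern == path


def required_roles(web_xml_text, path):
    """Union of role-names from every security-constraint whose url-pattern matches path."""
    root = ET.fromstring(web_xml_text)
    roles = set()
    for sc in root.findall("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        if any(_pattern_matches(p, path) for p in patterns):
            roles.update(rn.text.strip() for rn in sc.iter("role-name"))
    return roles


def is_authorized(server_xml, web_xml, app_name, path, user=None, groups=()):
    """Full decision: the caller must hold at least one role the resource requires.
    Simplification: a path matched by no constraint (empty role set) is open."""
    roles = required_roles(web_xml, path)
    if not roles:
        return True
    bindings = load_role_bindings(server_xml, app_name)
    return any(is_in_role(bindings, r, user, groups) for r in roles)


if __name__ == "__main__":
    print(is_authorized(SERVER_XML, WEB_XML, "myapp", "/admin/users", "gjones"))            # True
    print(is_authorized(SERVER_XML, WEB_XML, "myapp", "/admin/users", "alice", ["students"]))  # False
```

Running the check for a group member of students against /members/ shows why ordering matters: the user role is satisfied through the group mapping even though no user element names that person, while the same caller is denied /admin/ because neither the user nor the group mapping of admin covers them.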
With SAF authorization, the same admin role is represented by an EJBROLE profile named from the SAF profile prefix (BBGZDFLT), the application name (myapp), and the role name (admin). The profile is defined with no universal access and the user is then granted READ access to it:
rdef EJBROLE BBGZDFLT.myapp.admin uacc(none)
permit BBGZDFLT.myapp.admin class(EJBROLE) access(read) id(gjones)