Configuration differences between the full profile and Liberty profile: security

The configuration differences in the security capability between the Liberty profile and the full profile indicate the items that you might need to know during application migration.

The Liberty profile security supports only a subset of security features in the full profile. Unless the support is explicitly mentioned in the Liberty profile documentation, you must assume that the support is not available yet.

The following security features are not included in the Liberty profile:
  • Java™ 2 security.
  • Not all public APIs and SPIs are supported. The Java API documentation for each Liberty profile API is detailed in the Programming Interfaces (APIs) section of the information center, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.
  • Horizontal propagation.
  • SecurityAdmin MBean support, therefore methods like clearing the authentication cache are not available.
  • Java Authorization Contract for Container (JACC) support.
  • Java 2 Connector (J2C) principal mapping modules support.
  • Java Authentication SPI (JASPI) support.
  • Multiple security domain support.
  • Security auditing subsystem that is part of the security infrastructure of the server.
  • For z/OS platforms: SAF delegation.
  • For z/OS platforms: SAF authorization is not supported with a user registry that is not on the local operating system.
  • For z/OS platforms: SAF distributed identity mapping.
  • For z/OS platforms: Custom SAF EJBROLE mapper.

In the Liberty profile, you can configure user-to-role mappings and RunAs users in the application-bnd element of the server.xml file. (Fix Pack 8550) For a Run-As entry, the password is optional. In the full profile, you can configure the Run-As entry only in the ibm-application-bnd.xml/xmi file. (Fix Pack 8550) For a Run-As entry, the password is required. See Configuring authorization for applications on the Liberty profile.
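The following server.xml fragment is an added example, not taken from the product documentation. It shows user, group, and special-subject role mappings together with a Run-As entry that omits the password, inside the application-bnd element. The application name, role names, user names, group name, realm, and placeholder passwords are all constructed for illustration.

```xml
<server description="constructed example">
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
  </featureManager>

  <!-- Constructed users and groups; replace the placeholder passwords. -->
  <basicRegistry id="basic" realm="SampleRealm">
    <user name="alice" password="REPLACE_ME"/>
    <user name="batchUser" password="REPLACE_ME"/>
    <group name="auditors">
      <member name="alice"/>
    </group>
  </basicRegistry>

  <application id="sampleApp" name="sampleApp" type="war" location="sampleApp.war">
    <application-bnd>
      <!-- Map a single registry user to a role. -->
      <security-role name="admin">
        <user name="alice"/>
      </security-role>
      <!-- Map a registry group to a role. -->
      <security-role name="auditor">
        <group name="auditors"/>
      </security-role>
      <!-- Grant a role to every authenticated user. -->
      <security-role name="user">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
      <!-- Run-As entry: the password attribute is left out, which the
           Liberty profile permits as described above. -->
      <security-role name="batch">
        <user name="batchUser"/>
        <run-as userid="batchUser"/>
      </security-role>
    </application-bnd>
  </application>
</server>
```

When the same application is moved to the full profile, the Run-As entry belongs in the ibm-application-bnd.xml/xmi file and needs a password.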

In the Liberty profile, role names can be referenced by the HttpServletRequest.isUserInRole and EJBContext.isCallerInRole APIs or by elements in the deployment descriptor without first declaring the role names using the @DeclareRoles annotation or the <security-role/> element in the deployment descriptor. However, roles must be declared before being used in the full profile.




Last updated: Monday, 21 April 2014
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-mp&topic=rwlp_sec_diff
File name: rwlp_sec_diff.html