Security

Liberty profile security features provide protection for web resources in accordance with the Servlet 3.0 specification and EJB resources in accordance with the ejbLite 3.1 specification. The Liberty profile security also provides protection for the JMX connections when using the REST connector.

1. An HTTP client requests a web resource in the WebContainer.

2. The WebContainer delegates the security check to the WebSecurity Collaborator.

3. The WebSecurity Collaborator prompts the user to enter credentials if absent, and uses the Authentication service to authenticate the user.

4. The Authentication service authenticates, creates, and returns the subject if authenticated successfully. Otherwise, the Authentication service reports an exception for the authentication failure.

5. The WebSecurity Collaborator uses the Authorization service to perform a user authorization check.

6. The Authorization service returns the authorization result to the WebSecurity Collaborator.

7. The WebSecurity Collaborator returns the result of the security check about whether the user is authorized.

8. The WebContainer serves or rejects the requested resource.

Quick start

With the quickStartSecurity element, we can configure a single user security environment in the Liberty profile. See Quick overview of security for details of how the security workflow is when we use the quickStartSecurity element, and Get started with security for a sample task.

Authentication

Authentication confirms the identity of a user. The most common form of authentication is user name and password, such as through either basic authentication or form login for web applications. When a user is authenticated, the source of a request is represented as a Subject object at the run time. This process involves performing access control checks when a user accesses a resource, based on the authorization rules configured for the resource. See Authentication for more concepts and Authenticate users for detailed tasks.

Authorization

Authorization determines whether to grant a user access to resources within the system. The Java EE model uses subjects, resources, and roles to determine what can and cannot be allowed. This process involves checking the user credentials such as the user ID and password, certificates, and tokens, and creating a subject based on the authenticated user. See Authorization for more concepts and Authorizing access to resources for detailed tasks.

Secure Socket Layer (SSL)

SSL provides transport level security. See Enable SSL communication for detailed tasks.

Single Sign-On (SSO)

SSO enables access to applications without the user being prompted to login multiple times. See Concept of SSO for more details and Customize SSO configuration using LTPA cookies for the detailed task.

Web security-related properties

There are many configuration properties that we can configure as part of web security, such as SSO and client certificate authentication, for our applications. See Configuration elements in server.xml for available attributes and see Configure web security related properties for some examples.

Security public APIs

The Liberty profile contains public APIs we can leverage to implement security functions. The security public APIs in the Liberty profile are a subset of the full profile security public APIs. The main classes are WSSecurityHelper, WSSubject, and RegistryHelper. These classes contain a subset of the methods available in the full profile versions. There is also a new class WebSecurityHelper. See Security public APIs.

The Java API documentation for each Liberty profile API is detailed in the Programming Interfaces (APIs) section of the information center, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.

See Develop extensions to the Liberty profile security infrastructure for some examples.

Management security

Management security means that we can manage the Liberty profile using a remote JMX client. To secure remote connections using the REST connector, see Access local and JMX REST connectors . We can also develop our own JMX client application as described in Develop a JMX Java client .

Authentication aliases

Authentication data aliases provide the security support for database connectivity. See Configure authentication aliases .

Configuration examples and samples

There are several security configuration examples on the WASdev.net website for reference when configuring security for the applications on the Liberty profile.

Security compatibility and differences

We can learn about the main differences in the security capability between the full profile and the Liberty profile. See Configuration differences between the full profile and Liberty profile: security.

Configure Lightweight Directory Access Protocol (LDAP)

After selecting the LDAP User Registry item to add to the server configuration, the LDAP User Registry Details panel will display a list for the supported LDAP server types. If selected a supported LDAP server type, the LDAP filters associated with the selected LDAP server type will not automatically pre-populated.

Each of the supported LDAP server types has a default set of filters defined. After the LDAP User Registry item and server type has been added, the associated LDAP filters can be configured by selecting the LDAP User Registry configuration and adding the required LDAP filter:

• Active Directory LDAP filters
• Custom LDAP filters
• Domino LDAP filters
• eDirectory LDAP filters
• IBM Directory Server LDAP filters
• iPlanet LDAP filters
• Netscape LDAP filters
• SecureWay LDAP filters

Selecting any of the LDAP filters will display the default values for the filter types:

• user filter
• group filter
• user ID map
• group ID map
• group member ID map

If the default filters are used, server.xml is not updated with any filter information. If any of the filters are changed, only the changed filter types will be updated in the server.xml.

If no reference ID is specified or selected via the Browse button, the default filters associated with selected LDAP server type will be used.

Alternatively, we can add an LDAP filter to the server configuration. An ID must be specified to associate the reference to this particular filter configuration, in order to associate it with the LDAP User Registry configuration. If this method of configuring the LDAP filters is used, the reference ID will then be selected on the LDAP User Registry Details panel (located using the Browse button under the respective LDAP filter type).

If we are using Eclipse-based developer tools to configure LDAP, verify the configuration saved against the samples in wlp/templates/config/ldapRegistry.xml.

See Configure LDAP user registries with the Liberty profile.

Troubleshooting

Use the troubleshooting information to solve security-related problems when we use the Liberty profile. See Troubleshooting security and Troubleshooting LDAP.

Tools

Configure security using the Eclipse-based developer tools for the Liberty profile. See Edit the Liberty profile configuration using developer tools. Specific information about tools and security configuration is available in Configure TAI on the Liberty profile using developer tools and Configure JAAS on the Liberty profile using developer tools.

Subtopics

• Quick overview of security
  
• Authentication
  
• Authorization
  
• Security public APIs
  
• Configuration differences between the full profile and Liberty profile: security
  
• The limits to protection through password encryption
  

Parent topic: WebSphere Application Server Liberty Core: Overview

Tasks:

Secure the Liberty profile and its applications