
Configure RunAs authentication in the Liberty profile

By configuring a RunAs specification for the Liberty profile, we can make an application component perform its downstream calls under a different identity from that of the caller.

By mapping a user identity (and, where required, its password) to a RunAs role, we delegate those calls to the user that holds the RunAs role: the component is still invoked by the authenticated caller, but everything it calls sees the mapped RunAs user instead.

To configure a RunAs role, we must enable the appSecurity-2.0 and servlet-3.0 Liberty features and configure a user registry for the application.

For more information about RunAs authentication, see RunAs() authentication.

To configure RunAs authentication:

  1. Enable the appSecurity-2.0 and servlet-3.0 Liberty features in server.xml.

  2. Configure a user registry for the application.

  3. Specify the <run-as> element in the deployment descriptor of the application.

    The following web.xml example specifies that subsequent calls made by RunAsServlet run under the identity of the user that is mapped to the Employee role:

         <servlet id="Servlet_1">
              <servlet-name>RunAsServlet</servlet-name>
              <display-name>RunAsServlet</display-name>
              <description>RunAsServlet</description>
              <servlet-class>web.RunAsServlet</servlet-class> 
              <run-as>
                   <role-name>Employee</role-name> 
              </run-as>
          </servlet>   

  4. Map the role that you specified in the previous step to a user. We can do this either in the ibm-application-bnd.xmi/xml file or in server.xml. The <run-as> element must specify a user name. If we use the ibm-application-bnd.xml file, the password is also required; if we use server.xml, the password is optional. Where a password is given, encode it with the securityUtility encode command in the /bin directory of the Liberty profile. Note that the default {xor} encoding is reversible obfuscation (each byte is XORed with the character '_' and the result is Base64 encoded), not encryption: the encoded value in the following example decodes to the string password, so the file permissions on server.xml are what actually protect the credential (see The limits to protection through password encryption). For more information about the securityUtility command, see securityUtility command.

    The following example uses the <run-as> element within the <application-bnd> element of server.xml, where the Employee role has been mapped to the RunAs user of user5:

         <application-bnd>
              <security-role name="Employee">
                   <user name="user1" />
                   <user name="user5" />
                   <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
              </security-role>
         </application-bnd>  

    • Because the password is optional in server.xml, we can also omit it and specify only the RunAs user:
          <application-bnd>
                <security-role name="Employee">
                     <user name="user1" />
                     <user name="user5" />
                     <run-as userid="user5" />
                 </security-role>
           </application-bnd>  

    • If we specify the <application-bnd> element in server.xml, the application must not be in the dropins folder, because applications in dropins are configured entirely from the archive and the binding in server.xml is ignored. If we leave the application in the dropins folder, we must disable application monitoring by setting the following in server.xml:

    For more information about the run-as element, see Configuration elements in server.xml.
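    The following complete server.xml ties steps 1 to 4 together. It is an added illustration, not configuration taken from this page or from IBM's samples: the application id, name and location, the basicRegistry realm and the password of user1 are assumed values, and the applicationMonitor element (the Liberty configuration element that controls dropins monitoring) is included as an assumption because the page does not show the setting it refers to. The Employee role is the one declared by the <run-as> element in the web.xml shown in step 3; the web.xml must also declare it in a <security-role> element.

```xml
<server description="RunAs example (added illustration, not from the page)">

    <!-- Step 1: features required for RunAs mapping in server.xml -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 2: a user registry. The realm name and user1's clear-text
         password are constructed for this example. user5's password is the
         {xor}-encoded value from the page, which decodes to "password". -->
    <basicRegistry id="basic" realm="RunAsRealm">
        <user name="user1" password="user1pw" />
        <user name="user5" password="{xor}Lz4sLCgwLTs=" />
    </basicRegistry>

    <!-- Step 4: bind the Employee role declared in web.xml to users and pick
         the RunAs identity. An explicit application element is required
         because application-bnd in server.xml does not apply to dropins
         applications. id, name and location are assumed values. -->
    <application id="RunAsApp" name="RunAsApp" type="war"
                 location="${server.config.dir}/apps/RunAsApp.war">
        <application-bnd>
            <security-role name="Employee">
                <user name="user1" />
                <user name="user5" />
                <!-- The RunAs password must match the registry entry for user5.
                     It may be omitted in server.xml, but not in
                     ibm-application-bnd.xml. -->
                <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
            </security-role>
        </application-bnd>
    </application>

    <!-- Assumed setting (not shown on this page): switch off dropins
         monitoring so that an archive left in dropins is not deployed a
         second time without the binding above. -->
    <applicationMonitor dropinsEnabled="false" />

</server>
```

    With this configuration, a request that reaches RunAsServlet is authenticated against RunAsRealm as the caller (for example user1), but any protected EJB or servlet that RunAsServlet invokes sees user5. Because the encoded password in server.xml is recoverable by anyone who can read the file, restrict read access to server.xml to the user that runs the server.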


Parent topic: Authenticate users

Concepts:

  • Authentication
  • The limits to protection through password encryption