Secure an application endpoint
We can secure the feature's application endpoint by performing the following steps:
- In the .mf file of the feature, add the com.ibm.wsspi.appserver.webBundleSecurity-1.0 feature to the Subsystem-Content: header. This addition causes any protected servlets (as specified in the feature bundle's WEB-INF/web.xml file) to require authentication, and enables role-based authorization. We can also assign users, groups, and special subjects to any roles defined in the WEB-INF/web.xml file.
Subsystem-Content: my.user.feature.bundle; version="[1,1.0.100)", com.ibm.wsspi.appserver.webBundleSecurity-1.0; type="osgi.subsystem.feature"
- To map roles to users, groups, and special subjects, complete the following steps:
- Add the IBM-Authorization-Roles header to the OSGi bundle's MANIFEST.MF file. The header must specify a name which is the id of a role mapping we specify in server.xml.
IBM-Authorization-Roles: my.feature.role.map
- In server.xml, add an authorization-roles element to map the role names to users and groups. The id attribute of the authorization-roles element must have the same value as the IBM-Authorization-Roles header in the MANIFEST.MF file. Add a <security-role> subelement for each role to which users and groups are assigned.
    <authorization-roles id="my.feature.role.map">
        <security-role name="employee">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
        <security-role name="manager">
            <user name="bob"/>
            <user name="mary"/>
            <group name="managers"/>
        </security-role>
    </authorization-roles>
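The steps above only work if three files agree: the bundle's MANIFEST.MF, its WEB-INF/web.xml, and server.xml. The following check is an added example, not IBM's code. It assumes the three files are available as text, uses constructed sample content, and its function names are hypothetical. It reports a missing or mismatched role map id, roles declared in web.xml that have no mapping, and roles granted to a special subject.

```python
import xml.etree.ElementTree as ET
# Constructed sample inputs modelled on the page's example (not real project files).
MANIFEST_MF = "Bundle-SymbolicName: my.user.feature.bundle\nIBM-Authorization-Roles: my.feature.\n role.map\n"
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-role><role-name>employee</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""
SERVER_XML = """<server>
  <authorization-roles id="my.feature.role.map">
    <security-role name="employee"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
    <security-role name="manager"><user name="bob"/><group name="managers"/></security-role>
  </authorization-roles>
</server>"""

def parse_manifest(text):
    """Parse manifest headers; a line starting with one space continues the previous header."""
    headers, key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and key:
            headers[key] += line[1:]
        elif ":" in line:
            key, value = line.split(":", 1)
            headers[key] = value.strip()
    return headers

def declared_roles(web_xml):
    """Role names from <security-role><role-name> in web.xml, ignoring the XML namespace."""
    local = lambda tag: tag.rsplit("}", 1)[-1]
    return {rn.text.strip() for sr in ET.fromstring(web_xml).iter() if local(sr.tag) == "security-role"
            for rn in sr if local(rn.tag) == "role-name"}

def check_role_mapping(manifest, web_xml, server_xml):
    map_id = parse_manifest(manifest).get("IBM-Authorization-Roles")
    if not map_id:
        return ["bundle manifest has no IBM-Authorization-Roles header"]
    mapping = next((e for e in ET.fromstring(server_xml).iter("authorization-roles")
                    if e.get("id") == map_id), None)
    if mapping is None:
        return [f'no <authorization-roles id="{map_id}"> in server.xml']
    mapped = {r.get("name"): r for r in mapping.findall("security-role")}
    findings = [f"role '{n}' declared in web.xml has no mapping"
                for n in sorted(declared_roles(web_xml) - set(mapped))]
    for name, role in sorted(mapped.items()):  # surface broad grants for review
        findings += [f"role '{name}' granted to special subject {s.get('type')}"
                     for s in role.findall("special-subject")]
    return findings

if __name__ == "__main__":
    print("\n".join(check_role_mapping(MANIFEST_MF, WEB_XML, SERVER_XML)))
```

In the sample, the constructed auditor role is reported as unmapped and the employee role is listed as granted to ALL_AUTHENTICATED_USERS.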