Get started with security in Liberty

We can use the <quickStartSecurity> element to quickly enable a simple (one user) security setup for Liberty.

Configuration actions within Liberty are dynamic, which means the configuration updates take effect without having to restart the server.


Steps

  1. Create and start the server.

  2. Edit...

      /path/to/wlp/usr/servers/myNewServer/server.xml

    ...and include the appSecurity-2.0 and servlet-3.0 features...

      <featureManager>
           <feature>appSecurity-2.0</feature>
           <feature>servlet-3.0</feature>
      </featureManager>

  3. Define the user name and password to be granted the Administrator role for server management activities, using the <quickStartSecurity> element in server.xml.

  4. Configure the deployment descriptor with relevant security constraints to protect web resources.

    For example, use the <auth-constraint> and <role-name> elements to define a role that can access web resources.

    The following example web.xml file shows that access to all the URIs in the application is protected by the testing role.

      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
            "http://java.sun.com/dtd/web-app_2_3.dtd">
      
      <web-app id="myWebApp">
      
       <!-- SERVLET DEFINITIONS -->
       <servlet id="Default">
          <servlet-name>myWebApp</servlet-name>
          <servlet-class>com.web.app.MyWebAppServlet</servlet-class>
          <load-on-startup/>
       </servlet>
      
       <!-- SERVLET MAPPINGS -->        
       <servlet-mapping id="ServletMapping_Default">
          <servlet-name>myWebApp</servlet-name>
          <url-pattern>/*</url-pattern>
       </servlet-mapping>
      
       <!-- SECURITY ROLES -->
       <security-role>
          <role-name>testing</role-name>
       </security-role>
      
       <!-- SECURITY CONSTRAINTS -->
       <security-constraint>
          <web-resource-collection>
            <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
            <role-name>testing</role-name>
          </auth-constraint>
       </security-constraint>
      
       <!-- AUTHENTICATION METHOD: Basic authentication -->
       <login-config>
          <auth-method>BASIC</auth-method>
       </login-config> 
      
      </web-app>

  5. Configure the application in server.xml.

    In the following example, the user Bob is mapped to the testing role of the application:

       
      <application
          type="war"
          id="myWebApp"
          name="myWebApp"
          location="${server.config.dir}/apps/myWebApp.war">

          <application-bnd>
              <security-role name="testing">
                  <user name="Bob" />
              </security-role>
          </application-bnd>

      </application>

  6. Access the application and log in with the user name Bob.

    The default URL for the myWebApp application is http://localhost:9080/myWebApp
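
Steps 2, 3 and 5 combined into one server.xml, as an added example that is not part of the original page. The password value is a constructed placeholder: replace it with the output of Liberty's `securityUtility encode` command so that no clear-text password is stored in the file. The description text is also constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: constructed server.xml for the myNewServer server used in the steps above -->
<server description="myNewServer (constructed example)">

    <!-- Step 2: enable application security and the servlet container -->
    <featureManager>
        <feature>appSecurity-2.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 3: single-user registry. This one user is also granted the
         Administrator role for server management activities.
         userPassword is a placeholder, not a working value: generate the real
         value with the securityUtility encode command in wlp/bin and paste it here. -->
    <quickStartSecurity
        userName="Bob"
        userPassword="REPLACE_WITH_ENCODED_PASSWORD" />

    <!-- Step 5: deploy the application and bind the "testing" role, declared in
         web.xml (step 4), to the user defined by quickStartSecurity above.
         The user name here must match userName exactly, otherwise Bob can
         authenticate but is not authorized for the protected URIs. -->
    <application
        type="war"
        id="myWebApp"
        name="myWebApp"
        location="${server.config.dir}/apps/myWebApp.war">

        <application-bnd>
            <security-role name="testing">
                <user name="Bob" />
            </security-role>
        </application-bnd>

    </application>

</server>
```

Because configuration updates are dynamic, saving this file applies the user definition and the role binding without a server restart.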

You have now secured the application.


See also: Example: Use BasicRegistry and role mapping on Liberty

