Configure RunAs authentication in Liberty
We can delegate authentication to another identity by configuring the RunAs specification for Liberty.
By mapping a specified user identity and optional password to a RunAs role, we can delegate the authentication process to a user that has the RunAs role.
We must enable the appSecurity-2.0 and servlet-3.0 Liberty features and have a user registry for the application to configure the RunAs role.
To configure RunAs authentication, complete the following steps:
- Enable the appSecurity-2.0 and servlet-3.0 Liberty features in the server.xml file.
- Configure a user registry for the application.
- Specify the <run-as> element in the deployment descriptor of the application.
The following web.xml example specifies that subsequent calls are delegated to the user that is mapped to the Employee role:
<servlet id="Servlet_1">
  <servlet-name>RunAsServlet</servlet-name>
  <display-name>RunAsServlet</display-name>
  <description>RunAsServlet</description>
  <servlet-class>web.RunAsServlet</servlet-class>
  <run-as>
    <role-name>Employee</role-name>
  </run-as>
</servlet>
- Map the role that you specified in the previous step to a user. We can do this either in the ibm-application-bnd.xmi/xml file or in the server.xml file. In the <run-as> element, we must specify a user name. If we are using the ibm-application-bnd.xml file, the password is also required; if we are using the server.xml file, the password is optional. If a password is required, encode it by using the securityUtility encode command in the /bin directory. For more information about the securityUtility command, see securityUtility command.
The following example uses the <run-as> element within the <application-bnd> element of the server.xml file, where the Employee role has been mapped to the RunAs user of user5:
<application-bnd>
  <security-role name="Employee">
    <user name="user1" />
    <user name="user5" />
    <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
  </security-role>
</application-bnd>
Note:
- Because the password is optional in the server.xml file, we can also use the following code for a user without a password:
<application-bnd>
  <security-role name="Employee">
    <user name="user1" />
    <user name="user5" />
    <run-as userid="user5" />
  </security-role>
</application-bnd>
- If we specify the <application-bnd> element in the server.xml file, the application must not be in the dropins folder. If we leave the application in the dropins folder, then we must disable application monitoring by setting the following in the server.xml file:
<applicationMonitor dropinsEnabled="false" />
The RunAs user name must be unique and must not exist in external accounts. For example, if we authenticate users to a SAML identity provider or an OpenID Connect provider, make sure that the RunAs user name does not exist in those external accounts.
For more information about the run-as element, see Java Servlets 3.0.
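Putting the steps above together, here is an added sample server.xml (not taken from the Liberty documentation; the application name and location, the realm name and user1's password are assumed sample values, while user5's encoded password is the one from the example above):

```xml
<!-- Sample server.xml for RunAs delegation (constructed example) -->
<server description="RunAs delegation example">

  <!-- Step 1: both features are required before a RunAs role can be configured -->
  <featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>servlet-3.0</feature>
  </featureManager>

  <!-- Step 2: a user registry. The RunAs identity (user5) is defined here so that
       Liberty can authenticate the delegated identity against the registry.
       Realm name and user1's password are constructed sample values; replace
       them with your own securityUtility-encoded values. -->
  <basicRegistry id="basic" realm="BasicRealm">
    <user name="user1" password="user1-sample-password" />
    <user name="user5" password="{xor}Lz4sLCgwLTs=" />
  </basicRegistry>

  <!-- Step 3 lives in the application's web.xml:
       <run-as><role-name>Employee</role-name></run-as>
       Step 4: bind the Employee role and its RunAs user. Because the
       <application-bnd> element is in server.xml, the WAR is deployed from an
       explicit location (assumed path) rather than from the dropins folder. -->
  <application id="runasapp" name="runasapp" type="war"
               location="${server.config.dir}/apps/runasapp.war">
    <application-bnd>
      <security-role name="Employee">
        <user name="user1" />
        <user name="user5" />
        <!-- password is optional in server.xml; when given, use the
             securityUtility encode output rather than the clear-text value -->
        <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
      </security-role>
    </application-bnd>
  </application>

  <!-- Only needed if the application is left in the dropins folder instead -->
  <!-- <applicationMonitor dropinsEnabled="false" /> -->
</server>
```

A quick check after deployment: a request to RunAsServlet that reaches a downstream protected resource should be authorized as user5, not as the caller, and user5 should never be an account that also exists in an external SAML or OpenID Connect provider.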
- Configure RunAs authentication via SAF resource profiles, which is specific to z/OS users.
- Enable RunAs delegation via SAF.
<safAuthorization enableDelegation="true" />
- Assign the RunAs user identity to the application resource and role. This is done by setting the RunAs user identity in the APPLDATA field of the corresponding SAF resource profile. By default, the corresponding SAF resource profile for a given application and role is named {profilePrefix}.{appName}.{roleName} in the EJBROLE SAF class.
This is the same resource profile used by Liberty SAF Authorization for authorizing users to the application and role. The name of the profile is governed by the safRoleMapper configuration. For more information about mapping application and role names to SAF profile names, see Control how roles are mapped to SAF Profiles. Here are some example RACF commands for assigning user5 as the RunAs user for the application myapp and the role of Employee:
RDEFINE EJBROLE BBGZDFLT.myapp.Employee UACC(READ)
RALTER EJBROLE BBGZDFLT.myapp.Employee APPLDATA('user5')
SETROPTS GENERIC(EJBROLE) REFRESH
SETROPTS RACLIST(EJBROLE) REFRESH