
Get started with security in the Liberty profile


We can use the quickStartSecurity element to quickly enable a simple (one user) security setup for the Liberty profile.

This topic describes the basic steps required to set up a secured Liberty profile server and web application. Additionally, configuration actions within the Liberty profile are dynamic, which means the configuration updates take effect without having to restart the server.

  1. Create and start your server.

      server create MyNewServer
      server start MyNewServer

    Edit...

      wlp\usr\servers\MyNewServer\server.xml

    ...and set the appSecurity-1.0 feature...

      <featureManager>
          <feature>appSecurity-1.0</feature>
      </featureManager>

  2. Define the user name and password to be granted the Administrator role for server management activities.

    Choose a user name and password that are meaningful to you. Never use the user name and password from the example for your applications.

  3. Configure the deployment descriptor with the relevant security constraints to protect the web resource.

    To define a role that can access the web resource, use...

      <auth-constraint>
      <role-name>

    The following example web.xml file shows that access to all the URIs in the application is protected by the testing role.

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
                             "http://java.sun.com/dtd/web-app_2_3.dtd">
    <web-app id="myWebApp">

      <!-- SERVLET DEFINITIONS -->
      <servlet id="Default">
        <servlet-name>myWebApp</servlet-name>
        <servlet-class>com.web.app.MyWebAppServlet</servlet-class>
        <load-on-startup/>
      </servlet>

      <!-- SERVLET MAPPINGS -->
      <servlet-mapping id="ServletMapping_Default">
        <servlet-name>myWebApp</servlet-name>
        <url-pattern>/*</url-pattern>
      </servlet-mapping>

      <!-- SECURITY ROLES -->
      <security-role>
        <role-name>testing</role-name>
      </security-role>

      <!-- SECURITY CONSTRAINTS -->
      <security-constraint>
        <web-resource-collection>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
          <role-name>testing</role-name>
        </auth-constraint>
      </security-constraint>

      <!-- AUTHENTICATION METHOD: Basic authentication -->
      <login-config>
        <auth-method>BASIC</auth-method>
      </login-config>

    </web-app>

  4. Configure the application in server.xml.

    In the following example, the user Bob is mapped to the testing role of the application:

      <application type="war" id="myWebApp" name="myWebApp"
                   location="${server.config.dir}/apps/myWebApp.war">
          <application-bnd>
              <security-role name="testing">
                  <user name="Bob" />
              </security-role>
          </application-bnd>
      </application>

  5. Access the application and log in with the user name Bob. The default URL for the myWebApp application is http://localhost:9080/myWebApp

Results

You have now secured the application.
