WAS v8.5 > Secure applications > Secure the Liberty profile and its applications > Authenticate users in the Liberty profile

Configuring RunAs authentication in the Liberty profile

We can delegate to another identity during authentication by configuring a RunAs specification for the Liberty profile. By mapping a specified user identity (and optionally a password) to a RunAs role, we can delegate the authentication process to a user with the RunAs role. To configure the RunAs role, you must enable the appSecurity-1.0 Liberty feature and have a user registry for the application.

See RunAs() authentication for a description of how RunAs authentication works.

  1. Enable the appSecurity-1.0 Liberty feature in server.xml.
  2. Configure a user registry for the application.

  3. Specify the run-as element in the deployment descriptor of the application.

    Here is an example of a web.xml that specifies that subsequent calls are delegated to the user mapped to the Employee role:

         <servlet>
              <servlet-name>RunAsServlet</servlet-name>
              <display-name>RunAsServlet</display-name>
              <description>RunAsServlet</description>
              <servlet-class>web.RunAsServlet</servlet-class>
              <run-as>
                   <role-name>Employee</role-name>
              </run-as>
         </servlet>
  4. Map this role to a user. We can do this either in the ibm-application-bnd.xmi/xml file or in server.xml. In the run-as element, specify a user name. If we are using the ibm-application-bnd.xml file, the password is also required; if we are using server.xml, the password is optional. If the password is present, IBM recommends that it be encoded, for example with the securityUtility encode command in the /bin directory of the Liberty profile.

    Here is an example of using the run-as element within the application-bnd element in server.xml, where the Employee role has been mapped to the RunAs user user5:

         <application-bnd>
              <security-role name="Employee">
                   <user name="user1" />
                   <user name="user5" />
                   <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
              </security-role>
         </application-bnd>

    • Because the password is optional in server.xml, we can also use the following configuration for a user without a password:

          <application-bnd>
               <security-role name="Employee">
                    <user name="user1" />
                    <user name="user5" />
                    <run-as userid="user5" />
               </security-role>
          </application-bnd>

    • If we specify the application-bnd element in server.xml, the application must not be in the dropins folder. If we leave it in the dropins folder, then you must disable application monitoring by setting the following in your server.xml file:

    For more information about the run-as element, see Liberty profile: Configuration elements in server.xml.
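    The following complete server.xml ties steps 1, 2 and 4 together in one file. It is an added example written for this page, not configuration shipped by IBM or taken from the Liberty documentation: the basicRegistry realm name, the application name and location, the servlet-3.0 feature and the user1 password value are assumptions chosen for illustration (the user5 password value is the encoded sample from the page above).

```xml
<server description="RunAs example (added illustration, not IBM configuration)">

    <!-- Step 1: appSecurity-1.0 is required for RunAs; servlet-3.0 is assumed here
         because the sample application is a servlet. -->
    <featureManager>
        <feature>appSecurity-1.0</feature>
        <feature>servlet-3.0</feature>
    </featureManager>

    <!-- Step 2: a user registry for the application. The realm name and the
         user1 password ({xor}LDo8LTor) are constructed sample values;
         {xor}Lz4sLCgwLTs= is the encoded sample password from the page. -->
    <basicRegistry id="basic" realm="SampleRealm">
        <user name="user1" password="{xor}LDo8LTor" />
        <user name="user5" password="{xor}Lz4sLCgwLTs=" />
    </basicRegistry>

    <!-- Step 4: role-to-user mapping in server.xml. Because application-bnd is
         declared here, the WAR is deployed through an explicit application
         element and not placed in the dropins folder. Name and location are assumed. -->
    <application id="RunAsApp" name="RunAsApp" type="war" location="RunAsApp.war">
        <application-bnd>
            <security-role name="Employee">
                <user name="user1" />
                <user name="user5" />
                <!-- Calls from servlets whose web.xml run-as names the Employee role
                     (step 3) are made as user5. The password attribute may be omitted
                     in server.xml, as the page notes. -->
                <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
            </security-role>
        </application-bnd>
    </application>

</server>
```

    Two points worth keeping in mind when using this pattern: the {xor} form produced by securityUtility encode is an obfuscation, not encryption, so server.xml and any ibm-application-bnd.xml that carry a run-as password should be protected with file permissions as carefully as the registry itself; and the RunAs identity applies to every call the servlet makes after authentication, so the user chosen for run-as should hold no more authority than the servlet's work actually requires.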


Parent topic: Authenticate users in the Liberty profile


Related concepts:

Liberty profile: Authentication

