
Add users and groups to roles using an assembly tool

After creating new roles and assigning them to enterprise bean and web resources, use this task to add users and groups to roles with an assembly tool.

Before performing this task, we must have already completed the steps in Secure web applications using an assembly tool and Secure enterprise bean applications, where we created new roles and assigned those roles to enterprise bean and web resources. Complete these steps during application installation, because the environment user registry under which the application is running is not known until deployment.

If we already know the environment in which the application is running and the user registry used, we can use an assembly tool to assign users and groups to roles. Using the administrative console to assign users and groups to roles is recommended.

(ZOS) The following information applies to authorization using WebSphere Application Server bindings. If we create WAS bindings, but specify System Authorization Facility (SAF) authorization, the WAS bindings are ignored. If SAF authorization is to be used, create a SAF EJBROLE profile for each Java EE role in the application, and permit users and groups to that role. Refer to System Authorization Facility for role-based authorization for reference.

This procedure might not match the steps required by the assembly tool, or the version of the assembly tool, that we are using. We should follow the instructions for the tool and version that we are using.

To add users and groups to roles using an assembly tool, follow these steps:


Tasks

  1. In the Project Explorer view of an assembly tool, right-click an enterprise application project, or Enterprise Archive (EAR) file, and click Open With > Deployment Descriptor Editor. An application deployment descriptor editor opens on the EAR file. To access information about the editor, press F1 and click Application deployment descriptor editor.

  2. Click the Security tab and, under the main panel, click Add.

  3. In the Add Security Role wizard, name and describe the security role. Click Finish.

  4. Under WebSphere Bindings, select the user or group extension properties for the security role. Available values include: Everyone, All authenticated users, and Users/Groups.

  5. If we selected Users/Groups, click Add next to the Users or Groups pane. In the wizard that opens, specify a user or group name and click Finish. Repeat this step until we have added all the users and groups to which the security role applies.

  6. Close the application deployment descriptor editor and, when prompted, click Yes to save the changes.

The ibm-application-bnd.xmi or ibm-application-bnd.xml file in the application contains the users and groups-to-roles mapping table, which is the authorization table. For Java EE v5 applications, the ibm-application-bnd.xml file contains the authorization table.
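
To review the authorization table that this procedure writes, the following added example (not part of the original documentation or of any IBM tool) parses a binding file and reports roles bound to Everyone or All authenticated users, plus roles with no subjects mapped. It assumes the Java EE 5 or later ibm-application-bnd.xml layout with security-role, user, group and special-subject elements; the sample descriptor, its role and user names, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; assumes the Java EE 5+ ibm-application-bnd.xml layout.
SAMPLE_BND = """<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="Teller">
    <user name="alice"/><group name="tellers"/>
  </security-role>
  <security-role name="Customer">
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
  </security-role>
  <security-role name="Guest">
    <special-subject type="EVERYONE"/>
  </security-role>
  <security-role name="Auditor"/>
</application-bnd>"""

BROAD_SUBJECTS = {"EVERYONE", "ALL_AUTHENTICATED_USERS"}
KINDS = {"user": "name", "group": "name", "special-subject": "type"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def read_authorization_table(xml_text):
    """Return {role: {'user': [...], 'group': [...], 'special-subject': [...]}}."""
    table = {}
    for role in ET.fromstring(xml_text).iter():
        if local(role.tag) != "security-role":
            continue
        entry = {kind: [] for kind in KINDS}
        for child in role:
            kind = local(child.tag)
            if kind in KINDS:
                entry[kind].append(child.get(KINDS[kind]))
        table[role.get("name")] = entry
    return table

def audit(table):
    """Flag roles open to a broad special subject and roles with no subjects."""
    findings = []
    for role, entry in sorted(table.items()):
        findings += [(role, "bound to " + s)
                     for s in entry["special-subject"] if s in BROAD_SUBJECTS]
        if not any(entry.values()):
            findings.append((role, "no users or groups mapped"))
    return findings

if __name__ == "__main__":
    for role, issue in audit(read_authorization_table(SAMPLE_BND)):
        print(f"{role}: {issue}")
```

Running the same check against the binding file extracted from an EAR before installation shows which roles would be granted to unauthenticated or to all authenticated callers.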

For IBM extension and binding files, the .xmi or .xml file name extension is different depending on whether we are using a pre-Java EE 5 application or module or a Java EE 5 or later application or module. An IBM extension or binding file is named ibm-*-ext.xmi or ibm-*-bnd.xmi where * is the type of extension or binding file such as app, application, ejb-jar, or web. The following conditions apply:

However, a Java EE 5 or later module can exist within an application that includes pre-Java EE 5 files and uses the .xmi file name extension.

The ibm-webservices-ext.xmi, ibm-webservices-bnd.xmi, ibm-webservicesclient-bnd.xmi, ibm-webservicesclient-ext.xmi, and ibm-portlet-ext.xmi files continue to use the .xmi file extensions.


What to do next

After securing an application, install the application using the administrative console.


Related:

  • Web component security
  • Role-based authorization
  • (ZOS) System Authorization Facility for role-based authorization
  • Assemble applications
  • Security: Resources for learning