Custom user registries
A custom user registry is a customer-implemented user registry that implements the UserRegistry Java interface provided by the product. A custom user registry can support virtually any type of accounts repository, such as a relational database or a flat file. It gives considerable flexibility in adapting product security to environments where a user registry other than Lightweight Directory Access Protocol (LDAP) or the local operating system (LocalOS) already exists.
WebSphere Application Server security provides implementations that use various local operating system based registries (OS/400, Windows, AIX, Solaris, Linux) and various LDAP-based registries. However, your user and group data might reside in another repository (a database, for example), and moving that information to LocalOS or LDAP might not be feasible. For these situations, WebSphere Application Server security provides an SPI that you can implement to interact with your existing registry. The SPI is the UserRegistry interface: a set of methods that you must implement so that product security can interact with your registry for all security-related tasks. The LocalOS and LDAP registry implementations that are provided also implement this interface. Custom user registries are sometimes called pluggable user registries, or custom registries for short.
The UserRegistry interface is a collection of methods required to authenticate individual users (using either a password or certificates) and to collect information about the user (privilege attributes) for authorization purposes. It also includes methods that obtain user and group information so that users and groups can be given access to resources. The UserRegistry interface operates on several pieces of information. When implementing the methods in the interface, decide how to map the information manipulated by the UserRegistry interface to the information in your registry. The methods in the UserRegistry interface operate on the following information for users:
User security name
This refers to the user name, which is similar to the user profile name in the OS/400 Local OS user registry. This name is used to log in when prompted by a secured application. By default, the enterprise bean method getCallerPrincipal and the servlet methods getRemoteUser and getUserPrincipal return this name. The user security name is also referred to as userSecurityName, userName, or user name.
Unique ID
This ID is a unique identifier for the user. The UserRegistry interface requires this identifier to be unique. The unique ID is similar to the system ID (SID) in Windows systems, the Unique ID (UID) in UNIX systems, or the distinguished name (DN) in Lightweight Directory Access Protocol (LDAP). It is also referred to as uniqueUserId. The unique ID is used to make authorization decisions for protected resources.
Display name
The display name is a registry-specific string that represents a descriptive (but not necessarily unique) name for a user. If the user does not have a display name, an empty string is returned. For OS/400, the display name is the text description for the user profile.
Group security name
This name represents the security group. It is also referred to as groupSecurityName, groupName, or group name.
Unique ID
The unique ID is the identifier for a group. It is also referred to as uniqueGroupId.
Display name
The display name is an optional string that describes a group.
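The following hypothetical Java class is an added example, not the product's FileRegistrySample and not an implementation of the real UserRegistry interface; its method names mirror the SPI so you can see how in-memory records map onto the pieces of information above: checkPassword authenticates by user security name and returns it as the caller principal, while authorization lookups go through the unique user and group IDs. The record layout, salted-hash storage, null-on-failure convention and the sample users and groups are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.*;
/** Hypothetical registry whose method names mirror the UserRegistry SPI; it does not implement the
 *  product interface, so it compiles stand-alone (Java 16+). All records below are constructed. */
public class FileBackedRegistry {
    private record User(String uniqueId, String displayName, byte[] salt, byte[] hash, List<String> groups) {}
    private final Map<String, User> usersByName = new HashMap<>(); // keyed by user security name
    private final Map<String, String> groupIds = new HashMap<>();  // group security name -> unique group ID
    private final byte[] dummySalt = new byte[16];                 // hashed against when a name is unknown
    // Salted SHA-256 keeps the sample short; a production registry should use PBKDF2, bcrypt or scrypt.
    private static byte[] digest(byte[] salt, String password) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(salt);
        return md.digest(password.getBytes(StandardCharsets.UTF_8));
    }
    void addGroup(String groupSecurityName, String uniqueGroupId) { groupIds.put(groupSecurityName, uniqueGroupId); }
    void addUser(String name, String pw, String uniqueId, String displayName, String... groups) throws NoSuchAlgorithmException {
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt);
        usersByName.put(name, new User(uniqueId, displayName, salt, digest(salt, pw), List.of(groups)));
    }
    /** Authentication: returns the user security name on success, null on failure (the real SPI throws instead; null is this example's simplification). */
    String checkPassword(String userSecurityName, String password) throws NoSuchAlgorithmException {
        User u = usersByName.get(userSecurityName);
        // Hash even for unknown names so response time does not reveal which accounts exist.
        byte[] actual = digest(u == null ? dummySalt : u.salt(), password);
        return u != null && MessageDigest.isEqual(u.hash(), actual) ? userSecurityName : null;
    }
    /** Authorization decisions are made on the unique ID, never on the login name. */
    String getUniqueUserId(String userSecurityName) {
        User u = usersByName.get(userSecurityName);
        return u == null ? null : u.uniqueId();
    }
    List<String> getUniqueGroupIds(String uniqueUserId) {
        List<String> ids = new ArrayList<>();
        for (User u : usersByName.values())
            if (u.uniqueId().equals(uniqueUserId)) for (String g : u.groups()) ids.add(groupIds.get(g));
        return ids;
    }
    public static void main(String[] args) throws NoSuchAlgorithmException {
        FileBackedRegistry r = new FileBackedRegistry();
        r.addGroup("admins", "G1"); r.addGroup("users", "G2");
        r.addUser("bob", "s3cret", "U101", "Bob Builder", "admins", "users");
        String principal = r.checkPassword("bob", "s3cret");   // the name getCallerPrincipal would report
        System.out.println(principal + " " + r.getUniqueUserId(principal) + " " + r.getUniqueGroupIds("U101"));
        System.out.println(r.checkPassword("bob", "wrong") + " " + r.checkPassword("eve", "s3cret"));
    }
}
```

The second println shows that a wrong password and an unknown user are indistinguishable to the caller, which is the behaviour a registry should present at the authentication boundary.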
For a description of the methods in the UserRegistry interface that must be implemented, see UserRegistry interface methods.
A simple file-based registry sample is provided. The sample is intended to familiarize you with the custom user registry feature and must not be used in a production environment.
- Example: UserRegistry.java file
- Example: FileRegistrySample.java file
- Example: Groups.props file
- Example: Users.props file
- Example: Results.java file
See the Code example disclaimer for legal information about this code example.