Develop custom user registries

WebSphere Application Server security supports the use of custom registries in addition to LocalOS and LDAP registries for authentication and authorization purposes. A custom user registry is a customer-implemented user registry. You must implement the UserRegistry interface that is provided by WebSphere Application Server. A custom user registry can support virtually any type of accounts repository, such as a relational database or a flat file. The custom user registry provides considerable flexibility in adapting WebSphere Application Server security to environments where a user registry other than LDAP or LocalOS already exists in the operational environment.

Implementing a custom user registry is a software development effort. Use the methods defined in the UserRegistry interface to make calls to the desired registry to obtain user and group information. The interface defines a very general set of methods, so it can be used to encapsulate a wide variety of registries. For more information, see UserRegistry interface methods. A custom user registry can be configured as the active user registry when configuring WebSphere Application Server global security.

Note: Make sure that your implementation of the custom registry does not depend on any WebSphere Application Server components such as data sources, enterprise beans, and so on. Avoid this dependency because security is initialized and enabled before most of the other WebSphere Application Server components during startup. If your previous implementation used these components, change it to eliminate the dependency. For example, if your previous implementation used data sources to connect to a database, use Java Database Connectivity (JDBC) to connect to the database.

See these code examples for a simple implementation of a custom user registry:

For backward compatibility, the WebSphere Application Server Version 4.0 custom registry is also supported. Refer to the Migrate custom user registries topic for more information on migrating. However, it is recommended that you use the new interface to implement your custom registry.

Perform these steps to develop a custom user registry:

  1. If you are not familiar with the concept of custom user registries, see Custom user registries. This topic explains each of the methods in the interface in detail and the changes for these methods from the 4.0 release.

  2. Implement all of the methods in the interface except for the createCredential() method, which is implemented by WebSphere Application Server.

  3. Build your implementation.

  4. To compile your code, you need the sas.jar and wssec.jar files in your classpath. For example (the command is wrapped here for display; enter it on one line):

    javac -extdirs /QIBM/ProdData/WebAS5/base/java/ext:/QIBM/UserData/Java400/ext:
      /QIBM/ProdData/Java400/jdk13/lib/ext:/QIBM/ProdData/WebAS5/Base/lib
      -classpath /QIBM/ProdData/WebAS5/Base/lib/sas.jar:
      /QIBM/ProdData/WebAS5/lib/wssec.jar
      com/ibm/websphere/security/FileRegistrySample.java

  5. Follow the steps in Configure custom user registries to configure your implementation using the administrative console.

Note: As of Version 5.0.1, you can use JDBC connections to connect to the custom user registry database.
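
The following sketch illustrates the two notes above about avoiding data sources and connecting over JDBC. It is an added example, not IBM sample code: the class name JdbcRegistryBackend, the property names, and the USERS table layout are assumptions, and it is written for Java 8 or later. A UserRegistry implementation could delegate its initialize() and checkPassword() methods to a helper like this one.

```java
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper for a custom registry. It uses only java.sql and JDK
// crypto classes, so it does not need data sources, JNDI, or enterprise
// beans, none of which are available when security starts.
public class JdbcRegistryBackend {
    private String url, dbUser, dbPassword;

    // Call from the registry's initialize(Properties) method. The property
    // names are assumptions, supplied as custom properties of the registry.
    public void initialize(Properties props) throws ClassNotFoundException {
        Class.forName(props.getProperty("jdbcDriver")); // explicit driver load
        url = props.getProperty("jdbcUrl");
        dbUser = props.getProperty("jdbcUser");
        dbPassword = props.getProperty("jdbcPassword");
    }

    // Call from the registry's checkPassword() method. Assumed schema:
    // USERS(NAME, SALT, ITERATIONS, PWHASH), all NOT NULL, PBKDF2 hashes.
    public boolean checkPassword(String name, String password) throws Exception {
        String sql = "SELECT SALT, ITERATIONS, PWHASH FROM USERS WHERE NAME = ?";
        // Direct DriverManager connection instead of a DataSource lookup.
        try (Connection c = DriverManager.getConnection(url, dbUser, dbPassword);
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name); // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) return false; // unknown user
                byte[] stored = rs.getBytes("PWHASH");
                byte[] actual = pbkdf2(password, rs.getBytes("SALT"),
                                       rs.getInt("ITERATIONS"), stored.length);
                return MessageDigest.isEqual(stored, actual); // constant-time
            }
        }
    }

    // Derives a PBKDF2 hash of len bytes from the password and salt.
    static byte[] pbkdf2(String pw, byte[] salt, int iter, int len) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(pw.toCharArray(), salt, iter, len * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                               .generateSecret(spec).getEncoded();
    }
}
```

The JDBC driver JAR must be on a classpath that is visible to the security runtime at startup, because the helper cannot rely on a driver configured through a data source.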