Deploy secured applications

Deploying applications that have security constraints (secured applications) is not much different than deploying applications without any security constraints. The only difference is that you may need to assign users and groups to roles for a secured application, which requires that you have the correct active registry.

If you are installing a secured application, roles are defined in the application. If delegation is required in the application, RunAs roles are also defined in the application. You then assign users and groups to these defined roles. The users and groups may have already been assigned through the AAT tool. (For more information, see Add users and groups to roles.) In this case you can confirm the mapping, add new users and groups, or modify existing information during deployment.

If the delegation policy is set to Specified Identity during assembly, an intermediary component invokes a method that uses an identity that is set up during deployment. (For more information, see Delegation.) For example, if the user bob is mapped to the RunAs role, and the client user alice invokes a servlet (which has delegation set) that calls an enterprise bean, then the method on the enterprise bean is invoked with bob as the identity. Use the RunAs role to specify the identity under which later invocations are made. This step may have been done during assembly. (See Map users to RunAs roles for more information.) In this case, you can assign new users to RunAs roles or modify existing users during deployment.

These steps are common for both installing an application and modifying an existing application. If the application contains roles, the application installation wizard in the WebSphere administrative console prompts you to map security roles to users and groups. (You can also perform this step when you manage installed applications.)

To install (or deploy) your secured application, perform these steps in the administrative console:

  1. Click Applications --> Install New Application.

  2. Complete the non-security related steps prior to the step entitled Map security roles to users and groups.

  3. Map security roles to users and groups. See Assign users and groups to roles for more information.

  4. Map users to RunAs roles if RunAs roles exist in the application. See Assign users to RunAs roles for more information.

  5. (For enterprise beans only) Click Correct use of System Identity to specify RunAs roles if needed. Complete this action if the application has delegation that is set up to use System Identity.

    System Identity uses the WebSphere Application Server security server ID to invoke subsequent methods. This should be used with caution as this ID has more privileges than other identities in terms of accessing WebSphere Application Server internal methods.

    If no changes are necessary, skip this task.

  6. Complete the remaining steps to finish installing and deploying the application. If you are updating a previously installed application, stop the application and start it.

After a secured application is deployed, make sure you can access the resources in the application with the correct credentials. For example, if your application has a protected Web module, make sure you only use the users listed in the roles for that Web resource to access.

Update and redeploying secured applications

After an application is deployed, you can use the administrative console to modify the existing users and groups mapping to roles. You can also modify the users for the RunAs roles using the administrative console.

After you complete the changes, make sure to save the changes. Stop and start the application for the changes to become effective.

To update any other security related information, use the Application Assembly Tool (AAT). Use the AAT to modify roles, method permissions, auth-constraints, data-constraints, and other security-related information. After the changes are done, save the EAR file, uninstall the old application, deploy the modified application, and start the application to make the changes effective. If information about roles is modified make sure you update the user and group information using the administrative console.