6

In Java EE some servers unfortunately require a vendor specific group to role mapping for the security configuration. For these servers, such mapping is mandatory even when there really is nothing to map.

Unfortunately, IBM Liberty is such a server. It requires a mapping in a file called ibm-application-bnd.xml, that one is supposed to put inside an EAR's META-INF/ folder. For example:

<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_2.xsd"
    xmlns="http://websphere.ibm.com/xml/ns/javaee"
    version="1.2">

    <security-role name="architect"> 
        <group name="architect" />
    </security-role>

</application-bnd>

Even more unfortunate is that seemingly this file can only be used from an EAR.

How can group to role mapping be specified from within the application archive when using a WAR with Liberty?

(solutions that require me to change anything inside the server, or interact with any kind of console or graphical admin interface are unfortunately not usable for me)

Arjan Tijms
  • 37,782
  • 12
  • 108
  • 140
  • 1
    You've already answered your question. There are 2 such ways, one through bnd file in EAR, second via mapping in server.xml. Any reasons why you cannot use one of those? If you have control on app then you use binding file, if you have control on server - you use the server way. It looks like you want to have complete control for that mapping inside of your app and not using any user registry at all. Whats the real problem you are trying to solve? – Gas Apr 08 '15 at 21:16
  • 2
    @Gas "Any reasons why you cannot use one of those?" - I'd like to return the question; any reason why when using an EAR the mapping can be defined inside the archive, but when using a WAR this is (seemingly) not possible? – Arjan Tijms Apr 08 '15 at 21:33
  • @Gas "Whats the real problem you are trying to solve?" - I don't have a "real problem" in the sense of a business case. I'm testing JASPIC implementations for spec compliance. See https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic – Arjan Tijms Apr 08 '15 at 21:35
  • @Gas "Any reasons why you cannot use one of those?" - The JASPIC tests run the tests on a range of servers. Modifying the installed server for each integration test that is executed is troublesome, ruling our `server.xml`. Using an EAR is also troublesome, since all tests for all other servers are WAR based. Wrapping the WAR to be tested in an EAR for just the Liberty test is not so nice, and the question is why this is needed? All servers either don't demand group to role mapping or allow a mapping file inside the war. Why is Liberty different here? – Arjan Tijms Apr 08 '15 at 21:41
  • @Gas "It looks like you want to have complete control for that mapping inside of your app and not using any user registry at all." - True, I'm also a member of the Java EE Security JSR EG, and we're working towards fully standardized security that can be configured from with the application. JASPIC is very likely going to be an important foundation there. From a Java EE spec viewpoint, the "user registry" can never be a mandatory part of that, since it's an IBM specific artifact. – Arjan Tijms Apr 08 '15 at 21:55
  • @Gas p.s. last but not least regarding the user registry; JASPIC was specified to facilitate *portable* authentication modules. If there is a dependency on a vendor specific artifact, then such module is not portable anymore, defeating the entire purpose of it. I wonder what IBM's thinking exactly was when giving the IBM specific user registry such an important role here. This is not criticism, I'm really genuinely interested in the thought process here and whether it's a misinterpretation of the spec that could be clarified. – Arjan Tijms Apr 08 '15 at 22:22
  • Arjan, I'm not from WebSphere development, so I cannot answer 'why', but I can give you personal opinion based on long work with WebSphere. So back to your questions :) – Gas Apr 10 '15 at 11:45
  • Why binding in EAR? - as you wrote there is no standard way to do it. You want it in war, some other person would like it ejb jar, if you would have many modules in ear you would need to repeat that. Since Java EE server should support deploying EARs, from my point of view it is quite ok to have it one place instead of providing it with every module. Originally WebSphere wrapped deployed WARs in EAR, so there always was EAR to put the bindings. – Gas Apr 10 '15 at 11:47
  • However, if you need to have it in WAR, you may create [Request For Enhancement](https://www.ibm.com/developerworks/rfe/?BRAND_ID=181) and vote for it. If there will be enough people interested, it might get implemented. – Gas Apr 10 '15 at 11:48
  • Using an EAR is also troublesome - aren't the servers you are testing Java EE? So they should support deploying EARs, and development tools can quickly create you EAR for your WAR, so you may use EARs everywhere. Again there is no spec that mapping must be in WAR, so each server may do it differently. And Liberty provides mapping for WARs via `server.xml`. – Gas Apr 10 '15 at 12:05
  • Modifying the installed server for each integration test that is executed is troublesome - I don't know your testing scenarios, but why you need to modify that file for each integration test? Cant you create server.xml with bindings for all you tests once and just use different scenarios on it? server.xml also supports modularity, so you may have one server.xml with general information and just use to add application specific data for given scenarios. – Gas Apr 10 '15 at 12:07
  • User registry is not IBM specific artifact. Many servers provide it under different names, it might be user registry, repository, security domain, realm, etc. It is the way to specify users population for application roles. In many cases that mapping is defined by application administrator or system/security administrator, not the application developer and user population is enterprise wide, not specific to the particular application. This mapping usually changes even for the same app depending on the deployment env (UAT,PRD), so it is easier if it is not embedded in the application. – Gas Apr 10 '15 at 12:43
  • @gas thanks for the answers (probably SO will ask to move this to chat soon, but let's see) "Originally WebSphere wrapped deployed WARs in EAR, so there always was EAR to put the bindings." - This is perhaps -the- reason. If WebSphere never supported deploying separate WARs in the early days, it might just be a legacy issue. All other servers either don't require a mapping file, or when they do support having it inside the war too. – Arjan Tijms Apr 10 '15 at 22:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/74974/discussion-between-arjan-tijms-and-gas). – Arjan Tijms Apr 10 '15 at 22:06
  • 1
    I think you raise good points so I have raised two requests for enhancement for this. I can't promise when or if we will deliver them, but you can log in and subscribe. https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=69687 https://www.ibm.com/developerworks/rfe/execute?use_case=viewRfe&CR_ID=69688 – Alasdair Apr 15 '15 at 23:23

2 Answers2

3

This post is a bit dated but here are my finding for anyone else who may be struggling with this issue.

With the latest version of WebSphere Liberty (currently @ 8.5.5.6) you can place your application bindings file (ibm-application-bnd.xml) into the web application's META-INF folder and Liberty will parse the bindings file as if it was packaged in an EAR. I am not sure if this is a documented feature or not.

Colby Montgomery
  • 51
  • 5
2

Another update - in the June 2016 delivery (Liberty fix pack 16.0.0.2) we now support default role to group name mapping. If you are happy for your group name to be the same as the role name then you don’t need to provide binding informtaion, the mapping will occur automatically.

To summarise there are now 3 ways in Liberty to map groups to roles:

  1. Mapping information in ibm-application-bnd.xml in the .ear file
  2. Mapping information in application configuration in the server.xml file
  3. Allow group name to default to role name by not providing any mapping
Alex Mulholland
  • 41
  • 1
  • As per Colby's answer above, it's actually 4 ways ;) Or you could say there are two variants of the first way, one for the .ear and one for the .war. – Arjan Tijms Jul 16 '16 at 20:57
  • how does the "special-subject" works in that case? can I put this in just WAR file without server.xml or EAR? – Tilo May 06 '19 at 23:47