1

Very broad and I apologize if I have a lack of understanding but here goes: I have a webapp that I runs in a Liberty server in a CICS region. I would like certain functionality of that app to be user specific. For example, if a user logs into the web app, I want them to only be able to perform tasks on the page depending on who they are. I've looked into setting up roles but cant quite grasp it well. I have a setup thus far where any user in my CICS with an ID and password and access to that region can use my webapp. I will post the .xml security part. If more elaboration is needed please ask me. 

 <security-role>
    <description>All CICS auhenticated users</description>
    <role-name>cicsAllAuthenticated</role-name>
</security-role>
<security-constraint>
    <display-name>xxx.xxxx.xxx.jdbc.web.SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>xxxx.xxxx.xxxx.xxxx_xxxx.jdbc</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>cicsAllAuthenticated</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

I'm obtaining the IDs via some SAF registry and keystore setup in the server configuration. I just need to know if there is a way to use that in Java to grant privileges. Thanks for any ideas!

1 Answers1

2

You can use SAF role mapping in Liberty. This will map the SAF EJBROLE to a Java EE role, which can then be used to secure applications.

The mapping of EJBROLEs to Java EE roles is controlled through the server.xml element safRoleMapper, for example, the SAF role mapper:

<safRoleMapper profilePattern="myprofile.%resource%.%role%" toUpperCase="true" />

The profile when accessing the application myapp with role admin would be:

myprofile.myapp.admin

For more information, see: Liberty: Controlling how roles are mapped to SAF Profiles. By default the profilePattern is %profilePefix%.%resource%.%role%.

In CICS, you should have the cicsts:security-1.0 feature installed as this will also map the CICS transaction user to the Liberty user.

For more information about configuring security in a Liberty JVM server in CICS, see: Configuring security for a Liberty JVM server.

To bring this back to your original question, if you use SAF EJBROLEs, you should be able to create a SAF role mapper, then use the the parts matched by %role% in your web.xml to protect resources.

You can also check access programmatically in JSPs using 

<% if (request.isUserInRole("role")) { %>
  <!-- Content to display for users in role 'role' -->
<% } %>
SoftlySplinter
  • 66
  • 2
  • Thanks so much! This was really helpful. –  Sep 21 '18 at 17:57
  • Update for anyone who needs something similar. If you're using jsf and not servlets, FacesContext.getCurrentInstance().getExternalContext().isUserInRole(role) works exactly like request. –  Oct 02 '18 at 17:41