User registries and repositories

In WebSphere Application Server, a user registry or repository authenticates a user and retrieves information about users and groups to perform security-related functions, including authentication and authorization. The information about users and groups resides within a registry or repository. WebSphere Application Server makes access control decisions using the user registry or repository.

WebSphere Application Server provides implementations that support multiple types of registries and repositories including the local operating system registry, a standalone Lightweight Directory Access Protocol (LDAP) registry, a standalone custom registry, and federated repositories.

[z/OS] These authorization mechanism choices are valid for all user registries and repositories, such as virtual member manager, with the exception of Tivoli Access Manager, which is supported for Standalone LDAP registry configuration only.

[AIX HP-UX Linux Solaris Windows] [iSeries] With WebSphere Application Server, a user registry or a repository, such as virtual member manager, authenticates a user and retrieves information about users and groups to perform security-related functions including authentication and authorization.

With WebSphere Application Server, a user registry or repository is used for:
  • Authenticating a user using basic authentication, identity assertion, or client certificates
  • Retrieving information about users and groups to perform security-related administrative functions, such as mapping users and groups to security roles

Although WebSphere Application Server supports different types of user registries, only one user registry can be active. This active registry is shared by all of the product server processes.

After configuring the registry or repository, you must specify it as the active repository. Through the administration console, you can select an available realm definition for the registry or repository from the User account repository section of the Secure administration, applications, and administration panel. After selecting the registry or repository, first click Set as current, and then click Apply.

Note: WebSphere Application Server implements a user registry proxy by using the UserRegistry interface. However, the return values differ slightly from those of the interface. For example, getUniqueUserId returns the unique ID with the realm name wrapped around it, so you cannot pass that return value directly to getUserSecurityName. Strip the realm name first, as shown in the following example:
// Retrieves the default InitialContext for this server.
javax.naming.InitialContext ctx = new javax.naming.InitialContext();

// Retrieves the local UserRegistry object.
com.ibm.websphere.security.UserRegistry reg =
    (com.ibm.websphere.security.UserRegistry) ctx.lookup("UserRegistry");

// Retrieves the registry uniqueID based on the userName that is specified
// in the NameCallback. The proxy returns it with the realm name wrapped.
String uniqueID = reg.getUniqueUserId(userName);

// Strip the realm name to get the real uniqueID.
String uid = com.ibm.wsspi.security.token.WSSecurityPropagationHelper.getUserFromUniqueID(uniqueID);

// Retrieves the security name from the user registry based on the stripped uniqueID.
String securityName = reg.getUserSecurityName(uid);
You can use a Service Provider Interface (SPI) for this parsing function.

Attention: WebSphere Application Server supports a variety of user registries and repositories on different operating systems. During the user authentication process, you might use non-alphanumeric characters in your user name or password. Restrictions on the use of these non-alphanumeric characters depend on both the underlying operating system and the user registry type. For more information on which non-alphanumeric characters are not supported, see your operating system and user registry or repository documentation.

[AIX] For a comprehensive list of the non-alphanumeric characters that are not supported, see the IBM AIX operating system documentation.

[HP-UX] For a comprehensive list of the non-alphanumeric characters that are not supported, see the HP-UX operating system documentation.

[Windows] For a comprehensive list of the non-alphanumeric characters that are not supported, see the Microsoft Windows operating system documentation.
Related concepts
Standalone custom registries
Local operating system registries
Federated repositories
Tivoli Access Manager integration as the JACC provider
Last updated: Aug 31, 2013 4:28:44 AM CDT
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=pix&product=was-nd-mp&topic=csecregistries
File name: csec_registries.html