The end-to-end steps, commands, and sample code snippets required for enabling users who are not WebSphere Application Server administrators to access the virtual member manager application programming interfaces (APIs) in a multiple security domain environment are provided here.
Federated repository management rights allow users who are not WebSphere Application Server administrators to manage users and groups, and to access other virtual member manager APIs, in both the administrative and the application security domains. Read about the predefined roles and their permissions in the topic, Providing security, in the virtual member manager documentation. You can use the following wsadmin commands to implement this feature: mapIdMgrUserToRole, mapIdMgrGroupToRole, removeIdMgrUsersFromRole, removeIdMgrGroupsFromRole, and listIdMgrUsersForRoles. For more information, read about using these commands in the topic, IdMgrConfig command group for the AdminTask object, in the WebSphere Application Server information center.
The following steps are covered in this sample scenario:
Ensure that you have read the information and completed the steps described in the topic, Programming prerequisites.
You must complete the following configuration steps before using the sample code. Start the wsadmin tool and run the following commands (shown in Jacl syntax). Replace the variables, such as app_server_root, myCell, myNode, server1, and domain1, with the actual values that you want to use.
$AdminApp install app_server_root/installableApps/wimperdomain.ear {-appname wimperdomain
  -BindJndiForEJBNonMessageBinding {{wim.ejb WIMService wimejb.jar,META-INF/ejb-jar.xml ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome}}
  -MapModulesToServers {{wim.ejb wimejb.jar,META-INF/ejb-jar.xml WebSphere:cell=myCell,node=myNode,server=server1}}}
$AdminTask createUser {-uid vmmadmin -password tempPass -confirmPassword tempPass -cn admincn -sn adminsn -securityDomainName domain1}
$AdminTask mapIdMgrUserToRole {-userId vmmadmin -roleName IdMgrAdmin -securityDomainName domain1}
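The same role mapping, followed by a verification step, as an added wsadmin Jython script that is not part of the original topic. It assumes the wsadmin AdminTask and AdminConfig objects are available, that listIdMgrUsersForRoles and removeIdMgrUsersFromRole accept the same -userId, -roleName and -securityDomainName parameters as mapIdMgrUserToRole (an assumption; check the IdMgrConfig command reference), that listIdMgrUsersForRoles returns the mapped user IDs as text, and it reuses the names vmmadmin, IdMgrAdmin and domain1 from the steps above.

```jython
# Added example (not from the original topic): map a non-administrator user to
# a federated repository management role in one security domain, verify the
# mapping before the application relies on it, and keep a revoke path ready.
# Assumptions: the wsadmin AdminTask/AdminConfig objects; listIdMgrUsersForRoles
# and removeIdMgrUsersFromRole take -userId/-roleName/-securityDomainName like
# mapIdMgrUserToRole; listIdMgrUsersForRoles returns the mapped user IDs as text.

USER_ID = "vmmadmin"      # user created in domain1 in the configuration steps
ROLE = "IdMgrAdmin"       # predefined role that grants full management rights
DOMAIN = "domain1"        # scope the grant to one application security domain only


def map_user_to_role(user_id, role, domain):
    """Map one user to one role, scoped to a single security domain."""
    AdminTask.mapIdMgrUserToRole('[-userId %s -roleName %s -securityDomainName %s]'
                                 % (user_id, role, domain))


def users_in_role(role, domain):
    """Return the user IDs currently holding the role in the domain (text output, assumed)."""
    out = AdminTask.listIdMgrUsersForRoles('[-roleName %s -securityDomainName %s]'
                                           % (role, domain))
    return str(out)


def verify_mapping(user_id, role, domain):
    """Fail loudly if the user is not in the role: a silent mismatch here shows up
    later as authorization failures on service.create() in the application."""
    mapped = users_in_role(role, domain)
    if user_id not in mapped:
        raise RuntimeError("%s is not mapped to %s in %s; current members: %s"
                           % (user_id, role, domain, mapped))
    return mapped


def revoke(user_id, role, domain):
    """Remove the mapping again, for example when the delegated administrator leaves.
    Parameter names are assumed to mirror mapIdMgrUserToRole."""
    AdminTask.removeIdMgrUsersFromRole('[-userId %s -roleName %s -securityDomainName %s]'
                                       % (user_id, role, domain))


map_user_to_role(USER_ID, ROLE, DOMAIN)
# Review who holds IdMgrAdmin in this domain; only the intended delegate should be listed.
print "Members of %s in %s: %s" % (ROLE, DOMAIN, verify_mapping(USER_ID, ROLE, DOMAIN))
# Persist the configuration change.
AdminConfig.save()
```

Run it with wsadmin -lang jython -f script.py. Keeping the grant scoped to domain1 with -securityDomainName, and listing the members of the role afterwards, is what stops a delegated IdMgrAdmin from silently also gaining rights in the administrative domain.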
Add the following end-to-end sample code to your application code as described in the following steps. Replace the variables with the actual values that you want to use. The code assumes the BaseApp helper class from the Programming prerequisites topic, which provides the service field and the runAsUser, locateService, and printDO methods.
import java.security.PrivilegedExceptionAction;
import commonj.sdo.DataObject;

// BaseApp (from the Programming prerequisites topic) supplies the static service
// field and the runAsUser, locateService and printDO helper methods.
public class SimpleTest extends BaseApp
{
    public static void createAsAdmin()
    {
        try {
            // vmmadmin was created in domain1 and mapped to IdMgrAdmin in the configuration steps.
            createUser("vmmadmin", "tempPass");
        }
        catch (Exception e) {
            e.printStackTrace();
        }
    }

    // Runs the create call under the identity of the given user, so the federated
    // repository management role mapped to that user in the domain is what is enforced.
    public static void createUser(String user, String password) throws Exception
    {
        DataObject result = (DataObject) runAsUser(user, password, new PrivilegedExceptionAction()
        {
            public Object run() throws Exception
            {
                // Note that the service instance used is that of the security domain obtained in step 1.
                DataObject root = service.createRootDataObject();
                DataObject person = root.createDataObject(DO_ENTITIES, WIM_NS_URI, DO_PERSON_ACCOUNT);
                person.set("uid", "authzzuser");
                person.set("cn", "authzzuser");
                person.set("sn", "authzzuser");
                person.set(PROP_PASSWORD, com.ibm.websphere.wim.util.PasswordUtil
                        .getByteArrayPassword("authzzuser"));
                // Print the input datagraph
                System.out.println("Input datagraph before creating user: " + printDO(root));
                DataObject retObject = service.create(root);
                // Print the output datagraph
                System.out.println("Output datagraph after creating user: " + printDO(retObject));
                return retObject;
            }
        });
    }

    public static void main(String[] args)
    {
        // Note that the EJB JNDI name is the same as the one used in step 1.
        service = locateService("ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome");
        createAsAdmin();
    }
}