You can secure your feature's application endpoint by performing
the following steps:
Procedure
- In the .mf file of your feature, add
  the com.ibm.wsspi.appserver.webBundleSecurity-1.0 feature
  to the Subsystem-Content: header. This addition causes
  any protected servlets (as specified in your feature bundle's WEB-INF/web.xml file)
  to be authenticated, and enables role-based authorization. You can
  also assign users, groups, and special subjects to any roles that
  are defined in the WEB-INF/web.xml file.
    Subsystem-Content:
     my.user.feature.bundle; version="[1,1.0.100)",
     com.ibm.wsspi.appserver.webBundleSecurity-1.0; type="osgi.subsystem.feature"
- To map roles to users, groups, and special subjects, do
  the following steps:
  - Add the IBM-Authorization-Roles header to your OSGi
    bundle's MANIFEST.MF file. The header
    must specify a name, which is the id of a role mapping that you specify
    in the server.xml file.
      IBM-Authorization-Roles: my.feature.role.map
  - In the server.xml file, add an authorization-roles element
    to map the role names to users and groups. The id attribute
    of the authorization-roles element must have the
    same value as the IBM-Authorization-Roles header in the MANIFEST.MF file.
    Add a <security-role> subelement for each role
    that you want to assign users and groups to.
      <authorization-roles id="my.feature.role.map">
        <security-role name="employee">
          <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
        <security-role name="manager">
          <user name="bob"/>
          <user name="mary"/>
          <group name="managers"/>
        </security-role>
      </authorization-roles>
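
The following check is an added example, not part of the original procedure and not IBM code. It verifies that the IBM-Authorization-Roles header, the authorization-roles id in server.xml, and the roles declared in WEB-INF/web.xml agree. The function names and the web.xml content (including the unmapped "auditor" role) are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs based on the snippets above (the web.xml content is assumed).
MANIFEST = ("Manifest-Version: 1.0\n"
            "IBM-Authorization-Roles: my.feature.\n"
            " role.map\n")  # wrapped header: continuation lines start with one space
SERVER_XML = """<server>
  <authorization-roles id="my.feature.role.map">
    <security-role name="employee"><special-subject type="ALL_AUTHENTICATED_USERS"/></security-role>
    <security-role name="manager"><user name="bob"/><group name="managers"/></security-role>
  </authorization-roles>
</server>"""
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <security-role><role-name>employee</role-name></security-role>
  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>auditor</role-name></security-role>
</web-app>"""

def manifest_headers(text):
    """Parse manifest headers, joining wrapped (continuation) lines."""
    headers, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last:
            headers[last] += line[1:]          # continuation of the previous header
        elif ":" in line:
            last, value = line.split(":", 1)
            headers[last] = value.strip()
    return headers

def check_role_mapping(manifest, server_xml, web_xml):
    """Return a list of findings; an empty list means the three files agree."""
    map_id = manifest_headers(manifest).get("IBM-Authorization-Roles")
    if not map_id:
        return ["MANIFEST.MF has no IBM-Authorization-Roles header"]
    mapping = next((e for e in ET.fromstring(server_xml).iter("authorization-roles")
                    if e.get("id") == map_id), None)
    if mapping is None:
        return [f"server.xml has no authorization-roles element with id '{map_id}'"]
    mapped = {r.get("name"): list(r) for r in mapping.findall("security-role")}
    bare = lambda tag: tag.rsplit("}", 1)[-1]  # strip a '{namespace}' prefix from a tag
    declared = {c.text.strip() for e in ET.fromstring(web_xml).iter()
                if bare(e.tag) == "security-role"
                for c in e if bare(c.tag) == "role-name" and c.text}
    findings = [f"role '{r}' is declared in web.xml but not mapped"
                for r in sorted(declared - set(mapped))]
    findings += [f"role '{r}' is mapped but has no users, groups or special subjects"
                 for r in sorted(mapped) if not mapped[r]]
    return findings
```

Calling `check_role_mapping(MANIFEST, SERVER_XML, WEB_XML)` on the sample data reports the one role that web.xml declares but server.xml never maps.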