This topic applies to WebSphere Application Server Liberty V8.5.5.9 and earlier. For the latest Liberty topics, see the WebSphere Application Server Liberty documentation.

Configuration differences between WebSphere Application Server traditional and Liberty: security

The configuration differences in the security capability between Liberty and WebSphere Application Server traditional indicate the items that you might need to know during application migration.

Liberty security supports only a subset of the security features in WebSphere Application Server traditional. Unless the support is explicitly mentioned in Liberty documentation, you must assume that the support is not available yet.

The following security features are not included in Liberty:
  • Not all public APIs and SPIs are supported. The Java™ API documentation for each Liberty API is detailed in the Programming Interfaces (APIs) section of the documentation, and is also available as a separate .zip file in one of the javadoc subdirectories of the ${wlp.install.dir}/dev directory.
  • Horizontal propagation.
  • SecurityAdmin MBean support; therefore, methods such as clearing the authentication cache are not available.
  • Java 2 Connector (J2C) principal mapping modules support.
  • Multiple security domain support.
  • [8.5.5.6 or later] CSIv2 security attribute propagation.
  • [8.5.5.6 or later] Kerberos authentication.
  • [8.5.5.6 or later] SPNEGO on non-IBM JDK.
  • Security auditing subsystem that is part of the security infrastructure of the server.

In Liberty, you can configure user-to-role mappings and Run-As users in the application-bnd element of the server.xml file. For a Run-As entry, the password is optional. In WebSphere Application Server traditional, you can configure the Run-As entry only in the ibm-application-bnd.xml/xmi file. For a Run-As entry, the password is required. See Configuring authorization for applications in Liberty.

In Liberty, role names can be referenced by the HttpServletRequest.isUserInRole and EJBContext.isCallerInRole APIs or by elements in the deployment descriptor without first declaring the role names using the @DeclareRoles annotation or the <security-role/> element in the deployment descriptor. However, roles must be declared before being used in WebSphere® Application Server traditional.
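
The following check is an added example, not IBM code: it lists role names that a web.xml deployment descriptor references (in auth-constraint, run-as, or security-role-ref elements) without a matching <security-role/> declaration, the case that Liberty accepts and WebSphere Application Server traditional does not. The sample descriptor and the function names are constructed for illustration; roles that are referenced only through isUserInRole or isCallerInRole calls, or declared only with @DeclareRoles, are outside what it inspects.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not from the page): "auditor" and "operator"
# are referenced but never declared in a <security-role> element.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>report</servlet-name>
    <servlet-class>example.ReportServlet</servlet-class>
    <security-role-ref>
      <role-name>AUD</role-name>
      <role-link>auditor</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>operator</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role><role-name>admin</role-name></security-role>
</web-app>"""

def local(tag):
    """Drop the XML namespace so any Java EE schema version matches."""
    return tag.rsplit("}", 1)[-1]

def undeclared_roles(web_xml_text):
    """Return sorted role names that are referenced but not declared."""
    declared, referenced = set(), set()
    for parent in ET.fromstring(web_xml_text).iter():
        kind = local(parent.tag)
        for child in parent:
            name, text = local(child.tag), (child.text or "").strip()
            if kind == "security-role" and name == "role-name":
                declared.add(text)
            elif kind in ("auth-constraint", "run-as") and name == "role-name":
                referenced.add(text)
            elif kind == "security-role-ref" and name == "role-link":
                referenced.add(text)
    # "*" and "**" are reserved names in auth-constraint, not application roles.
    return sorted(referenced - declared - {"*", "**", ""})

if __name__ == "__main__":
    for role in undeclared_roles(SAMPLE_WEB_XML):
        print("referenced but not declared:", role)
```

An empty result means every role that the descriptor references is also declared in it.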





Last updated: Tuesday, 12 December 2017