Setting up security for your application

About this task

Setting up security for your application requires the following tasks:

  • Setting up security roles and constraints for your application by editing the Web Deployment Descriptor.
  • Gathering roles used for your application by editing the EAR Deployment Descriptor.

Security roles are logical groups of users (such as bankTeller or bankManager). When you deploy the application, these roles are mapped to specific individuals or groups of individuals. Constraints define which parts of the application to secure, such as servlets and JSPs, and which roles can access them.

To define security roles and constraints:

Procedure

  1. In the Navigator view, expand the Web project folder and double-click the Web Deployment Descriptor file (web.xml) under WebContent/WEB-INF to open it in the editor. (If the Navigator view is not visible in the workbench, click Window > Show View > Other > General > Navigator to display the view.)
  2. On the Design tab, select the Web Application (Application name) and click the Add button in the Overview area. In the popup window, scroll down to select Security Role and click OK to insert a new security role. For this application, the role specifies all users in the LDAP directory.
  3. In the Security Role Details, enter All application users in the Role Name field.
  4. On the Design tab, select the Web Application (Application name) and click the Add button in the Overview area. In the popup window, scroll down to select Security Constraint and click OK to define the security constraints for this new security role.
  5. Type the name for the constraint in the Display Name field, for example, Access Constraint.
  6. Click Add next to Authorization Constraints to add all authorized security roles you just created. Enter a description of the authorization constraint in the Description field. For example, Allow all.
  7. In the Overview section, select Web Resource Collection under this new "Security Constraint". Type the resource name in the Web Resource Name field (for example, All resources), and click Add next to the URL Pattern box and enter /* for the URL pattern. This specifies that these particular users have access to all Web resources in the application.
  8. In the Overview, select Web Resource Collection and click the Add button, select the HTTP method in the popup window and click OK to specify the actions that the authorized roles can perform, for example, GET and POST. If you add no methods, the constraint applies to all HTTP methods. The updates to the Security page are complete.
  9. Save and close the Web Deployment Descriptor file.
  10. In the Navigator view, expand the EAR project folder for your project and double-click the EAR Deployment Descriptor file (application.xml) under the META-INF directory.
  11. On the Design tab, select Application and click the Add button. Select Security Role and click OK to add all the security roles. Type the security role name details for the added security roles.
  12. Under WebSphere Deployment Descriptors, click the Open WebSphere Bindings Descriptor link. In the WebSphere bindings section, add all authorized security roles and all authorized users under each security role. Save changes.
  13. Save and close the EAR Deployment Descriptor file.
  14. Restart the application.
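The descriptor fragments that steps 1 through 13 produce, shown here as an added example rather than text from the original page; the role, constraint and resource names are the ones used in the procedure, and the Servlet 2.5 and Java EE 5 schema versions are assumptions (the EAR module elements are omitted).

```xml
<!-- web.xml: the role from step 3 and the constraint from steps 4-8 -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Step 3: a logical role; users or groups are bound to it at deployment -->
  <security-role>
    <role-name>All application users</role-name>
  </security-role>

  <!-- Steps 4-8: which resources are protected and which roles may reach them -->
  <security-constraint>
    <display-name>Access Constraint</display-name>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
      <!-- Listing http-method elements narrows the constraint to exactly these
           methods: any method not listed (HEAD, PUT, DELETE, ...) is left
           unprotected. Remove the two elements below to cover every method. -->
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Allow all</description>
      <role-name>All application users</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>

<!-- application.xml: step 11 declares the same role at the EAR level
     (assumed Java EE 5 schema; module elements omitted) -->
<application xmlns="http://java.sun.com/xml/ns/javaee" version="5">
  <security-role>
    <role-name>All application users</role-name>
  </security-role>
</application>
```

The mapping of the role to LDAP users or groups (step 12) lives in the WebSphere bindings, not in these standard descriptors, so the same web.xml can be deployed against different directories.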

What to do next

With this configuration, you have allowed any user that can be authenticated to LDAP (All authenticated users) to access any resource in the project (/*). In your application, you may want to create additional roles and constraints to further refine which users (roles) can access which resources.
