How to configure Security in Open Liberty Application Server?

I started to run our Imixs-Workflow engine on Open Liberty Application Server. One important thing in Imixs-Workflow is the authentication against the workflow engine. In Open Liberty, security is configured in the server.xml file. But it took me some time to figure out the correct configuration of the role mapping in combination with the @RunAs annotation which we use in our service EJBs.

We define different roles in our application and use the @RunAs annotation to run some services with a specific role. In code this looks like this:

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.Singleton;
import javax.ejb.Startup;
import javax.ws.rs.Path;

// Every call this bean makes to other EJBs, including the ones made from its
// @PostConstruct at server startup, carries the MANAGERACCESS run-as identity.
@DeclareRoles({ "org.imixs.ACCESSLEVEL.MANAGERACCESS" })
@RunAs("org.imixs.ACCESSLEVEL.MANAGERACCESS")
@Startup
@Singleton
@Path("/setup")
public class SetupService {
..
}

First my realm configuration in the server.xml file looked like this:

...
	<basicRegistry id="basic" realm="imixsrealm">
		<user name="admin" password="adminadmin" />
		<user name="alex" password="password" />
		<group name="org.imixs.ACCESSLEVEL.MANAGERACCESS">
			<member name="admin" />
		</group>
		<group name="org.imixs.ACCESSLEVEL.AUTHORACCESS">
			<member name="alex" />
		</group>
	</basicRegistry>
...

This allows me to authenticate as user ‘admin’ or user ‘alex’ against my application, but I got the following error messages in my server log:

imixssample-app_1  | [WARNING ] CWWKS9112W: Invalid run-as configuration for security-role name org.imixs.ACCESSLEVEL.MANAGERACCESS in the application imixs-jsf-example. Check the configuration for run-as and confirm that the userid and password are configured correctly. The initial caller identity will be used for authorization because the runAs role could not be applied.
imixssample-app_1  | [AUDIT   ] CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking saveModel on imixs-jsf-example. The user is not granted access to any of the required roles: [org.imixs.ACCESSLEVEL.NOACCESS, org.imixs.ACCESSLEVEL.READERACCESS, org.imixs.ACCESSLEVEL.AUTHORACCESS, org.imixs.ACCESSLEVEL.EDITORACCESS, org.imixs.ACCESSLEVEL.MANAGERACCESS].
imixssample-app_1  | [ERROR   ] CWOWB2001E: A POST_CONSTRUCT lifecycle inteceptor threw an exception: javax.ejb.EJBAccessException: CWWKS9400A: Authorization failed for user UNAUTHENTICATED while invoking saveModel on imixs-jsf-example. The user is not granted access to any of the required roles: [org.imixs.ACCESSLEVEL.NOACCESS, org.imixs.ACCESSLEVEL.READERACCESS, org.imixs.ACCESSLEVEL.AUTHORACCESS, org.imixs.ACCESSLEVEL.EDITORACCESS, org.imixs.ACCESSLEVEL.MANAGERACCESS].
imixssample-app_1  | 	at com.ibm.ws.ejbcontainer.security.internal.EJBSecurityCollaboratorImpl.authorizeEJB(EJBSecurityCollaboratorImpl.java:503)

The log already shows the cause: no user was mapped to the run-as role, so Liberty could not apply the run-as identity (CWWKS9112W) and fell back to the caller identity. The @Startup singleton is initialised without any caller, so its POST_CONSTRUCT call to saveModel ran as UNAUTHENTICATED and was rejected (CWWKS9400A). It took me several hours to figure out the correct configuration of the server.xml file, which should look like this:

<?xml version="1.0" encoding="UTF-8"?>
<server description="new server">
	<!-- Enable features -->
	<featureManager>
		<feature>javaee-8.0</feature>
		<feature>microProfile-2.2</feature>
	</featureManager>

	<!-- User registry: accounts and passwords only, no role mapping here.
	     The run-as identity (workflow-service) must be a registry user. -->
	<basicRegistry id="basic" realm="imixsrealm">
		<user name="admin" password="adminadmin" />
		<user name="alex" password="password" />
		<user name="workflow-service" password="xyz" />
	</basicRegistry>

	<!-- The application is configured explicitly below so that an
	     application-bnd can be attached to it; dropins are therefore disabled. -->
	<applicationMonitor dropinsEnabled="false" />

	<application name="imixs-jsf-example" context-root="/" type="war"
		id="imixs-jsf-example"
		location="${server.config.dir}dropins/imixs-jsf-example-4.2.2.war">
		<application-bnd>
			<!-- Role-to-user mapping plus the user that @RunAs(MANAGERACCESS) runs as -->
			<security-role name="org.imixs.ACCESSLEVEL.MANAGERACCESS">
				<user name="workflow-service" />
				<user name="admin" />
				<run-as userid="workflow-service" />
			</security-role>
			<security-role name="org.imixs.ACCESSLEVEL.AUTHORACCESS">
				<user name="manfred" />
				<user name="alex" />
			</security-role>
		</application-bnd>
	</application>
	<httpEndpoint id="defaultHttpEndpoint" httpPort="9080"
		httpsPort="9443" />
	<applicationManager autoExpand="true" />
</server>

The important part here is that the security-role mapping, including the run-as identity, needs to be part of the ‘application-bnd’ section of the explicitly configured application. In this section you map users to each role, and with the run-as element you name the registry user whose identity is used when a bean annotated with @RunAs for that role calls other components. Keep in mind that this run-as user is an ordinary registry account that can log in with its password, so give it a strong generated password rather than a placeholder like ‘xyz’. The same applies to the other accounts: do not ship plain-text passwords in server.xml; the securityUtility command shipped with Liberty (bin/securityUtility encode --encoding=hash) produces a hashed value that you can put into the password attribute instead.

Groups are not necessary for this simple user registry. You can, however, define a group with a set of users in the basicRegistry and grant the role to that group with a group element inside the security-role instead of listing every user there. The run-as identity is different: it must always be a single user.
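To check a server.xml for exactly the mistakes discussed above before starting the server, here is a small lint script. It is an added example written for this post, not code from the post, from Imixs-Workflow or from Open Liberty. It assumes the mapping rules described above (user and group elements under security-role, run-as userid naming a registry user) and applies them to a constructed sample server.xml that is embedded in the script; the {hash} and {xor} values in that sample are placeholders for the output of securityUtility encode, and the role names are the ones from this post.

```python
"""Lint an Open Liberty server.xml for role-mapping mistakes.

Added example for this post; not code from the post, Imixs-Workflow or Open
Liberty. It encodes the mapping rules discussed in the post:
  1. users and groups granted a role in <application-bnd> must exist in <basicRegistry>
  2. a <run-as userid="..."/> must name a registry user, and (as in the post's
     working config) that user should itself be granted the role it runs as
  3. registry passwords should be encoded ({hash}/{xor}/{aes}), not plain text
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the post's server.xml with two differences:
# MANAGERACCESS is granted through a registry group, and AUTHORACCESS contains
# a deliberately dangling user and a run-as user that is not granted the role.
# The {hash}/{xor} values are placeholders for output of `securityUtility encode`.
SAMPLE_SERVER_XML = """<server description="sample">
  <basicRegistry id="basic" realm="imixsrealm">
    <user name="admin" password="{hash}PLACEHOLDER" />
    <user name="alex" password="password" />
    <user name="workflow-service" password="{xor}PLACEHOLDER" />
    <group name="managers">
      <member name="admin" />
    </group>
  </basicRegistry>
  <applicationMonitor dropinsEnabled="false" />
  <application name="imixs-jsf-example" context-root="/" type="war"
      id="imixs-jsf-example" location="${server.config.dir}/apps/imixs-jsf-example.war">
    <application-bnd>
      <security-role name="org.imixs.ACCESSLEVEL.MANAGERACCESS">
        <group name="managers" />
        <user name="workflow-service" />
        <run-as userid="workflow-service" />
      </security-role>
      <security-role name="org.imixs.ACCESSLEVEL.AUTHORACCESS">
        <user name="manfred" />
        <user name="alex" />
        <run-as userid="admin" />
      </security-role>
    </application-bnd>
  </application>
</server>
"""

ENCODED_PREFIXES = ("{hash}", "{xor}", "{aes}")


def parse_registry(root):
    """Return (users, groups): user name -> password, group name -> set of members."""
    users, groups = {}, {}
    for reg in root.iter("basicRegistry"):
        for u in reg.findall("user"):
            users[u.get("name")] = u.get("password", "")
        for g in reg.findall("group"):
            groups[g.get("name")] = {m.get("name") for m in g.findall("member")}
    return users, groups


def lint(server_xml):
    """Return a list of human-readable findings for the given server.xml text."""
    root = ET.fromstring(server_xml)
    users, groups = parse_registry(root)
    findings = []

    # Rule 3: plain-text passwords in the registry
    for name, password in users.items():
        if not password.startswith(ENCODED_PREFIXES):
            findings.append(f"plaintext password for registry user '{name}'")

    for role in root.iter("security-role"):
        rname = role.get("name")
        granted = set()  # users that end up holding this role, directly or via a group
        # Rule 1: every mapped user / group must exist in the registry
        for u in role.findall("user"):
            uname = u.get("name")
            if uname not in users:
                findings.append(f"role '{rname}' maps unknown user '{uname}'")
            granted.add(uname)
        for g in role.findall("group"):
            members = groups.get(g.get("name"))
            if members is None:
                findings.append(f"role '{rname}' maps unknown group '{g.get('name')}'")
            else:
                granted |= members
        # Rule 2: run-as must be a single registry user that holds the role
        for ra in role.findall("run-as"):
            uid = ra.get("userid")
            if uid not in users:
                findings.append(f"role '{rname}' run-as user '{uid}' is not in the registry")
            elif uid not in granted:
                findings.append(f"role '{rname}' run-as user '{uid}' is not granted the role")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_SERVER_XML):
        print("WARN:", finding)
```

Run against the embedded sample it reports the plain-text password of ‘alex’, the user ‘manfred’ that is mapped but never defined in the registry, and the run-as user ‘admin’ that is not granted the role it is supposed to run as; the MANAGERACCESS role, which mirrors the working configuration from this post, produces no finding. To lint a real file, replace SAMPLE_SERVER_XML with the content of your server.xml.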

And finally, disable the dropins feature. The application-bnd mapping is only applied to an application that is configured explicitly with an application element; with dropins enabled, the same WAR in the dropins directory would also be deployed automatically, without the role mapping. Add the following tag:

....
  <applicationMonitor dropinsEnabled="false" />
...

That’s it.
