<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="../../../rzahg/ic.css">
<title>Custom user registries</title>
</head>
<BODY>
<!-- Java sync-link -->
<SCRIPT LANGUAGE="Javascript" SRC="../../../rzahg/synch.js" TYPE="text/javascript"></SCRIPT>
<h4><a name="seccust"></a>Custom user registries</h4>
<p>A custom user registry is a user registry that you implement with the UserRegistry Java interface that is provided by the product. A custom-implemented user registry can support virtually any type of user registry, such as a relational database or a flat file. The custom user registry provides considerable flexibility in adapting product security to environments where some notion of a user registry, other than Lightweight Directory Access Protocol (LDAP) or Local Operating System (LocalOS), already exists.</p>
<p>WebSphere Application Server - Express security provides an implementation that uses various local operating system based registries (Windows, AIX, Solaris, Linux, i5/OS) and various Lightweight Directory Access Protocol (LDAP) based registries. However, there might be situations where your user and group data resides in other repositories (a database, for example) and moving this information to either the LocalOS or LDAP registry might not be feasible. For these situations, WebSphere Application Server - Express security provides a service provider interface (SPI) that you can implement to interact with your current registry. The SPI is the UserRegistry interface. This interface has a set of methods that you must implement so that product security can interact with your registries for all security-related tasks. The LocalOS and LDAP registry implementations that are provided also implement this interface. Custom user registries are sometimes called pluggable user registries, or custom registries for short.</p>
<p>The UserRegistry interface is a collection of methods required to authenticate individual users (using either passwords or certificates) and collect information about the user (privilege attributes) for authorization purposes. It also includes methods that obtain user and group information so that users and groups can be given access to resources. The UserRegistry interface operates on the basis of several pieces of information. When implementing the methods in the interface, you must decide how to map the information manipulated by the UserRegistry interface to the information in your registry. The methods in the UserRegistry interface operate on the following information for users and groups:</p>
<ul>
<li><p><strong>User Security Name</strong>
<br>This refers to the user name, which is similar to the user profile name in the i5/OS Local OS registry. This name is used to log in when prompted by a secured application. By default, the servlet methods getRemoteUser() and getUserPrincipal() return this name. The user security name is also referred to as userSecurityName, userName, or user name.</p></li>
<li><p><strong>Unique ID</strong>
<br>This ID represents a unique identifier for the user. The UserRegistry interface requires this identifier to be unique. The unique ID is similar to the User ID number in i5/OS systems, system ID (SID) in Windows systems, Unique ID (UID) in UNIX systems, and distinguished name (DN) in Lightweight Directory Access Protocol (LDAP). This is also referred to as uniqueUserId. The unique ID is used to make the authorization decisions for protected resources.</p></li>
<li><p><strong>Display name</strong>
<br>The display name is a registry-specific string that represents a descriptive (but not necessarily unique) name for a user. If the user does not have a display name, an empty string is returned. For i5/OS, the display name is the text description for the user profile.</p></li>
<li><p><strong>Group Security name</strong>
<br>This name, which represents the security group, is also referred to as groupSecurityName, groupName, and group name.</p></li>
<li><p><strong>Unique ID</strong>
<br>The unique ID is the identifier for a group. It is also referred to as uniqueGroupId.</p></li>
<li><p><strong>Display name</strong>
<br>The display name is an optional string that describes a group.</p></li>
</ul>
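<p>Added example, not part of the product documentation or the product's sample code: a standalone Java sketch of the mapping decision described above, for the user fields only. It does not implement the UserRegistry interface; the class name, method names and the colon-separated record format are assumptions made for illustration, and the records are constructed sample data.</p>

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Standalone sketch; class, method names and record format are hypothetical, not the product's API.
public class RegistryMappingSketch {
    // Constructed sample data: userSecurityName:uniqueUserId:displayName
    static final List<String> SAMPLE = List.of(
        "alice:1001:Alice Ng", "bob:1002:", "carol:1003:Carol Diaz");

    private final Map<String, String> uniqueIdByName = new HashMap<>();
    private final Map<String, String> nameByUniqueId = new HashMap<>();
    private final Map<String, String> displayByName = new HashMap<>();

    public RegistryMappingSketch(List<String> records) {
        for (String record : records) {
            String[] f = record.split(":", -1); // -1 keeps an empty trailing field
            if (f.length != 3 || f[0].isEmpty() || f[1].isEmpty()) {
                throw new IllegalArgumentException("Malformed record: " + record);
            }
            // Authorization is decided on the unique ID, so a shared ID would merge two users' access.
            if (uniqueIdByName.putIfAbsent(f[0], f[1]) != null
                    || nameByUniqueId.putIfAbsent(f[1], f[0]) != null) {
                throw new IllegalArgumentException("Duplicate name or unique ID: " + record);
            }
            displayByName.put(f[0], f[2]); // stays "" when no display name is stored
        }
    }

    private static String require(Map<String, String> map, String key) {
        String value = map.get(key);
        if (value == null) throw new IllegalArgumentException("No such entry: " + key);
        return value;
    }

    public String uniqueUserIdFor(String userSecurityName) { return require(uniqueIdByName, userSecurityName); }
    public String userSecurityNameFor(String uniqueUserId) { return require(nameByUniqueId, uniqueUserId); }
    public String displayNameFor(String userSecurityName) { return require(displayByName, userSecurityName); }

    public static void main(String[] args) {
        RegistryMappingSketch r = new RegistryMappingSketch(SAMPLE);
        System.out.println(r.uniqueUserIdFor("alice") + " maps to " + r.userSecurityNameFor("1001"));
        System.out.println("display name for bob: [" + r.displayNameFor("bob") + "]");
        try {
            new RegistryMappingSketch(List.of("dave:1001:Dave", "erin:1001:Erin"));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

<p>Rejecting duplicates at load time matters because the unique ID, not the login name, is what authorization decisions are keyed on; an ID that is reused or reassigned carries the previous holder's access with it.</p>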
<p>For a description of the methods in the UserRegistry interface that need implementing, see <a href="secdcurm.htm">UserRegistry interface methods</a>.</p>
<p>A simple file-based registry sample is provided. The sample is intended to familiarize you with the custom user registry feature, and should not be used in an actual production environment.</p>
<ul>
<li><a href="secdcurj.htm">Example: UserRegistry.java file</a></li>
<li><a href="secdcurf.htm">Example: FileRegistrySample.java file</a></li>
<li><a href="secdcurg.htm">Example: Groups.props file</a></li>
<li><a href="secdcuru.htm">Example: Users.props file</a></li>
<li><a href="secdcurr.htm">Example: Results.java file</a></li>
</ul>
<p>See the <a href="codex.htm">Code example disclaimer</a> for legal information about this code example.</p>
</body>
</html>