Securing an application endpoint

You can secure your feature's application endpoint by completing the following steps:

1. In the .mf file of your feature, add the com.ibm.wsspi.appserver.webBundleSecurity-1.0 feature to the Subsystem-Content: header.
   This addition causes any protected servlets (as specified in your feature bundle's WEB-INF/web.xml file) to be authenticated, and enables role base authorization. You can also assign users, groups, and special subjects to any roles that are defined in the WEB-INF/web.xml file.

   Subsystem-Content: 
    my.user.feature.bundle; version="[1,1.0.100)",
    com.ibm.wsspi.appserver.webBundleSecurity-1.0; type="osgi.subsystem.feature"

2. To map roles to users, groups, and special subjects, do the following steps:
   1. Add the IBM®-Authorization-Roles header to your OSGi bundle's MANIFEST.MF file.
      The header must specify a name that is the ID of a role mapping you specify in the server.xml file.

      IBM-Authorization-Roles: my.feature.role.map

   2. In the server.xml file, add an authorization-roles element to map the role names to users and groups.
      The id attribute of the authorization-roles element must have the same value as the IBM-Authorization-Roles header in the MANIFEST.MF file. Add a <security-role> subelement for each role that you want to assign user and groups to.

      <authorization-roles id="my.feature.role.map">
        <security-role name="employee">
          <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
        <security-role name="manager">
          <user name="bob"/>
          <user name="mary"/>
          <group name="managers"/>
        </security-role>
      </authorization-roles>

      Note: You can also enable security by configuring the appSecurity-1.0 or appSecurity-2.0 features in the server configuration. If you enable the features after the web application bundles (WABs) start, restart the WABs.