Configuring RunAs authentication in Liberty

You can delegate authentication to another identity by configuring the RunAs specification for Liberty.

About this task

By mapping a specified user identity and optional password to a RunAs role, you can delegate the authentication process to a user that has the RunAs role.

You must enable the appSecurity-2.0 and servlet-3.0 Liberty features and have a user registry for your application to configure the RunAs role.

To configure RunAs authentication, complete the following steps:

Procedure

Enable the appSecurity-2.0 and servlet-3.0 Liberty features in the server.xml file.
Configure a user registry for your application.

Specify the <run-as> element in the deployment descriptor of your application.

The following example of web.xml file specifies subsequent calls be delegated to the user that is mapped to the role of Employee:

     <servlet id="Servlet_1">
          <servlet-name>RunAsServlet</servlet-name>
          <display-name>RunAsServlet</display-name>
          <description>RunAsServlet</description>
          <servlet-class>web.RunAsServlet</servlet-class> 
          <run-as>
               <role-name>Employee</role-name> 
          </run-as>
      </servlet>

Map the role that you specified in the previous step to a user. You can do this either in the ibm-application-bnd.xmi/xml or in the server.xml file. In the <run-as> element, you must specify a user name. If you are using the ibm-application-bnd.xml file, the password is also required; if you are using the server.xml file, the password is optional. If the password is required, encode the password using the securityUtility encode command in the /bin directory. For more information about the securityUtility command, see securityUtility command.
The following example uses the <run-as> element within the <application-bnd> element of the server.xml file, where the Employee role has been mapped to the RunAs user of user5:
```
     <application-bnd>
          <security-role name="Employee">
               <user name="user1" />
               <user name="user5" />
               <run-as userid="user5" password="{xor}Lz4sLCgwLTs=" />
          </security-role>
     </application-bnd>   
```
Note:
- Because the password is optional in the server.xml file, you can also use the following code for a user without a password:
```
    <application-bnd>
          <security-role name="Employee">
               <user name="user1" />
               <user name="user5" />
               <run-as userid="user5" />
           </security-role>
     </application-bnd>   
```
- If you specify the <application-bnd> element in the server.xml file, your application must not be in the dropins folder. If you leave your application in the dropins folder, then you must disable application monitoring by setting the following in your server.xml file:
```
<applicationMonitor dropinsEnabled="false" />
```
The RunAs user name needs to be unique, and does not exist in external accounts. For example, if you authenticate a user to a SAML identity provider or OpenID Connect provider, make sure the RunAs user name is not in those external accounts.

For more information about the run-as element, see Java Servlets 3.0.