Customizing user registries or repositories for Liberty

User registries and repositories perform security-related functions, including authentication and authorization. You can define either a custom user registry or a custom user repository by implementing the Liberty service programming interfaces (SPIs).

About this task

A user registry contains information about users and groups that is used to authenticate and authorize a user. With user registries, you can perform read operations, such as read, search, and login, but you cannot perform write operations to modify the users or groups. Because custom user registries are simpler to configure, they are recommended for most situations.

User repositories provide similar capabilities to user registries, but they can also modify users and groups and define attributes for them. Custom user repositories are more complex to implement, and their additional capabilities are not required for most situations. Implement a custom user repository only if you require the write operations or customized attributes that the repository provides.

In Liberty, you can implement the following service programming interfaces (SPIs) to develop either a custom user registry or a custom user repository.

User registry interface: com.ibm.websphere.security.UserRegistry

Use the UserRegistry interface to implement user registries, including a stand-alone basic registry, a stand-alone SAF user registry, a quickStartSecurity registry, and a custom registry. Implementing the interface is helpful in situations where user and group information exists in a format, such as a database, that cannot move to local operating system or LDAP registries. In these cases, you can implement the UserRegistry interface so that the Liberty server can use the existing registry for all security-related operations.

To create the registry, implement the UserRegistry interface in your code so that it does not depend on Liberty server resource management to operate. For example, you cannot use the Liberty server data source configuration, so you must invoke database connections and define their behavior in your code.

The UserRegistry interface provides read operations, such as read, search, and login, but it does not provide write operations. For write operations, you must implement the CustomRepository interface.
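The following added example (not taken from the Liberty documentation or product code) sketches the login path of a database-backed custom registry that manages its own JDBC connection, as described above. The table APP_USERS and its columns, the property names jdbcUrl, dbUser and dbPassword, and the PBKDF2 storage format are assumptions; the remaining UserRegistry methods are left to a concrete subclass.

```java
import com.ibm.websphere.security.CustomRegistryException;
import com.ibm.websphere.security.PasswordCheckFailedException;
import com.ibm.websphere.security.UserRegistry;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.sql.*;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
// Added example. Assumed: table APP_USERS(NAME, SALT, ITERATIONS, PW_HASH)
// and the property names jdbcUrl, dbUser, dbPassword.
public abstract class JdbcUserRegistry implements UserRegistry {
    private static final String SQL =
            "SELECT SALT, ITERATIONS, PW_HASH FROM APP_USERS WHERE NAME = ?";
    private String url, dbUser, dbPassword;

    @Override
    public void initialize(Properties props) throws CustomRegistryException {
        url = props.getProperty("jdbcUrl");
        dbUser = props.getProperty("dbUser");
        dbPassword = props.getProperty("dbPassword");
        if (url == null) throw new CustomRegistryException("jdbcUrl is not set");
    }

    @Override
    public String checkPassword(String userSecurityName, String password)
            throws PasswordCheckFailedException, CustomRegistryException {
        if (userSecurityName == null || password == null || password.isEmpty())
            throw new PasswordCheckFailedException("authentication failed");
        // The registry opens and closes its own connection; no server data source.
        try (Connection c = DriverManager.getConnection(url, dbUser, dbPassword);
             PreparedStatement ps = c.prepareStatement(SQL)) {
            ps.setString(1, userSecurityName); // bound parameter, never concatenated
            try (ResultSet rs = ps.executeQuery()) {
                if (rs.next()) {
                    PBEKeySpec spec = new PBEKeySpec(password.toCharArray(),
                            rs.getBytes("SALT"), rs.getInt("ITERATIONS"), 256);
                    byte[] derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                            .generateSecret(spec).getEncoded();
                    // Constant-time comparison of the derived and stored hashes.
                    if (MessageDigest.isEqual(derived, rs.getBytes("PW_HASH")))
                        return userSecurityName;
                }
            }
        } catch (SQLException | GeneralSecurityException | RuntimeException e) {
            throw new CustomRegistryException("registry lookup failed", e);
        }
        throw new PasswordCheckFailedException("authentication failed");
    }
}
```

An unknown user and a wrong password both end in the same PasswordCheckFailedException, while database or malformed-row errors surface as CustomRegistryException so that an outage is not reported as a failed login.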

Custom user repository interface: com.ibm.wsspi.security.wim.CustomRepository

The CustomRepository interface provides similar read operations to the UserRegistry interface, but it also provides write operations, such as create, delete, and update. The interface also provides the ability to add customized attributes to both users and groups. Customized attributes are any attributes that are not already defined in the current schema.

Procedure