planetjones

Reputation: 12633

WebSphere Liberty Profile - how to add security constraints when deploying the Spring Boot uber JAR

I was very happy to see WebSphere Liberty Profile have support for deploying Spring Boot support JARs directly in version 18.0.0.2.

In my server.xml I have:

<application id="x" name="x"
             type="spring"
             location="${server.config.dir}/apps/spring-boot-uber.jar">
    <application-bnd>
        <security-role name="Authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
        <security-role name="SUPER_USERS">
            <group name="My_Admins"/>
        </security-role>
    </application-bnd>
</application>

Note the security role bindings.

In web.xml (WAR) or ibm-ws-bnd.xml (EAR) I think I would need to do:

<?xml version="1.0" encoding="UTF-8"?>
<webservices-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ws-bnd_1_0.xsd"
                 version="1.0">
    <http-publishing>
        <webservice-security>

            <security-constraint>
                <web-resource-collection>
                    <web-resource-name>all</web-resource-name>
                    <url-pattern>/*</url-pattern>
                    <http-method>GET</http-method>
                    <http-method>PUT</http-method>
                    <http-method>HEAD</http-method>
                    <http-method>TRACE</http-method>
                    <http-method>POST</http-method>
                    <http-method>DELETE</http-method>
                    <http-method>OPTIONS</http-method>
                </web-resource-collection>
                <auth-constraint>
                    <role-name>Authenticated</role-name>
                </auth-constraint>
            </security-constraint>

            <security-role>
                <description>All authenticated users</description>
                <role-name>Authenticated</role-name>
            </security-role>
            <security-role>
                <description>Super users</description>
                <role-name>SUPER_USERS</role-name>
            </security-role>

        </webservice-security>
    </http-publishing>
</webservices-bnd>

in order for the authentication info to be set in HTTP requests (user principal).

How can I get this working with Spring Boot applications, where I have neither an EAR nor a WAR (so I have no web.xml file)?

I have tried adding ibm-ws-bnd.xml to the META-INF folder of the Spring Boot uber JAR but nothing seems to happen.

UPDATE:

I am not even sure WLP supports application-bnd when deploying the Spring Boot uber JAR, but then I don't know how to bind the roles to it at all.

Upvotes: 0

Views: 942

Answers (1)

Anjum Fatima

Reputation: 101

You might want to consider using Spring Security (https://spring.io/guides/gs/securing-web/) to provide the user details and security roles in the Spring Boot application. As of now, Liberty doesn't support a Spring Boot application JAR with authorization roles defined in application-bnd.

Or you can convert the JAR file into a WAR, place your web.xml file in the src/main/webapp/WEB-INF folder, and provide the application type as "war" in server.xml.

Upvotes: 1
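
The WAR route from the answer, as an added example that is not part of the original posts: the security constraint from the question moves into web.xml, and the server.xml entry keeps the question's role bindings with the type changed to "war". The BASIC login method, the WAR file name, and leaving out the http-method list so the constraint covers every method are assumptions of this example; a user registry and the appSecurity feature are assumed to be configured already.

```xml
<!-- src/main/webapp/WEB-INF/web.xml (constructed example) -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>all</web-resource-name>
            <url-pattern>/*</url-pattern>
            <!-- No <http-method> elements: the constraint then applies to every
                 method, including ones an explicit list leaves out (e.g. PATCH). -->
        </web-resource-collection>
        <auth-constraint>
            <role-name>Authenticated</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- Assumption: BASIC authentication; use the method your registry or SSO setup requires. -->
    <login-config>
        <auth-method>BASIC</auth-method>
    </login-config>

    <security-role>
        <description>All authenticated users</description>
        <role-name>Authenticated</role-name>
    </security-role>
    <security-role>
        <description>Super users</description>
        <role-name>SUPER_USERS</role-name>
    </security-role>
</web-app>

<!-- server.xml fragment: same role bindings as in the question, type changed to "war".
     The WAR file name is a placeholder. -->
<application id="x" name="x"
             type="war"
             location="${server.config.dir}/apps/spring-boot-app.war">
    <application-bnd>
        <security-role name="Authenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
        <security-role name="SUPER_USERS">
            <group name="My_Admins"/>
        </security-role>
    </application-bnd>
</application>
```

The role names in web.xml must match the security-role names bound in application-bnd, otherwise the auth-constraint refers to a role no user or group is mapped to.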
