java security websphere runas

WebSphere run as user for servlet


I'm pretty new to WebSphere security. In my application I have an EJB which has security settings for a run-as user. When I ping the EJB, it executes methods as the user specified in the runas configs. Is it possible to do the same for servlets? I mean, when a user sends a request from the UI, can WebSphere execute doPost/doGet as the user from the runas configs?


Solution

  • If you are using Servlet 3.1 (Java EE 7) then you can use the @RunAs annotation on a servlet class.

    For example, this set of Servlet annotations will allow Manager and Employee roles to access the servlet and run as the Employee role:

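    import javax.annotation.security.RunAs;
    import javax.servlet.annotation.HttpMethodConstraint;
    import javax.servlet.annotation.ServletSecurity;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;

    // Outbound calls made by this servlet (for example to EJBs) use the Employee run-as identity.
    @RunAs("Employee")
    @WebServlet("/myServlet")
    @ServletSecurity(
      httpMethodConstraints = {
        // One constraint per HTTP method: duplicate method names are rejected,
        // so both allowed roles are listed in a single GET constraint.
        @HttpMethodConstraint(value = "GET", rolesAllowed = {"Manager", "Employee"})
      }
    )
    public class MyServlet extends HttpServlet {
      // ...
    }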
    

    For full Liberty doc on RunAs configuration, see here: Configuring RunAs authentication in Liberty
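
The following is an added example, not part of the original answer. It shows where the run-as identity takes effect: inside the servlet the request still carries the authenticated caller, while the EJB the servlet calls sees the run-as user. `ReportBean`, `ReportServlet` and `/report` are hypothetical names, and the sketch assumes the Employee role is bound to a run-as user in the server configuration as described in the Liberty documentation linked above.

```java
// ---- ReportBean.java (hypothetical EJB, only callable by the Employee role) ----
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class ReportBean {
  @Resource
  private SessionContext ctx;

  @RolesAllowed("Employee")
  public String whoAmI() {
    // When invoked from ReportServlet, this is the run-as user bound to Employee,
    // not the user who sent the HTTP request.
    return ctx.getCallerPrincipal().getName();
  }
}

// ---- ReportServlet.java (hypothetical servlet using @RunAs) ----
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@RunAs("Employee")
@WebServlet("/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = {"Manager", "Employee"}))
public class ReportServlet extends HttpServlet {
  @EJB
  private ReportBean bean;

  @Override
  protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
    resp.setContentType("text/plain");
    PrintWriter out = resp.getWriter();
    // The web container authenticated the caller; @RunAs does not replace it here.
    out.println("servlet caller: " + req.getUserPrincipal().getName());
    // A Manager-only caller still passes the EJB's @RolesAllowed("Employee") check,
    // because the call is made under the run-as identity.
    out.println("ejb caller: " + bean.whoAmI());
  }
}
```

Because every caller admitted by the servlet constraint reaches the EJB as the run-as user, the servlet's own `rolesAllowed` list is the effective access control for that downstream call.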