Custom user registries

A custom user registry is a customer-implemented user registry that implements the UserRegistry Java interface provided by the product. A custom-implemented user registry can support virtually any type of account repository, such as a relational database or a flat file, and so gives considerable flexibility in adapting product security to environments where some form of user registry other than Lightweight Directory Access Protocol (LDAP) or the local operating system (LocalOS) already exists.

WAS security provides implementations that use the local operating system registries (Windows, AIX, Solaris, Linux) and various LDAP-based registries. Situations exist, however, where your user and group data resides in another repository (a database, for example) and moving that data to a LocalOS or LDAP registry is not feasible. For these situations WAS security provides a service provider interface (SPI), the UserRegistry interface, that you implement to interact with your existing registry. The interface defines the set of methods that product security calls for all security-related tasks; the LocalOS and LDAP registry implementations shipped with the product implement the same interface. Custom user registries are sometimes called pluggable user registries, or custom registries for short. Product security calls the registry concurrently from many request threads, so your custom user registry implementation must be thread-safe.

The UserRegistry interface is a collection of methods that authenticate individual users by password or by certificate and collect information about the user (privilege attributes) for authorization. It also includes methods that retrieve user and group information so that users and groups can be granted access to resources. When you implement the methods, decide how to map the information that the UserRegistry interface manipulates onto the information in your registry.

Verify that your custom registry implementation does not depend on other WAS components such as data sources or enterprise beans. Security is initialized and enabled before most other WAS components during startup, so those components are not yet available when the registry is first called. If a previous implementation used such components, change it to remove the dependency. For example, if the previous implementation obtained database connections from a data source, use Java Database Connectivity (JDBC) directly to connect to the database instead.

The methods in the UserRegistry interface operate on the following information for users and groups.

For users:

User security name: The user name, similar to the user name in the Windows and UNIX local operating system registries. This is the name used to log in when a secured application prompts for credentials. By default, the Enterprise JavaBeans (EJB) method getCallerPrincipal and the servlet methods getRemoteUser and getUserPrincipal return this name. The user security name is also referred to as userSecurityName, userName or user name.

Unique ID: A unique identifier for the user. The UserRegistry interface requires this identifier to be unique. It is similar to the security identifier (SID) in Windows systems, the user ID (UID) in UNIX systems and the distinguished name (DN) in LDAP. It is also referred to as uniqueUserId. Authorization decisions for protected resources are made on the unique ID, not on the user security name.

Display name: An optional string that describes a user, similar to the FullName attribute in Windows operating systems. The implementation can use display names for informational purposes only; they are not required to exist or to be unique. The user interface can use the display name to present more information about the user.

For groups:

Group security name: The name that represents the security group, also referred to as groupSecurityName, groupName and group name.

Unique ID: The unique identifier for the group, also referred to as uniqueGroupId.

Display name: An optional string that describes a group.
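The following class is an added illustration of the mapping above; it is not the product's FileRegistrySample and not code from this page. It depends on nothing but the JDK, in line with the rule that the registry must not use data sources or EJBs, and it keeps a user security name, unique ID and display name for each account together with group membership. The method names (initialize, checkPassword, isValidUser, getUniqueUserId, getUserSecurityName, getUserDisplayName, getGroupsForUser) follow the SPI as the text describes it, but the exact signatures, return types and exception classes must be taken from the UserRegistry.java shipped with your WAS version; the nested exception classes, the sample users and the salted SHA-256 password storage are all assumptions made for the example. The unmodifiable maps populated once in initialize make the read-only methods safe to call from many threads without locking.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.*;

/**
 * Added illustration of a custom registry's core; it is not the product's
 * FileRegistrySample. JDK-only, because security initializes before data
 * sources or EJBs exist. Method names follow the SPI as the page describes it;
 * take exact signatures and exception classes from your UserRegistry.java (the
 * nested exceptions below stand in for the com.ibm.websphere.security ones).
 */
public final class RegistryCoreExample {
    static final class PasswordCheckFailedException extends Exception {}
    static final class EntryNotFoundException extends Exception {}

    /** One account; uniqueId, not securityName, is what authorization keys on. */
    record User(String securityName, String uniqueId, String displayName,
                byte[] salt, byte[] hash) {}

    private static final SecureRandom RNG = new SecureRandom();
    private static final byte[] DUMMY_SALT = new byte[16], DUMMY_HASH = new byte[32];

    // Built once in initialize(); afterwards only read through unmodifiable
    // views, so concurrent calls from request threads need no locking.
    private volatile Map<String, User> byName = Map.of();
    private volatile Map<String, User> byUniqueId = Map.of();
    private volatile Map<String, List<String>> groupsOfUser = Map.of();

    /** Salted SHA-256 for brevity; a real store should use PBKDF2, bcrypt or scrypt. */
    static byte[] hash(byte[] salt, String password) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            return md.digest(password.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    /** What a provisioning tool does when it writes a record into the registry. */
    static User newUser(String name, String uniqueId, String display, String password) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new User(name, uniqueId, display, salt, hash(salt, password));
    }

    /** Plays the role of initialize(Properties): load everything up front. */
    void initialize(Collection<User> users, Map<String, List<String>> groups) {
        Map<String, User> n = new HashMap<>(), u = new HashMap<>();
        for (User x : users) {
            // The SPI requires unique IDs to be unique; reject a registry that is not.
            if (u.putIfAbsent(x.uniqueId(), x) != null)
                throw new IllegalArgumentException("duplicate uniqueId " + x.uniqueId());
            n.put(x.securityName(), x);
        }
        Map<String, List<String>> g = new HashMap<>();
        groups.forEach((k, v) -> g.put(k, List.copyOf(v)));
        byName = Collections.unmodifiableMap(n);
        byUniqueId = Collections.unmodifiableMap(u);
        groupsOfUser = Collections.unmodifiableMap(g);
    }

    /** Returns the security name on success; unknown name and bad password fail alike. */
    String checkPassword(String userSecurityName, String password)
            throws PasswordCheckFailedException {
        User u = byName.get(userSecurityName);
        // Hash even for unknown names so timing does not reveal which names exist;
        // MessageDigest.isEqual is constant-time for equal-length inputs.
        byte[] salt = u == null ? DUMMY_SALT : u.salt();
        byte[] expected = u == null ? DUMMY_HASH : u.hash();
        boolean ok = MessageDigest.isEqual(expected, hash(salt, password == null ? "" : password));
        if (u == null || !ok) throw new PasswordCheckFailedException();
        return u.securityName();
    }

    private static User lookup(Map<String, User> m, String key) throws EntryNotFoundException {
        User u = m.get(key);
        if (u == null) throw new EntryNotFoundException();
        return u;
    }
    boolean isValidUser(String name) { return byName.containsKey(name); }
    String getUniqueUserId(String name) throws EntryNotFoundException { return lookup(byName, name).uniqueId(); }
    String getUserSecurityName(String id) throws EntryNotFoundException { return lookup(byUniqueId, id).securityName(); }
    String getUserDisplayName(String name) throws EntryNotFoundException { return lookup(byName, name).displayName(); }
    List<String> getGroupsForUser(String name) throws EntryNotFoundException {
        lookup(byName, name);
        return groupsOfUser.getOrDefault(name, List.of());
    }

    public static void main(String[] args) throws Exception {
        RegistryCoreExample reg = new RegistryCoreExample();
        // Constructed sample data; the two users share a display name on purpose.
        reg.initialize(List.of(newUser("bob", "uid=1001", "Bob Smith", "s3cret"),
                               newUser("bsmith", "uid=1002", "Bob Smith", "other")),
                       Map.of("bob", List.of("admins", "staff"), "bsmith", List.of("staff")));
        System.out.println("checkPassword: " + reg.checkPassword("bob", "s3cret"));
        System.out.println("uniqueUserId: " + reg.getUniqueUserId("bob"));
        System.out.println("groups: " + reg.getGroupsForUser("bob"));
        try { reg.checkPassword("bob", "wrong"); }
        catch (PasswordCheckFailedException e) { System.out.println("bad password rejected"); }
    }
}
```

A database-backed registry keeps the same shape: initialize opens its connections with DriverManager rather than a data source, and the lookup methods run queries instead of map reads. Note that the two sample users share a display name but not a unique ID, which is exactly why authorization must key on the unique ID.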

The article on UserRegistry interface methods describes each method in the UserRegistry interface that you must implement, explains how each method is used in the sample, and notes any changes from the Version 4 interface. The Related references section links to all other custom user registry documentation, including a file-based registry sample. The sample is deliberately simple and is intended only to familiarize you with this feature; do not use it in a production environment.


See Also

Simple WebSphere authentication mechanism
Lightweight Third Party Authentication
LDAP
Local operating system user registries
UserRegistry interface methods
UserRegistry.java files
FileRegistrySample.java file for WAS V5 and V5.1
FileRegistrySample.java file for WAS v5.0.2
Custom user registry settings