Express (Distributed operating systems), v8.0 > Secure applications and their environment > Authenticate users > Select a registry or repository > Manage realms in a federated repository > Virtual member manager > Develop with virtual member manager > Integrate virtual member manager into the application > Sample code


Sample code for using federated repository management rights

The end-to-end steps, commands, and sample code snippets required for enabling users who are not WAS administrators to access the virtual member manager APIs in a multiple security domain environment are provided here.

Federated repository management rights allow users who are not WAS administrators to manage users and groups, and to access other virtual member manager APIs, in admin and application domains. Read about the predefined roles and their permissions in the topic, Provide security, in the virtual member manager documentation. We can use the following wsadmin commands to implement this feature: mapIdMgrUserToRole, mapIdMgrGroupToRole, removeIdMgrUsersFromRole, removeIdMgrGroupsFromRole, and listIdMgrUsersForRoles. For more information, read about using these commands in the topic, IdMgrConfig command group, in the WAS information center.

The following steps are covered in this sample scenario:

  1. Install the wimperdomain application on the server that is scoped to the security domain. In a multiple security domain environment, deploy the virtual member manager EJB on each target server whose server scope is associated with that security domain, to get a reference to the virtual member manager instance in that domain. This procedure enables you to call virtual member manager APIs through EJB for a specific domain. Only users with the required access roles for virtual member manager APIs, or superusers in that domain, can call the respective APIs.

  2. Create a user in the user registry that corresponds to the security domain. We must be logged in as a WAS administrator.
  3. Assign the user to a virtual member manager role. Valid predefined virtual member manager roles are IdMgrAdmin, IdMgrWriter, and IdMgrReader.
  4. Access the virtual member manager instance that corresponds to the security domain with EJB lookup. In a network deployment environment, the EJB on the managed server node must be first looked up with the absolute path of the context (for example, cell/nodes/myNode/servers/server1/ejbna where ejbna is the JNDI name of the virtual member manager EJB on the managed server, server1).
  5. Perform an operation on the virtual member manager instance that corresponds to the security domain as the user who is assigned a virtual member manager role.


Prerequisites

Ensure that we have read the information and completed the steps described in the topic, Program prerequisites.

We must complete the following configuration steps before using the sample code. Start wsadmin.sh and execute the following commands. Replace the variables with the actual values to use.

  1. Install the wimperdomain application on the server that is scoped to the security domain. The wimperdomain.ear application is available under the WAS_HOME/installableApps/ directory. Deploy the wimperdomain.ear application on the specific target server for the domain. We must specify a unique JNDI URL for the EJB. The command is shown in Jacl, like the commands in the following steps.
    $AdminApp install WAS_HOME/installableApps/wimperdomain.ear {-appname wimperdomain
        -BindJndiForEJBNonMessageBinding {{wim.ejb WIMService wimejb.jar,META-INF/ejb-jar.xml
            ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome}}
        -MapModulesToServers {{wim.ejb wimejb.jar,META-INF/ejb-jar.xml
            WebSphere:cell=myCell,node=myNode,server=server1}}}
    

  2. Create a user vmmadmin in the user registry that corresponds to the security domain domain1. We must be logged in as a WAS administrator.
    $AdminTask createUser {-uid vmmadmin -password tempPass -confirmPassword tempPass
        -cn admincn -sn adminsn -securityDomainName domain1}
    
  3. Assign the virtual member manager role IdMgrAdmin to the user vmmadmin in the user registry that corresponds to the security domain domain1.
    $AdminTask mapIdMgrUserToRole {-userId vmmadmin -roleName IdMgrAdmin -securityDomainName domain1}
    


Sample code

Add the following end-to-end sample code to the application code as described in the following steps. Replace the variables with the actual values to use.

  1. Access the virtual member manager instance that corresponds to the security domain domain1 with EJB lookup. The EJB JNDI is the same as the one used previously in step 1 of the Prerequisites section.

  2. Create a user in domain1 as the user vmmadmin who is assigned a virtual member manager role in step 3 of the Prerequisites section.
    import commonj.sdo.DataObject;
    import java.security.PrivilegedExceptionAction;
    
    // BaseApp is the sample's helper superclass: it supplies the static 'service' field,
    // locateService(), runAsUser(), printDO(), and the DO_*, WIM_NS_URI and PROP_PASSWORD constants.
    public class SimpleTest extends BaseApp
    {
        public static void createAsAdmin()
        {
            try {
                // vmmadmin holds the IdMgrAdmin role in domain1 (step 3 of the Prerequisites section).
                createUser("vmmadmin", "tempPass");
            }
            catch (Exception e) {
                e.printStackTrace();
            }
        }
    
        // Runs the create operation as 'user', so that virtual member manager authorizes the
        // call against the role mapped to that user rather than against the server identity.
        public static void createUser(String user, String password) throws Exception
        {
            runAsUser(user, password, new PrivilegedExceptionAction<Object>()
            {
                public Object run() throws Exception
                {
                    // Note the service instance used is that of the security domain obtained in step 1.
                    DataObject root = service.createRootDataObject();
                    // The PersonAccount entity to create in domain1.
                    DataObject person = root.createDataObject(DO_ENTITIES, WIM_NS_URI, DO_PERSON_ACCOUNT);
                    person.set("uid", "authzzuser");
                    person.set("cn", "authzzuser");
                    person.set("sn", "authzzuser");
                    person.set(PROP_PASSWORD, com.ibm.websphere.wim.util.PasswordUtil
                            .getByteArrayPassword("authzzuser"));
                    // Print the input datagraph
                    System.out.println("Input datagraph before creating user" + printDO(root));
                    DataObject retObject = service.create(root);
                    // Print the output datagraph
                    System.out.println("Output datagraph after creating user" + printDO(retObject));
                    return retObject;
                }
            });
        }
    
        public static void main(String[] args)
        {
            // Note that the EJB JNDI name is the same as the one used in step 1.
            service = locateService("ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome");
            createAsAdmin();
        }
    }
    
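The SimpleTest sample calls two helpers from its BaseApp superclass, locateService and runAsUser, that the page does not show. The following is an added example, not the page's or the product's own code, of how those two helpers can be written with the WebSphere JAAS login and EJB lookup APIs so that the absolute network deployment lookup path from step 4 is used and the virtual member manager call runs under the mapped user's identity. The class name DomainServiceHelper, the three-argument locateService signature (the page's BaseApp takes only the JNDI name) and the WIMServiceRemote interface name are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import javax.naming.InitialContext;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import com.ibm.websphere.security.auth.WSSubject;
import com.ibm.websphere.security.auth.callback.WSCallbackHandlerImpl;
import com.ibm.websphere.wim.ejb.WIMServiceHome;
import com.ibm.websphere.wim.ejb.WIMServiceRemote;

// Hypothetical stand-in for the two BaseApp helpers that SimpleTest calls but the page does not show.
public class DomainServiceHelper
{
    // Looks up the virtual member manager EJB deployed on one managed server. In a network
    // deployment cell the JNDI name is qualified with the server's absolute context path
    // (cell/nodes/<node>/servers/<server>/<jndiName>), so the lookup resolves to the EJB bound
    // to that server, and therefore to that server's security domain, and not to another domain's.
    public static WIMServiceRemote locateService(String node, String server, String jndiName)
            throws Exception
    {
        String absoluteName = "cell/nodes/" + node + "/servers/" + server + "/" + jndiName;
        Object ref = new InitialContext().lookup(absoluteName);
        WIMServiceHome home = (WIMServiceHome) PortableRemoteObject.narrow(ref, WIMServiceHome.class);
        return home.create();
    }

    // Authenticates 'user' with the WSLogin JAAS alias against the registry of the target
    // security domain and runs 'action' under the resulting Subject. Virtual member manager
    // then authorizes the call against the role mapped to that user (IdMgrAdmin, IdMgrWriter
    // or IdMgrReader); a user with no mapped role, or a role without the needed permission,
    // cannot perform the operation regardless of the identity of the calling application.
    public static Object runAsUser(String user, String password, PrivilegedExceptionAction<?> action)
            throws Exception
    {
        LoginContext lc = new LoginContext("WSLogin", new WSCallbackHandlerImpl(user, password));
        lc.login();
        Subject subject = lc.getSubject();
        try {
            return WSSubject.doAs(subject, action);
        }
        finally {
            // Drop the authenticated Subject as soon as the operation completes.
            lc.logout();
        }
    }
}
```

With these helpers, the sample's main would call locateService("myNode", "server1", "ejbd2/com/ibm/websphere/wim/ejb/WIMServiceHome") to reach the domain1 instance installed in step 1 of the Prerequisites section.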
