User registries for application security
A user registry is a data source that contains account information, such as usernames and passwords. An application server can retrieve this information to authenticate and authorize users.
Microservice-based applications in production often run on an application server that delegates identity management to a single sign-on provider, such as Google or Facebook. However, some enterprises maintain their own internal user registries, such as a Lightweight Directory Access Protocol (LDAP) registry. In test environments, a developer might want to set up a basic, file-based user registry within the application server to simplify security operations during the development process. In cases where these common options don’t suit the needs of your security configuration, you can configure a custom user registry. In Open Liberty, any of these kinds of user registries can be combined into a single federated user registry.
A basic user registry is a local file-based data source that developers can configure to test application resource permissions. Open Liberty provides an easy-to-use basic user registry for development environments.
You can configure a basic user registry directly in the
server.xml file. Although this registry is not intended for production environments, it can help simplify authentication and authorization scenarios during development and testing. For example, you can configure a basic user registry for your application that contains two users, their passwords, and one group for the administrator role. If you designate one of your two users as an administrator, you can test access to your application resources for that role without having to connect to an external user registry.
The Application Security feature provides the core capabilities that support the basic user registry configuration. To set up a basic user registry, enable the Application Security feature and configure the
basicRegistry element in your
server.xml file. For more information, see the Application Security feature.
The simplest way to configure a user registry for testing purposes is to enable QuickStart security. This option automatically configures a registry with only one user who is granted the administrator role. To use this option, configure both the Application Security feature and the
quickStartSecurity element in your
server.xml file. The registry that is configured by this option is not intended for production environments. However, it is useful in test scenarios, particularly for testing secured JMX connections that require administrator access. For more information, see the Application Security feature.
To keep your basic user registry secure, do not store user passwords in plain text. You can hash or encrypt the passwords in your basic user registry by using the securityUtility encode command.
LDAP is an open protocol that supports authentication and authorization services. LDAP specifies the language that application servers use to communicate with LDAP user registries, which store security information such as usernames, passwords, and groups. Although a basic user registry might be sufficient during development and testing of an application, an LDAP user registry provides the extra security that is required for applications in production.
LDAP user registries are often used to manage authentication within a specific domain, such as a corporate intranet or email system. If your application regulates access to resources that are specific to a particular organization or enterprise, you can configure it to connect with an existing LDAP registry.
To configure Open Liberty to manage authentication with an LDAP user registry, you must add the Application Security feature and LDAP User Registry features to your
If your application communicates with a TLS-enabled LDAP server, you must also add the Transport Security feature.
For more information, see the LDAP User Registry feature.
You can enable users to authenticate to an LDAP user registry with their social media credentials by configuring the Open Liberty Social Media Login feature. Depending how you configure the feature, users can either supply their social media credentials to authenticate or choose between their LDAP login and their social media credentials. For more information, see the Social Media Login feature.
If your application references a user registry other than a basic, LDAP, or federated user registry, you can define a custom user registry or a custom user repository in your
With custom user registries, you can perform read operations, such as
login, but you cannot perform write operations to modify the users or groups. Because custom user registries are simpler to configure, they are recommended for most situations. You can configure a stand-alone custom user registry by implementing the UserRegistry interface. The UserRegistry interface is an API that enables support for virtually any type of account repository. You can also configure the BELLS feature to load a custom user registry from a custom user registry JAR file that is stored in a shared library on your server.
Custom user repositories provide similar capabilities to custom user registries, but they can also define attributes of or modify users and groups. Custom user repositories are more complex to implement, and their additional capabilities are not required for most situations. Implement a custom user repository only if you require the write operations or customized attributes that the repository provides. The CustomRepository interface provides similar read operations to the
UserRegistry interface, but it also provides write operations, such as
update. The interface can also add customized attributes to both users and groups. Customized attributes are any attributes that are not already defined in the current server schema.
In cases where user and group information is spread across multiple registries, Open Liberty can federate distributed user information in a unified registry, with a continuous store of information. You can federate different types of registries to combine information from LDAP, basic, and custom user registries and repositories into a common registry.
If multiple basic, LDAP, or custom user registries are configured in your
server.xml file or a
userRegistry.xml file, they are federated by default when you enable the Federated User Registry feature. LDAP user registries are federated regardless of whether the LDAP registries are separate data stores or two subtrees of the same LDAP registry. However, user registries that are configured with the QuickStart security option cannot be federated with other user registries. For more information, see the Federated User Registry feature.
You can control the contents of federated registries by configuring the
federatedRepository element. This configuration can be useful if you want to exclude certain registries from a federated group by selectively including only the registries you want to federate.
For more information, see User Registry Federation.