Federated User Registry
1.0

This feature enables support for federation of multiple user registries.

Enabling this feature

To enable the Federated User Registry 1.0 feature, add the following element declaration into your server.xml file, inside the featureManager element:

<feature>federatedRegistry-1.0</feature>

Examples

Default federation of user registries

If two or more user registries are configured in your server.xml file or in a userRegistry.xml file, you can combine them into a single federated user registry. When you enable the Federated User Registry feature, any user registries that are defined in your server.xml file or in a userRegistry.xml file are federated by default. This default federation applies to basic, LDAP, and custom user registries. However, user registries that are configured with the quickStartSecurity element cannot be federated with other user registries.

Custom federation of user registries

To federate a subset of user registries into a custom federated repository, you can define the participatingBaseEntry name attribute in the federatedRepository element. This configuration can be useful if you want to exclude certain user registries from a federated group by selectively including only the user registries that you want to federate. To avoid failures if any user registry is unavailable, set the allowOpIfRepoDown attribute on the primaryRealm subelement to true, as shown in the following example.

The following example shows the federation of a basic user registry and a custom user registry in a custom federated repository:

<federatedRepository>
    <primaryRealm name="PrimaryRealm" allowOpIfRepoDown="true">
        <participatingBaseEntry name="o=SampleBasicRealm1"/>
        <participatingBaseEntry name="o=customRegistryRealm1"/>
    </primaryRealm>
</federatedRepository>

The participating base entry for a user registry is defined by the participatingBaseEntry element. The participating base entry value for a custom or basic user registry is the o organization attribute set to equal the realm name of that user registry. The realm name for a user registry is the value that is returned from the getRealm() method of that user registry. The participating base entry for a custom user repository is one of the base entries that is returned by the getRepositoryBaseEntries() method for that repository.

Features that this feature enables

Supported Java versions

  • JavaSE-1.8

  • JavaSE-11.0

  • JavaSE-17.0

  • JavaSE-18.0

Features that enable this feature

Developing a feature that depends on this feature

If you are developing a feature that depends on this feature, include the following item in the Subsystem-Content header in your feature manifest file.

com.ibm.websphere.appserver.federatedRegistry-1.0; type="osgi.subsystem.feature"

SPI packages provided by this feature

  • com.ibm.wsspi.security.wim

  • com.ibm.wsspi.security.wim.exception

  • com.ibm.wsspi.security.wim.model