This rule flags <security-domain> elements within the jboss-web.xml file and <login-config> elements within the web.xml file to alert you that you must configure security for your application.
You can secure applications by adding the users and groups you need to the default
user registry and mapping roles to them.
On WebSphere Application Server traditional, you can manage the user registry from the
WebSphere Application Server administrative console by navigating to
Users and Groups > Manage Users and
Users and Groups > Manage Groups.
On Liberty, you can set up the user registry by configuring
a basicRegistry element in the server.xml file.
Alternatively, you can set up a file-based registry, a Lightweight Directory Access Protocol (LDAP) registry, or a custom registry. You can also configure multiple security configurations for your environment by creating security domains.
For more information about securing WebSphere Application Server traditional and Liberty, see IBM WebSphere Application Server for Distributed Platforms, Version 8.5: Securing applications and their environment.
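A Liberty server.xml for the basicRegistry approach described above, with role mapping, as an added example that is not from the original page or from IBM's documentation. The user, group, role and application names and the password placeholder are assumptions; the role names must match the security roles declared in the application's web.xml.

```xml
<server description="added example: basic user registry with role mapping">

    <featureManager>
        <!-- Enables application security; use the appSecurity version
             that your Liberty release provides -->
        <feature>appSecurity-2.0</feature>
    </featureManager>

    <!-- User registry kept in server.xml.
         All user and group names are constructed for illustration. -->
    <basicRegistry id="basic" realm="BasicRealm">
        <!-- Do not store clear-text passwords: generate each value with
             "securityUtility encode" and paste the result here -->
        <user name="alice" password="REPLACE_WITH_ENCODED_PASSWORD"/>
        <user name="bob" password="REPLACE_WITH_ENCODED_PASSWORD"/>
        <group name="appAdmins">
            <member name="alice"/>
        </group>
        <group name="appUsers">
            <member name="alice"/>
            <member name="bob"/>
        </group>
    </basicRegistry>

    <!-- Map the roles declared in the application's web.xml to registry
         groups. "myapp", "admin" and "user" are hypothetical names. -->
    <webApplication id="myapp" location="myapp.war" contextRoot="/myapp">
        <application-bnd>
            <security-role name="admin">
                <group name="appAdmins"/>
            </security-role>
            <security-role name="user">
                <group name="appUsers"/>
            </security-role>
        </application-bnd>
    </webApplication>

</server>
```

Mapping roles to groups rather than to individual users keeps later membership changes inside the registry and out of the application binding.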
Your application might use Java Authentication and Authorization Service (JAAS) login modules.
If you are using a login module, the class name is either defined in the jboss-web.xml file by a <valve> element within the <security-domain> element or in the conf/login-config.xml file by a <login-config> element.
If you are using login modules that are provided by JBoss Application Server or that use proprietary APIs,
then you must replace and reconfigure these modules in WebSphere Application Server.
For information about configuring JAAS login modules on Liberty, see the following documentation:
For information about configuring JAAS login modules on WebSphere Application Server traditional, see the following documentation: