WebSphere 7 simple realm (like tomcat-users.xml)
I am trying to port a J2EE app from Tomcat to WebSphere and I'm not too familiar with WebSphere.
The only problem I am having is authorization (I use basic-authentication in my web.xml). In Tomcat I use the tomcat-users.xml file to define my users/passwords and to what roles they belong.
How do I do this "simply" in WebSphere? When deploying the EAR to WebSphere it also asks me to map my role from web.xml to a user or group.
Do I have to set up some sort of realm? Custom user registry?
Thanks.
UPDATE:
I configured a Standalone custom registry, however I can't get a log-in prompt for username/password. It works just fine in Tomcat, and it doesn't in WebSphere.
Code from web.xml
<security-constraint>
    <web-resource-collection>
        <web-resource-name>basic-auth security</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>HELLO_USER</role-name>
    </auth-constraint>
    <user-data-constraint>NONE</user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
</login-config>
<security-role>
    <role-name>HELLO_USER</role-name>
</security-role>
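A descriptor check that can be run before deploying to either container, added here as an example and not part of the original post or its answers: it parses the security section of a web.xml and reports roles used without a <security-role> declaration, a <user-data-constraint> that has no <transport-guarantee> child, and BASIC or FORM logins that are not restricted to an encrypted transport. The sample input is the fragment above wrapped in a constructed <web-app> root; the function name audit_web_xml and the finding texts are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's fragment wrapped in a <web-app> root so it parses.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>basic-auth security</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>HELLO_USER</role-name></auth-constraint>
    <user-data-constraint>NONE</user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>HELLO_USER</role-name></security-role>
</web-app>"""


def audit_web_xml(text):
    """Return a list of findings for the security section of a web.xml."""
    root = ET.fromstring(text)
    for el in root.iter():
        # Drop a namespace prefix such as {http://java.sun.com/xml/ns/javaee}.
        el.tag = el.tag.rsplit("}", 1)[-1]
    findings = []
    declared = {r.text.strip() for r in root.findall("security-role/role-name") if r.text}
    method = (root.findtext("login-config/auth-method") or "").strip().upper()
    for sc in root.findall("security-constraint"):
        pattern = (sc.findtext("web-resource-collection/url-pattern") or "?").strip()
        # Every role named in a constraint needs a declaration to be mapped at deploy time.
        for role in sc.findall("auth-constraint/role-name"):
            name = (role.text or "").strip()
            if name != "*" and name not in declared:
                findings.append(f"{pattern}: role {name} has no <security-role> declaration")
        # The schema expects the guarantee in a <transport-guarantee> child element.
        udc = sc.find("user-data-constraint")
        if udc is not None and udc.find("transport-guarantee") is None:
            findings.append(f"{pattern}: <user-data-constraint> lacks <transport-guarantee>")
        # BASIC sends the password base64-encoded on each request; FORM posts it once.
        guarantee = (sc.findtext("user-data-constraint/transport-guarantee") or "").strip()
        protected = sc.find("auth-constraint") is not None
        if protected and method in ("BASIC", "FORM") and guarantee not in ("CONFIDENTIAL", "INTEGRAL"):
            findings.append(f"{pattern}: {method} credentials may travel over plain HTTP")
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(WEB_XML):
        print(finding)
```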
Application security on WAS isn't enabled by default.
In the Admin Console, go to: Security -> Global Security and make sure the Enable application security check-box is checked.
You may need to restart the server after saving changes.
By default, WAS (I assume you're asking about the application server, and not some other WebSphere product) has a global domain with a file-based registry for users and groups. The simplest solution to your problem is to add the users and groups you need to that registry, and map your roles to them. You can manage this registry from the WAS Admin Console by navigating to:
Users and Groups -> Manage Users
or
Users and Groups -> Manage Groups
The potential downside to this approach is that the users and groups you create are valid users and groups for all applications on the server. That is, the users you create will have at least "All Authenticated" rights for any application on the server, including the admin console. This often isn't a problem (the admin console doesn't actually grant any rights to "all authenticated", and other apps may not either), but is something to keep in mind.
A more complex solution is to create a separate security domain for your application. This allows the creation of a registry for only your application. The registry can be file-based, LDAP, or a custom registry. See: http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/tsec_sec_domains_config.html
See this blog post of mine, "File-based User Authentication under WebSphere 6", for how to authenticate users against a file with usernames/passwords.