How to authorize a Java Batch job so it can run from a startup bean in WebSphere Liberty?

Question

I am trying to submit a basic batch job from within my startup bean, which is giving me an error message of "User UNAUTHENTICATED is not authorized to start batch jobs."

This is my startup bean:

@Singleton
@Startup
public class ControllerBean {
    @PersistenceContext(unitName = "item-persister")
    EntityManager entityManager; 

    @PostConstruct
    public void initialize() { 
        JobOperator jobOperator = BatchRuntime.getJobOperator();
        long execID = jobOperator.start("testjob", null);
    }
}

In my server.xml, I have configured a username and password:

<basicRegistry id="basic" realm="ibm/api">
    <user name="bob" password="bobpwd"/>
</basicRegistry>

<authorization-roles id="com.ibm.ws.batch">
    <security-role name="batchAdmin">
        <user name="bob"/>
    </security-role>
</authorization-roles>

How do I authenticate properly so that my job can be run by a startup bean?

Answer 1

An easy way is to:

Configure a RunAs identity

You need to align the @RunAs annotation value with the server configuration.

In the server config (server.xml):

<application name="MyApp" ... >
    <application-bnd>
        <security-role name="JOBSTARTER">
            <user name="bob" />
            <run-as userid="bob" password="bobpwd"/>
        </security-role>
    </application-bnd>
</application>

In your Java code calling JobOperator:

@Singleton
@Startup
@RunAs("JOBSTARTER")
public class ControllerBean {

    @PostConstruct
    public void initialize() { 
        JobOperator jobOperator = BatchRuntime.getJobOperator();
        long execID = jobOperator.start("testjob", null);
    }
}

In your snippet you had the basic registry and the user mapped to the batch authorization role. You just needed to establish this user on the thread via the @RunAs.