SAF role mapper not allowing access (Liberty in CICS)


I have a web application running on Liberty in CICS, for which I am trying to use SAF role mapping along with CICS authentication. I have the following EJBROLEs mapped to three users in CICS for a test (the application is named CPSM.APP):

TECH.CPSM.APP.VIEWER

TECH.CPSM.APP.UPDATER

TECH.CPSM.APP.ADMIN

but when those users log into the application, it returns a 403 error for all three of them. I am not sure what I am doing incorrectly. I will post my relevant server.xml and web.xml components below.

web.xml

<security-role>
    <description>Admin privileges</description>
    <role-name>ADMIN</role-name>
</security-role>

<security-role>
    <description>Viewer privileges</description>
    <role-name>VIEWER</role-name>
</security-role>

<security-role>
    <description>Updater privileges</description>
    <role-name>UPDATER</role-name>
</security-role>

<security-constraint>
    <display-name>com.ibm.cicsdev.jdbc.web.SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>com.regions.cics.CPSM_Batch.jdbc</web-resource-name>
        <url-pattern>/main.xhtml</url-pattern>
        <url-pattern>/viewgroups.xhtml</url-pattern>
        <url-pattern>/viewfileandtran.xhtml</url-pattern>
        <url-pattern>/viewgrouptable.xhtml</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>VIEWER</role-name>
        <role-name>UPDATER</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<security-constraint>
    <display-name>com.ibm.cicsdev.jdbc.web.SecurityConstraint</display-name>
    <web-resource-collection>
        <web-resource-name>com.regions.cics.CPSM_Batch.jdbc</web-resource-name>
        <url-pattern>/editgroup.xhtml</url-pattern>
        <url-pattern>/addnewgroup.xhtml</url-pattern>
        <url-pattern>/entergroup.xhtml</url-pattern>
    </web-resource-collection>

    <auth-constraint>
        <role-name>ADMIN</role-name>
        <role-name>UPDATER</role-name>
    </auth-constraint>

    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>BASIC</auth-method>
</login-config>

server.xml

<featureManager>
    <feature>cicsts:core-1.0</feature>
    <feature>cicsts:defaultApp-1.0</feature>
    <feature>jsp-2.3</feature>
    <feature>javaMail-1.5</feature>
    <feature>jndi-1.0</feature>
    <feature>jsf-2.2</feature>
    <feature>jdbc-4.1</feature>
    <feature>jsp-2.3</feature>
    <feature>appSecurity-2.0</feature>
    <feature>cicsts:security-1.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>

<!-- Use SAF registry -->
<safRegistry enableFailover="true" id="saf"/>
<safAuthorization id="saf"/>
<safCredentials profilePrefix="TECH" unauthenticatedUser="LIBGUEST"/>

<safRoleMapper profilePattern="%profilePrefix%.%resource%.%role%" toUpperCase="true"/>

When I attempt to access any URL defined by the application, I get a 403 error and this message in the system log:

.ibm.ws.webcontainer.security.WebAppSecurityCollaboratorImpl A CWWKS9104A: Authorization failed for user LIBTST1 while invoking CPSM on /viewgroups.xhtml. The user is not granted access to any of the required roles: [ADMIN, VIEWER, UPDATER].

UPDATE: I'm adding the reference to this application from my installedApps.xml in case it helps solve the issue.

<application id="CPSM.APP" name="CPSM.APP" type="war"
    location="${server.output.dir}/installedApps/CPSM.APP.war"
    bundle="X11CPSM" token="1BEB96B000000199" bundlepart="CPSM_Batch"
    platform_id="" application_id="" appl_major_ver="-1" appl_minor_ver="-1"
    appl_micro_ver="-1">
    <application-bnd>
        <security-role name="cicsAllAuthenticated">
            <special-subject type="ALL_AUTHENTICATED_USERS"/>
        </security-role>
    </application-bnd>
</application>

Accepted answer (score 0)

I have resolved this issue. I have included a link below that explains what needs to be changed, for anyone who has the same issue and uses CA Top Secret for CICS security. There is a facility control option, RES, that must be set to allow rules for prefixed resources, such as EJBROLEs, to be loaded into the security record for a given user. If this option is set to NORES, all security checks for a given EJBROLE will fail.

Link to solution: https://comm.support.ca.com/kb/permitted-resource-receiving-tss7250e-136/kb000005323

Answer (score 8)

Your safAuthorization element is commented out; that's what enables SAF authorization (i.e. EJBROLE checking). Then also check your safRoleMapper values to ensure they map, with the right prefixes, to the EJBROLEs you created.

Answer (score 5)

When using EJBROLEs, the application-bnd is bypassed/ignored: the mappings are held in SAF rather than in the binding element. Also note that you must 'refresh' your SAF changes before starting the CICS region. I think having READ access to the EJBROLE (or the equivalent in Top Secret) is a must.

I'm also wondering whether you have the resource part of the profilePattern matching correctly; you said the app is called CPSM.APP. Normally the project in Eclipse (if that's your dev environment) is reflected into the application element in installedApps.xml and has a more qualified name. One example provided by CICS is called com.ibm.cics.server.examples.wlp.hello.war, so the EJBROLE definition would be TECH.com.ibm.cics.server.examples.wlp.hello.war.ADMIN.

There's more information here in case I skim-read and missed anything useful.
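The question's safRoleMapper pattern and the last answer's point about the %resource% part are easy to get wrong by hand, so here is an added example (not code from the question or any of the answers) that predicts which EJBROLE profile names Liberty will check for a given URL and which of them a userid can actually pass. It parses abridged copies of the posted web.xml and server.xml, expands profilePattern the way Liberty documents it (%resource% is the application name from the <application> element, and toUpperCase="true" upper-cases the whole generated name), and compares the result against a constructed table standing in for the EJBROLE class in RACF or Top Secret. Userids LIBTST2 and LIBTST3, the /admin/* pattern and the DEFINED_EJBROLES table are assumptions made for the demonstration; the BBGZDFLT fallback is Liberty's documented default profilePrefix.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

# Constructed, abridged versions of the question's web.xml and server.xml.
# The /admin/* pattern is hypothetical, added only to exercise prefix matching.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>view-pages</web-resource-name>
      <url-pattern>/main.xhtml</url-pattern>
      <url-pattern>/viewgroups.xhtml</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
      <role-name>VIEWER</role-name>
      <role-name>UPDATER</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>update-pages</web-resource-name>
      <url-pattern>/editgroup.xhtml</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>ADMIN</role-name>
      <role-name>UPDATER</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

SERVER_XML = """<server>
  <safCredentials profilePrefix="TECH" unauthenticatedUser="LIBGUEST"/>
  <safRoleMapper profilePattern="%profilePrefix%.%resource%.%role%" toUpperCase="true"/>
</server>"""

# Hypothetical stand-in for the EJBROLE class in RACF / Top Secret:
# profile name -> userids holding READ on it (LIBTST1 is from the question,
# the other userids are made up).
DEFINED_EJBROLES = {
    "TECH.CPSM.APP.VIEWER": {"LIBTST1"},
    "TECH.CPSM.APP.UPDATER": {"LIBTST2"},
    "TECH.CPSM.APP.ADMIN": {"LIBTST3"},
}

DEFAULT_PATTERN = "%profilePrefix%.%resource%.%role%"


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet-style matching: exact, path prefix (/dir/*) or extension (*.ext)."""
    if pattern == path:
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return False


def required_roles(web_xml: str, path: str) -> set[str]:
    """Roles from the auth-constraint of every constraint covering `path`
    (the list Liberty prints in CWWKS9104A)."""
    roles: set[str] = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        patterns = [p.text.strip() for p in sc.iter("url-pattern")]
        auth = sc.find("auth-constraint")
        if auth is not None and any(url_pattern_matches(p, path) for p in patterns):
            roles.update(r.text.strip() for r in auth.iter("role-name"))
    return roles


def ejbrole_profiles(server_xml: str, app_name: str, roles) -> dict[str, str]:
    """Expand safRoleMapper's profilePattern once per role; %resource% is the
    application name and toUpperCase applies to the whole generated name."""
    root = ET.fromstring(server_xml)
    creds = root.find("safCredentials")
    prefix = creds.get("profilePrefix", "BBGZDFLT") if creds is not None else "BBGZDFLT"
    mapper = root.find("safRoleMapper")
    pattern = mapper.get("profilePattern", DEFAULT_PATTERN) if mapper is not None else DEFAULT_PATTERN
    upper = mapper is not None and mapper.get("toUpperCase", "false").lower() == "true"
    profiles = {}
    for role in roles:
        name = (pattern.replace("%profilePrefix%", prefix)
                       .replace("%resource%", app_name)
                       .replace("%role%", role))
        profiles[role] = name.upper() if upper else name
    return profiles


def diagnose(user: str, profiles: dict[str, str], defined: dict[str, set[str]]):
    """Return (granted_roles, undefined_profiles, profiles_without_read).
    Access is granted when the user holds READ on the profile of ANY required role."""
    granted: set[str] = set()
    undefined: list[str] = []
    no_read: list[str] = []
    for role, profile in sorted(profiles.items()):
        if profile not in defined:
            undefined.append(profile)
        elif user not in defined[profile]:
            no_read.append(profile)
        else:
            granted.add(role)
    return granted, undefined, no_read


if __name__ == "__main__":
    roles = required_roles(WEB_XML, "/viewgroups.xhtml")
    # The name from installedApps.xml, then a longer Eclipse-style name.
    for app in ("CPSM.APP", "com.ibm.cics.server.examples.wlp.hello.war"):
        profs = ejbrole_profiles(SERVER_XML, app, roles)
        granted, undefined, no_read = diagnose("LIBTST1", profs, DEFINED_EJBROLES)
        print(f"{app}: checks {sorted(profs.values())}")
        print(f"  granted={sorted(granted)} undefined={undefined} no READ={no_read}")
```

With the name CPSM.APP the generated profiles are exactly the three EJBROLEs the question defines, so the name mapping was not the fault there, which is consistent with the accepted answer finding the problem in the Top Secret RES/NORES option instead. With the longer application name the same pattern produces TECH.COM.IBM.CICS.SERVER.EXAMPLES.WLP.HELLO.WAR.ADMIN: because toUpperCase="true" folds the whole name, a profile defined in mixed case would never be found, so define the EJBROLE in upper case (or drop toUpperCase) and refresh the class before starting the region.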