InfoCenter Home >
5: Securing applications -- special topics >
5.1: The WebSphere security components >
5.1.4: The WebSphere delegation model

5.1.4: The WebSphere delegation model

Delegation allows an intermediary to perform a task initiated by a client under an identity determined by the associated policy. Therefore, enforcement of delegation policies affects the identity under which the intermediary performs downstream invocations, that is, invocation made by the intermediary in order to complete the current request, on other objects. By default, if no delegation policy is set, the intermediary will use the identity of the the requesting client while making the downstream calls. Alternatively, the intermediary can perform the downstream invocations under its own identity or under an identity specified by configuration.

When the intermediary operates under an identity other than its own, downstream resources do not know the identity of the intermediary. Therefore, they make their access decisions based on the privileges associated with the identity being used.

The administrator specifies a delegation policy by setting the run-as mode for each enterprise-bean method. For each, the administrator can choose among three policies:
  • The client identity
  • The system identity, the identity of the intermediary
  • A specified identity, named in the delegation policy

For example, suppose that a client invokes a session bean that invokes an entity bean. If the delegation policy states that methods are invoked under the client's identity, the session bean makes its invocations under the client's identity. Therefore, it is the client, rather than the session bean, that must have permission to invoke the entity-bean methods. If the delegation policy requires the system identity, the session bean makes its invocation under the identity of the server in which the session bean resides; it is this server that must have permission on the entity-bean methods. Finally, if the delegation policy requires a specified identity, the session bean invokes the methods under this identity, so the specified identity must have permission on the entity-bean methods.

In WebSphere Application Server, every enterprise application (a collection of resources) can have an associated identity. Therefore, you can use the specified-identity delegation policy to run beans under the identity of the application to which they belong.

Creating a delegation policy

In WebSphere Application Server, the delegation policy is determined by values associated with the methods of enterprise bean. The initial values are retrieved from the deployment descriptor of a bean, but the administrator can modify them. Delegation policies can be applied jointly to all the methods in a bean or separately to individual methods.

A delegation policy is created by setting the values of one (or two) attributes:

  • RunAsMode: determines the identity under which methods art to be run. The valid values follow:
    • CLIENT_IDENTITY
    • SYSTEM_IDENTITY
    • SPECIFIED_IDENTITY
  • RunAsIdentity: specifies the principal when the RunAsMode is SPECIFIED_IDENTITY.

Go to previous article: Securing resources and applications Go to next article: Operating environment

 

 
Go to previous article: Securing resources and applications Go to next article: Operating environment