Understanding Java 2 Platform, Enterprise Edition identities and operating
system thread identities
Understanding the different types of identities: A WebSphere Application
Server user is identified using an identity that must be authenticated by
WebSphere Application Server in order to access a WebSphere Application Server
application in a secure environment. The WebSphere Application Server authenticates
the user identity and represents the user with a Java Authentication and Authorization
Service (JAAS) subject. A subject contains one or more principals (which are
technology-dependent representations of the authenticated user identity).
More detail follows:
- User identities
- J2EE identity
- The user identity authenticated by WebSphere and used for access control
decisions made by the WebSphere Application Server at Java 2 Platform, Enterprise
Edition (J2EE) runtime (such as the user identity associated with a J2EE application
request and used in EJB method permission access control decisions).
- Operating system (OS) identity
- The user identity authenticated by the underlying operating system and
used for access control decisions made by the OS and its subsystems (such
as the user identity associated with a WebSphere Application Server for z/OS
servant region by the SAF STARTED class facility and used by the file system
for access control decisions when the server attempts to access files).
- Thread identity
- Java thread identity
- The J2EE identity currently associated with a Java thread managed by the
WebSphere J2EE runtime (a Java thread is the JVM's representation of a thread).
The Java thread identity is associated with an operating system (OS) thread,
but the Java virtual machine (JVM) manages the user identity on the Java representation
of the thread - separate from the user identity that the operating system
manages on the operating system thread. The J2EE identity is current on the
Java thread for the life of the a given application request.
- OS thread identity
- The operating system identity currently associated with the operating
system thread. The OS thread identity is typically the user identity assigned
to servant region and is normally not the same as the Java thread identity.
Note that J2EE maintains a J2EE identity that corresponds to the OS thread
identity assigned to the servant region. This J2EE identity can be used as
a RunAs identity.
- RunAs identity
- The J2EE identity chosen as the Java thread identity for a given J2EE
application request (based on the RunAs deployment descriptor policy on an
EJB invoked within the J2EE application request). The J2EE identity is normally
the identity of the authenticated user who has made the J2EE application request.
WebSphere Application Server RunAs policy allows three choices in assigning
the Java thread identity for the current request:
- Assign the client (for example, user) J2EE identity - also referred to
as selecting RunAs of "Caller"
- Assign the server's J2EE identity
- Assign the J2EE identity that is in the specified role
- Web Application J2EE identity
- A Web application can run with a J2EE identity. For example, in a Web
application using Basic Authentication or Form-based authentication the J2EE
identity is the user identity used in basic authentication or form-based authentication
logon. In certain contexts, this J2EE identity is used with Web applications
in the same ways as the RunAs identity is used with EJBs, (such as together
with connector thread identity support).
When security is enabled, each WebSphere Application Server for z/OS request
that invokes a J2EE component is authenticated to ensure that an authorized
user is requesting access. A user is represented by a J2EE identity (also
called a JAAS subject). This J2EE identity contains one or more principals,
and each principal corresponds to a specific user identity. This association
is managed by the WebSphere Application Server. The J2EE identity and operating
system OS thread identity are associated with each other because they have
the same name and represent the same user.
WebSphere Application Server for z/OS dispatches component requests in
one of its available servant processes. Within the servant process the component
request is dispatched on a Java thread. A Java thread is then mapped internally
by the Java Virtual Machine (JVM) to a z/OS task control block (TCB). A TCB
is an operating system thread and is considered part of the native process
infrastructure. A servant process has a OS identity assigned to it when it
starts. The z/OS security policy uses the SAF STARTED class facility to assign
the identity.

J2EE authorization decisions including role authorization and permission
checking are determined using the J2EE identity. Through a configuration setting,
role authorization checking can be delegated to the underlying operating system
security manager (such as System Authorization Facility (SAF)), in which case
the associated operating system OS identity is used in the role authorization
decision.
Some resource managers on z/OS use the OS thread identity to make authorization
decisions. For example, file system access control is determined entirely
based on which OS thread identity is currently on the TCB when the file is
accessed. Similarly, local Java database connectivity (JDBC) connections to
Database 2 (DB2) for z/OS use the TCB OS thread identity as the authorization
identity under certain configurations. For resource managers that use the
OS thread identity such as DB2 for z/OS (and unlike the file system) that
applications access through Java Message Service (JMS), JDBC, or J2EE Connector
Architecture (JCA) connectors managed by the WebSphere Application Server
for z/OS connection management, we say that the connectors to these z/OS resource
managers "use operating system thread security". For more information, refer
to:
Searchable topic ID:
csecunderstandj2eenativeid
Last updated: Jun 21, 2007 9:56:50 PM CDT
WebSphere Application Server for z/OS, Version 5.0.2
http://publib.boulder.ibm.com/infocenter/wasinfo/index.jsp?topic=/com.ibm.websphere.zseries.doc/info/zseries/ae/csec_understandj2eenativeid.html