To extend the function provided by the Java Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject (or invocation subject) with a different valid entry that is used for outbound requests on this execution thread.
This gives you the flexibility to associate the Subject with all remote calls on this thread, whether or not you use WSSubject.doAs() to associate the subject with the remote action. For example:
    try {
        javax.security.auth.Subject runas_subject, caller_subject;

        runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
        caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

        // set a new RunAs subject for the thread, overriding the one declaratively set
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

        // do some remote calls

        // restore back to the previous runAsSubject
        com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
    } catch (com.ibm.websphere.security.WSSecurityException e) {
        // log error
    } catch (Exception e) {
        // log error
    }
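The set-and-restore sequence above, wrapped so that the restore runs in a finally block and a failed remote call cannot leave a pooled thread running with the overridden RunAs subject. This is an added example, not IBM's code: the RunAsScope class and callAsCaller method are hypothetical names, and it assumes getCallerSubject() returns null when the thread has no caller identity.

```java
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import com.ibm.websphere.security.auth.WSSubject;

/** Hypothetical helper (not an IBM API): scoped RunAs override with guaranteed restore. */
public final class RunAsScope {

    private RunAsScope() { }

    /**
     * Runs the action with the caller subject as the RunAs subject, then puts
     * the previous RunAs subject back even if the action throws.
     *
     * Usage (remoteBean is a hypothetical remote reference):
     *   String r = RunAsScope.callAsCaller(() -> remoteBean.lookup(id));
     */
    public static <T> T callAsCaller(Callable<T> action) throws Exception {
        // Capture both identities before changing anything on the thread.
        Subject previous = WSSubject.getRunAsSubject();
        Subject caller = WSSubject.getCallerSubject();
        if (caller == null) {
            // Assumption: null means no caller identity. Fail closed rather
            // than sending outbound requests under an undefined identity.
            throw new SecurityException("No caller subject on this thread");
        }

        // Override the declaratively set RunAs subject for this thread.
        WSSubject.setRunAsSubject(caller);
        try {
            // Outbound requests made inside the action use the caller subject.
            return action.call();
        } finally {
            // Always restore. A failure here propagates to the caller instead
            // of being logged and ignored, because the thread would otherwise
            // go back to the pool still carrying the overridden identity.
            WSSubject.setRunAsSubject(previous);
        }
    }
}
```

The code calling this helper still needs the three AuthPermission grants that the page lists for these APIs when Java 2 Security is enabled.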
Note: An application developer can use the WSSubject.doAs method to establish a JAAS subject authenticated by a JAAS login module as the active security identity to be used by WebSphere runtime while performing a specified action. When used in conjunction with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.
You need the following Java 2 Security permissions to run these APIs:
    permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject";
    permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject";
    permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject";