Delegation is the process of propagating a security identity from a caller to a called object. As per the J2EE specification, servlets and enterprise beans can either propagate the client (remote user) identity when invoking enterprise beans, or run as another specified identity indicated in the corresponding deployment descriptor.
The IBM extension additionally allows enterprise beans to propagate the server identity when invoking other enterprise beans. There are three types of delegation:
Delegate (RunAs) Client Identity
Delegate (RunAs) Specified Identity
Delegate (RunAs) System Identity
The EJB specification only supports delegation (RunAs) at the enterprise bean level, but an IBM extension allows RunAs to be specified at the EJB method level. Method-level RunAs specification allows a different RunAs role to be specified for different methods within the same enterprise bean.
The RunAs specification is detailed in the deployment descriptor (the ejb-jar.xml file in the EJB module and the web.xml file in the Web module). The IBM extension to the RunAs specification is included in the ibm-ejb-jar-ext.xmi file.
There is also an IBM-specific binding file for each application that maps each RunAs role to a user ID and password; this mapping is stored in the ibm-application-bnd.xmi file. Because this file holds the credentials the server uses to run as the role, restrict read access to it: the default {xor} encoding of the password is reversible obfuscation, not encryption.
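The following descriptor fragments are an added illustration of where each piece of the RunAs specification lives; they are not taken from the original page or from IBM's documentation. The bean, servlet, role and user names (OrderFacade, OrderServlet, InventoryManager, invmgr) and the password value are invented placeholders. The ejb-jar.xml and web.xml elements are standard J2EE 1.3; the element names in the two IBM XMI files are given as recalled from files generated by the WebSphere assembly tooling and should be checked against files produced by the tooling for your server version.

```xml
<!-- 1. ejb-jar.xml (EJB module): J2EE RunAs at the bean level.
     Specified identity: every call this bean makes carries the user
     mapped to the InventoryManager role. For "Delegate (RunAs) Client
     Identity" replace <run-as> with <use-caller-identity/>. -->
<ejb-jar>
  <enterprise-beans>
    <session id="OrderFacade">
      <ejb-name>OrderFacade</ejb-name>
      <home>com.example.OrderFacadeHome</home>
      <remote>com.example.OrderFacade</remote>
      <ejb-class>com.example.OrderFacadeBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <security-identity>
        <run-as>
          <role-name>InventoryManager</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>InventoryManager</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>

<!-- 2. web.xml (Web module): a servlet that calls enterprise beans as
     the InventoryManager role instead of as the remote user. -->
<web-app>
  <servlet>
    <servlet-name>OrderServlet</servlet-name>
    <servlet-class>com.example.OrderServlet</servlet-class>
    <run-as>
      <role-name>InventoryManager</role-name>
    </run-as>
  </servlet>
  <security-role>
    <role-name>InventoryManager</role-name>
  </security-role>
</web-app>

<!-- 3. ibm-ejb-jar-ext.xmi (IBM extension): method-level RunAs.
     Only cancelAllOrders runs as the Auditor role; other methods keep the
     bean-level setting from ejb-jar.xml. The other runAsMode types are
     ejbext:UseCallerIdentity and ejbext:UseSystemIdentity (server ID).
     Element names recalled from tooling-generated files; verify them. -->
<ejbext:EJBJarExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:ejbext="ejbext.xmi" xmlns:ejb="ejb.xmi" xmi:id="EJBJarExtension_1">
  <ejbJar href="META-INF/ejb-jar.xml#ejb-jar_ID"/>
  <ejbExtensions xmi:type="ejbext:SessionExtension" xmi:id="SessionExtension_1">
    <enterpriseBean xmi:type="ejb:Session" href="META-INF/ejb-jar.xml#OrderFacade"/>
    <runAsSettings xmi:id="SecurityIdentity_1" description="audit-only method">
      <methodElements xmi:id="MethodElement_1" name="cancelAllOrders" type="Remote">
        <enterpriseBean xmi:type="ejb:Session" href="META-INF/ejb-jar.xml#OrderFacade"/>
      </methodElements>
      <runAsMode xmi:type="ejbext:RunAsSpecifiedIdentity" xmi:id="RunAsSpecifiedIdentity_1">
        <runAsSpecifiedIdentity xmi:id="Identity_1" roleName="Auditor"/>
      </runAsMode>
    </runAsSettings>
  </ejbExtensions>
</ejbext:EJBJarExtension>

<!-- 4. ibm-application-bnd.xmi (IBM binding): RunAs role -> user ID and
     password. The password is written {xor}-encoded by the tooling; the
     value below is a placeholder, not a real encoding. -->
<applicationbnd:ApplicationBinding xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:applicationbnd="applicationbnd.xmi" xmlns:commonbnd="commonbnd.xmi"
    xmi:id="Application_ID_Bnd">
  <application href="META-INF/application.xml#Application_ID"/>
  <runAsMap xmi:id="RunAsMap_1">
    <runAsBindings xmi:id="RunAsBinding_1">
      <authData xmi:type="commonbnd:BasicAuthData" xmi:id="BasicAuthData_1"
                userId="invmgr" password="{xor}PLACEHOLDER"/>
      <securityRole href="META-INF/application.xml#SecurityRole_InventoryManager"/>
    </runAsBindings>
  </runAsMap>
</applicationbnd:ApplicationBinding>
```

The invmgr account bound to InventoryManager should be a dedicated application identity holding only the permissions the downstream beans require; binding an administrative user, or choosing UseSystemIdentity where a specified identity would do, lets any caller who can reach the bean act with that identity.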
These specifications are read by the run time during application startup. The following figure illustrates the delegation mechanism as implemented in the WebSphere Application Server security model.

Figure: Delegation Process
There are two tables that help in the delegation process:
Use the Resource to RunAs role mapping table to get the role that a servlet or enterprise bean uses to propagate to the next enterprise bean call.
Use the RunAs role to user ID and password mapping table to get the user ID that belongs to the RunAs role, together with its password.
Delegation is performed after successful authentication and authorization. During this process, the delegation module consults the Resource to RunAs role mapping table to get the RunAs role (3). The delegation module then consults the RunAs role to user ID and password mapping table to get the user that belongs to the RunAs role (4). The user ID and password are used to create a new credential through the authentication module, which is not shown in the figure. The called enterprise bean sees this new credential as its caller, so its method permissions are checked against the RunAs identity rather than the original client; a RunAs role should therefore be granted no more than the called beans require.