InfoCenter Home > 5.1.4: The WebSphere delegation modelThe WebSphere delegation model is an extension the Enterprise JavaBeans 1.1 specification; delegation is fully addressed in Enterprise JavaBeans 2.0 specification. Enterprise beans can have delegation policies; Web resources cannot. Delegation allows an intermediary to perform a task initiated by a client under an identity determined by the associated policy. Therefore, enforcement of delegation policies affects the identity under which the intermediary performs downstream invocations, that is, invocation made by the intermediary in order to complete the current request, on other objects. By default, if no delegation policy is set, the intermediary will use the identity of the the requesting client while making the downstream calls. Alternatively, the intermediary can perform the downstream invocations under its own identity or under an identity specified by configuration. When the intermediary operates under an identity other than its own, downstream resources do not know the identity of the intermediary. Therefore, they make their access decisions based on the privileges associated with the identity being used. The administrator specifies a delegation policy by setting the run-as mode for each enterprise-bean method. For each, the administrator can choose among three policies:
For example, suppose that a client invokes a session bean that invokes an entity bean. If the delegation policy states that methods are invoked under the client's identity, the session bean makes its invocations under the client's identity. Therefore, it is the client, rather than the session bean, that must have permission to invoke the entity-bean methods. If the delegation policy requires the system identity, the session bean makes its invocation under the identity of the server in which the session bean resides; it is this server that must have permission on the entity-bean methods. Finally, if the delegation policy requires a specified identity, the session bean invokes the methods under this identity, so the specified identity must have permission on the entity-bean methods.
In WebSphere Application Server, the application assembler determines
the use of delegation by using the application-assembly tool (AAT) to
set the
UseCallerIdentity means that the intermediary
will use its client's credentials for downstream invocations. Use of
UseSystemIdentity means that the intermediary will
use its own credentials for downstream infocations. Use of
RunAsSpecifiedIdentity means that credentials
determined elsewhere will be used.
The application assembler does not typically know the makeup of
the run-time environment, including the specific user identities
that are available. Therefore, it can be impossible for an
assembler to have a concrete value to specify for an intermediary
that is to run as a specified identity. Therefore, the run-as
identity is designated as a logical role name, which corresponds
to one of the security roles defined in the deployment descriptor.
That is, if the type of identity is specified as the
... <runAsSpecifiedIdentity xmi:id="Identity_1" roleName="admin" description="" /> ...At deployment time, a particular user is assigned to that role and becomes the run-as identity by indirection. This allows you to use the specified-identity delegation policy to run beans under the identity of a user who has been associated with the role. |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|