You can specify options to synchronize a Java thread identity and
an operating system thread identity.
Enterprise JavaBeans (EJB) support a method-level RunAs role specification
that associates a Java 2 Platform, Enterprise Edition (J2EE) role with an
EJB method invocation. The EJB method runs by using the authority associated
with the designated security role. The authority is mapped to the designated
role using a user identity. Normally, this identity is recognized by Web-based
and J2EE runtime and is associated with the current dispatch thread. This
identity governs access to only those resources and those facilities subject
to J2EE security. The actual OS thread identity is unaffected by the EJB
RunAs role selection and is typically the identity of the server.
Setting the OS thread identity synchronizes the J2EE role identity and the
OS thread identity (SyncToOSThread). This means that the OS thread identity is associated
with the J2EE role identity for the duration of the EJB method invocation
(application assemblers and deployers associate the RunAs identity with the
operating system thread by setting the thread identity to the RunAs identity
for specific bean methods). This association means that the caller or security
role identity (rather than the server region identity) is used for z/OS system
service requests such as access to files and database management systems.
Note that the WebSphere Application Server for z/OS J2EE server can be configured
to enable or disable this association (or synchronization). The default setting
disables the ability to modify the identity on the operating system thread,
regardless of the OS thread identity to RunAs identity setting in the deployment
descriptor for the installed application. If the application installer does
not enable synchronization, any method that sets the RunAs identity to the
operating system thread fails with a no_permission error.
You complete the specification of options to synchronize
a Java thread identity and an operating system thread identity by using the
resource access control facility (RACF) to define FACILITY and optionally
SURROGAT class profiles for Synch to OS Thread Allowed. This gives the RACF
administrator in the WebSphere Application Server configuration the ability
to control the permissions that allow the synchronization of the J2EE role
identity and the OS thread (SyncToOSThread).
Using the administrative console, you can specify the
following options for thread identity synchronization on the z/OS security
options panel:
- Enable WebSphere Application Server and z/OS thread identity synchronization:
Specifies whether an application SynchToOSThread is permitted. When this
security option is selected (meaning true is specified), the application-specified
SyncToOSThread is honored and subsequently carried out by the EJB and Web
containers as indicated by EJB and Web application SyncToOSThread specifications.
The default is false or disabled.
- Enable the connection manager RunAs thread identity:
Specifies whether the connection manager synchronizes the current J2EE
principal to the OS thread when a connection is obtained from a resource reference
that specifies res-auth=container. The default is false or
disabled.
You can also select the SyncToOSThread support using a method-level extended
deployment descriptor (XDD) for Enterprise JavaBeans (EJB). Enable this support
using a distinguished environment entry defined through the EJB or Web application
standard deployment descriptor. During assembly or deployment, bind a value
to this variable by specifying:
- True, which specifies that the J2EE principal or identity is
synchronized to the OS thread for all requests invoked on the EJB or Web
application.
- False, which specifies that the J2EE principal or identity is not
synchronized to the OS thread for any request invoked on the EJB or
Web application. This value is the default.
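The following ejb-jar.xml fragment is an added example, not taken from the original page or from an IBM sample, showing how the three pieces described above fit together in one bean: the RunAs security role, the distinguished SyncToOSThread environment entry bound to True, and a container-managed resource reference (res-auth=container). The environment entry name com.ibm.websphere.security.SyncToOSThread is an assumption (the page does not state the distinguished name); the bean, role and resource names are constructed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example ejb-jar.xml; bean, role and JNDI names are made up. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>PayrollBean</ejb-name>
      <ejb-class>com.example.payroll.PayrollBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <!-- Distinguished environment entry (name is an assumption).
           Binding True asks the container to synchronize the J2EE
           principal to the OS thread for every request on this bean.
           If the server-level "thread identity synchronization" option
           is left at its default (disabled), this request is refused
           with a no_permission error instead of being honored. -->
      <env-entry>
        <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
        <env-entry-type>java.lang.Boolean</env-entry-type>
        <env-entry-value>true</env-entry-value>
      </env-entry>

      <!-- res-auth Container: with the connection manager RunAs option
           enabled, the current J2EE principal (here the RunAs role's
           mapped user) is synchronized to the OS thread when the
           connection is obtained. With res-auth Application the thread
           identity is temporarily reset to the server identity instead. -->
      <resource-ref>
        <res-ref-name>jdbc/PayrollDB</res-ref-name>
        <res-type>javax.sql.DataSource</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>

      <!-- RunAs role: methods execute with the authority of the user
           mapped to PayrollAdmin. Without SyncToOSThread this affects only
           J2EE-protected resources; the OS thread stays the server identity. -->
      <security-identity>
        <run-as>
          <role-name>PayrollAdmin</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>

  <assembly-descriptor>
    <security-role>
      <role-name>PayrollAdmin</role-name>
    </security-role>
  </assembly-descriptor>
</ejb-jar>
```

The RACF FACILITY (and optional SURROGAT) profiles described earlier still decide whether the server is permitted to perform the switch, so a True binding here is a request, not a grant.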
When processing a request, the Web container understands what roles, if
any, are required to access the component represented by the input URL. The
container validates requestor authentication and that the authenticated user
has been granted permission to the required roles. The Web container makes
use of the same System Authorization Facility (SAF) - based user
registry and EJB role profiles as the EJB container to perform this validation.
Therefore, you can use the same user registry and role profiles for administering
Web applications as you use for Enterprise Beans and J2EE Services. For setting
thread identity, possible active user registries include:
Application events that modify the thread identity value include:
- Initial value when the first method is set:
By default, invocations of servlet service methods and EJB business methods
implicitly run as caller (RunAsCaller) unless the Run as field of a policy's
attribute specifies otherwise. EJB client applications always run as server
(RunAsServer). Note that for Web applications, if no security constraints are
specified, the application might run with an unauthenticated user ID.
- Method delegation changes to the J2EE identity (RunAs Specified):
The connection manager synchronizes the current J2EE identity with the
OS thread when obtaining connections from resource references that have
container-managed resource authorization (res-auth=container). EJB
methods marked with SynchToOSThread cause the J2EE role identity to be synchronized
to the OS thread.
- WSSubject.doAs():
This setting offers flexibility when associating the Subject with remote
calls on a thread without having to do a WSSubject.doAs() to associate the
subject with the remote action.
Thread identity is temporarily reset on the server in the following situations:
- JavaServer Pages (JSP) compilation:
Web container JSP compilation modifies the identity of the server if SyncToOSThread
is enabled for the server (security_EnableSyncToOSThread=1).
- Access of stateful backing store:
EJB container stateful session activation changes the identity of the
server if SyncToOSThread is enabled. Always access the EJB stateful session
backing store using the identity of the server.
- Web application reloading:
When the Web container reloads the Web application, it changes the server
identity if SyncToOSThread is enabled for Web applications.
- Connection manager requests:
When the resource reference specifies res-auth=application, the
thread identity is temporarily set to the identity of the server.
Note: When running with administrative security enabled,
it is recommended that you also have Java 2 security enabled. Exercise caution
when enabling this support, because it can cause general z/OS system resources
(such as files and sockets) to fall outside the control of the WebSphere Application
Server runtime and become accessible to identities
established through J2EE applications.