A user is identified using an identity that must be authenticated
by WebSphere Application Server in order to access a WebSphere Application
Server application in a secure environment.
Understanding the different types of identities: The WebSphere Application
Server authenticates the user identity and represents the user with a Java
Authentication and Authorization Service (JAAS) subject. A subject contains
one or more principals (which are technology-dependent representations of
the authenticated user identity). More detail follows:
- User identities
- J2EE identity
- The user identity authenticated by WebSphere and used for access control
decisions made by the WebSphere Application Server at Java 2 Platform, Enterprise
Edition (J2EE) runtime (such as the user identity associated with a J2EE application
request and used in EJB method permission access control decisions).
- Operating system (OS) identity
- The user identity authenticated by the underlying operating system and
used for access control decisions made by the OS and its subsystems (such
as the user identity associated with a WebSphere Application Server for z/OS
servant by the SAF STARTED class facility and used by the file system for
access control decisions when the server attempts to access files).
- Thread identity
- Java thread identity
- The J2EE identity currently associated with a Java thread managed by the
WebSphere J2EE runtime (a Java thread is the Java Virtual Machine (JVM) representation
of a thread). The Java thread identity is associated with an operating system
(OS) thread, but the JVM manages the user identity on the Java representation
of the thread - separate from the user identity that the operating system
manages on the operating system thread. The J2EE identity is current on the
Java thread for the life of the a given application request
- OS thread identity
- The operating system identity currently associated with the operating
system thread. The OS thread identity is typically the user identity assigned
to servant and is normally not the same as the Java thread identity. Note
that J2EE maintains a J2EE identity that corresponds to the OS thread identity
assigned to the servant. This J2EE identity can be used as a RunAs identity.
- RunAs identity
- The J2EE identity chosen as the Java thread identity for a given J2EE
application request (based on the RunAs deployment descriptor policy on an
Enterprise JavaBeans (EJB) invoked within the J2EE application request). The
J2EE identity is normally the identity of the authenticated user who has made
the J2EE application request. WebSphere Application Server RunAs policy allows
three choices in assigning the Java thread identity for the current request:
- Assign the client (for example, user) J2EE identity - also referred to
as selecting RunAs of "Caller"
- Assign the server's J2EE identity
- Assign the J2EE identity that is in the specified role
When security is enabled, each WebSphere Application Server for z/OS request
that invokes a J2EE component is authenticated to ensure that an authorized
user is requesting access. A user is represented by a J2EE identity (also
called a JAAS subject). This J2EE identity contains one or more principals,
and each principal corresponds to a specific user identity. This association
is managed by the WebSphere Application Server. The J2EE identity and operating
system OS thread identity are associated with each other because they have
the same name and represent the same user.
WebSphere Application Server for z/OS dispatches component requests in
one of its available servant processes. Within the servant process the component
request is dispatched on a Java thread. A Java thread is then mapped internally
by the JVM to a z/OS thread control block (TCB). A TCB is an operating system
thread and is considered part of the native process infrastructure. A servant
process has a OS identity assigned to it when it starts. The z/OS security
policy uses the SAF STARTED class facility to assign the identity.
J2EE authorization decisions including role authorization and permission
checking are determined using the J2EE identity. Through a configuration
setting, role authorization checking can be delegated to the underlying operating
system security manager (such as System Authorization Facility (SAF)), in
which case the associated operating system OS identity is used in the role
authorization decision.
Some resource managers on z/OS use the OS thread identity to make authorization
decisions. For example, file system access control is determined entirely
based on which OS thread identity is currently on the TCB when the file is
accessed. Similarly, local Java database connectivity (JDBC) connections to
DB2 for z/OS use the TCB OS thread identity as the authorization identity
under certain configurations. For resource managers that use the OS thread
identity such as DB2 for z/OS (and unlike the file system) that applications
access through Java Message Service (JMS), JDBC, or J2EE Connector Architecture
(JCA) connectors managed by the WebSphere Application Server for z/OS connection
management, we say that the connectors to these z/OS resource managers "use
operating system thread security".