You can specify options to synchronize a Java thread identity
and an operating system thread identity.
Enterprise JavaBeans (EJB) support a method-level RunAs role specification
that associates a Java 2 Platform, Enterprise Edition (J2EE) role
with an EJB method invocation. The EJB method runs by using the authority
associated with the designated security role. The authority is mapped
to the designated role using a user identity. Normally, this identity
is recognized by Web-based and J2EE runtime and is associated with
the current dispatch thread. This identity governs access to only
those resources and those facilities subject to J2EE security. The
actual OS thread identity is unaffected by the EJB RunAs role selection
and is typically the identity of the server.
Setting the OS thread identity synchronizes the J2EE role identity
and the OS thread identity (SyncToOSThread). This means that the OS thread identity
is associated with the J2EE role identity for the duration of the
EJB method invocation (application assemblers and deployers associate
the RunAs identity with the operating system thread by setting the
thread identity to the RunAs identity for specific bean methods).
This association means that the caller or security role identity (rather
than the server region identity) is used for z/OS system service requests
such as access to files and database management systems. Note that
the WebSphere Application Server for z/OS J2EE server can be configured
to enable or disable this association (or synchronization). The default
setting disables the ability to modify the identity on the operating
system thread, regardless of the OS thread identity to RunAs identity
setting in the deployment descriptor for the installed application.
If the application installer does not enable synchronization, any
method that sets the RunAs identity to the operating system thread
fails with a no_permission error.
You complete the specification of options to synchronize
a Java thread identity and an operating system thread identity by
using the resource access control facility (RACF) to define FACILITY
and optionally SURROGAT class profiles for Synch to OS Thread Allowed.
This gives the RACF administrator in the WebSphere Application Server
configuration the ability to control the permissions that allow the
synchronization of the J2EE role identity and the OS thread (SyncToOSThread).
Using the administrative console, you can specify
the following options for thread identity synchronization on the z/OS
security options panel:
- Enable WebSphere Application Server and z/OS thread identity synchronization:
Specifies whether an application SynchToOSThread is permitted.
When this security option is selected (meaning true is specified)
the application-specified SyncToOSThread is honored and subsequently
carried out by the EJB and Web containers as indicated by EJB and
Web application SyncToOSThread specifications. The default is false or
disabled.
- Enable the connection manager RunAs thread identity:
Specifies whether the connection manager synchronizes the current
J2EE principal to the OS thread when a connection is obtained from
a resource reference that specifies res-auth=container. The
default is false or disabled.
You can also select the SyncToOSThread support using a method-level
extended deployment descriptor (XDD) for Enterprise JavaBeans (EJB).
Enable this support using a distinguished environment entry defined
through the EJB or Web application standard deployment descriptor.
During assembly or deployment, bind a value to this variable by specifying:
- True, which specifies that the J2EE principal or identity
should be synchronized to the OS thread for all requests invoked on
the EJB or Web application.
- False, which specifies that the J2EE principal or identity
should not be synchronized to the OS thread for any request invoked
on the EJB or Web application. This value is the default.
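The following is an added example, not code from this page or from IBM: a small pre-deployment check that reads the SyncToOSThread environment entry out of a standard deployment descriptor and works out, from the two server security options described above, which identity will end up on the OS thread for a request or a connection-manager call, and where the request would instead fail with no_permission. The environment-entry name com.ibm.websphere.security.SyncToOSThread is an assumption: this page does not name the distinguished entry, so confirm the name against your own product level. The descriptors and identities are constructed sample values.

```python
import xml.etree.ElementTree as ET

# ASSUMPTION: the page calls this a "distinguished environment entry" but does
# not name it; the name below is taken from WebSphere for z/OS documentation
# elsewhere and must be verified for your product level.
SYNC_ENV_ENTRY = "com.ibm.websphere.security.SyncToOSThread"

# Constructed sample web.xml (not from the page) that binds the entry to True.
SAMPLE_WEB_XML_SYNC = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>payroll</display-name>
  <env-entry>
    <env-entry-name>com.ibm.websphere.security.SyncToOSThread</env-entry-name>
    <env-entry-type>java.lang.Boolean</env-entry-type>
    <env-entry-value>true</env-entry-value>
  </env-entry>
</web-app>
"""

# Constructed sample with no entry at all: the default (False) applies.
SAMPLE_WEB_XML_DEFAULT = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <display-name>catalog</display-name>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so '{ns}env-entry' compares as 'env-entry'."""
    return tag.rsplit("}", 1)[-1]


def read_sync_setting(descriptor_xml):
    """Return the value bound to the SyncToOSThread entry; an absent entry means False."""
    root = ET.fromstring(descriptor_xml)
    for element in root.iter():
        if _local(element.tag) != "env-entry":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in element}
        if fields.get("env-entry-name") == SYNC_ENV_ENTRY:
            return fields.get("env-entry-value", "").lower() == "true"
    return False


def request_thread_identity(server_sync_enabled, app_requests_sync, server_id, role_id):
    """Identity on the OS thread while an EJB or Web request runs.

    server_sync_enabled: the "Enable WebSphere Application Server and z/OS thread
                         identity synchronization" option (default False).
    app_requests_sync:   the value bound in the application's descriptor.
    """
    if not app_requests_sync:
        return server_id                      # OS thread keeps the server identity
    if not server_sync_enabled:
        # The page: any method that sets the RunAs identity on the OS thread
        # fails with a no_permission error when the installer left sync disabled.
        raise PermissionError("no_permission: SyncToOSThread is disabled on this server")
    return role_id                            # caller / RunAs identity is placed on the thread


def connection_thread_identity(cm_runas_enabled, res_auth, server_id, role_id):
    """Identity on the OS thread when the connection manager obtains a connection.

    Only a resource reference with res-auth=container is synchronized, and only
    when the "Enable the connection manager RunAs thread identity" option is on;
    res-auth=application temporarily sets the server identity.
    """
    if cm_runas_enabled and res_auth == "container":
        return role_id
    return server_id


def audit_descriptor(descriptor_xml, server_sync_enabled):
    """One-line verdict a deployer can print for each module before installing it."""
    wants_sync = read_sync_setting(descriptor_xml)
    if wants_sync and not server_sync_enabled:
        return "FAIL: descriptor binds SyncToOSThread=true but the server option is disabled (no_permission at run time)"
    if wants_sync:
        return "SYNC: caller or RunAs identity will be placed on the OS thread for this module"
    return "SERVER: OS thread keeps the server identity (default)"


if __name__ == "__main__":
    for name, xml in (("payroll", SAMPLE_WEB_XML_SYNC), ("catalog", SAMPLE_WEB_XML_DEFAULT)):
        print(name, "->", audit_descriptor(xml, server_sync_enabled=False))
```

Run the file to see the verdict for both constructed descriptors against a server whose synchronization option is still at its default of disabled; flip the argument to True to see the payroll module reported as synchronized.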
When processing a request, the Web container understands what roles,
if any, are required to access the component represented by the input
URL. The container validates requestor authentication and that the
authenticated user has been granted permission to the required roles.
The Web container makes use of the same System Authorization Facility
(SAF) - based user registry and EJB role profiles as the EJB container
to perform this validation. Therefore, you can use the same user registry
and role profiles for administering Web applications as you use for
Enterprise Beans and J2EE Services. For setting thread identity, possible
active user registries include:
Application events that modify the thread identity value include:
- Initial value when the first method is set:
By default, invocations of servlet service methods
and EJB business methods implicitly run as caller (RunAsCaller) unless
the Run as field of a policy's attribute specifies otherwise. EJB
client applications always run as server (RunAsServer).
Note: For
Web applications, if security constraints are not specified, the application
might run with an unauthenticated user ID.
- Method delegation changes to the J2EE identity (RunAs Specified):
The connection manager synchronizes the current J2EE identity
with the OS thread when obtaining connections from resource references
that have container-managed resource authorization (res-auth=container).
EJB methods marked with SynchToOSThread cause the J2EE role identity
to be synchronized to the OS thread.
- WSSubject.doAs():
This setting offers flexibility when associating the Subject with
remote calls on a thread without having to do a WSSubject.doAs() to
associate the subject with the remote action.
Thread identity is temporarily reset on the server in the following
situations:
- JavaServer Pages (JSP) Compilation:
Web container JSP compilation modifies the identity of the server
if SyncToOSThread is enabled for the server (security_EnableSyncToOSThread=1).
- Access of Stateful Backing Store:
EJB container stateful session activation changes the identity
of the server if SyncToOSThread is enabled. Always access the EJB
stateful session backing store using the identity of the server.
- Web application Reloading:
When the Web container reloads the Web application, it changes
the server identity if SyncToOSThread is enabled for Web applications.
- Connection Manager Requests:
When the resource reference specifies res-auth=application,
the thread identity is temporarily set to the identity of the server.
Note: When running with administrative security enabled,
it is recommended that you have Java 2 security enabled. Exercise
caution when enabling this support because it can cause general z/OS
system resources (such as files and sockets) to fall outside the control
of the WebSphere Application Server runtime, so that management of
these system resources becomes accessible to identities established
through J2EE applications.