RunAs roles are used for delegation. A servlet or enterprise
bean component uses the RunAs role to invoke another enterprise bean
by impersonating that role.
Before you begin
Before you perform this task:
- Secure the web application and enterprise bean applications, including
creating and assigning new roles to enterprise bean and web resources.
For more information, see Securing web applications using an assembly tool and Securing enterprise bean applications.
- Assign users and groups to roles. For more information, see Adding users and groups to roles using an assembly tool. Complete this step
during the installation of the application. The environment or user
registry under which the application is going to run is not known
until deployment. If you already know the environment in which the
application is going to run and you know the user registry, then you
can use an assembly tool to assign users to RunAs roles.
About this task
Note: This procedure might not match the steps that are required
when using your assembly tool, or match the version of the assembly
tool that you are using. You should follow the instructions for the
tool and version that you are using.
To define RunAs roles when a servlet
or an enterprise bean in an application is configured with RunAs settings,
perform these steps:
Procedure
- In the Project Explorer view of an assembly tool, right-click
an enterprise application project or Enterprise Archive (EAR) file
and click Open With > Deployment Descriptor Editor. An application deployment descriptor editor opens on the EAR
file. To access information about the editor, press F1 and click Application
deployment descriptor editor.
- On the Security tab, under Security Role Run As Bindings,
click Add.
- Click Add under RunAs Bindings.
- In the Security Role wizard, select one or more roles and
click Finish.
- Repeat steps 3 through 5 for all the RunAs roles in the
application.
- Close the application deployment descriptor editor and,
when prompted, click Yes to save the changes.
Results
The ibm-application-bnd.xmi file in the application
contains the user to RunAs role mapping table.
Supported configurations: For IBM® extension
and binding files, the .xmi or .xml file name extension is different
depending on whether you are using a pre-Java EE 5 application or
module or a Java EE 5 or later
application or module. An IBM extension
or binding file is named ibm-*-ext.xmi or ibm-*-bnd.xmi where * is
the type of extension or binding file such as app, application, ejb-jar,
or web. The following conditions apply:
- For an application or module that uses a Java EE version prior to version 5, the file
extension must be .xmi.
- For an application or module that uses Java EE 5 or later, the file extension must
be .xml. If .xmi files are included with the application or module,
the product ignores the .xmi files.
However, a Java EE
5 or later module can exist within an application that includes pre-Java
EE 5 files and uses the .xmi file name extension.
The ibm-webservices-ext.xmi, ibm-webservices-bnd.xmi, ibm-webservicesclient-bnd.xmi, ibm-webservicesclient-ext.xmi,
and ibm-portlet-ext.xmi files continue to use
the .xmi file extensions.
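Because .xmi files are ignored in a Java EE 5 or later application, a RunAs binding saved under the wrong extension has no effect. The following Python check is an added example, not IBM code: it lists application-level IBM extension and binding files in an EAR's META-INF whose extension does not match the Java EE level. It assumes that level is given by the version attribute of META-INF/application.xml; the function names are hypothetical and the sample EAR is constructed.

```python
# Added example; function names are hypothetical, sample EAR is constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# File names the page says keep the .xmi extension at every Java EE level.
ALWAYS_XMI = {
    "ibm-webservices-ext.xmi", "ibm-webservices-bnd.xmi",
    "ibm-webservicesclient-bnd.xmi", "ibm-webservicesclient-ext.xmi",
    "ibm-portlet-ext.xmi",
}
IBM_FILE = re.compile(r"^META-INF/(ibm-[\w-]+-(?:ext|bnd)\.(xmi|xml))$")


def is_javaee5_or_later(application_xml: bytes) -> bool:
    """Assumption: the level is the root 'version' attribute ('1.4', '5',
    '6', ...); DTD-based descriptors carry no such attribute."""
    version = ET.fromstring(application_xml).get("version")
    return version is not None and float(version) >= 5


def check_ear(ear) -> list[str]:
    """Return findings for application-level IBM files in an EAR's META-INF."""
    findings = []
    with zipfile.ZipFile(ear) as z:
        names = z.namelist()
        if "META-INF/application.xml" not in names:
            return ["no META-INF/application.xml: Java EE level not determined"]
        modern = is_javaee5_or_later(z.read("META-INF/application.xml"))
    for name in names:
        m = IBM_FILE.match(name)
        if not m or m.group(1) in ALWAYS_XMI:
            continue
        ext = m.group(2)
        if modern and ext == "xmi":
            findings.append(f"{name}: ignored, Java EE 5 or later requires .xml")
        elif not modern and ext == "xml":
            findings.append(f"{name}: pre-Java EE 5 requires .xmi")
    return findings


def build_sample_ear(version: str, binding_name: str) -> io.BytesIO:
    """Constructed sample EAR: a descriptor plus an empty binding file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/application.xml", f'<application version="{version}"/>')
        z.writestr(f"META-INF/{binding_name}", "<placeholder/>")
    return buf
```

The check covers only files in the EAR's own META-INF; modules inside the EAR have their own level and are not inspected.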
What to do next
After securing an application, you can
install the application using
the administrative console. You can change the RunAs role mappings
of an installed application. For more information, see
User RunAs collection.