A user is identified by an identity that WebSphere® Application Server must authenticate before the user can access a WebSphere Application Server application in a secure environment.
Understanding the different types of identities: WebSphere Application Server authenticates the user identity and represents the authenticated user with a Java Authentication and Authorization Service (JAAS) subject. A subject contains one or more principals, each of which is a technology-dependent representation of the authenticated user identity. The identities involved are described below.
- User identities
  - Java EE identity
    - The user identity authenticated by WebSphere Application Server and used for access control decisions that the server makes at Java Platform, Enterprise Edition (Java EE) runtime (for example, the user identity associated with a Java EE application request and used in EJB method permission checks).
  - Operating system (OS) identity
    - The user identity authenticated by the underlying operating system and used for access control decisions made by the OS and its subsystems (for example, the user identity assigned to a WebSphere Application Server for z/OS® servant by the SAF STARTED class facility and used by the file system when the server attempts to access files).
- Thread identities
  - Java thread identity
    - The Java EE identity currently associated with a Java thread managed by the WebSphere Java EE runtime (a Java thread is the Java Virtual Machine (JVM) representation of a thread). Every Java thread is backed by an operating system (OS) thread, but the JVM manages the user identity on the Java representation of the thread separately from the user identity that the operating system manages on the OS thread. The Java EE identity remains current on the Java thread for the life of a given application request.
  - OS thread identity
    - The operating system identity currently associated with the OS thread. The OS thread identity is typically the user identity assigned to the servant and is normally not the same as the Java thread identity. Note that the Java EE runtime also maintains a Java EE identity that corresponds to the OS thread identity assigned to the servant; this Java EE identity can be used as a RunAs identity.
- RunAs identity
  - The Java EE identity chosen as the Java thread identity for a given Java EE application request, based on the RunAs deployment descriptor policy of the Enterprise JavaBeans (EJB) component invoked within that request. This is normally the identity of the authenticated user who made the Java EE application request. The WebSphere Application Server RunAs policy allows three choices when assigning the Java thread identity for the current request:
    - Assign the client's (that is, the user's) Java EE identity, also referred to as selecting a RunAs of "Caller"
    - Assign the server's Java EE identity
    - Assign the Java EE identity that is mapped to a specified role
When security is enabled, each WebSphere Application Server for z/OS request that invokes a Java EE component is authenticated to ensure that an authorized user is requesting access. The user is represented by a Java EE identity (the JAAS subject). This Java EE identity contains one or more principals, and each principal corresponds to a specific user identity; WebSphere Application Server manages this association. A Java EE identity and an OS thread identity are considered associated with each other when they have the same name and represent the same user.
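The RunAs choices listed above, and the subject-with-principals model that the previous paragraph describes, as an added example in Java EE code. This is not code from the original page or from IBM; the bean names, the roles "employee" and "payroll-admin", and the package are illustrative assumptions. It uses the standard Java EE security annotations plus the WebSphere API `com.ibm.websphere.security.auth.WSSubject.getCallerSubject()` to list the principals carried by the caller's JAAS subject.

```java
// --- ExpenseBean.java --- (added example; package and names are assumed)
package example;

import java.security.Principal;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.security.auth.Subject;
import com.ibm.websphere.security.auth.WSSubject;

/**
 * RunAs "Caller" (the default when no RunAs policy is declared):
 * the Java thread identity while submit() runs is the authenticated
 * client's Java EE identity, and that same identity is used for the
 * outbound call to PayrollBean.
 */
@Stateless
@DeclareRoles({"employee", "payroll-admin"})
public class ExpenseBean {
    @Resource private SessionContext ctx;
    @EJB private PayrollBean payroll;

    @RolesAllowed("employee")
    public String submit(double amount) {
        // The caller principal is taken from the JAAS subject associated
        // with the current Java thread, not from the OS thread identity.
        String caller = ctx.getCallerPrincipal().getName();

        // The same subject may carry more than one principal; list them.
        StringBuilder names = new StringBuilder();
        try {
            Subject subject = WSSubject.getCallerSubject();
            if (subject != null) {
                for (Principal p : subject.getPrincipals()) {
                    names.append(p.getName()).append(' ');
                }
            }
        } catch (Exception e) {   // WSSecurityException if no subject is on the thread
            names.append("<no caller subject>");
        }
        return "caller=" + caller + " principals=[" + names.toString().trim() + "] "
             + payroll.record(caller, amount);
    }
}

// --- PayrollBean.java ---
package example;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

/**
 * RunAs "specified role": while any method of this bean runs, the Java
 * thread identity is the Java EE identity mapped to "payroll-admin" at
 * deployment time, so LedgerBean sees that identity as its caller.
 * The inbound @RolesAllowed check on record() is still evaluated against
 * the *original* caller, because RunAs only changes the identity used
 * for the bean's own outbound calls.
 */
@Stateless
@RunAs("payroll-admin")
public class PayrollBean {
    @Resource private SessionContext ctx;
    @EJB private LedgerBean ledger;

    @RolesAllowed("employee")
    public String record(String onBehalfOf, double amount) {
        return ledger.post(onBehalfOf, amount);
    }
}

// --- LedgerBean.java ---
package example;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class LedgerBean {
    @Resource private SessionContext ctx;

    // Satisfied by PayrollBean's RunAs identity even though the human
    // caller only holds "employee"; the principal reported here is the
    // user mapped to the payroll-admin RunAs role, not the end user.
    @RolesAllowed("payroll-admin")
    public String post(String onBehalfOf, double amount) {
        return "posted " + amount + " for " + onBehalfOf
             + " as " + ctx.getCallerPrincipal().getName();
    }
}
```

The same policy can be declared in ejb-jar.xml instead of with annotations: `<security-identity><use-caller-identity/></security-identity>` for ExpenseBean and `<security-identity><run-as><role-name>payroll-admin</role-name></run-as></security-identity>` for PayrollBean. Which user (and therefore which Java EE identity) stands behind the "payroll-admin" RunAs role, and the page's second choice of using the server's own Java EE identity, are selected in the WebSphere Application Server RunAs role bindings at deployment time rather than in the standard descriptor; the exact binding syntax is not shown here.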
WebSphere Application Server for z/OS dispatches component requests in one of its available servant processes. Within the servant process, the component request is dispatched on a Java thread. The JVM maps that Java thread internally to a z/OS thread control block (TCB). A TCB is an operating system thread and is part of the native process infrastructure. A servant process is assigned an OS identity when it starts; the z/OS security policy uses the SAF STARTED class facility to assign that identity.
Java EE authorization decisions, including role authorization and permission checking, are made using the Java EE identity. Through a configuration setting, role authorization checking can be delegated to the underlying operating system security manager (such as the System Authorization Facility (SAF)), in which case the associated OS identity is used in the role authorization decision.
Some resource managers on z/OS use the OS thread identity to make authorization decisions. For example, file system access control is determined entirely by which OS thread identity is currently on the TCB when the file is accessed. Similarly, under certain configurations, local Java Database Connectivity (JDBC) connections to DB2® for z/OS use the OS thread identity on the TCB as the authorization identity. Unlike the file system, resource managers such as DB2 for z/OS are reached by applications through Java Message Service (JMS), JDBC, or Java EE Connector Architecture (JCA) connectors that are managed by WebSphere Application Server for z/OS connection management; when such a resource manager authorizes on the OS thread identity, we say that the connectors to it "use operating system thread security". A practical consequence is that the identity a file or DB2 access is authorized against can differ from the Java EE identity that passed the EJB role check, so a RunAs policy alone does not govern access to these resources.
For more information, refer to: