Overriding the RunAs subject on the thread for JAAS

To extend the function that is provided by the Java™ Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject or invocation subject with a different valid entry that is used for outbound requests on this running thread.

Before you begin

You need the following Java 2 security permissions to run these APIs:
  • permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject"
  • permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject"
  • permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject"

About this task

This extension gives you the flexibility to associate the Subject with all the remote calls on this thread, whether or not you use a WSSubject.doAs method to associate the subject with the remote action.

[z/OS] An application developer can use the WSSubject.doAs method to establish a JAAS subject that is authenticated by a JAAS login module as the active security identity for the WebSphere® Application Server runtime to use while performing a specified action. WSSubject.doAs only synchronizes the thread identity when it is called within a component that is configured for sync-to-thread. When used with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.

Procedure

  1. Set a new RunAs subject for the thread, overriding the one declaratively set.
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);
  2. Perform some remote calls.
  3. Restore the previous RunAs subject.
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);

Example

try {
    javax.security.auth.Subject runas_subject, caller_subject;

    // capture the current RunAs subject and the caller subject
    runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();

    // set a new RunAs subject for the thread, overriding the one declaratively set
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);

    // do some remote calls

    // restore back to the previous runAsSubject
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
} catch (com.ibm.websphere.security.WSSecurityException e) {
    // log error
} catch (Exception e) {
    // log error
}
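The following helper is an added example, not IBM's code. It wraps the three procedure steps so that the previous RunAs subject is restored in a finally block, which keeps an overridden identity from staying on a pooled thread when a remote call throws. The class name RunAsOverride, the method callAsCaller, and the handling of a null caller subject are assumptions made for illustration.

```java
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

// Hypothetical helper (not part of the WebSphere API): runs an action with the
// caller subject as the RunAs subject, then always restores the previous one.
public final class RunAsOverride {

    private RunAsOverride() { }

    public static <T> T callAsCaller(Callable<T> remoteCalls) throws Exception {
        // Capture both subjects before changing anything on the thread.
        Subject previousRunAs = WSSubject.getRunAsSubject();
        Subject caller = WSSubject.getCallerSubject();

        // Assumption: a null caller subject means there is no authenticated
        // caller, so refuse instead of overriding the RunAs subject with it.
        if (caller == null) {
            throw new SecurityException("No caller subject on this thread");
        }

        // Step 1: override the declaratively set RunAs subject.
        WSSubject.setRunAsSubject(caller);
        try {
            // Step 2: outbound requests made here carry the caller subject.
            return remoteCalls.call();
        } finally {
            // Step 3: restore the previous RunAs subject, even on failure.
            try {
                WSSubject.setRunAsSubject(previousRunAs);
            } catch (WSSecurityException e) {
                // The thread may still carry the caller identity. Fail loudly;
                // this deliberately takes precedence over any earlier exception.
                throw new IllegalStateException("Could not restore RunAs subject", e);
            }
        }
    }
}
```

The calling code still needs the three AuthPermission entries listed under "Before you begin" when Java 2 security is enabled.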

Last updated: July 9, 2016 11:17
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_override
File name: tsec_override.html