Mapping users to RunAs roles using an assembly tool

RunAs roles are used for delegation. A servlet or enterprise bean component uses the RunAs role to invoke another enterprise bean by impersonating that role.

Before you begin

Before you perform this task:
  • Secure the web application and enterprise bean applications, including creating and assigning new roles to enterprise bean and web resources. For more information, see Securing web applications using an assembly tool and Securing enterprise bean applications.
  • Assign users and groups to roles. For more information, see Adding users and groups to roles using an assembly tool. Complete this step during the installation of the application. The environment or user registry under which the application is going to run is not known until deployment. If you already know the environment in which the application is going to run and you know the user registry, then you can use an assembly tool to assign users to RunAs roles.

About this task

Note: This procedure might not match the steps that are required when using your assembly tool, or match the version of the assembly tool that you are using. You should follow the instructions for the tool and version that you are using.

To define RunAs roles when a servlet or an enterprise bean in an application is configured with RunAs settings, perform these steps:

Procedure

  1. In the Project Explorer view of an assembly tool, right-click an enterprise application project or Enterprise Archive (EAR) file and click Open With > Deployment Descriptor Editor. An application deployment descriptor editor opens on the EAR file. To access information about the editor, press F1 and click Application deployment descriptor editor.
  2. On the Security tab, under Security Role Run As Bindings, click Add.
  3. Click Add under RunAs Bindings.
  4. In the Security Role wizard, select one or more roles and click Finish.
  5. Repeat steps 3 through 5 for all the RunAs roles in the application.
  6. Close the application deployment descriptor editor and, when prompted, click Yes to save the changes.

Results

The ibm-application-bnd.xmi file in the application contains the user to RunAs role mapping table.
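Supported configurations: For IBM® extension and binding files, the .xmi or .xml file name extension depends on whether you are using a pre-Java EE 5 application or module, or a Java EE 5 or later application or module. An IBM extension or binding file is named ibm-*-ext.xmi or ibm-*-bnd.xmi, where * is the type of extension or binding file, such as app, application, ejb-jar, or web. The following conditions apply:
  • If the application or module uses a Java EE version prior to version 5, the file extension must be .xmi.
  • If the application or module uses Java EE 5 or later, the file extension must be .xml. If .xmi files are included with the application or module, the product ignores the .xmi files.

However, a Java EE 5 or later module can exist within an application that includes pre-Java EE 5 files and uses the .xmi file name extension.

The ibm-webservices-ext.xmi, ibm-webservices-bnd.xmi, ibm-webservicesclient-bnd.xmi, ibm-webservicesclient-ext.xmi, and ibm-portlet-ext.xmi files continue to use the .xmi file extension.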
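
An added example, not part of the original page or of IBM's code: a reviewer's script that reads the role to RunAs mapping out of a binding file and flags delegation identities outside an approved set. It assumes the Java EE 5 or later ibm-application-bnd.xml layout (security-role elements that contain a run-as element with a userid attribute); the sample file, the user names and the approved set are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed Java EE 5+ ibm-application-bnd.xml layout
# (elements: security-role, user, group, run-as). Not from a real application.
SAMPLE_BND = """<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <security-role name="Teller">
    <user name="alice"/>
    <run-as userid="svc-teller"/>
  </security-role>
  <security-role name="Auditor">
    <group name="auditors"/>
  </security-role>
  <security-role name="Manager">
    <user name="bob"/>
    <run-as userid="wasadmin"/>
  </security-role>
</application-bnd>
"""


def local(tag):
    """Drop the XML namespace so namespaced and bare files are read the same way."""
    return tag.rsplit("}", 1)[-1]


def runas_table(xml_text):
    """Return {role name: RunAs user id} for every role that has a RunAs binding."""
    table = {}
    for role in ET.fromstring(xml_text).iter():
        if local(role.tag) != "security-role":
            continue
        for child in role:
            if local(child.tag) == "run-as":
                table[role.get("name")] = child.get("userid")
    return table


def review(xml_text, approved):
    """List RunAs bindings whose identity is not in the reviewer's approved set."""
    return sorted(
        f"{role}: RunAs identity {user!r} is not an approved delegation account"
        for role, user in runas_table(xml_text).items()
        if user not in approved
    )


if __name__ == "__main__":
    for role, user in runas_table(SAMPLE_BND).items():
        print(f"{role:10} runs as {user}")
    for finding in review(SAMPLE_BND, approved={"svc-teller"}):
        print("REVIEW:", finding)
```

Roles without a RunAs binding, such as Auditor in the sample, do not appear in the table, so the output lists only the identities that components can impersonate.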

What to do next

After securing an application, you can install the application using the administrative console. You can change the RunAs role mappings of an installed application. For more information, see User RunAs collection.

Last updated: July 9, 2016 11:17
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=cord&product=was-nd-mp&topic=tsec_runas_atk
File name: tsec_runas_atk.html