Overriding the RunAs subject on the thread for JAAS
To extend the function that is provided by the Java™ Authentication and Authorization Service (JAAS) application programming interfaces (APIs), you can set the RunAs subject or invocation subject with a different valid entry that is used for outbound requests on this running thread.
Before you begin
- permission javax.security.auth.AuthPermission "wssecurity.getRunAsSubject"
- permission javax.security.auth.AuthPermission "wssecurity.getCallerSubject"
- permission javax.security.auth.AuthPermission "wssecurity.setRunAsSubject"
About this task
This extension gives you the flexibility to associate the Subject with all the remote calls on this thread, whether or not you use a WSSubject.doAs method to associate the subject with the remote action.
An application developer can use the WSSubject.doAs method to establish a JAAS subject that is authenticated by a JAAS login module as the active security identity for the WebSphere® Application Server runtime to use while performing a specified action. WSSubject.doAs only synchronizes the thread identity when it is called within a component that is configured for sync-to-thread. When used with the application Synch to OS Thread Allowed option, this identity is set on the operating system thread for the scope of that action.
Procedure
Example
try {
    javax.security.auth.Subject runas_subject, caller_subject;
    runas_subject = com.ibm.websphere.security.auth.WSSubject.getRunAsSubject();
    caller_subject = com.ibm.websphere.security.auth.WSSubject.getCallerSubject();
    // set a new RunAs subject for the thread, overriding the one declaratively set
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(caller_subject);
    // do some remote calls
    // restore back to the previous runAsSubject
    com.ibm.websphere.security.auth.WSSubject.setRunAsSubject(runas_subject);
} catch (com.ibm.websphere.security.WSSecurityException e) {
    // log error
} catch (Exception e) {
    // log error
}
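The example above restores the previous RunAs subject only on the success path: if one of the remote calls throws, the override remains on the thread, and because application server threads are pooled, a later unrelated request on that thread could run its outbound calls under the wrong identity. The helper below is an added example, not code from the IBM documentation; it uses only the WSSubject methods shown on this page and restores the saved subject in a finally block. RemoteService and doWork are hypothetical stand-ins for whatever remote EJB or web service stub the application calls, and the helper assumes, as the page's own example does, that a RunAs subject was active before the override.

```java
import java.util.concurrent.Callable;
import javax.security.auth.Subject;
import com.ibm.websphere.security.WSSecurityException;
import com.ibm.websphere.security.auth.WSSubject;

public final class RunAsScope {

    /**
     * Runs work with override as the RunAs (invocation) subject for this
     * thread, then puts back whatever RunAs subject was active before,
     * whether work returns normally or throws.
     */
    public static <T> T withRunAsSubject(Subject override, Callable<T> work) throws Exception {
        // Save the declaratively configured (or previously overridden) subject.
        // Assumes a RunAs subject is active, as in the page's example.
        Subject previous = WSSubject.getRunAsSubject();
        WSSubject.setRunAsSubject(override);
        try {
            return work.call();
        } finally {
            // Always undo the override so the pooled thread does not carry
            // this identity into later, unrelated requests.
            WSSubject.setRunAsSubject(previous);
        }
    }

    // Example caller: send the outbound call under the caller's identity
    // instead of the RunAs identity configured for the component.
    public static String callDownstreamAsCaller(final RemoteService service) throws Exception {
        Subject caller = WSSubject.getCallerSubject();
        return withRunAsSubject(caller, new Callable<String>() {
            public String call() throws Exception {
                return service.doWork(); // hypothetical remote call
            }
        });
    }

    /** Hypothetical downstream interface standing in for a remote stub. */
    public interface RemoteService {
        String doWork() throws WSSecurityException, Exception;
    }
}
```

getRunAsSubject, getCallerSubject and setRunAsSubject each require the corresponding javax.security.auth.AuthPermission listed under "Before you begin" when Java 2 security is enabled, so the helper must run from code granted those permissions.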