![[z/OS]](../images/ngzos.gif)
Map a registry principal to a System Authorization Facility user ID using a Java Authentication and Authorization Services login module
You can use a Java™ Authentication and Authorization Services (JAAS) login module to map a registry principal to the System Authorization Facility (SAF) user ID.
- A pluggable login module can set the z/OS® well-defined attributes in the shared state map during login.
- WebSphere® Application Server provides the com.ibm.websphere.security.SampleSAFMappingModule sample mapping module, which sets the z/OS attributes in the shared state. Any mapping module, the sample included, must precede the com.ibm.ws.security.common.auth.module.MapPlatformSubject entry in the list of login modules, so that its values are already in the shared state when MapPlatformSubject runs.
The following well-defined attributes used in WebSphere Application Server mapping are defined in the com.ibm.wsspi.security.token.AttributeNameConstants class, which is in the sas.jar file:
com.ibm.wsspi.security.token.AttributeNameConstants.ZOS_USERID
Use this attribute to set the MVS™ user ID that is used when an operation requires a z/OS SAF user ID. If no value is set, WebSphere Application Server uses the unauthenticated user's SAF user ID instead. The value must be a valid MVS user ID.
com.ibm.wsspi.security.token.AttributeNameConstants.ZOS_AUDIT_STRING
Use this attribute to specify the string that is placed in the X500Name property when a Resource Access Control Facility (RACF®) access control environment element (ACEE) is created for the mapped identity. The audit string is recorded in the following situations:
- EJBROLE authorization check
- Any access check for an application that is running with the operating system identity and synchronized to the Java 2, Enterprise Edition (J2EE) identity. For more information, see Java thread identity and an operating system thread identity.
com.ibm.wsspi.security.token.AttributeNameConstants.CALLER_PRINCIPAL_CLASS
Use this optional attribute to indicate which principal class in a JAAS subject is returned by the getCallerPrincipal and getUserPrincipal application programming interfaces (APIs). It can be set by either of the following:
- WebSphere Application Server runtime
- A JAAS login module
The default value of this field is com.ibm.websphere.security.auth.WSPrincipal. Using this default value returns the WebSphere Application Server principal name in the configured WebSphere Application Server registry.
To return the mapped SAF principal, specify com.ibm.ws.security.zos.Principal. If a value is specified but no principal in the subject matches the specified CALLER_PRINCIPAL_CLASS value, the return value indicates an unauthenticated user: getUserPrincipal returns null, and getCallerPrincipal() returns a value that indicates that the user is unauthenticated.
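As an added worked example (not the IBM-supplied SampleSAFMappingModule and not code from this page), the following JAAS login module maps a registry principal name to a SAF user ID and sets the three attributes described above in the shared state. It assumes that sas.jar is on the classpath for AttributeNameConstants, that the login configuration's callback handler answers a standard NameCallback with the registry principal name, and that CALLER_PRINCIPAL_CLASS takes the principal class name as a string; the package name, the mapping table and the audit-string format are constructed for the example.

```java
// Example mapping module, not the IBM-supplied SampleSAFMappingModule.
// Assumes sas.jar (com.ibm.wsspi.security.token.AttributeNameConstants) is on
// the classpath; package name and mapping table are constructed for this example.
package com.example.zos.security;

import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.ibm.wsspi.security.token.AttributeNameConstants;

public class RegistryToSafMappingModule implements LoginModule {

    /** Syntax of a RACF user ID: 1-8 characters from A-Z, 0-9 and the national
     *  characters @ # $. Only a format check; SAF decides whether the ID exists. */
    static final Pattern MVS_USERID = Pattern.compile("[A-Z0-9@#$]{1,8}");

    /** Constructed mapping table for the example. A production module would read
     *  this from configuration or a registry attribute rather than hard-code it. */
    static final Map<String, String> REGISTRY_TO_SAF;
    static {
        Map<String, String> m = new HashMap<>();
        m.put("uid=alice,o=example", "ALICE01");
        m.put("uid=bob,o=example", "bob01");             // folded to BOB01 below
        m.put("uid=mallory,o=example", "TOOLONGUSERID"); // invalid: rejected, never used
        REGISTRY_TO_SAF = Collections.unmodifiableMap(m);
    }

    private CallbackHandler callbackHandler;
    private Map<String, Object> sharedState;

    /** Pure mapping step, kept separate so it can be unit-tested. Returns null when
     *  there is no mapping or the mapped value is not a syntactically valid MVS ID. */
    static String mapToSafUserId(String registryName) {
        if (registryName == null) {
            return null;
        }
        String candidate = REGISTRY_TO_SAF.get(registryName.trim().toLowerCase(Locale.ROOT));
        if (candidate == null) {
            return null;
        }
        candidate = candidate.toUpperCase(Locale.ROOT); // RACF user IDs are upper case
        return MVS_USERID.matcher(candidate).matches() ? candidate : null;
    }

    @Override
    @SuppressWarnings("unchecked")
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.callbackHandler = handler;
        // The shared state is the map the later MapPlatformSubject module reads.
        this.sharedState = (Map<String, Object>) sharedState;
    }

    @Override
    public boolean login() throws LoginException {
        String registryName = registryNameFromCallback();
        String safUserId = mapToSafUserId(registryName);
        if (safUserId == null) {
            // Fail closed. Returning without setting ZOS_USERID would make the
            // server run this caller as the unauthenticated SAF identity.
            throw new FailedLoginException("No valid SAF user ID mapped for " + registryName);
        }
        // SAF identity used for EJBROLE checks and OS-identity access checks.
        sharedState.put(AttributeNameConstants.ZOS_USERID, safUserId);
        // Placed in the X500Name property of the ACEE so audit records tie the SAF ID
        // back to the registry principal. The "registry=" format is an assumption.
        sharedState.put(AttributeNameConstants.ZOS_AUDIT_STRING, "registry=" + registryName);
        // Make getCallerPrincipal()/getUserPrincipal() return the SAF principal
        // instead of the default WSPrincipal.
        sharedState.put(AttributeNameConstants.CALLER_PRINCIPAL_CLASS,
                        "com.ibm.ws.security.zos.Principal");
        return true;
    }

    /** Obtains the registry principal name through a standard JAAS NameCallback.
     *  That the configured callback handler supplies it this way is an assumption. */
    private String registryNameFromCallback() throws LoginException {
        if (callbackHandler == null) {
            throw new LoginException("No CallbackHandler available");
        }
        NameCallback nameCallback = new NameCallback("registry principal: ");
        try {
            callbackHandler.handle(new Callback[] { nameCallback });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Cannot obtain registry principal: " + e.getMessage());
        }
        return nameCallback.getName();
    }

    @Override public boolean commit() { return true; } // MapPlatformSubject adds the SAF principal
    @Override public boolean abort()  { sharedState.remove(AttributeNameConstants.ZOS_USERID); return true; }
    @Override public boolean logout() { return true; }
}
```

List this module before MapPlatformSubject in the login configuration, as the ordering rule above requires. Two design choices matter for security: an unmapped or malformed user ID fails the login with FailedLoginException rather than leaving ZOS_USERID unset, so a caller never silently drops to the unauthenticated SAF identity; and the mapped value is folded to upper case and checked against the RACF user ID syntax before it reaches the shared state, so a malformed registry entry is rejected in the module instead of producing an unpredictable SAF lookup.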
Two SAF identities that are not mapped from a registry principal are also involved:
- Server identity: this identity is always mapped to the user ID of the server process, which is assigned by the STARTED profile.
- SAF identity corresponding to the UNAUTHENTICATED user: this identity is used when the caller has no network identity, that is, when the request was not authenticated. It is configured with the WebSphere z/OS Profile Management Tool or the zpmt command and can be modified in the administrative console. Create the SAF identity for unauthenticated users with the RACF RESTRICTED attribute, so that it cannot gain access to resources through a universal access authority (UACC), an ID(*) entry on an access list, or the global access checking table.